Privacy Policy

HerbaClub mobile application
Effective date: June 2, 2026

This Privacy Policy explains how the Operator collects, uses, stores, shares and protects personal data of users of the HerbaClub mobile application (the “App”). Please read it together with the Consent to the Processing of Personal Data and the Terms of Use.

1. Operator (Data Controller)

Operator Individual Entrepreneur “SRM GROUP”
Identification number (IIN) 781217000619
Country Republic of Kazakhstan
Registered address Turan Avenue 3, apt. 17, 010000, Republic of Kazakhstan
Application HerbaClub (Google Play, Apple App Store)
Hosting provider Internet-company PS LLP; servers located at Hetzner, Helsinki, Finland
Contact e-mail: herbaclub.app@gmail.com

2. Legal frameworks

The Operator processes personal data in accordance with the Law of the Republic of Kazakhstan No. 94-V dated 21 May 2013 “On Personal Data and Its Protection”. Because the App is offered to an international audience, this Policy is also designed to meet the requirements of the EU General Data Protection Regulation 2016/679 (“GDPR”) for users located in the European Economic Area, and the privacy requirements of Apple App Store and Google Play.

3. Personal data we collect

3.1. Data you provide directly

3.2. Health and wellness data (special category)

To provide its core features, the App processes wellness and health-related data, including: body weight and height, Body Mass Index (BMI) calculated from them, step count, water intake, and your use of meditation features. Your interactions with the AI assistant may also reveal information about your physical or emotional well-being.

Such data is treated as a special category of personal data (Article 9 GDPR) and as data of restricted access under the law of the Republic of Kazakhstan, and is processed only on the basis of your explicit consent.

3.3. Data collected automatically

Through the integrated Firebase services (provided by Google), the App processes technical and usage data, such as: device and application identifiers, push notification token, app activity and feature usage, crash and diagnostic data, and approximate technical information. This data is used to operate, secure and improve the App.

3.4. Device permissions

Permissions are requested only when the related feature is used and can be changed at any time in your device settings. Profile photos are not used for biometric identification.

4. Purposes of processing

5. Legal bases for processing

You may withdraw your consent at any time; this does not affect the lawfulness of processing carried out before the withdrawal.

6. Children and minors

The App is intended for users aged 14 and older. The Operator does not knowingly collect personal data from children under 14. Where the applicable law of the user’s country requires consent of a parent or legal guardian for the processing of a minor’s personal data (for example, users below the age of digital consent under the GDPR), such processing is carried out only with the consent of the parent or legal guardian. If you believe that a minor has provided personal data without the required consent, please contact the Operator and the data will be deleted.

7. Third-party services and recipients

7.1. General Principles

The Operator does not sell personal data and does not use it for third-party advertising. Personal data is processed by the following service providers acting on the Operator’s behalf (processors):

7.2. AI Assistant

The AI assistant (AI trainer) is powered by Google Gemini, provided by Google. The text you submit to the AI assistant is transmitted to and processed by Google solely to generate responses. The Operator does not use such content for any other purpose.

7.3. Legal Disclosure

Personal data may be disclosed to competent public authorities where required by applicable law.

8. International data transfers

The App’s data is stored on servers located in Finland (European Economic Area) operated by the hosting provider. The Firebase services and the Google Gemini AI assistant, both provided by Google, may process data on Google infrastructure located in other countries, including outside the EEA. Where personal data is transferred across borders, the Operator relies on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) and on your consent, and takes measures to ensure an adequate level of protection consistent with the law of the Republic of Kazakhstan and the GDPR.

9. Data retention

Personal data is retained while your account is active and for the period necessary to achieve the purposes described in this Policy, after which it is deleted or anonymised. The Operator may retain certain data for longer where required for security, fraud prevention or to comply with legal obligations. Upon deletion of your account, associated personal data is deleted, subject to such legitimate retention.

10. Your rights

Subject to applicable law (the law of the Republic of Kazakhstan and, for EEA users, the GDPR), you have the right to:

To exercise your rights, contact the Operator at herbaclub.app@gmail.com. The Operator will respond within the period required by applicable law.

11. Account and data deletion

You can request deletion of your account and associated personal data at any time: (a) within the App, in the account settings; and (b) by sending a request to herbaclub.app@gmail.com or via the web page https://herbaclub.org. Upon such request, the Operator deletes the account and associated personal data, except data that must be retained for legitimate reasons such as security, fraud prevention or legal compliance, as described in Section 9.

12. Security

The Operator applies organisational and technical measures to protect personal data, including encryption of data in transit (TLS), access controls, use of reputable infrastructure providers and restriction of access to authorised persons. The Operator has designated a person responsible for organising the processing of personal data and applies additional protection measures to data of restricted access (sensitive data), including health and wellness data.

No method of transmission or storage is completely secure; the Operator continuously works to maintain an appropriate level of protection. In the event of a personal data security breach, the Operator notifies the competent authorities, including the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan, and affected users, where and within the time required by applicable law.

13. Changes to this Policy

The Operator may update this Policy from time to time. The current version is made available within the App and at the published Policy URL, and the effective date is updated accordingly. Material changes will be communicated through the App.

14. Contact

For any questions regarding this Policy or the processing of your personal data, contact the Operator: Individual Entrepreneur “SRM GROUP”, e-mail herbaclub.app@gmail.com.