Privacy policy

This page explains what personal data AVAT collects, why we collect it, where we store it and what rights you have. Written in plain English. Effective from 23 May 2026.

1. Who we are

AVAT is the trading name of a sole-proprietor practice operated by Mikhail Khlestov, registered in the Republic of Kazakhstan, Individual Taxpayer Identification Number (IIN) 920508051495. We provide custom software development services (SaaS, MVP, landing pages, AI assistants) under the brand AVAT.

Contact for any privacy question: info@avat.studio.

2. What personal data we collect

2.1 When you contact us

• Name, email, phone or messenger handle you give us in the brief form, on Telegram, WhatsApp or by email.
• Content of the messages you send us.
• Company name and role if you share them.

2.2 When you visit the site

• Standard server logs: IP address, user-agent, request time and URL. Retained for 30 days for security and abuse detection.
• Analytics cookies (Google Analytics 4, Yandex Metrica) measuring anonymised traffic patterns. You can refuse them in your browser or via the consent banner if present.

2.3 When you become a client

• Company billing details required for the contract and the invoice.
• Stripe collects payment data on its own infrastructure when you pay; we never see your card number.
• Any project data you share with us (designs, copy, customer data, credentials) is held only for the duration of the project and the agreed support window.

3. Why we collect it

• To respond to your inquiry and prepare a proposal.
• To deliver the contracted services.
• To issue invoices and process payment.
• To meet tax and accounting obligations under Kazakhstan law and any applicable laws of your jurisdiction.
• To keep the site secure and reliable.

4. Lawful basis for processing

We rely on the following bases under common privacy frameworks (GDPR, UK GDPR and equivalents):

• Performance of a contract for everything related to delivering the work to you.
• Consent for analytics cookies and marketing messages; you can withdraw consent at any time.
• Legitimate interest for replying to your inquiry, securing the site and operating the business.
• Legal obligation for tax, accounting and anti-money-laundering checks where applicable.

5. Who else sees your data

We do not sell personal data. We share it only with the following categories of processors, strictly to deliver the service:

• Stripe for payment processing.
• Vercel for hosting the website.
• Selectel for some backend hosting.
• Supabase for database when your project uses it.
• Google Workspace for email correspondence.
• Telegram and WhatsApp Business when you message us through these channels.
• Accountants and lawyers under standard confidentiality obligations.

6. International transfers

Some of our processors are based in the United States or the European Union. Where you are in the UAE, the UK or the EU, we rely on standard contractual clauses or the processor's own approved transfer mechanism. If you would like a copy of the relevant transfer agreement, email info@avat.studio.

7. How long we keep your data

• Inquiry data: 12 months after the last contact, then deleted unless you become a client.
• Client data: for the duration of the contract plus 6 years for tax and accounting purposes, as required by Kazakhstan law.
• Server logs: 30 days.
• Analytics: per the provider's default retention (typically 14 to 26 months).

8. Your rights

You can ask us to:

• Confirm what personal data we hold about you.
• Provide a copy of it.
• Correct it if it is wrong.
• Delete it (subject to tax and accounting obligations we cannot override).
• Stop processing it for marketing.
• Object to processing based on legitimate interest.
• Receive it in a portable format.

To exercise any of these rights, email info@avat.studio. We respond within 30 days.

9. Cookies

The site uses two kinds of cookies:

• Essential cookies for the site to function; you cannot disable these without breaking the experience.
• Analytics cookies (Google Analytics 4, Yandex Metrica) measuring anonymised traffic patterns. You can disable them in your browser or via the consent banner if present in your region.

10. Children

Our services target adult professionals. We do not knowingly collect data from anyone under 16. If you believe a child has provided data, email us and we will delete it.

11. Security

We use industry-standard measures to protect personal data: HTTPS everywhere, access controls on infrastructure, encrypted backups, principle of least privilege for team access. No transmission over the internet is 100 percent secure; we use commercially reasonable means to protect your data.

12. Changes

If we change this policy, we update the date below and post a note in the site footer for at least 30 days. Material changes affecting how we use existing data will be communicated by email to active clients.

13. How to complain

If you believe we have not handled your data properly, please contact us first at info@avat.studio. You also have the right to lodge a complaint with the data protection authority in your country (for UAE residents, the UAE Data Office; for EU residents, your national supervisory authority).