Privacy Policy

of Business Management System “MyProfit”

1. General Provisions

1.1. This Privacy Policy (hereinafter referred to as the “Policy”) sets forth the terms, objectives, principles, and procedures for processing the personal data (hereinafter referred to as “PD”) of Users when using the Profit ERP software product, owned by “TrackIT” Limited Liability Company (hereinafter referred to as the “Owner”).

1.2. MyProfit is an integrated ERP/CRM system that provides access to automation functionality for inventory accounting, cash flow, basic bookkeeping, and unit economics calculations, including the ability to provide pricing recommendations and analyze key business metrics. Use of the system may include access to the web interface, as well as authorization of the Owner in digital channels (e.g., in customers’ online stores) solely with the consent of the customers.

1.3. For the purposes of this Policy, personal data means any information directly or indirectly related to a specific individual (User) that can be used to identify them, including registration, contact, payment, behavioral, and other data obtained through the use of the MyProfit system.

1.4. This Policy applies to all Users interacting with the MyProfit system, including:

• individuals using the web interface as business owners or representatives of legal entities;

• employees authorized by invitation or internal link;

• third parties granted access by permission of the primary User (e.g., accountants, auditors, consultants);

• technical intermediaries providing connection via API or other integration channels.

1.5. Use of MyProfit constitutes the User’s full and unconditional agreement with the terms of this Policy. If the User disagrees with this Policy, or if they do not have the right to provide personal data on behalf of third parties, they must refrain from accessing the System.

1.6. The Owner processes personal data in strict accordance with the laws of the Republic of Uzbekistan, including the requirements of the Law of the Republic of Uzbekistan “On Personal Data” No. LRU-547 as of July 2, 2019. Processing is carried out in good faith, on a lawful basis, and to the extent necessary to achieve specific purposes.

1.7. The Owner reserves the right to unilaterally amend this Policy. The new version of the Policy comes into effect upon its publication in the system’s user interface and is binding on all Users from the moment of publication.

1.8. If, as part of integration with external platforms (e.g., online stores, accounting systems, sales channels), the Owner gains access to clients’ accounts upon their direct instruction (e.g., adding a TrackIT account to the client’s personal account on the electronic trading platform), such connection is made solely for the purpose of providing the relevant services and within the agreed-upon authority. The User undertakes to independently ensure compliance with the terms of the platforms to which access is provided and to inform third parties of the possibility of such integration. The Owner does not use access to such systems for purposes beyond providing Profit ERP functionality.

2. Composition, categories, and sources of personal data

2.1. As part of the operation of the MyProfit system, the following categories of personal data, provided directly by Users or automatically collected during the use of the system, are processed:

A) Identification and registration data:

• User’s first and last name;

• Email address, mobile phone number, and other contact information;

• Login, password (encrypted), authorization identifiers;

• details of the legal entity on whose behalf the User acts.

B) Organizational and financial data containing personalized elements:

• information on cash flows and counterparties, to the extent related to individuals (e.g., full name, PIN, payment details);

• data on orders, clients, suppliers, and employees;

• information entered manually by the User or imported from external systems (spreadsheets, accounting files, bookkeeping documentation, etc.).

C) Technical and analytical data:

• IP address, connection region, interface language;

• information about the browser, device, and operating system used;

• User actions in the system (navigation, clicks, settings changes);

• behavioral events, including logs, errors, and module usage frequency;

• data download and upload statistics.

D) Data for integration with external systems:

• identifiers, passwords, and access tokens (stored in encrypted form) provided by the User to connect to external resources (e.g., marketplaces, banks, accounting systems);

• information about actions performed on behalf of the User in the external system (e.g., order synchronization or automatic report downloads);

• data about linked external accounts and access rights to them.

2.2. The sources of the above data are:

• direct completion of forms, tables, and system modules by the User;

• data imported at the User’s initiative from external sources (files, APIs, cloud storage, etc.);

• automatic telemetry and analytics collection tools integrated into Profit ERP;

• data provided by the User’s employees as part of their authorized access to the system.

2.3. The processing of personal data in the system does not include special (sensitive) categories of personal data, such as information on race or ethnicity, religious beliefs, health, or political views. If such information is entered in free form as part of user input (e.g., in comments or notes), responsibility for providing it lies solely with the User.

2.4. Anonymized data collected as part of the system’s operation, including aggregated usage metrics, module statistics, transaction frequency, and other information that does not allow identification of a specific individual, may be used by the Owner for internal analysis, optimization, reporting, and the development of new features.

2.5. If access to the system is granted to third parties by invitation (e.g., an accountant or external auditor), the User is responsible for the lawfulness of such access and is obligated to ensure that such third parties comply with the provisions of this Policy.

3. Purposes and Legal Grounds for Processing Personal Data

3.1. Personal data is processed in the MyProfit system solely for purposes directly related to the provision, maintenance, and development of the system’s functionality, including:

• User registration and identification;

• Providing access to Profit ERP functional modules;

• Recording transactions, documents, settlements, and other elements containing personalized data;

• Automating accounting, HR, financial, and logistics processes involving individuals (e.g., the User’s employees and clients);

• Generating analytical reports, graphs, charts, and forecasts based on data containing personalized elements;

• Integration with external platforms, including e-commerce sites, banks, tax systems, and marketplaces, provided that such integration has been voluntarily activated by the User;

• Providing the User with help and technical support;

• Ensuring information and technical security of the system;

• Compliance with the requirements of the legislation of the Republic of Uzbekistan regarding the storage of accounting documents, reporting, personal data protection, and disclosure of information at the request of authorized bodies.

3.2. Personal data is processed solely to the extent necessary to achieve the above purposes and is not used for other purposes, including marketing, sharing with third parties, profiling, or automated decision-making, without the User’s separate and explicit consent.

3.3. The legal grounds for processing personal data within the framework of the system’s operation are:

• Articles 6, 7, 9, and 10 of the Law of the Republic of Uzbekistan “On Personal Data” No. LRU-547 as of July 2, 2019;

• conclusion of an agreement (acceptance of an offer, registration in the system) between the User and the System Owner, within the framework of which the processing of personal data is necessary for the fulfillment of the obligations of the parties;

• voluntary and informed consent of the personal data subject to the processing of information if such information is manually entered into the system by the User;

• fulfillment of obligations established by current legislation in the field of accounting, taxation, labor relations, and civil obligations.

3.4. Personal data obtained during integration with external services (e.g., marketplaces, online store dashboards, cloud accounting platforms) is processed solely to the extent and for the purposes expressly specified by the User. The User confirms that they have legal grounds for granting access to such data, including third-party data.

3.5. In cases where the processing of certain types of data (e.g., sensitive personal information not covered by the basic functionality of the system) requires the separate consent of the personal data subject, such consent must be provided in accordance with legal requirements and independently provided by the User as the data operator.

3.6. The Owner does not carry out hidden or mass processing of personal data beyond the stated purposes. Any expansion of the list of purposes requires separate public notification and, if necessary, additional consent from the User.

4. Storage Periods, Deletion Procedure, and Revocation of Consent

4.1. Personal data processed in the MyProfit system will be retained for the period necessary to achieve the processing purposes set out in Chapter 3 of this Policy, but no longer than permitted by applicable legislation of the Republic of Uzbekistan.

4.2. Specific retention periods are established depending on the data category and type of processing and are as follows:

Personal Data Category | Storage period
User registration data and authorization-related data | Until account deletion
Data of employees, clients, and contractors entered by the User | Until the deletion of the relevant object, but not less than the periods established by the law on accounting and taxation (up to 5 years)
Accounting, tax, and personnel records | In accordance with the requirements of the legislation of the Republic of Uzbekistan (usually at least 5 years)
Log files of events, interface actions, and technical tags | Up to 12 months from the date of generation
Integration data with external platforms (API, stores) | Until the integration is disabled by the User

4.3. The User has the right at any time to:

• revoke consent to the processing of personal data;

• request the deletion or depersonalization of certain categories of personal data;

• request the export of their data in a machine-readable format;

• stop using the system and delete their account.

4.4. To exercise their rights, the User may use the functionality of their personal account in the MyProfit system or send a written request to the contact information specified in this Policy.

4.5. Revocation of consent and deletion of an account may result in termination of the agreement and the impossibility of further use of the system if the processing of personal data is necessary for its functioning.

4.6. Upon receipt of a request to delete personal data, the Owner undertakes to:

• delete or anonymize the information within 30 (thirty) calendar days, with the exception of data required to be retained by law;

• notify the User of the results of the request.

4.7. Deletion of an account or data does not automatically cancel the User’s current obligations to pay for paid services or disable access to already generated documents. The User is obligated to independently disable paid plans through the system interface.

4.8. In the event of data deletion or access blocking at the Owner’s initiative due to a violation of the system’s terms of use or legal requirements, personal data may be stored in anonymized or encrypted form to prevent abuse, protect the interests of the system, and fulfill obligations at the request of government agencies.

5. Information Protection, Security Measures, and User Rights

5.1. The owner of the MyProfit system (TrackIT LLC) implements a set of legal, organizational, and technical measures aimed at ensuring the confidentiality, integrity, and availability of personal data, preventing its unauthorized processing, loss, or unauthorized access by third parties.

5.2. To protect personal data and other information processed in the system, the following measures are used, in particular:

• Authorization and access control based on logins, passwords, multi-factor authentication, and a role-based rights model;

• End-to-end encryption during data transmission and storage, including the use of TLS/SSL, as well as encryption of databases and backups;

• Segmentation of the server infrastructure, restricting access to administrative panels and API interfaces;

• Continuous auditing of user and administrator actions, maintaining event logs;

• Protection against external attacks (DDoS, SQL injections, XSS, etc.) using modern threat detection and prevention systems (IDS/IPS);

• Backup and duplication of critical components with regular recovery checks;

• Limiting the rights of TrackIT LLC employees to access User data solely to the extent necessary to provide technical support or fulfill contractual obligations (the “need-to-know” principle).

5.3. In the event of an incident involving the compromise of personal data or an attempt at unauthorized access, the Owner undertakes to:

• Immediately isolate and block the source of the threat;

• Conduct an internal investigation of the circumstances of the incident;

• If necessary, notify authorized bodies and affected Users in accordance with the procedure established by law;

• Implement corrective measures to minimize the consequences and prevent a recurrence of the incident.

5.4. All TrackIT LLC employees with access to personal data undergo mandatory training and sign a non-disclosure agreement (NDA). Violation of confidentiality will result in disciplinary and legal liability.

5.5. The User has all the rights stipulated by the Law of the Republic of Uzbekistan “On Personal Data” No. LRU-547 dated July 2, 2019, including:

• the right to receive information about the fact and purpose of processing their personal data;

• the right to access, correct, update, block, or delete their data;

• the right to revoke previously given consent for processing;

• the right to limit processing methods;

• the right to defend their rights in court or through authorized government agencies.

5.6. To exercise their rights, the User may submit a corresponding request in writing or through the MyProfit system interface. A response will be provided within 30 (thirty) calendar days of receipt of the request.

5.7. The Owner is not responsible for the consequences of the actions of third parties who gain access to the User’s data through the User’s fault, including in the following cases:

• sharing logins and passwords with third parties;

• using compromised or unsafe devices;

• failure to properly configure security settings on corporate equipment or browsers.

6. Cross-border Data Transfer, Interaction with Government Agencies, and Contacts

6.1. Due to the specific architecture of the MyProfit system, including the use of cloud solutions, Users’ personal data may be transferred and stored outside the Republic of Uzbekistan only in compliance with legal requirements and with an equivalent level of protection.

6.2. Cross-border data transfer is permitted under the following conditions:

• the selected country ensures adequate legal protection of personal data in accordance with international standards;

• appropriate Data Protection Agreements have been concluded with storage operators, cloud providers, or technical partners;

• encryption, authentication, and access control mechanisms have been implemented to prevent unauthorized access to data processing.

6.3. By accepting this Policy, the User consents to the cross-border transfer of their personal data to the extent necessary for the functioning of the MyProfit system, including, but not limited to: registration data, account data, financial and contractual information, system logs, and telemetry.

6.4. The Owner has the right to provide the User’s personal data upon official request from authorized bodies of the Republic of Uzbekistan exclusively in cases and according to the procedure stipulated by current legislation. In this case, the transfer is carried out only:

• upon presentation of a duly executed document (request, decree, court order);

• in a volume proportionate to the purpose of the request;

• provided that the transfer does not violate the rights and legitimate interests of other subjects of personal data.

6.5. The User has the right to send any requests, comments, appeals, and demands related to the processing of their personal data through the following official channels:

• Email: [email protected]

• Legal and postal address: 100158, Republic of Uzbekistan, Tashkent city, Bektemir District, 51 Husain Baykaro Street, Office 2, “TrackIT” LLC.

• Legal Department: upon prior written request through the system interface.

6.6. The applicable law to this Policy and any relations arising in connection with its implementation is the law of the Republic of Uzbekistan. All disputes and disagreements not resolved through the claims procedure shall be considered exclusively by the courts of the Republic of Uzbekistan at the place of registration of the Owner.

6.7. This Policy shall enter into force upon its publication in the MyProfit system interface and shall remain in effect until it is officially replaced or cancelled. Users will be duly notified in the event of material changes to the terms of the Policy.