PRIVACY POLICY (PERSONAL DATA PROCESSING RULES) — yoyo24.uz
Effective date: 11.04.2026
Document version: 1.0.0
This Privacy Policy describes how the website and platform yoyo24.uz (hereinafter – the Platform) processes personal data.
Data controller (Operator): yoyo24.uz
Name: YATT YULDASHEVA NADEJDA YUREVNA
Reg. No.: 7598205
Legal address: ASALOBOD MFY 10 UY
Email for privacy-related matters: info@yoyo24.uz
This policy applies to personal data that we process when you:
create an account on the Platform;
place advertisements and use the Platform’s functions;
communicate with other users in chat;
make payments / top up your account with funds;
leave reviews or report content;
visit the Platform (technical data, cookies).
First name, last name
Email address
Password (not stored in plain text; stored only in cryptographic hash form with a “salt” — bcrypt/Argon2)
Account identifiers (for example, user ID)
Depending on what the user enters in the profile:
Phone number, address
Company information
Profile description, gallery, etc.
The user may choose not to display part of the profile data publicly.
Title, description
Category / subcategory
Location
Price / “no price” (if available), currency, unit type
Images
Advertisement term, status (for example, active / sold / deleted)
Additional attributes (for example, “new”, “unused”, color, etc.)
Advertisement language fields (UZ/RU/EN — if completed)
We store only the minimum necessary:
message text,
timestamp,
sender and recipient ID,
read status.
There is no end-to-end encryption. Messages are encrypted in transit (HTTPS), but may be stored in the system in a way that allows the platform to process them for security purposes (for example, to reduce fraud risks) and provide information to competent authorities in cases prescribed by law.
rating,
review text,
time/date,
which seller the review was left for,
who left the review (user ID / account).
reporter identification (user ID),
what is being reported (advertisement/user),
reason/comment of the report,
time/date,
administration decision and actions,
sanctions history (if applicable).
Depending on the settlement/payment model on the Platform:
account top-up amount, date, status,
payment identifiers (transaction ID),
payment service provider (for example, [Payme/Click] or another),
invoice details (company details), if the user submits them for invoice issuance.
We generally do not store full payment card data; payment processing takes place through the systems of payment service providers.
IP address,
User-Agent (browser/device identifiers),
device and system data (to the extent provided by the browser),
access events and security logs (audit logs): logins, errors, security events, administrator actions,
anti-bot data (rate limiting, local CAPTCHA).
We process data in order to:
ensure account creation and account management;
ensure the submission, publication, and display of advertisements;
provide the chat function;
ensure payments / account top-ups / payment record-keeping;
ensure moderation, Platform quality, and security (prevention of fraud, spam, attacks);
fulfill legal obligations (accounting, taxes, disputes);
examine user requests, complaints, and reports;
maintain and improve the operation of the Platform (internal, self-hosted analytics).
We process personal data on the basis of:
Performance of a contract — account, advertisements, chat, core platform functions;
Legal obligation — accounting, tax requirements, fulfillment of lawful requests;
Legitimate interests — security, prevention of fraud/spam, system protection, audit logs, moderation;
Consent — marketing cookies/trackers or similar technologies, if/when they are enabled with consent (see Section 12).
Publicly on the Platform: advertisement content and images (according to what the user has posted).
Other users: chat correspondence between the specific participants of the conversation; public profile data, unless the user has hidden it.
Administration: access to data only to the extent necessary for maintenance, security, moderation, and support.
We may transfer data to the following recipients/data processors:
hosting/data center service provider (servers physically located in Frankfurt, Germany);
email/SMPP gateway (local authorized SMTP solution);
payment service providers: [Payme, Click] or others used by the Platform;
internal (self-hosted) analytics (without external third-party trackers by default).
We do not disclose personal data to “third parties for marketing” by default.
8.1. The Platform’s infrastructure and data storage are located on servers physically situated in Tashkent, Uzbekistan.
8.2. If any service providers (for example, payment partners) are located outside the UZ or process data outside the UZ, we ensure an appropriate legal basis for such transfer (for example, the European Commission’s Standard Contractual Clauses (SCCs) or another mechanism permitted by the UZ), to the extent applicable.
We store data only for as long as necessary to achieve the purposes and fulfill legal obligations:
Account data: after the user requests deletion of the account, personal data is deleted or irreversibly anonymized within 30 days (except for data that must be retained due to legal obligations).
Deleted advertisements and chats: stored in an inactive archive for up to 1 year, after which they are deleted.
Payment and accounting data: 5–10 years (in accordance with applicable accounting/tax rules).
Security logs (IP, audit logs): 90–180 days, after which they are automatically deleted/rotated.
Backups: created daily, encrypted, and stored on an isolated backup server in Tashkent.
The user has the right to:
access their data;
rectify inaccurate data;
request deletion (to the extent this does not conflict with a legal obligation or legitimate interests, for example, security/disputes);
restrict processing;
object to processing (where the basis is legitimate interests);
data portability (to the extent applicable);
withdraw consent (where processing is based on consent), without affecting the lawfulness of processing before withdrawal.
Requests may be submitted to: info@yoyo24.uz. To protect users, we may request additional information to verify identity (for example, that the request be sent from the email registered in the account).
We use organizational and technical measures to protect personal data, including:
HTTPS/SSL encryption in data transmission;
password storage only in secure hash form (bcrypt/Argon2) with a “salt”;
access control, VPN, and firewalls at the data center level;
audit logs (logins, security events, admin actions);
rate limiting and local CAPTCHA against bots/attacks;
encrypted daily backups on an isolated server.
12.1. We use only strictly necessary cookies required for authentication and session integrity.
12.2. Marketing trackers are disabled by default and may be activated only with the user’s consent through a Consent Banner.
12.3. If additional cookies are introduced on the Platform (for example, for analytics or marketing), the user will be given the opportunity to accept or reject them.
We may disclose personal data to competent public authorities only where necessary and justified in accordance with applicable legal acts (for example, within the framework of an official request).
The user has the right to lodge a complaint with the supervisory authority:
State Center for Personalization under the Cabinet of Ministers.
We may update this Privacy Policy from time to time. The current version is always available on the Platform. We may also inform users about material changes by email.