PRIVACY AND PERSONAL DATA PROCESSING POLICY Bishkek. Revision as of 13.02.2026 1. GENERAL PROVISIONS 1.1. This Policy defines how Callio (Sole Proprietor Daniil Viktorovich Ostapenko) collects, stores and processes users' personal data. 1.2. The Policy is drafted in accordance with the Law of the Kyrgyz Republic on Personal Information. 1.3. Use of the Service constitutes unconditional acceptance of this Policy. 2. DATA WE COLLECT We collect: Personal information: name, email, phone, company details (for legal entities). Technical data (VoIP): IP addresses, call data (CDR): numbers, date, time, duration, codec type. Call recordings (if enabled in the dashboard). Cookies for the web interface. 3. PURPOSES OF PROCESSING We use data for: identification and performance under the Offer; technical support and quality of service; billing and fraud prevention; compliance with KR law. 4. STORAGE AND SECURITY 4.1. Personal data is stored on secure servers. 4.2. Call metadata (CDR) is retained for the period required by KR telecommunications law (up to 2 years). 4.3. Call recordings are retained for 30 days or until deleted by the user. 4.4. We use SSL/TLS encryption. 5. DISCLOSURE TO THIRD PARTIES 5.1. We do not sell data for marketing. 5.2. Disclosure is only to: carriers for call delivery; KR state bodies upon lawful request. 6. USER RIGHTS You may: request information on stored data; request correction or deletion (subject to no outstanding obligations); withdraw consent (which will terminate access to the Service). 7. CHANGES TO THE POLICY 7.1. We may change the Policy. The new version takes effect upon publication on the site. CONTACT Sole Proprietor Daniil Viktorovich Ostapenko Email: owner@callio.online Address: Kyrgyz Republic, Bishkek

Privacy and Personal Data Processing Policy