Privacy Policy
This privacy policy explains what data Mavrify collects, how we use it, where it is stored, and what rights you have over it. It applies to the Mavrify Lock app, the Mavrify Shopkeeper app, the Mavrify Companion app, and the mavrify.com website.
If you have questions, email privacy@mavrify.com.
1. Who we are
Mavrify is a phone-lock SaaS platform operated for Pakistani installment retailers. During our pilot phase, the platform is operated by the founding team based in Lahore, Pakistan. Once incorporated, Mavrify Private Limited will be the legal data controller and contracting entity.
2. What data we collect
2.1 From end-customers (the phone buyer)
- Identity: name (in Latin and Urdu script), CNIC number, date of birth, father's name, photograph, signature.
- Contact: phone number, email address (if provided), home address.
- Device identifiers: IMEI, SIM subscription identifier, SIM carrier, device manufacturer and model, Android version, Google Play Services version.
- Plan data: total amount, down payment, installment schedule, payment history, lock/unlock events.
- Cryptographic material: a per-device cryptographic key sealed in the Android Keystore on the customer's phone (we never see the key itself; we store its identifier).
- Audit data: heartbeat timestamps, integrity check results, lock state transitions, tamper signals.
2.2 From shopkeepers (the retail partner)
- Username, password (hashed, never stored in plaintext), TOTP secret for multi-factor authentication.
- Shop name, branch identifiers, location.
- Actions logged for audit (which user did what, when).
2.3 From website visitors
- Standard Cloudflare-level request logs (IP address, user agent, requested path, response time). Retained for 7 days for security purposes.
- If you email us, we keep your email and message for as long as needed to respond and for our records.
3. How we use this data
- Operating the installment plan: generating unlock codes, processing payment recordings, applying lock/unlock state changes.
- Verifying identity at enrollment: validating CNIC information with NADRA Verisys (with consent).
- Communicating about your plan: SMS reminders, WhatsApp notifications, in-app notifications about installment status.
- Fraud prevention: detecting unusual patterns, SIM-swap events, tamper attempts.
- Compliance: retaining audit logs as required by Pakistan's Prevention of Electronic Crimes Act (PECA) and the forthcoming Personal Data Protection Act (PDPA).
- Improving the service: aggregated, de-identified analytics on platform usage.
We do not sell your data to anyone. Ever.
4. Where data is stored
During the pilot phase, data is stored on Cloudflare infrastructure (Workers, D1 database, R2 object storage, Durable Objects) with edge presence including Pakistan.
Ahead of Pakistan's Personal Data Protection Act enforcement, sensitive personal information (CNIC scans, customer photographs, signatures, consent documents) will be migrated to Pakistan-located storage. This migration is on our roadmap for Q3–Q4 2026.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
5. Who we share data with
We share the minimum data necessary with the following categories of third parties, each under a written agreement:
- Your shopkeeper: sees your plan, payment history, and basic identity data — they are your contracting counterparty.
- NADRA Verisys (Pakistan): CNIC information sent for identity verification at enrollment, with your consent.
- Payment providers (JazzCash, EasyPaisa, Raast, banking): transaction identifiers sent to confirm payment receipt.
- Communication providers (SMS aggregators, WhatsApp Business): phone number and message body for reminders.
- Cloud infrastructure provider (Cloudflare): processes data on our behalf as a data processor under a Data Processing Agreement.
- Google (Android Management API): device identifiers and policy state for the enterprise mobility infrastructure that powers the lock mechanism.
- Legal authorities: if compelled by a valid Pakistani court order or regulatory request.
We do not share data with advertisers, data brokers, or for any marketing purpose other than our own direct outreach.
6. How long we keep your data
- Active plan data: for the duration of the installment plan, plus 12 months for dispute resolution.
- Audit logs: 12 months minimum (PECA § 38 requirement), then archived.
- CNIC scans, photographs, signatures: for the duration of the plan, plus 12 months. After this, we delete unless you request earlier deletion (subject to legal retention rules).
- Website request logs: 7 days.
- Email correspondence: as long as needed to respond and for our records, typically 24 months.
7. Your rights
Under applicable Pakistani law and our own commitment, you can:
- Access the data we hold about you.
- Correct data that is inaccurate.
- Delete your data, subject to legal retention requirements (audit logs cannot be deleted before the 12-month retention period).
- Object to specific processing activities.
- Withdraw consent for data processing that relies on consent — note that this may prevent us from operating your installment plan.
- Receive a copy of your data in a machine-readable format.
To exercise any of these rights, email privacy@mavrify.com from the email address registered to your account, or contact your shopkeeper. We respond within 30 days.
8. Children
Mavrify is not directed at anyone under 18. We do not knowingly collect data from minors. Customer enrollment requires a valid CNIC, which is issued at age 18.
9. Security
- TLS 1.3 for all network traffic.
- AES-256 at rest for all stored data.
- Per-device cryptographic keys sealed in Android Keystore (StrongBox where available).
- Multi-factor authentication required for sensitive shopkeeper and administrator actions.
- Audit logs on every access to sensitive data.
- Cloudflare-managed master keys held under Shamir Secret Sharing with multiple custodians.
If you become aware of a security issue affecting Mavrify, please report it to security@mavrify.com.
10. Cookies and tracking
The Mavrify website uses no third-party trackers, no advertising cookies, and no analytics cookies that personally identify visitors. We may use functional cookies essential to website operation (e.g., to remember language preference).
11. International data transfers
During the pilot, some processing happens on Cloudflare's global network, which includes infrastructure outside Pakistan. We rely on Cloudflare's Standard Contractual Clauses for international transfer. As noted in section 4, sensitive personal information will be migrated to Pakistan-located storage ahead of PDPA enforcement.
12. Changes to this policy
We may update this policy. Material changes will be notified via in-app notification and email to active users at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
For any privacy-related question or to exercise your rights:
Email: privacy@mavrify.com
Subject line: "Privacy request"
Location: Lahore, Pakistan