1.About this notice
This Privacy Notice explains how Naasflow (operated by [[NAASFLOW_LEGAL_ENTITY]], a company organised under the laws of the Islamic Republic of Pakistan, referred to here as “Naasflow”, “we”, “us” or “our”) collects, uses, shares, retains and protects personal data when you visit naasflow.com or use the products and services we provide under the Naasflow brand (the “Services”).
This notice is published in English. If we translate it, the English version prevails in the event of any conflict. It is reviewed periodically and may change in line with section 15 below.
2.When we are a controller and when we are a processor
Naasflow operates a software-as-a-service workforce platform used by employers to run human resources, attendance, payroll, contractor management and related operations. The role we play in respect of any piece of personal data depends on the context:
- We are the controller of personal data we collect directly from visitors to our website, prospective customers, our own account holders (for example, when you sign up for an account, request a demo, or contact our sales team), and our own staff. For this data we determine the purposes and means of processing.
- We are a processor of personal data that an employer-customer (the “Customer”) uploads to, generates within, or otherwise routes through the Services about its workforce — for example employee records, attendance logs, payroll calculations, salary slips, CNIC numbers, bank account details, and contractor invoices (collectively, “Customer Workforce Data”). For this data the Customer is the controller; we process it on the Customer’s instructions under our Terms of Service and any applicable Data Processing Addendum.
If you are an employee, contractor, or other individual whose data is processed by us on behalf of a Customer, please direct rights requests and questions about that processing to your employer. We will support the Customer in responding to your request within the time-frames required by applicable law.
3.Scope of this notice
This notice applies to personal data processed by us:
- through the naasflow.com marketing website and any subdomain;
- through the Naasflow application, mobile app, customer portal, and APIs;
- in the course of pre-sales, onboarding, customer support, billing, and incident response activities; and
- in our offices, on our corporate channels, and in our internal systems insofar as personal data of our own staff and contractors is concerned.
This notice does not apply to the personal data processing of any Customer that uses the Services (each Customer maintains its own privacy notice) or to third-party websites, products, or services that link to ours.
4.Definitions
- Personal data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- Controller means the natural or legal person that determines the purposes and means of processing personal data.
- Processor means a natural or legal person that processes personal data on behalf of a controller.
- Sub-processor means a third party engaged by a processor to process personal data on the controller’s behalf.
- You means the natural person whose personal data we process.
5.Personal data we collect
The categories of personal data we collect, and the typical fields in each category, are set out below. Not every field is collected for every individual; what we collect depends on how you interact with us.
(a) Account & profile data. Full name, work email address, telephone number, role/designation, language, time zone, company affiliation, account password (stored only as a salted hash), profile picture, and account preferences.
(b) Customer Workforce Data we process on behalf of Customers (we act as processor). This may include, depending on what the Customer configures: full name, gender, date of birth, CNIC, NTN, marital status, dependents, home address, contact details, photograph, employment status, designation, department, reporting manager, joining date, contract terms, salary structure and history, attendance and biometric punch records, leave balances and requests, expense claims, loan and advance balances, salary slips, bank account details (account title, IBAN, branch), contractor agreements, invoices, payout instructions, year-end tax certificates, and other workforce records the Customer chooses to maintain in the Services. Some of this data is sensitive personal data under the law of Pakistan, including financial information, government identifiers, and (where recorded) information concerning religion, ethnicity, or disability.
(c) Customer billing data. Company name, NTN, STRN, billing address, contact name, billing email, payment method identifiers, invoice history, payment receipts, currency, and tax status.
(d) Technical & device data. IP address (which we store as a salted hash for anti-abuse purposes rather than in raw form on form-submission tables), user-agent string, device identifiers, browser type and version, operating system, screen resolution, language settings, pages visited, referring URL, timestamps, session identifiers, and application diagnostic data (error logs, performance traces).
(e) Communications. The content of emails, contact-form submissions, chat messages, support tickets, demo recordings (only where you have been informed and consented), and survey responses you send to or receive from us.
(f) Marketing data. Subscription preferences, email-open and link-click activity within our newsletters (where applicable), and event registrations.
We do not knowingly collect special categories of data such as biometric data for unique identification, genetic data, sexual orientation, or trade-union membership, except where (i) a Customer uploads such data as part of Customer Workforce Data under its own legal basis, or (ii) you voluntarily provide it to us.
6.How we collect personal data
We collect personal data:
- Directly from you when you create an account, submit a form, contact us, or interact with the Services.
- Automatically when you use the Services, through cookies, similar technologies, and server-side logs (see section 10).
- From your employer if you are an employee or contractor whose data your employer uploads to the Services.
- From third parties we work with for the limited purposes described in this notice, including identity verification, anti-fraud, payment processing (where applicable), and integration partners you have authorised.
- From public sources, such as publicly available business directories, when we research prospective customers.
7.Why we process personal data, and on what legal basis
We process personal data for the purposes set out below. Where the applicable law requires us to identify a specific lawful basis for processing (including, where in force, the Personal Data Protection Act of Pakistan), the legal basis for each purpose is shown in brackets.
- To provide and operate the Services, including account creation, authentication, configuration, customer support, and incident response. [Performance of a contract with you or the Customer; legitimate interest in operating our business.]
- To process Customer Workforce Data on the Customer’s documented instructions. [Performance of the Customer’s contract with us; the Customer is the controller and is responsible for establishing the lawful basis vis-à-vis the data subject.]
- To bill and collect amounts owed and comply with our tax-record retention obligations. [Performance of a contract; legal obligation under FBR rules.]
- To secure the Services, prevent fraud, detect abuse, maintain audit logs, and respond to security incidents. [Legitimate interest in protecting users and our systems; legal obligation under the Prevention of Electronic Crimes Act 2016 and related instruments.]
- To communicate with you about the Services, service changes, security advisories, support tickets, and transactional matters. [Performance of a contract; legitimate interest in keeping users informed.]
- To send direct marketing about our products and features that we believe may be of interest, where you have opted-in or where applicable law permits us to do so on a soft opt-in basis. [Consent; legitimate interest where permitted.]
- To improve the Services, including analytics, product research, and AI-assisted feature development (only where you or the Customer has opted in to such features). [Legitimate interest, balanced against your rights; consent where required.]
- To comply with law, respond to lawful requests from public authorities, defend legal claims, and enforce our agreements. [Legal obligation; legitimate interest in establishing, exercising, or defending legal claims.]
You may withdraw any consent you have given at any time by writing to us at privacy@naasflow.pk. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal, and does not affect processing that we carry out on a different legal basis.
9.International transfers of personal data
Some of our sub-processors are established outside Pakistan, including in the European Union (Supabase EU region) and the United States (Vercel, Anthropic). Where personal data is transferred to a jurisdiction whose data-protection laws differ from those of Pakistan, we implement appropriate safeguards, which may include:
- contracts with sub-processors that impose data-protection obligations consistent with those in this notice;
- relying on recipients with industry-standard certifications (such as ISO 27001 or SOC 2) where available;
- applying transfer mechanisms recognised under the laws of the recipient’s jurisdiction (such as the European Commission’s standard contractual clauses) where they offer adequate protection; and
- making Customer data-residency arrangements available on request for Customers that require their data to remain within a specific region.
You may request a copy of the safeguards in place for transfers relevant to your data by writing to privacy@naasflow.pk. Some commercially sensitive terms may be redacted.
10.How long we keep personal data
We retain personal data only for as long as we have a legitimate purpose to do so, and in line with the periods below. After the retention period expires, we delete or anonymise the data, except where continued retention is required by law or to defend or establish a legal claim.
- Account & profile data — for the duration of the account, then up to ninety (90) days after closure to allow for export, dispute resolution, and accidental-deletion recovery.
- Customer Workforce Data — for the duration of the Customer’s subscription, then up to ninety (90) days after termination, after which the data is permanently deleted from primary systems and from backups within a further sixty (60) days. Customers may export their data at any time before deletion.
- Billing & tax records — for at least six (6) years from the end of the relevant tax year, as required by the Income Tax Ordinance 2001 and the Sales Tax Act 1990.
- Audit logs and security telemetry — for at least seven (7) years from the date of the event, or longer where a specific incident or investigation requires it.
- Support tickets and communications — for three (3) years from the date of the most recent interaction.
- Marketing data — until you opt-out, plus one (1) year to demonstrate compliance with your opt-out request.
- Cookies and similar technologies — for the lifetimes set out in our cookie disclosures (section 10).
12.Your rights in relation to personal data
Subject to the conditions and limits in applicable law, you have the following rights in relation to personal data we hold about you as a controller:
- Access — to obtain confirmation of whether we process your personal data and a copy of that data.
- Rectification — to have inaccurate personal data corrected and incomplete data completed.
- Erasure — to have personal data deleted in the circumstances permitted by law (for example, where it is no longer necessary for the purposes for which it was collected).
- Restriction — to request that we restrict processing of your personal data in certain circumstances (for example, while the accuracy of the data is being verified).
- Objection — to object to processing that we carry out on the basis of our legitimate interests, and to object to direct marketing at any time.
- Portability — to receive personal data you have provided to us in a structured, commonly used and machine-readable format, where the processing is based on consent or a contract and carried out by automated means.
- Withdrawal of consent — where processing is based on consent, to withdraw that consent at any time.
- Complaint — to lodge a complaint with the relevant data-protection authority constituted under Pakistani law.
To exercise any of these rights, write to privacy@naasflow.pk. We will acknowledge your request within seven (7) calendar days and respond substantively within thirty (30) calendar days, unless the request is complex or numerous, in which case we may extend the period by a further sixty (60) days and will tell you why. We may ask you to verify your identity before responding.
If your data is held by us as a processor on behalf of a Customer (your employer), please direct your request to the Customer. We will support the Customer in responding to your request within the time-frames the law requires.
13.How we secure personal data
We maintain technical and organisational measures appropriate to the risk of processing, including encryption in transit (TLS 1.3) and at rest (AES-256), tenant isolation enforced at the database layer via row-level security, role-based access control, mandatory audit logging for sensitive actions, daily backups with point-in-time recovery, and a documented incident-response process.
A summary of our security posture, including the controls we have in place and the certifications we are working towards, is published at naasflow.com/security. No system can be guaranteed to be perfectly secure; we continuously improve our defences and disclose material incidents in line with our incident-response procedures.
14.Children
The Services are intended for use by employers and their staff in a workplace setting. We do not knowingly collect personal data from children under the age of eighteen (18). If you believe we have collected personal data of a child, please contact us at privacy@naasflow.pk and we will take steps to delete the data without undue delay.
15.Changes to this notice
We may update this notice from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we do, we will revise the version number and the “last updated” date shown at the top of this page. Material changes will be notified to account holders by email or through an in-product notice at least fourteen (14) days before they take effect, unless a shorter period is required to comply with the law.
Prior versions of this notice are available on request from privacy@naasflow.pk.
16.How to contact us
Naasflow is operated by [[NAASFLOW_LEGAL_ENTITY]] (NTN [[NTN_NUMBER]], CUIN [[CUIN]]), with registered office at [[REGISTERED_OFFICE_ADDRESS]].
For privacy-related enquiries, requests to exercise your rights, or complaints, write to privacy@naasflow.pk. For security incident reports, write to security@naasflow.pk.
You may also lodge a complaint with the data-protection authority constituted under Pakistani law (currently pending establishment under the Personal Data Protection Act). We would, however, appreciate the opportunity to address your concerns first.