Privacy Policy

Account Information

• Phone number: required for account creation and OTP authentication.
• Name and email: provided during profile setup. Email is optional but used for transaction notifications.
• City: used to show relevant listings and for shipping.

Verification Data (Sellers Only)

• CNIC last 4 digits: we store only the last 4 digits of your CNIC number. We never store the full CNIC number.
• Verification photos: selfie, CNIC front/back, and selfie holding CNIC. Stored securely in encrypted cloud storage. Used solely for identity verification.
• NTN number: optional, for business sellers.

Transaction Data

• Order details, escrow status, payment method, payment proof screenshots.
• Dispute records, evidence uploads, and resolution outcomes.

Communications

• In-app chat messages between buyers and sellers. Messages containing contact information (phone numbers, emails, social media handles) are automatically filtered to protect both parties.
• Original unfiltered messages are retained for dispute resolution and fraud investigation only.

Technical Data

• IP address, device information, and browser type, collected for security, rate limiting, and fraud detection.
• Session tokens, used for authentication. Stored as secure HTTP-only cookies.

• Account management: authenticate you, display your profile, manage your listings.
• Identity verification: verify seller identity through CNIC review. Verification is performed manually by our team, not by automated systems or third-party APIs.
• Escrow & payments: process transactions, hold escrow funds, release payouts.
• Dispute resolution: review evidence from both parties, make fair decisions.
• Fraud prevention: detect duplicate accounts, blocked IMEIs, suspicious listing patterns, and scam attempts.
• Notifications: send transaction updates via email and in-app notifications.
• Platform improvement: understand usage patterns to improve the service.

• We do NOT sell your personal data to third parties.
• We do NOT share your CNIC photos or verification data with anyone outside our verification team.
• We do NOT use your data for advertising or marketing profiling.
• We do NOT store full CNIC numbers. Only the last 4 digits.
• We do NOT store OTPs in plain text. They are hashed before storage.
• We do NOT send your personal data to any third-party verification service (NADRA, Shufti Pro, etc.).

We share limited data only in these cases:

• With the other party in a transaction: Buyer sees seller name, city, trust score, and verification status. Seller sees buyer name and city for shipping. Neither party sees the other's phone number, email, or CNIC data.
• With law enforcement: If required by Pakistani law, court order, or to prevent imminent harm.
• With service providers: Email delivery (Resend), cloud storage (Supabase), and hosting (Vercel). These providers process data on our behalf under strict confidentiality agreements.

• All data transmitted over HTTPS/TLS encryption.
• Authentication tokens are JWT-signed with a secret key and stored in HTTP-only, secure cookies.
• OTPs are hashed (SHA-256) before database storage.
• Verification photos are stored in private Supabase storage buckets with access controls.
• Admin access requires ADMIN role, enforced at both proxy and API levels with no development-mode bypass.
• Chat messages with contact information are filtered and the original is stored separately, accessible only during disputes.

• Account data: Retained as long as your account is active.
• Verification photos: Retained for the duration of your seller status plus 1 year after account deletion.
• Transaction records: Retained for 5 years for legal and audit purposes.
• Chat messages: Retained for 1 year after the related transaction is completed.
• OTP sessions: Auto-expire after 10 minutes and are deleted after use.
• Fraud logs: Retained indefinitely for pattern detection.

• Access: You can view all your personal data in your account settings.
• Correction: You can update your name, email, and city at any time.
• Deletion: You can delete your account from Settings. Personal data (name, email, phone) will be anonymized. Transaction history and reviews remain attributed to "Deleted User" for the counterparty's records.
• Data export: Contact us at support@yaqeenpk.com to request a copy of your data.

Note: Account deletion is not available while you have active orders or open disputes.

We use a single essential cookie (yaqeen_session) for authentication. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

Yaqeen is not intended for users under 18 years old. We do not knowingly collect data from minors. If we discover a minor's account, it will be terminated immediately.

We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email or in-app notification at least 7 days before taking effect.

Privacy questions or data requests: support@yaqeenpk.com

Security vulnerabilities: security@yaqeenpk.com