Privacy Policy

Effective: 13 June 2026
Last updated: 13 June 2026
Jurisdiction: Islamic Republic of Pakistan

ChaiLink (Pvt) Ltd ("ChaiLink", "we") respects your privacy and is committed to protecting personal data processed through localhost. This Privacy Policy explains what data we collect, why we collect it, how we use and share it, and your rights under Pakistani law including the Prevention of Electronic Crimes Act, 2016 (PECA), applicable SBP regulations on customer data protection, and evolving data protection principles aligned with international best practices.

1. Data Controller and Contact

Data Controller: ChaiLink (Pvt) Ltd, Arfa Software Technology Park, Lahore, Pakistan.
Data Protection Contact: privacy@chailink.co
Legal Contact: legal@chailink.co

We will respond to privacy inquiries within fifteen (15) business days unless extended for complex requests.

2. Categories of Personal Data Collected

2.1 Creator Account Data: full name, CNIC/NICOP number (where required), date of birth, email, mobile number, profile photo, bio, social links, bank/wallet payout coordinates, tax identifiers if applicable.

2.2 Supporter Transaction Data: name (optional), message content, payment method selected, transaction amount, timestamp, device/browser metadata, IP address, and fraud scores.

2.3 Technical Data: cookies, session identifiers, crash logs, analytics events, referral URLs, and approximate geolocation derived from IP.

2.4 Communications: support tickets, dispute correspondence, and survey responses.

2.5 We do not intentionally collect special categories of data (health, biometric government IDs beyond verification, political opinions). Do not submit such data in supporter messages.

3. Purposes and Legal Bases of Processing

3.1 Service Delivery: processing Contributions, maintaining Vault balances, executing Payouts, displaying supporter messages.

3.2 Legal Compliance: AML/CFT screening, SBP reporting, tax record retention, response to lawful orders under PECA and Code of Criminal Procedure.

3.3 Security: fraud detection, abuse prevention, DDoS mitigation, account recovery.

3.4 Product Improvement: aggregated analytics without direct identification where feasible.

3.5 Marketing: only with explicit opt-in; Creators may receive product updates essential to account operation without separate consent.

4. Data Sharing and Third Parties

4.1 Payment Partners: Easypaisa/Telenor Microfinance Bank, JazzCash/Mobilink Microfinance Bank, Raast infrastructure operated under SBP, card acquirers and PCI-compliant gateways.

4.2 Identity Verification Providers: licensed e-KYC vendors for CNIC verification against NADRA protocols where integrated.

4.3 Cloud Infrastructure: hosting providers with data centers meeting contractual security standards; primary processing occurs with awareness of Pakistani data localization guidance.

4.4 Legal Disclosures: we may disclose data to FIA Cyber Crime Wing, SBP, FBR, courts, or law enforcement pursuant to valid legal process.

4.5 We do not sell personal data to advertisers.

5. Data Retention

5.1 Transaction records are retained for a minimum of seven (7) years per AML/CFT record-keeping requirements under SBP BPRD circulars.

5.2 Creator profile data is retained while the account is active and for three (3) years thereafter unless longer retention is required by law.

5.3 Supporter messages may be retained on Creator profiles until deleted by the Creator or account closure.

5.4 Logs and security data are retained for twelve (12) to twenty-four (24) months unless needed for active investigations.

6. Security Measures

6.1 TLS 1.2+ encryption in transit; AES-256 encryption at rest for sensitive fields.

6.2 Role-based access controls, MFA for administrative systems, annual penetration testing.

6.3 PCI-DSS scope minimization — card data tokenized by certified gateways; ChaiLink does not store full card numbers or CVV.

6.4 Incident response plan with notification to affected users and regulators where required by law within seventy-two (72) hours of confirmed breach affecting personal data.

7. Your Rights

7.1 Access: request a copy of personal data we hold about you.

7.2 Correction: update inaccurate Creator profile information via dashboard or support.

7.3 Deletion: request account deletion subject to legal retention obligations.

7.4 Objection: object to non-essential marketing communications.

7.5 Complaints: lodge complaints with ChaiLink first; you may also refer matters to relevant Pakistani authorities as they become designated under future data protection legislation.

8. Cookies and Tracking

8.1 Essential cookies enable login sessions, CSRF protection, and payment flow continuity.

8.2 Analytics cookies measure feature usage in aggregate; you may disable non-essential cookies via browser settings though some features may degrade.

8.3 We do not deploy third-party advertising trackers on supporter checkout pages.

9. Children

The Service is not directed to children under eighteen (18). We do not knowingly collect data from minors. If you believe a minor has created a Creator account, contact privacy@chailink.co for prompt deletion.

10. Policy Changes

Material changes will be notified via email or prominent Platform notice at least fifteen (15) days before they take effect. The "Last Updated" date at the top reflects the current version.