Privacy Policy
Effective date: 1 July 2025 · Last updated: 27 June 2026
WeCertify is Pakistan's compliance platform. We act as your authorised representative when filing returns with FBR and SECP. Because that means handling sensitive personal and financial data, we take privacy seriously. This policy explains exactly what we collect, why, and how we protect it.
1. Information We Collect
Account information
Name, email address, phone number, country of residence, and password (hashed — we never store plaintext passwords).
Identity & tax information
CNIC number (encrypted at the application layer before storage — our database never holds a plaintext CNIC), NTN, tax year, employment status, income sources, salary slips, bank statements, wealth statement inputs, and any other documents you upload to support your filing.
Payment information
Subscription plan, payment method (JazzCash, EasyPaisa, or Stripe), and transaction reference numbers. We do not store full card numbers — Stripe handles card data under PCI-DSS on their own infrastructure.
Usage data
Pages visited, calculator inputs, session duration, and device/browser type. This is collected in aggregate and used only to improve the product.
2. How We Use Your Information
- Preparing and submitting tax returns, NTN applications, and wealth statements to FBR on your behalf.
- Sending you status updates, document requests, and filing confirmations via email and WhatsApp.
- Processing subscription payments and generating receipts.
- Monitoring your ATL (Active Taxpayer List) status and alerting you to changes.
- Assigning an in-house consultant (CA or tax specialist) to your filing.
- Detecting fraud and preventing unauthorised access to your account.
- Improving our calculators, onboarding flows, and product features using anonymised usage data.
We do not use your data for advertising, and we do not sell or rent it to any third party.
4. Storage & Security
All data in transit is protected by TLS 1.2+. CNICs are encrypted at the application layer before being written to the database — the database stores only ciphertext. Document files are stored as private objects in Cloudflare R2 and are accessible only via signed, expiring URLs generated server-side.
We use Supabase's Row Level Security (RLS) to ensure that users can only access their own records. Consultants can access only the filings explicitly assigned to them. Admin access is restricted to named WeCertify staff and is logged.
5. Data Retention
We retain your account and filing data for 7 years from the date of the relevant tax year filing. This matches the FBR record-keeping requirement under the Income Tax Ordinance 2001.
If you close your account, we will delete your profile, payment history, and uploaded documents within 90 days, except where retention is required by law. Filing audit trails (timestamped status events) are retained for the statutory 7-year period regardless.
6. Your Rights
You may contact us at any time to:
- Request a copy of the personal data we hold about you.
- Correct inaccurate information in your profile.
- Request deletion of your account and associated data (subject to legal retention requirements).
- Withdraw consent for WhatsApp notifications.
- Ask questions about how your data is processed.
To exercise any of these rights, email privacy@wecertify.pk. We will respond within 14 business days.
8. Changes to This Policy
We may update this policy when our services or applicable law changes. If we make a material change, we will notify active subscribers by email at least 14 days before the change takes effect. Continued use of WeCertify after that date constitutes acceptance of the updated policy.
9. Contact Us
WeCertify.pk
Privacy enquiries: privacy@wecertify.pk
General support: support@wecertify.pk

