This is a starter version of our legal terms. We're having them reviewed by Pakistani counsel before public launch. Please contact support if anything here matters to your decision to use Khata Saaz today.
Privacy Policy
Last updated: 2 May 2026
This policy explains what data Khata Saaz collects, how we use it, and the choices you have. We try to keep it readable; if anything here is unclear please ask us.
1. What we collect
Account: your phone number, name, business name, role (manufacturer / distributor / wholesaler / retailer), city, and optional NTN. Google sign-in: when you choose it, we receive your name, email, and a Google-issued ID token; we never see your Google password. Business records: the parties, products, invoices, payments, and inventory you record. Device: IP address and basic browser / device information for security and abuse prevention. Logs: timestamps of your actions for support and audit.
2. How we use it
To run the service: show you your data, calculate balances and aging, generate invoices, send WhatsApp and SMS notifications you trigger, and (in future) submit invoices to FBR through a licensed integrator. To keep the platform safe: detect abuse, comply with court orders or regulator requests, prevent fraud. To improve the service: anonymous, aggregate metrics — we never sell your records.
3. Who we share with
We share data only with the parties we need to operate the service: Google Cloud (hosting), Meta (WhatsApp Business API for messages you send), local SMS aggregators (when you use SMS), payment integrators when you use direct collection, and PRAL or its licensed integrators when you submit an invoice to FBR. We do not sell your data, and we do not share it for advertising. We may share data when required by Pakistani law or by a valid legal request.
4. Where your data lives
Khata Saaz currently runs on Google Cloud Platform with primary infrastructure in the United States (us-central1 region). This means your data leaves Pakistan in the course of normal operation. We use TLS in transit, encryption at rest, and per-business row-level isolation in the database so one shop's records cannot reach another's. We are evaluating GCP regions in the Asia-Pacific area for future deployments closer to home.
5. How long we keep it
While your account is active, we keep your data so the service works. If you close your account, we delete your business records within 90 days. We keep account-level information (phone, sign-in audit) for up to 12 months after closure for fraud prevention and legal compliance, then delete it.
6. Your rights
You can: see the data we hold about you, correct it, export it (CSV / PDF download is on the roadmap; in the meantime contact support), and ask us to delete your account. We respond to verified requests within 30 days. Closing your account triggers the deletion timeline above.
7. WhatsApp and SMS
When you trigger a WhatsApp or SMS notification (for example a payment reminder or an invoice link), we send the message through Meta or our SMS aggregator. The recipient's phone number, the message content, and a delivery status are processed by these providers. Recipients can reply STOP to opt out, which we honour. We do not send marketing messages to your customers.
8. Cookies and similar technologies
We use a small number of strictly necessary cookies: a session cookie for your sign-in, a CSRF token, and a locale preference. We do not use third-party advertising or tracking cookies.
9. Children
Khata Saaz is for businesses and is not directed at children under 18. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will close the account.
10. Changes to this policy
We will tell registered users by email or in-app notice when this policy changes. The date at the top reflects the latest published version.
11. Contact
For privacy questions or to exercise your rights, email support@khatasaaz.com. We try to reply within two business days.