MASK

Privacy Policy

Effective date: 15 March 2026 · Last updated: 15 March 2026

1. Introduction

MASK ("we," "us," "our") operates the link management platform at mask.pk (the "Service"). This Privacy Policy explains how we collect, use, store, share, and protect Personal Data when you use our Service, visit our website, or interact with links, bio pages, or QR codes created through our platform.

We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Pakistan Personal Data Protection Bill, and all other applicable data protection legislation.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. This policy should be read in conjunction with our Terms of Service.

2. Data Controller and Data Processor

As Data Controller: MASK acts as the data controller for Personal Data we collect directly from registered users (e.g., account information, billing details, usage data). We determine the purposes and means of processing this data.

As Data Processor: When we collect analytics data on behalf of our users (e.g., click data, page view data from visitors interacting with links or bio pages), we act as a data processor. In this capacity, we process data in accordance with our users' instructions and these terms. Our users (workspace owners) are the data controllers for such data and are responsible for ensuring they have appropriate legal bases and consent for this collection.

3. Information We Collect

3.1 Information you provide directly

  • Account data: Name, email address, password (stored as a cryptographic hash, never in plaintext), and organisation name upon registration.
  • Workspace data: Workspace names, member invitations, role assignments, and configuration preferences.
  • Blog and changelog data: Content, categories, tags, and publishing metadata for blog posts and platform changelog entries managed by administrators.
  • Content data: Links, bio page content, QR code configurations, campaign details, custom domains, tags, and folders you create.
  • Billing data: Subscription plan selection and billing history. Payment card details are processed and stored exclusively by our third-party payment provider and are never stored on our servers.
  • Communication data: Information you provide when contacting support, submitting abuse reports, or responding to surveys.
  • Contact form data: Name, email address, subject, and message content submitted through our contact form.

3.2 Information collected automatically

  • Analytics data (link/page visitors): When someone clicks a link, visits a bio page, or scans a QR code created through our Service, we collect: anonymised or truncated IP address, approximate geographic location (country level), device type, operating system, browser type, referring URL, and interaction timestamp.
  • Platform usage data (registered users): Feature usage patterns, session duration, API call volumes, and error logs to improve the Service.
  • Security data: Login timestamps, IP addresses associated with authentication events, two-factor authentication status, and suspicious activity indicators for fraud prevention.

3.3 Information from third parties

  • OAuth providers: If you sign in using a third-party provider (e.g., Google), we receive your name, email address, and provider account identifier. We do not receive or store your third-party password.
  • Payment provider: Transaction confirmations, subscription status updates, and billing event notifications from our payment processor.

4. Lawful Basis for Processing (GDPR Article 6)

We process Personal Data on the following lawful bases:

  • Contractual necessity (Art. 6(1)(b)): Processing necessary to perform our contract with you, including providing the Service, managing your account, processing subscriptions, and delivering analytics.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including platform security, fraud prevention, abuse detection, service improvement, and enforcing our Terms of Service. We balance these interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, such as tax regulations, financial reporting, and responding to lawful requests from public authorities.
  • Consent (Art. 6(1)(a)): Where we rely on consent (e.g., marketing communications, optional cookies), you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

5. How We Use Your Information

We use the information we collect for the following purposes:

  • To operate, maintain, and provide all features of the Service, including link redirection, bio page hosting, QR code generation, analytics dashboards, and campaign management.
  • To authenticate users, manage sessions, and enforce access controls including role-based permissions within workspaces.
  • To process payments, manage subscriptions, generate invoices, and administer billing.
  • To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service, including bot detection and suspicious click filtering.
  • To enforce our reserved slug registry and content policies.
  • To communicate service updates, security alerts, billing notifications, and, where you have opted in, marketing communications.
  • To improve and develop the Service through anonymised and aggregated usage analysis.
  • To comply with legal obligations and respond to lawful requests from authorities.
  • To respond to enquiries submitted through our contact form and maintain a record of correspondence.

6. Data Sharing and Disclosure

We do not sell, rent, or trade your Personal Data to third parties. We share data only in the following limited circumstances:

  • Service providers: We share data with trusted third-party service providers who assist us in operating the Service, including cloud infrastructure providers, payment processors, and email delivery services. These providers are contractually obligated to process data only on our behalf and in accordance with our instructions.
  • Workspace members: Analytics data, link data, and workspace configuration data are accessible to members of the relevant workspace in accordance with their assigned roles and permissions.
  • API and webhook consumers: If you configure API keys or webhook endpoints, data will be transmitted to the systems you designate. You are responsible for the security and privacy practices of those systems.
  • Legal requirements: We may disclose data if required to do so by law, in response to valid legal process (e.g., court orders, subpoenas), to protect the rights, property, or safety of MASK, our users, or the public, or to enforce our Terms of Service.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity. We will provide notice of any such transfer and any changes to applicable privacy practices.

7. Data Retention

We retain Personal Data only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law:

  • Account data: Retained for the duration of your account and for thirty (30) days following account deletion to allow for data export.
  • Analytics data: Retention periods vary by subscription plan. Free plans retain thirty (30) days of click and page view data. Paid plans retain data according to their plan entitlements. Enterprise customers may negotiate custom retention periods.
  • Billing and transaction data: Retained for a minimum of seven (7) years to comply with tax and financial reporting requirements.
  • Security and audit logs: Retained for up to twelve (12) months for security investigation and compliance purposes.
  • Anonymised and aggregated data: May be retained indefinitely as it cannot be used to identify individuals.

You may request deletion of your data at any time. Upon verified request, we will delete or anonymise your Personal Data within thirty (30) days, except where retention is required by law.

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or any jurisdiction with equivalent data protection legislation, you have the following rights regarding your Personal Data:

  • Right of access (Art. 15): You have the right to request a copy of the Personal Data we hold about you.
  • Right to rectification (Art. 16): You have the right to request correction of inaccurate or incomplete Personal Data.
  • Right to erasure (Art. 17): You have the right to request deletion of your Personal Data, subject to legal retention requirements.
  • Right to restriction of processing (Art. 18): You have the right to request that we restrict the processing of your Personal Data in certain circumstances.
  • Right to data portability (Art. 20): You have the right to receive your Personal Data in a structured, commonly used, machine-readable format and to transfer it to another controller.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

To exercise any of these rights, please contact us at privacy@mask.pk. We will respond to verified requests within thirty (30) days. We may request additional information to verify your identity before processing your request.

9. International Data Transfers

The Service may be hosted on infrastructure located outside Pakistan and the European Economic Area. Where Personal Data is transferred to countries that have not received an adequacy decision from the European Commission, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data processing agreements with all sub-processors that include equivalent data protection obligations.
  • Technical security measures including encryption in transit (TLS 1.2+) and encryption at rest.

You may request information about the specific safeguards applied to international transfers of your data by contacting privacy@mask.pk.

10. Cookies and Tracking Technologies

Essential cookies: We use strictly necessary cookies to maintain your authentication session, remember your preferences, and ensure the Service functions correctly. These cookies cannot be disabled as they are essential to the operation of the Service.

Analytics cookies: We may use first-party analytics cookies to understand how registered users interact with the platform in order to improve the Service. These cookies do not track you across third-party websites.

Blog and content cookies: We may use cookies to remember your reading preferences and to provide a personalised content experience on our blog and documentation pages.

No third-party advertising cookies: We do not use third-party advertising cookies, nor do we participate in cross-site tracking or behavioural advertising networks.

You can manage cookie preferences through your browser settings. Please note that disabling essential cookies may impair the functionality of the Service.

11. Security Measures

We implement appropriate technical and organisational measures to protect Personal Data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS and encryption at rest for sensitive data stores.
  • Cryptographic hashing of passwords using industry-standard algorithms (passwords are never stored in plaintext).
  • One-way hashing of API keys so that raw key values are not stored on our systems.
  • Two-factor authentication (TOTP) available for all user accounts.
  • Role-based access control (RBAC) within workspaces with granular permission levels.
  • Regular security assessments and code reviews.
  • Audit logging of administrative and security-relevant actions.
  • IP anonymisation and truncation for analytics data.

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents in accordance with our incident response procedures and applicable breach notification laws.

12. Children's Privacy

The Service is not directed at individuals under the age of sixteen (16). We do not knowingly collect Personal Data from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will take prompt steps to delete such data. If you believe a child has provided us with Personal Data, please contact us at privacy@mask.pk.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, as required by GDPR Article 34.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered users via email or in-app notification at least thirty (30) days before the revised policy takes effect.

We encourage you to review this policy periodically. Your continued use of the Service after the effective date of any revisions constitutes your acknowledgement of the updated policy.

15. Contact Information

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

  • Privacy and data protection: privacy@mask.pk
  • Security incidents: security@mask.pk
  • General legal enquiries: legal@mask.pk
  • General support: support@mask.pk

We will endeavour to respond to all enquiries within thirty (30) days.
