This Privacy Policy governs the manner in which Karnival Pvt (“the Platform”) collects, uses, maintains, and discloses information collected from users (each, a “User”) of the Platform. This document is aligned with the legal frameworks provided under the Pakistan Electronic Crimes Act (PECA) 2016, Contract Act 1872, and other applicable local and international standards, such as the General Data Protection Regulation (GDPR) for global compliance where applicable.
By using the Platform, you agree to the terms of this policy and consent to the processing of your personal data as outlined here. Failure to comply with the principles outlined herein may result in suspension of services, civil liabilities, or criminal prosecution under the relevant laws of Pakistan.
Personal Data:
Any information relating to an identified or identifiable natural person. This includes but is not limited to identifiers such as names, addresses, identification numbers, location data, and other factors specific to a person’s identity.
Data Controller:
Karnival Pvt acts as the Data Controller with respect to the collection, use, and management of personal information provided by users.
Data Processor:
Third-party services that process data on behalf of Karnival Pvt, including payment gateways and cloud storage providers, fall under the definition of Data Processors, as specified by Pakistan’s draft Personal Data Protection Bill.
Processing:
Any operation or set of operations performed on personal data or on sets of personal data, including collection, recording, organization, storage, alteration, retrieval, and disclosure.
We collect and process personal data under the following legal bases:
3.1 Contractual Necessity:
When users enter into a contract to buy or sell items on our platform, their personal data is processed as part of the contractual obligations under the Contract Act 1872. Failure to provide necessary data may result in the inability to complete transactions.
3.2 Legitimate Interests:
Karnival Pvt processes certain data to further its legitimate interests in improving user experience, fraud detection, risk management, and marketing activities, as long as these interests are not overridden by users’ fundamental rights and freedoms.
3.3 Consent:
Where legally required, such as in the case of direct marketing activities or the use of cookies, Karnival Pvt obtains explicit user consent.
4.1 Categories of Data Collected:
We collect several categories of personal and non-personal data, including:
4.2 Sensitive Data:
In certain circumstances, sensitive personal data such as government-issued identification (CNIC, passports) or bank account details may be processed under the Personal Data Protection Bill (PDPB) 2020 in Pakistan. Sensitive data will be encrypted using the latest cryptographic protocols.
4.3 Data Minimization Principle:
We only collect data necessary for the purpose of fulfilling our services. This aligns with the PDPB’s minimization principle, ensuring we don’t over-collect or store excessive information that is not relevant to the user’s transaction.
5.1 Transaction Fulfillment:
Personal data collected is used primarily to complete transactions between buyers and sellers, including managing orders, payment processing, and coordinating delivery. These are critical processing activities under the performance of a contract as per Section 74 of the Contract Act 1872.
5.2 Fraud Detection & Prevention:
To protect users from fraud or unauthorized access, we collect and process user data to authenticate transactions, monitor suspicious activities, and identify fraudulent actors. Fraud detection tools comply with international standards (e.g., ISO 27001) and local cybersecurity laws under PECA 2016.
5.3 Direct Marketing:
Subject to your consent, personal data may be used to send you direct marketing communications about offers, promotions, and new features on the platform. You can opt out of these communications at any time.
6.1 Third-Party Service Providers:
We work with third-party service providers (e.g., payment processors, marketing agencies) who process your data on our behalf. All third-party processors are required to adhere to the privacy and data security standards outlined in this policy and comply with PECA 2016.
6.2 Legal Obligations:
We may share personal data in response to a valid legal request from governmental authorities or if required to do so by law, such as in the event of a criminal investigation. Disclosure will be governed by the Electronic Transactions Ordinance (ETO) 2002, PECA 2016, and applicable criminal laws.
6.3 Cross-Border Data Transfers:
Any personal data transferred outside of Pakistan will be transferred only to jurisdictions that offer an adequate level of data protection, or on the basis of contractual clauses, as stipulated in GDPR Article 46, applicable to global operations.
7.1 Right of Access:
Users have the right to request a copy of their personal data held by Karnival Pvt under the Freedom of Information Ordinance 2002. We will respond within 30 days of receiving a verified request.
7.2 Right to Rectification:
Users may request corrections to any inaccuracies or omissions in their personal data. Corrections will be made in line with the obligations under Section 27 of the PDPB.
7.3 Right to Data Portability:
Under the proposed Data Protection Bill, users can request that their data be transferred to another platform or service, where technically feasible.
7.4 Right to Erasure (“Right to be Forgotten”):
You may request the deletion of your personal data, and we will comply unless the retention is necessary for legal obligations (e.g., Tax Laws). This right is subject to conditions outlined in PECA 2016 and GDPR Article 17 for international users.
We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. User data related to financial transactions will be retained for a period of 7 years to comply with Pakistan’s Income Tax Ordinance 2001 and anti-money laundering (AML) obligations.
We implement various security measures, both technical and organizational, to protect personal data from unauthorized access, alteration, disclosure, or destruction. These include:
In compliance with ISO/IEC 27001, we perform regular security audits, vulnerability assessments, and penetration testing.
We may update this Privacy Policy from time to time. Significant changes will be communicated via email or through notifications on the platform. Your continued use of the Platform following such updates constitutes acceptance of the revised policy.