Privacy Policy

Learn how Karnival collects, uses, and protects your personal information in compliance with Pakistani and international data protection laws.

1. Introduction

This Privacy Policy governs the manner in which Karnival Pvt ("the Platform") collects, uses, maintains, and discloses information collected from users (each, a "User") of the Platform. This document is aligned with the legal frameworks provided under the Pakistan Electronic Crimes Act (PECA) 2016, Contract Act 1872, and other applicable local and international standards, such as the General Data Protection Regulation (GDPR) for global compliance where applicable.

By using the Platform, you agree to the terms of this policy and consent to the processing of your personal data as outlined here. Failure to comply with the principles outlined herein may result in suspension of services, civil liabilities, or criminal prosecution under the relevant laws of Pakistan.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, including names, addresses, identification numbers, location data, and other factors specific to a person's identity.

  • Data Controller: Karnival Pvt acts as the Data Controller with respect to the collection, use, and management of personal information provided by users.

  • Data Processor: Third-party services that process data on behalf of Karnival Pvt, including payment gateways and cloud storage providers, as specified by Pakistan's draft Personal Data Protection Bill.

  • Processing: Any operation or set of operations performed on personal data, including collection, recording, organization, storage, alteration, retrieval, and disclosure.

3. Legal Basis for Data Processing

We collect and process personal data under the following legal bases:

  • 3.1 Contractual Necessity: When users enter into a contract to buy or sell items, their personal data is processed as part of the contractual obligations under the Contract Act 1872. Failure to provide necessary data may result in the inability to complete transactions.

  • 3.2 Legitimate Interests: Karnival Pvt processes certain data to further its legitimate interests in improving user experience, fraud detection, risk management, and marketing activities, as long as these interests are not overridden by users' fundamental rights and freedoms.

  • 3.3 Consent: Where legally required, such as for direct marketing or the use of cookies, Karnival Pvt obtains explicit user consent.

4. Data Collection and Usage

4.1 Categories of Data Collected:

  • User Profile Data: Name, email address, phone number, and mailing address.

  • Transaction Data: Payment details, history of transactions, and other data relevant to completing sales or purchases.

  • Device Information: IP address, operating system, browser type, and unique device identifiers.

  • Usage Data: Information on how users navigate through and interact with the Platform.

4.2 Sensitive Data: Sensitive personal data such as government-issued identification (CNIC, passports) or bank account details may be processed under the Personal Data Protection Bill (PDPB) 2020. Sensitive data will be encrypted using the latest cryptographic protocols.

4.3 Data Minimization Principle: We only collect data necessary for the purpose of fulfilling our services, in alignment with the PDPB's minimization principle.

5. Purpose of Data Processing

  • 5.1 Transaction Fulfillment: Personal data is used to complete transactions between buyers and sellers, including managing orders, payment processing, and coordinating delivery under Section 74 of the Contract Act 1872.

  • 5.2 Fraud Detection & Prevention: We collect and process user data to authenticate transactions, monitor suspicious activities, and identify fraudulent actors in compliance with ISO 27001 and PECA 2016.

  • 5.3 Direct Marketing: Subject to your consent, personal data may be used to send you direct marketing communications. You can opt out at any time.

6. Sharing and Disclosure of Personal Data

  • 6.1 Third-Party Service Providers: We work with third-party providers (e.g., payment processors, marketing agencies) who process your data on our behalf and must comply with PECA 2016.

  • 6.2 Legal Obligations: We may share personal data in response to a valid legal request from governmental authorities, governed by the Electronic Transactions Ordinance (ETO) 2002 and PECA 2016.

  • 6.3 Cross-Border Data Transfers: Any personal data transferred outside Pakistan will only be to jurisdictions offering adequate data protection, as stipulated in GDPR Article 46.

7. User Rights

  • 7.1 Right of Access: You may request a copy of your personal data. We will respond within 30 days of a verified request.

  • 7.2 Right to Rectification: You may request corrections to any inaccuracies in your personal data under Section 27 of the PDPB.

  • 7.3 Right to Data Portability: You can request your data be transferred to another platform, where technically feasible.

  • 7.4 Right to Erasure: You may request deletion of your personal data, subject to retention obligations under tax laws and PECA 2016.

8. Data Retention

We retain personal data for as long as necessary to fulfill the purposes outlined in this policy. User data related to financial transactions will be retained for 7 years to comply with Pakistan's Income Tax Ordinance 2001 and anti-money laundering (AML) obligations.

9. Data Security

  • Encryption: All personal data is encrypted using AES-256 standards during transmission and at rest.

  • Firewalls & Network Security: We employ firewalls, DDoS protection, and intrusion detection systems.

  • Access Controls: Only authorized personnel have access to personal data based on the principle of least privilege.

In compliance with ISO/IEC 27001, we perform regular security audits, vulnerability assessments, and penetration testing.

10. Breach Notification

In the event of a data breach, Karnival Pvt will notify affected users within 72 hours of discovery as required by PECA 2016 and GDPR Article 33, detailing the nature of the breach, data impacted, and steps to mitigate harm.

11. International Compliance

We adhere to international best practices for data protection, including the General Data Protection Regulation (GDPR) for users within the European Economic Area (EEA) and the California Consumer Privacy Act (CCPA) for users in the United States.

12. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. Significant changes will be communicated via email or through notifications on the Platform. Your continued use of the Platform following such updates constitutes acceptance of the revised policy.
