Privacy & Cookie Policy

CONTENTS

1. Who We Are
2. Data We Collect
3. How We Use Your Data
4. Third-Party Services
5. Cookies & Local Storage
6. Data Retention
7. Your Rights
8. Children's Privacy
9. International Transfers
10. Changes to This Policy
11. Contact & Data Requests

Summary: We collect the data you provide to run valuations and issue certificates. We use Supabase for auth and storage, Stripe for payments, and Anthropic's Claude API for AI. We use essential session cookies and optional analytics. You may request deletion of your account and data at any time by emailing mail@npm.works.

SECTION 01

Who We Are

Tasdeeq is a digital asset valuation platform operated by NPM ("NPM", "we", "us", "our"), a company registered in Dubai, UAE.

This Privacy & Cookie Policy explains how we collect, use, store, and protect your personal information when you use the Tasdeeq platform at tasdeeq.npm.works ("the Platform"). By using the Platform, you agree to the practices described in this Policy.

For questions about this Policy, contact us at mail@npm.works.

SECTION 02

Data We Collect

We collect the following categories of personal data:

Account data: Name, email address, password (hashed — never stored in plain text), and authentication method (email or Google OAuth).
Valuation inputs: Asset details you submit — including vehicle make/model/year/condition, property subtype/location/size/condition, and valuation purpose. This data is used to generate your AI estimate and/or certified report.
Certificate request data: All valuation inputs plus any additional information you provide (e.g. previous valuation values, asset descriptions, contact details for field inspection). Property location data including GPS coordinates and locality may be collected.
Payment data: We do not store card numbers or payment credentials. Stripe processes all payments and provides us with a transaction reference, amount, and credit quantity only. See Section 4 for Stripe's data practices.
Usage data: IP address, browser type, pages visited, and approximate geolocation derived from IP. This is collected automatically when you access the Platform.
Communications: If you contact us by email, we retain those communications for support and compliance purposes.

We do not collect sensitive personal data such as biometrics, health information, political opinions, or religious beliefs.

SECTION 03

How We Use Your Data

We use your data for the following purposes:

Service delivery: Running AI valuations, processing certificate requests, issuing PDF reports, and managing your account and credits.
Authentication & security: Verifying your identity, maintaining session integrity, and detecting fraudulent or abusive use of the Platform.
Payments: Facilitating credit purchases via Stripe and crediting your account on successful payment.
Communication: Sending transactional emails (e.g. certificate delivery, payment confirmation). We do not send marketing emails without your explicit consent.
Platform improvement: Analysing usage patterns in aggregate to improve AI accuracy, UI design, and service reliability. Individual valuation inputs may be used to fine-tune or evaluate AI performance, subject to anonymisation where technically feasible.
Legal compliance: Maintaining records as required under Pakistani law, responding to lawful government or court requests.

We do not sell your personal data to third parties. We do not use your data for advertising profiling.

SECTION 04

Third-Party Services

The Platform integrates the following third-party services. Each has its own data handling practices:

Supabase (Supabase Inc., USA): We use Supabase for user authentication, database storage (profiles, estimates, certificate requests), and file storage (survey photos, PDF certificates). Data is stored on AWS infrastructure. Supabase's Privacy Policy is available at supabase.com/privacy.
Stripe (Stripe, Inc., USA): Payments are processed exclusively by Stripe. Stripe is PCI-DSS Level 1 certified. We receive only non-sensitive transaction metadata. Stripe's Privacy Policy is available at stripe.com/privacy.
Anthropic (Anthropic, PBC, USA): Your valuation inputs (asset type, location, condition, and related details) are transmitted to Anthropic's Claude API to generate AI valuation estimates. Inputs are not linked to your name or email when sent to Anthropic — only asset data is transmitted. Anthropic's Privacy Policy is available at anthropic.com/privacy.
Google Fonts: Fonts are loaded from Google's CDN. This involves a DNS lookup and may log your IP address per Google's standard practices.
Cloudflare: The Platform may be served through Cloudflare's network for performance and security. Cloudflare's Privacy Policy is available at cloudflare.com/privacypolicy.

Note on AI data: When you run an AI valuation, your asset details are processed by Anthropic's Claude API. While we do not transmit your name or account email, the asset data itself (location, size, condition, etc.) is processed on Anthropic's servers subject to their data handling policies.

SECTION 05

Cookies & Local Storage

We use browser cookies and localStorage to enable core functionality and improve your experience. The table below describes what we use and why.

Name / Prefix	Type	Purpose	Expires
`sb-*`	Essential	Supabase authentication session. Required to keep you logged in. Cannot be disabled without breaking platform functionality.	Session / 1 week
`tasdeeq_cookie_consent`	Essential	Stores your cookie consent choice (accepted/rejected) so we don't show the banner repeatedly.	1 year (localStorage)
`est_state`, `ep_state`, `dash_payment`	Functional	Preserves your form state across Stripe payment redirects so you return to the right step after purchasing credits.	Session (sessionStorage)
Analytics cookies	Analytics	Not currently in use. If we introduce analytics in the future, this policy will be updated and your consent re-requested.	N/A

Managing cookies: You can configure your browser to block or delete cookies at any time. Note that blocking sb-* cookies will prevent you from logging in. You may also change your consent choice at any time by clearing your browser's localStorage for this site.

Consent: When you first visit the Platform, a banner will invite you to accept or reject non-essential cookies. Essential cookies (authentication and consent record) are always active as they are necessary for the Platform to function.

SECTION 06

Data Retention

Account data: Retained for as long as your account is active. On account deletion, your profile and personal details are deleted within 30 days, subject to legal hold obligations.
Valuation records: AI estimates and certificate requests are retained for a minimum of 7 years for professional liability and regulatory compliance. Valuation certificates are official documents and are retained indefinitely in our records.
Payment records: Transaction logs are retained for 7 years per standard accounting requirements.
Usage logs: Server access logs are retained for up to 90 days. Anonymised aggregate analytics may be retained indefinitely.
Beta data: During the beta period, additional data may be retained for debugging and model improvement as disclosed in our Terms & Conditions.

SECTION 07

Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

Access: You may request a copy of the personal data we hold about you.
Correction: You may request correction of inaccurate personal data.
Deletion: You may request deletion of your account and associated personal data. Note that valuation certificates and financial records may be retained for the periods described in Section 6.
Portability: You may request your valuation history and account data in a machine-readable format (JSON/CSV).
Objection: You may object to use of your data for platform improvement or AI training purposes.
Withdraw consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.

To exercise any of these rights, email mail@npm.works with the subject line "Data Rights Request". We will respond within 14 days. Identity verification may be required before processing sensitive requests.

SECTION 08

Children's Privacy

The Platform is intended for users aged 18 and above. We do not knowingly collect personal data from children under 18. If you believe a minor has registered an account, please contact us at mail@npm.works and we will promptly delete the account and associated data.

SECTION 09

International Data Transfers

Tasdeeq is operated from Pakistan. However, some of our third-party service providers (Supabase, Stripe, Anthropic) are based in the United States. By using the Platform, you acknowledge that your data may be transferred to and processed in countries outside Pakistan, including the USA.

We ensure such transfers are covered by appropriate safeguards (including the third parties' own compliance frameworks) and we only engage providers that maintain high data security standards.

SECTION 10

Changes to This Policy

We may update this Privacy & Cookie Policy from time to time. The "Last updated" date at the top of this page will reflect any changes. For material changes, we will notify registered users via email or an in-platform notice at least 14 days before the change takes effect.

Your continued use of the Platform after any changes constitutes acceptance of the revised Policy.

SECTION 11

Contact & Data Requests

For all privacy-related enquiries, data access or deletion requests, or concerns about how we handle your data:

Email: mail@npm.works
Subject line: "Privacy" or "Data Rights Request"
Company: NPM

We aim to acknowledge all privacy requests within 5 working days and resolve them within 14 working days.