Privacy Policy
Read the Privacy Policy and learn how your information is handled.
Effective date: 2026-04-03
This Privacy Policy (the “Policy”) explains how Abdul Rafay (“I,” “me,” “my,” or the “Operator”) collects, uses, stores, and protects personal data in connection with the website located at https://rafay99.com and all subdomains (collectively, the “Website”). This Policy is incorporated by reference into the Terms and Conditions governing use of the Website.
By accessing, browsing, or using the Website in any manner, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, you must immediately cease all use of the Website.
Article 1. Definitions
1.1. “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
1.2. “Processing” means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.3. “User,” “you,” or “your” means any natural person who accesses or uses the Website.
1.4. “Third-Party Processor” means any entity engaged by the Operator to process Personal Data on behalf of the Operator.
1.5. “Consent” means any freely given, specific, informed, and unambiguous indication of the User’s wishes by which the User, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to them.
1.6. “Essential Processing” means Processing strictly necessary for the operation of the Website and for which Consent is not required under applicable law.
1.7. “Non-Essential Processing” means Processing that is not Essential Processing, including analytics, advertising, and functionality enhancement, for which Consent is required.
Article 2. Data controller and contact information
2.1. The data controller responsible for Processing under this Policy is Abdul Rafay, an individual operating from Pakistan. The Operator may be contacted at [email protected].
2.2. The Operator has not appointed a Data Protection Officer, as the nature, scope, context, and purposes of Processing do not require such appointment under Article 37 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Article 3. Categories of personal data collected
3.1. Essential Data. The Operator automatically collects the following categories of Personal Data through standard server operations, which constitute Essential Processing: (a) Internet Protocol (IP) addresses, anonymized to the /24 subnet level; (b) HTTP request headers, including browser type and version, operating system, and device type; (c) requested URLs and timestamps; (d) HTTP referrer information; (e) Transport Layer Security (TLS) handshake metadata; and (f) error logs and diagnostic information. This data is processed for the purposes of network security, fraud prevention, technical diagnostics, and compliance with legal obligations. The legal basis for Essential Processing is the Operator’s legitimate interest in maintaining Website security and functionality, pursuant to Article 6(1)(f) GDPR, and compliance with legal obligations pursuant to Article 6(1)(c) GDPR where applicable.
3.2. Non-Essential Data. With the User’s explicit Consent, the Operator collects the following categories of Personal Data: (a) full, unanonymized IP addresses; (b) precise geolocation data derived from IP addresses or device capabilities; (c) unique device identifiers and browser fingerprints; (d) detailed browsing behavior, including pages visited, time spent, scroll depth, click patterns, and navigation paths; (e) demographic inferences and interest categories; and (f) cross-site tracking identifiers. This data is processed for the purposes of traffic analytics, content optimization, and personalized advertising. The legal basis for Non-Essential Processing is Consent pursuant to Article 6(1)(a) GDPR.
3.3. The Operator does not collect special categories of Personal Data as defined in Article 9 GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. The Operator does not knowingly collect Personal Data from children under sixteen (16) years of age.
Article 4. Mechanisms of collection
4.1. Server Logs. All requests to the Website are logged by the hosting infrastructure. Log entries include the data categories described in Section 3.1 and are retained for thirty (30) days, after which they are automatically deleted.
4.2. Cookies and Similar Technologies. The Website uses cookies, web beacons, local storage, and similar tracking technologies. Cookies are classified as follows: (a) Strictly Necessary Cookies, which enable core functionality and cannot be disabled; (b) Analytics Cookies, which collect information about how Users interact with the Website; and (c) Marketing Cookies, which are used to deliver personalized advertisements.
4.3. Consent Management. Upon first accessing the Website, Users are presented with a cookie consent mechanism that requires affirmative, granular selection of cookie categories. Pre-ticked boxes or implied consent through continued browsing are not used. Users may withdraw Consent at any time through the cookie settings interface or by contacting the Operator. Records of Consent, including timestamp, scope, and method of acquisition, are maintained for twelve (12) months.
4.4. Do Not Track. The Website detects and respects Do Not Track (“DNT”) signals transmitted by User browsers. When a DNT signal is detected, only Strictly Necessary Cookies are loaded. The Website also supports the Global Privacy Control (“GPC”) signal.
Article 5. Third-party processors and data transfers
5.1. The Operator engages the following Third-Party Processors:
- (a) Google LLC, located in the United States, for web analytics and advertising services. Google processes Personal Data under the terms of the Google Ads Data Processing Terms and the Google Analytics Data Processing Amendment. Google participates in the EU-US Data Privacy Framework and processes EU personal data in accordance with Standard Contractual Clauses approved by the European Commission.
- (b) Vercel Inc., located in the United States, for website hosting and edge analytics. Vercel processes Personal Data under its Data Processing Agreement and participates in the EU-US Data Privacy Framework.
- (c) Cloudflare, Inc., located in the United States, for content delivery network services and DDoS protection. Cloudflare processes Personal Data under its Data Processing Addendum and participates in the EU-US Data Privacy Framework.
5.2. The Operator has executed Data Processing Agreements with each Third-Party Processor that impose obligations equivalent to those under Article 28 GDPR. Copies of these agreements are available upon request.
5.3. Personal Data may be transferred to and processed in jurisdictions outside the User’s country of residence, including the United States, the European Union, and Pakistan. Such transfers are effected through: (a) adequacy decisions issued by the European Commission where applicable; (b) Standard Contractual Clauses with supplemental technical measures including encryption in transit and at rest; or (c) the EU-US Data Privacy Framework certification of the recipient.
Article 6. Purposes and legal bases of processing
6.1. The Operator processes Personal Data for the following purposes: (a) operating, maintaining, and securing the Website; (b) analyzing Website traffic and User behavior to improve content and functionality; (c) displaying personalized advertisements to Users who have provided Consent; (d) complying with legal obligations and responding to lawful requests from public authorities; and (e) establishing, exercising, or defending legal claims.
6.2. The legal bases for Processing are: (a) legitimate interests pursuant to Article 6(1)(f) GDPR for Essential Processing; (b) Consent pursuant to Article 6(1)(a) GDPR for Non-Essential Processing; and (c) compliance with legal obligations pursuant to Article 6(1)(c) GDPR where applicable.
Article 7. Data retention
7.1. Personal Data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.
7.2. Retention periods are as follows: (a) server logs containing IP addresses: thirty (30) days; (b) analytics data collected with Consent: twenty-six (26) months, as configured in Google Analytics 4; (c) Consent records: twelve (12) months from the date of withdrawal or expiration; and (d) correspondence and contract records: seven (7) years from the conclusion of the relevant engagement, or as required by applicable statute of limitations.
7.3. Upon expiration of the applicable retention period, Personal Data is deleted or anonymized in a manner that precludes identification of the data subject.
Article 8. Data subject rights
8.1. Users have the following rights regarding their Personal Data, subject to applicable law:
- (a) Right of Access. The right to obtain confirmation of whether Personal Data concerning them is being processed, and if so, access to that Personal Data and specified information about the Processing.
- (b) Right to Rectification. The right to obtain without undue delay the rectification of inaccurate Personal Data concerning them, and to have incomplete Personal Data completed.
- (c) Right to Erasure (“Right to be Forgotten”). The right to obtain the erasure of Personal Data concerning them without undue delay, where one of the grounds specified in Article 17 GDPR applies.
- (d) Right to Restriction of Processing. The right to obtain restriction of Processing where one of the conditions specified in Article 18 GDPR applies.
- (e) Right to Data Portability. The right to receive Personal Data concerning them in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance, where the Processing is based on Consent or a contract and is carried out by automated means.
- (f) Right to Object. The right to object at any time to Processing of Personal Data concerning them which is based on legitimate interests, including profiling. Where Personal Data is processed for direct marketing purposes, the right to object at any time to such Processing.
- (g) Right to Withdraw Consent. The right to withdraw Consent at any time, without affecting the lawfulness of Processing based on Consent before its withdrawal.
- (h) Right to Lodge a Complaint. The right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement.
8.2. To exercise any of these rights, Users may contact the Operator at [email protected]. The Operator will respond to requests within thirty (30) days of receipt, which period may be extended by two (2) months where necessary, taking into account the complexity and number of requests. The Operator will inform the User of any such extension within one (1) month of receipt of the request, together with the reasons for the delay.
8.3. Where the Operator has reasonable doubts concerning the identity of the natural person making the request, additional information may be requested to confirm identity.
Article 9. Data security
9.1. The Operator implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: (a) encryption of Personal Data in transit using TLS 1.3; (b) encryption of Personal Data at rest where applicable; (c) access controls limiting access to Personal Data to authorized personnel; (d) regular security assessments and vulnerability management; and (e) incident response procedures.
9.2. In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, the Operator will notify the affected Users without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of the breach, unless the breach is unlikely to result in such risk. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Operator will also communicate the breach directly to the affected Users.
Article 10. Children’s privacy
10.1. The Website is not directed at children under sixteen (16) years of age, and the Operator does not knowingly collect Personal Data from children. If the Operator becomes aware that Personal Data of a child has been collected without verification of parental consent, such data will be deleted as soon as practicable.
10.2. If you believe that the Operator may have collected Personal Data from a child, please contact the Operator immediately at [email protected].
Article 11. Changes to this policy
11.1. The Operator reserves the right to modify this Policy at any time. Material changes will be notified to Users by posting a prominent notice on the Website for a period of thirty (30) days prior to the effective date of the changes. Non-material changes, including typographical corrections and clarifications, will take effect immediately upon posting.
11.2. Continued use of the Website following the posting of changes constitutes acceptance of those changes. If you do not agree to the modified Policy, you must cease using the Website.
Article 12. Dispute resolution
12.1. This Policy is governed by and construed in accordance with the laws of Pakistan, without regard to its conflict of law provisions.
12.2. Any dispute arising out of or in connection with this Policy, including any question regarding its existence, validity, or termination, shall be finally resolved by arbitration in accordance with the London Court of International Arbitration (LCIA) Rules, which rules are deemed to be incorporated by reference into this clause. The seat of arbitration shall be Singapore. The tribunal shall consist of one arbitrator. The language of arbitration shall be English.
12.3. Notwithstanding Section 12.2, Users residing in the European Union or the United Kingdom retain the right to lodge complaints with their local supervisory authority or to seek remedies before the courts of their Member State of residence, as provided under Articles 77 and 79 GDPR.
Article 13. Contact information
For any questions, concerns, or requests regarding this Policy or the Operator’s data practices, please contact:
- Abdul Rafay
- Email: [email protected]
- Website: https://www.rafay99.com/contact-me