Privacy Policy
This Privacy Policy describes how Slex Pay ("we", "our", "us") collects, uses, discloses, retains, and safeguards personal and business information that we receive from merchants, end-customers, website visitors, and other parties who interact with our payment infrastructure, websites, applications, and merchant services. By using our services or accessing our website, you confirm that you have read and understood this Privacy Policy.
1. Introduction & Scope
Slex Pay is a fintech service brand offering payment processing, hosted checkout, invoicing, QR collections, point-of-sale, and settlement infrastructure to businesses operating in Pakistan. Banking and money-movement services are provided through licensed banking and financial-institution partners under applicable regulatory frameworks issued by the State Bank of Pakistan (SBP) and other competent authorities.
This Privacy Policy applies to:
- Visitors to our public website (slexpay.pk and related domains).
- Merchants and prospective merchants who submit signup, onboarding, KYC, or support requests.
- Authorized representatives, beneficial owners, partners, and signatories of merchant entities.
- End-customers of our merchants who initiate or receive payments via Slex Pay rails.
- Recipients of marketing or transactional communications from Slex Pay.
- Vendors, contractors, applicants, and other counterparties engaging with us.
This Policy does not govern third-party websites, applications, or services that may be linked from our platform. Please review those parties' own privacy notices for details on how they handle your information.
2. Information We Collect
Depending on your relationship with Slex Pay and the services you use, we may collect the following categories of information. Some categories are mandatory for compliance and service delivery; others are optional and provided at your discretion.
2.1 Identity & Contact Information
- Full legal name, father's name, nationality, gender, date of birth, and CNIC / SNIC / NICOP / Passport number.
- Residential and mailing addresses, postal codes, and country of residence.
- Email addresses, mobile and landline numbers.
- Photographs, signature samples, and biometric verification artifacts (such as NADRA Verisys outputs) where applicable.
2.2 Merchant & Business Information
- Registered business name, trading name, legal structure (sole proprietorship, partnership, AOP, Pvt. Ltd., Public Ltd., NGO, etc.), and date of incorporation.
- National Tax Number (NTN), Sales Tax Registration Number (STRN), Chamber of Commerce membership, and other regulatory registrations.
- Business address(es), branch details, registered office, website URL, social media handles, and merchant category code (MCC).
- Beneficial-ownership disclosures (typically 25% or higher), shareholder details, and authorized signatory information.
- Onboarding documentation: Memorandum & Articles of Association, partnership deed, Form A / Form 29, board resolutions, utility bills, tenancy or ownership agreements, bank-account proof, and similar evidence.
- Expected transaction volumes, average ticket size, customer-base profile, and operational geography.
2.3 Payment & Transaction Information
- Bank account titles, IBAN, account numbers, and bank/branch details for settlement.
- Card data (PAN, expiry, CVV) and wallet/UPI/QR identifiers — handled in tokenized form by our PCI-DSS-compliant partners. We do not store full card numbers, CVV codes, or PINs in clear text on our systems.
- Transaction details including amount, currency, timestamp, status, reference codes, descriptors, payment method, channel (web, mobile, POS, QR, link, in-app), and originating/destination identifiers.
- Settlement records, refund records, chargeback files, dispute correspondence, and reconciliation logs.
2.4 Technical & Device Information
- Device identifiers, hardware model, operating-system family and version, browser type and version, language, and time-zone settings.
- IP address, geolocation derived from IP, network/ASN information, and connection type.
- Application logs, error reports, crash diagnostics, and session recordings (where deployed for debugging or fraud review).
- Cookies, web beacons, pixels, local-storage entries, SDK identifiers, and similar tracking technologies.
2.5 Behavioral & Usage Information
- Pages visited, features used, clicks, scroll depth, time-on-page, navigation paths, and referral sources.
- Search queries within the platform, support-ticket history, and chat interactions.
- Email open and click-through events for transactional and marketing communications.
- Heatmap and journey analytics where deployed for product-experience improvement.
2.6 Risk, Compliance & Screening Data
- Sanctions-screening results (UNSC, OFAC, EU, UK, NACTA proscribed lists, etc.).
- Politically Exposed Person (PEP) and adverse-media screening outcomes.
- AML/CFT risk scores, transaction-monitoring alerts, and suspicious-activity indicators.
- Regulatory filings such as STRs / CTRs (Suspicious Transaction Reports / Currency Transaction Reports) submitted to the Financial Monitoring Unit (FMU) where required by law.
2.7 Communications & Support Information
- Records of your communications with us — emails, support tickets, in-app chats, call recordings (with applicable notice), and meeting notes.
- Feedback, surveys, ratings, testimonials, and any content you voluntarily share with us.
- Information you provide during dispute or chargeback proceedings.
2.8 Information from Third Parties
- NADRA Verisys, credit bureaus (e.g., DataCheck, eCIB), sanctions/PEP databases, business registries (SECP eServices, FBR IRIS), and litigation/court databases.
- Partner banks, payment networks, and acquiring/issuing institutions.
- Marketing partners, referral sources, and analytics providers.
- Public sources such as company websites, social-media profiles, news media, and government gazettes.
2.9 Information We Do Not Knowingly Collect
- Sensitive personal data such as health, religious beliefs, political opinions, or sexual orientation, unless required for a specific lawful purpose and provided voluntarily.
- Information from individuals under the legal age of contracting in Pakistan (eighteen years), except where permitted through a lawful guardian.
3. Sources of Information
We obtain information from the following sources:
- Directly from you — through signup forms, KYC submissions, contracts, onboarding interviews, support requests, surveys, and other communications.
- From your devices — automatically through cookies, SDKs, server logs, and analytics tools when you use our website or services.
- From your transactions — when you initiate, receive, refund, or dispute payments through our infrastructure.
- From third parties — including banking partners, NADRA, FBR, payment networks, sanctions databases, fraud-prevention services, credit bureaus, and publicly available sources.
- From referrals — when an existing merchant, partner, or affiliate introduces you to us.
4. Legal Basis for Processing
We process your information only where we have a lawful basis under Pakistan law and applicable international standards. The legal bases we rely on include:
- Performance of a contract — to onboard you, deliver requested services, process payments, and fulfill our contractual obligations.
- Legal obligation — to comply with the Anti-Money Laundering Act 2010, AML/CFT Regulations issued by the State Bank of Pakistan (SBP) and Securities and Exchange Commission of Pakistan (SECP), Federal Board of Revenue (FBR) requirements, the Prevention of Electronic Crimes Act 2016 (PECA), and other applicable laws.
- Legitimate interests — to operate, secure, and improve our services; prevent fraud and abuse; pursue or defend legal claims; and conduct internal administration.
- Consent — where required, for example for marketing communications or non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Vital interests / public interest — in rare circumstances where processing is necessary to protect a person's vital interests or to comply with public-interest mandates.
5. How We Use Your Information
We use the information we collect for the purposes described below.
5.1 Account Onboarding & Identity Verification
- Validating your identity, business credentials, beneficial ownership, and authorized representatives.
- Performing customer due diligence (CDD), enhanced due diligence (EDD), and ongoing monitoring where applicable.
- Screening against domestic and international sanctions, PEP, and adverse-media lists at onboarding and on a periodic basis.
5.2 Service Delivery
- Provisioning merchant accounts, hosted-checkout pages, invoicing tools, QR codes, POS terminals, APIs, webhooks, and developer credentials.
- Routing, processing, authorizing, clearing, and settling payment transactions through partner banks and networks.
- Issuing receipts, settlement reports, account statements, and transaction notifications.
- Configuring user roles, permissions, and merchant-account preferences.
5.3 Risk, Fraud & Security Management
- Detecting and preventing fraud, money laundering, terrorist financing, and other illicit activity.
- Performing transaction monitoring, velocity checks, behavioral analysis, device fingerprinting, and chargeback prevention.
- Investigating disputes, complaints, and suspicious activity, and reporting to regulators where required.
- Maintaining audit trails, forensic records, and breach-investigation evidence.
5.4 Communication & Support
- Responding to your inquiries, support tickets, and dispute escalations.
- Sending operational notifications such as service outages, security alerts, policy changes, and account updates.
- With your consent, sending product updates, newsletters, surveys, and promotional offers.
5.5 Service Improvement & Analytics
- Analyzing usage patterns to improve performance, reliability, and user experience.
- Conducting A/B tests, feature experimentation, and product research.
- Generating aggregated and de-identified statistics for internal reporting and benchmarking.
5.6 Legal, Regulatory & Audit Compliance
- Meeting our obligations under SBP regulations, AML Act 2010, FATF guidance, FBR requirements, PECA 2016, and other applicable laws.
- Responding to lawful requests from courts, regulators, and law-enforcement authorities.
- Defending or pursuing legal claims and exercising legal rights.
- Cooperating with internal and external auditors.
5.7 Corporate Actions
- Conducting due diligence in connection with mergers, acquisitions, financing, restructuring, or asset transfers, subject to appropriate confidentiality safeguards.
6. Sharing & Disclosure of Information
We do not sell your personal information. We share your information only with the parties listed below, and only to the extent necessary for the stated purpose.
6.1 Banking & Financial Partners
Licensed commercial banks, microfinance banks, Electronic Money Institutions (EMIs), payment-system operators (PSOs/PSPs), and acquiring partners that enable transaction processing, settlement, and cash-management services.
6.2 Payment Networks & Schemes
Card networks (e.g., Visa, Mastercard, PayPak, UnionPay), wallet providers (e.g., JazzCash, Easypaisa), and instant-payment systems (e.g., Raast, 1LINK, 1Bill) for the routing, authorization, and clearing of transactions.
6.3 Service Providers & Sub-Processors
Vendors that support our operations, including:
- Cloud hosting and infrastructure providers.
- KYC, identity-verification, and biometric-screening services.
- Fraud-prevention, transaction-monitoring, and risk-scoring providers.
- Email, SMS, push-notification, and OTP-delivery services.
- Customer-support, ticketing, and CRM platforms.
- Analytics, error monitoring, and product-experimentation tools.
- Auditors, accountants, tax advisors, and external legal counsel.
All sub-processors are contractually bound to maintain confidentiality and to process information only for the purposes we direct, in accordance with this Privacy Policy and applicable law.
6.4 Regulators & Public Authorities
- State Bank of Pakistan (SBP), Securities and Exchange Commission of Pakistan (SECP), Federal Board of Revenue (FBR), Financial Monitoring Unit (FMU), Pakistan Telecommunication Authority (PTA), NADRA, and other regulators with statutory authority.
- Courts, tribunals, and law-enforcement agencies in response to lawful orders, subpoenas, or written requests.
6.5 Group Entities & Affiliates
Our group companies, subsidiaries, and affiliates, where relevant for service delivery, internal administration, or shared compliance functions, under appropriate intra-group safeguards and binding internal policies.
6.6 Business Transfers
In the event of a merger, acquisition, financing, asset sale, restructuring, insolvency, or similar transaction, your information may be transferred as part of the business assets, subject to confidentiality obligations and continuity of this Privacy Policy.
6.7 With Your Consent
Where you have explicitly consented, we may share information with third parties for purposes specified at the time of consent (for example, enabling a third-party integration, accountant access, or referral attribution).
6.8 Aggregated & De-Identified Data
We may share aggregated or de-identified information that does not directly identify any individual, for analytics, research, benchmarking, regulatory reporting, or marketing purposes.
7. International Data Transfers
Slex Pay primarily processes data within Pakistan. However, certain service providers may host or process data outside Pakistan. Where such transfers occur, we ensure that:
- The receiving party offers an adequate level of data protection.
- Appropriate contractual safeguards (such as standard contractual clauses or equivalent measures) are in place.
- Transfers comply with the State Bank of Pakistan's data-localization, outsourcing, and cross-border-flow guidelines applicable to financial services.
- Where regulatory pre-approval is required for cross-border transfer of certain categories of data, such approval is obtained before transfer.
8. Cookies & Tracking Technologies
We use cookies and similar technologies to operate, secure, analyze, and personalize our services. The categories include:
- Strictly necessary cookies — required for authentication, session management, CSRF protection, and security. These cannot be disabled.
- Performance & analytics cookies — help us understand usage patterns and improve services.
- Functional cookies — remember preferences such as language, currency, or display settings.
- Marketing cookies — used with your consent to deliver relevant communications and measure campaign effectiveness.
You can control cookies through your browser settings or our consent banner where presented. Disabling certain cookies may limit functionality. For more details, please review our Privacy Terms.
9. Data Retention
We retain your information only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. Indicative retention periods include:
- KYC & onboarding records: Retained for at least five (5) years after account closure, as required under the AML Act 2010 and SBP AML/CFT Regulations.
- Transaction & settlement records: Retained for a minimum of five (5) years from the date of the transaction, or longer where mandated by law or court order.
- Tax & accounting records: Retained for at least six (6) years to satisfy FBR and statutory audit requirements.
- Support & communications records: Retained for up to three (3) years for quality assurance and dispute resolution.
- Marketing data: Retained until you withdraw consent, plus a reasonable period thereafter for suppression-list and audit purposes.
- Logs & technical telemetry: Retained for up to twelve (12) months for security and operational diagnostics, longer if required for an active investigation.
Where retention is no longer required, we securely delete, anonymize, or archive the information using industry-standard methods.
10. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information against unauthorized access, loss, alteration, or disclosure. Our security program includes:
- Encryption: TLS 1.2+ for data in transit and AES-256 (or equivalent) for sensitive data at rest.
- Tokenization: Card and account data are tokenized via PCI-DSS-compliant partners; we do not store sensitive authentication data such as full PAN, CVV, or PIN in clear text.
- Access controls: Role-based access, least-privilege principles, multi-factor authentication for privileged accounts, and periodic access reviews.
- Network security: Segmented production environments, web application firewalls (WAF), DDoS mitigation, and intrusion-detection systems.
- Application security: Secure-coding practices, code reviews, dependency scanning, vulnerability assessments, and periodic penetration testing.
- Logging & monitoring: Centralized log collection, tamper-evident audit trails, anomaly detection, and 24x7 security operations.
- Personnel: Background checks, confidentiality undertakings, and ongoing security and privacy training.
- Vendor risk: Due diligence, contractual obligations, and periodic reassessment of sub-processors.
- Incident response: Documented playbooks, defined escalation paths, regulator-notification procedures, and post-incident reviews.
- Business continuity: Regular backups, disaster-recovery testing, and resilience planning to minimize service disruption.
Despite these controls, no system can guarantee absolute security. If you suspect a security incident affecting your account, please contact us immediately via Support.
11. Data Breach Notification
In the unlikely event of a personal-data breach that is likely to result in a risk to your rights and interests, we will:
- Investigate and contain the incident promptly.
- Notify affected individuals and regulators (such as the SBP and FMU) in accordance with applicable timelines.
- Provide guidance on protective steps you may take, where appropriate.
- Document the incident, root cause, and remediation actions for audit and supervisory review.
12. Your Rights & Choices
Subject to applicable law and the legitimate interests of Slex Pay, our regulators, and our partners, you may exercise the following rights with respect to your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to correction: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your data, subject to applicable retention obligations.
- Right to restrict processing: Request restriction of certain processing activities.
- Right to object: Object to processing based on legitimate interests, including for direct marketing.
- Right to data portability: Receive your data in a structured, commonly used, machine-readable format where technically feasible.
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent.
- Right to lodge a complaint: Submit a complaint to the appropriate data-protection or sectoral authority.
To exercise any of these rights, please contact us via the Support page. We will respond within thirty (30) calendar days, or sooner where required by law. Where requests are manifestly unfounded, repetitive, or excessive, we may charge a reasonable fee or decline to act, and will explain the reason.
Please note that certain data — such as KYC records, transaction histories, and regulatory filings — must be retained to comply with statutory obligations and cannot be erased on request.
13. Marketing & Promotional Communications
With your consent, we may send you marketing communications about our products, features, partner offers, and industry updates. You may opt out at any time by:
- Clicking the "unsubscribe" link in any marketing email.
- Replying STOP (or the local equivalent) to SMS communications.
- Updating preferences in your merchant account.
- Contacting us via Support.
Opting out of marketing does not affect transactional or service-related communications, which are necessary for the operation of your account and for compliance with our regulatory duties.
14. Automated Decision-Making
Certain processes — such as fraud screening, risk scoring, sanctions matching, and transaction monitoring — may involve automated decision-making or profiling. These systems use objective rules and statistical models to identify potentially risky activity. Where an automated decision produces a significant effect on you (e.g., declining a transaction, restricting an account, or holding settlement), you may request human review by contacting Support, subject to applicable legal exceptions and operational constraints.
15. Children's Privacy
Our services are intended for businesses and individuals aged eighteen (18) years or older. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected such data, we will delete it promptly. Parents or guardians who believe their child has provided personal data to us may contact Support.
16. Third-Party Links & Services
Our website and services may contain links to third-party websites, applications, or integrations (e.g., banking partners, e-commerce plugins, analytics providers, social-media platforms). Slex Pay is not responsible for the privacy practices of these third parties. We encourage you to review their respective privacy policies before sharing personal information.
17. Confidentiality of Merchant & Transaction Data
Information regarding our merchants, their customers, and their transaction volumes is treated as commercially confidential. Slex Pay does not disclose merchant transaction data to competitors or unauthorized parties. Aggregated and anonymized statistics may be used for benchmarking, regulatory reporting, and product analytics without identifying any specific merchant or end-customer.
18. Specific Notices for Pakistan-Based Users
- SBP regulations: Where Slex Pay or its banking partners are required to share data with the SBP under prudential regulations, electronic-money guidelines, branchless-banking rules, or AML/CFT supervisory directives, such disclosures are made strictly within the scope of those obligations.
- PECA 2016 compliance: Slex Pay processes data in accordance with the Prevention of Electronic Crimes Act 2016, including obligations regarding data preservation, lawful interception requests, and cybercrime investigations conducted by the FIA's National Response Centre for Cyber Crime (NR3C).
- Personal Data Protection Bill: We monitor the development of Pakistan's Personal Data Protection legislation and will update this Policy and our internal practices to remain aligned with applicable requirements as they come into force.
- Tax & FBR matters: Tax-relevant data (e.g., NTN, withholding details, settlement summaries, sales-tax-on-services applicability) is shared with FBR, provincial revenue authorities, and authorized tax intermediaries as required by law.
- FMU reporting: Where suspicious or threshold transactions are detected, Slex Pay or its banking partners may file STRs/CTRs with the Financial Monitoring Unit. Such filings are confidential under law and cannot be disclosed to the subject of the report.
19. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Where appropriate, notify registered merchants via email or in-product notice.
- Provide a summary of significant changes when reasonably practicable.
Your continued use of our services following the effective date of an update constitutes acknowledgement of the revised Policy. We encourage you to review this page periodically.
20. Definitions
- "Personal Data" — any information relating to an identified or identifiable individual.
- "Processing" — any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Merchant" — a business or sole proprietor that uses Slex Pay services to accept or process payments.
- "End-Customer" — an individual or entity that initiates or receives a payment via a Merchant using Slex Pay.
- "KYC" — Know Your Customer; identity-verification and due-diligence procedures required under AML/CFT laws.
- "AML/CFT" — Anti-Money Laundering / Combating the Financing of Terrorism regulations.
- "PEP" — Politically Exposed Person.
- "PCI-DSS" — Payment Card Industry Data Security Standard.
- "Sub-Processor" — a third party engaged by Slex Pay to process personal data on its behalf.
By using Slex Pay's services or accessing our website, you confirm that you have read, understood, and agreed to the terms of this Privacy Policy.