Privacy Terms
This page is a plain-language companion to our formal Privacy Policy. It explains, in practical terms, how Slex Pay collects, uses, and protects information; how cookies and tracking technologies work on our platform; what rights you have; how end-customers paying our merchants are protected; and how to contact us about privacy matters. If anything here conflicts with the formal Privacy Policy, the Privacy Policy prevails.
Last Updated: 5 May 2026 · Effective Date: 5 May 2026
1. What This Page Is For
Privacy Terms is a quick-reference document that helps you understand how your information flows through Slex Pay without having to read a full legal policy. We explain who we are, what we do with information, the choices you have, and the safeguards we apply. For a complete legal description, please see the Privacy Policy, the Terms of Service, and the AML & KYC Policy.
2. Privacy at a Glance (TL;DR)
- We collect what we need for onboarding, payments, security, and support — nothing more.
- We do not sell your personal information to anyone.
- We share with our banking partners and payment networks only as needed to process transactions.
- We retain records as long as the law requires (typically five to six years for KYC, transaction, and tax records).
- We protect your data with encryption, tokenization, access controls, and continuous monitoring.
- You have rights of access, correction, deletion (within legal limits), portability, and complaint.
- Cookies are explained in detail below; you can control most of them through your browser.
- If something goes wrong, contact us via Support — we respond within thirty (30) calendar days.
3. Who Should Read This Page
- Visitors — anyone browsing our website, even without signing up.
- Merchants — businesses using Slex Pay to accept payments online or in-person.
- End-customers — people who pay one of our merchants via cards, wallets, QR, or Raast.
- Authorized users — staff, accountants, or developers who access a merchant account.
- Partners & vendors — banks, networks, integrators, and service providers.
4. What Data We Collect — In Plain Words
Here is what we typically collect, with everyday examples so you know exactly what we mean:
4.1 Things You Tell Us Directly
- Example: Your name, CNIC, business name, NTN, address, mobile number, and email when you sign up as a merchant.
- Example: Your bank account / IBAN so we can settle your sales.
- Example: Documents you upload such as your shop photo, utility bill, or partnership deed.
4.2 Things We Learn from Your Transactions
- Example: A list of payments you accept — date, amount, method, status, and reference.
- Example: Refunds, chargebacks, and disputes raised by customers.
- Example: Settlement files we deliver to your bank.
4.3 Things We Pick Up Automatically
- Example: Your IP address, browser, and device when you log in.
- Example: Pages and features you use (this helps us fix bugs and improve performance).
- Example: Suspicious activity signals such as unusual login locations or rapid card retries.
4.4 Things We Verify with Trusted Third Parties
- Example: CNIC verification through NADRA Verisys.
- Example: Sanctions and PEP screening against UN, OFAC, and NACTA lists.
- Example: Business registry and tax-status checks via SECP eServices and FBR IRIS.
5. Why We Collect Each Type of Data
We do not collect data "just in case". Each item maps to a clear purpose:
- Identity & KYC — required by AML/CFT law to verify who you are.
- Bank account / IBAN — needed to send your settlement payouts.
- Business documents — required by SBP and our acquiring partners to underwrite merchants.
- Transaction data — needed to process, settle, refund, and dispute payments.
- Device & behavior data — used to detect fraud and protect your account.
- Support communications — needed to resolve your queries and improve our service.
- Marketing data — only used with your consent and you can opt out anytime.
6. Cookies & Tracking Technologies
Cookies are small text files placed on your device by a website. We use cookies and similar technologies (web beacons, pixels, local storage, SDK identifiers) to operate, secure, and improve our services. This section explains them in detail.
6.1 Categories of Cookies We Use
- Strictly necessary — for login sessions, CSRF protection, fraud screening, and load balancing. These cannot be disabled because the platform will not work without them.
- Functional — remember preferences such as language, currency, or saved merchant settings.
- Performance & analytics — help us understand which pages are slow, which features are used, and where users get stuck. We typically aggregate this data so it does not identify any individual.
- Advertising & marketing — placed only with your consent. They help us measure campaign effectiveness and show relevant content.
6.2 Indicative Cookies & Durations
This is an indicative (not exhaustive) list. Actual cookies may change as we improve the platform.
- slx_session — strictly necessary, session cookie for authentication. Expires when you close the browser.
- slx_csrf — strictly necessary, CSRF token to protect form submissions. Lifetime: session.
- slx_pref — functional, remembers your UI preferences. Lifetime: up to 12 months.
- slx_analytics — performance, anonymized usage analytics. Lifetime: up to 13 months.
- _ga, _gid — performance, Google Analytics (if enabled with consent). Lifetimes per Google's documentation.
- slx_consent — functional, records your cookie-consent choice. Lifetime: 12 months.
6.3 Web Beacons & Pixels
We may use 1×1 transparent pixels in emails to learn whether a message was opened or a link was clicked. This helps us measure engagement and reduce spammy outreach.
6.4 Mobile SDKs & Device Identifiers
If you use our mobile application or one of our merchants’ apps with our SDK embedded, we may collect mobile-specific identifiers (advertising ID, vendor ID) for fraud prevention and crash reporting. You can reset these identifiers in your phone settings.
6.5 How to Manage Cookies
- Use our consent banner (where presented) to accept or reject non-essential cookies.
- Use your browser’s settings to block, delete, or limit cookies. Most browsers allow per-site control.
- Use private/incognito mode to prevent persistent cookies altogether.
- Install reputable ad-blocking or privacy-protection extensions.
Note: blocking strictly necessary cookies may break login, payments, and security features.
6.6 Do Not Track (DNT) Signals
We currently do not respond to browser DNT signals because there is no industry-wide standard for honoring them. We may revisit this position when standards mature.
7. Privacy Notice for End-Customers
If you are paying a Slex Pay merchant for goods or services (rather than running a merchant account yourself), this section is for you.
- Who is your data controller? The merchant you are paying is the primary data controller for your customer information (name, contact details, order). Slex Pay processes the payment on the merchant’s behalf and is responsible for the payment-side data.
- What does Slex Pay see? Typically your card or wallet identifier (in tokenized form), the amount, the merchant name, and a transaction reference. We do not store your full card number or CVV.
- How long do we keep it? Transaction records are kept for at least five years to meet AML and tax laws.
- Will you receive marketing from us? No — we do not market to merchants’ customers. The merchant may market to you separately under their own privacy notice.
- Can you raise a dispute? Yes. Contact the merchant first; if unresolved, you may dispute the charge with your card issuer or contact us via Support.
8. Data-Processing Roles (Controller vs. Processor)
Privacy laws often distinguish between a "data controller" (the party that decides why and how data is used) and a "data processor" (the party that handles data on someone else’s instructions). Slex Pay plays both roles depending on context:
- Slex Pay as Controller — for our merchant onboarding, KYC records, fraud-prevention databases, marketing communications, website analytics, and corporate operations.
- Slex Pay as Processor — for payment data we process on behalf of a merchant (for example, when a merchant uploads customer-contact details to issue invoices).
Where Slex Pay acts as a Processor, our handling is governed by the agreement with the merchant (the Controller) and by applicable law. Merchants remain responsible for the legality of the data they share with us.
9. Sub-Processors & Vendors
Slex Pay uses carefully selected sub-processors to deliver its services. We require each sub-processor to:
- Sign a contract that includes confidentiality, data-protection, and information-security obligations.
- Process data only for the purposes we direct.
- Implement controls at least as strong as our own.
- Cooperate with audits, incident response, and regulatory inquiries.
- Notify us promptly of any actual or suspected security incident.
Categories of sub-processors include cloud hosting, KYC and identity verification, fraud-prevention and risk-scoring, email/SMS/push delivery, customer-support tooling, analytics and error monitoring, and professional services (auditors, lawyers, tax advisors).
We review the sub-processor list periodically and may add or remove vendors as our service evolves. Material changes affecting merchants will be communicated through our merchant portal or by email.
10. Security in Practice
Beyond the formal commitments in our Privacy Policy, here is what security looks like day-to-day at Slex Pay:
- Strong authentication for all internal admin access, including hardware-key MFA for sensitive systems.
- Network segregation with separate environments for production, staging, and development.
- Continuous monitoring of system logs, with alerts on anomalies routed to a 24x7 on-call team.
- Regular patching of operating systems, libraries, and dependencies based on severity.
- Periodic penetration tests by independent security firms, with findings tracked to closure.
- Quarterly access reviews to ensure only the right people retain access to sensitive systems.
- Phishing simulations and security training for all employees and contractors.
- Encrypted backups stored in geographically separate locations.
- Disaster-recovery drills to ensure we can restore service within defined recovery-time and recovery-point objectives.
11. Your Privacy Rights — with Real Examples
Subject to applicable law, you have the following rights:
- Right of access — Example: You can ask us for a copy of the KYC documents we hold for your merchant account.
- Right to correction — Example: If your registered phone number is wrong, you can ask us to correct it.
- Right to erasure — Example: You can ask us to delete your marketing-preferences profile. (Note: KYC and transaction records cannot be deleted because the law requires us to retain them.)
- Right to restrict processing — Example: If you contest the accuracy of data we hold, you can ask us to pause processing until we verify it.
- Right to object — Example: You can object to receiving marketing emails or to profiling-based product suggestions.
- Right to data portability — Example: You can request your transaction history in CSV format to migrate to another provider.
- Right to withdraw consent — Example: If you previously opted in to non-essential cookies, you can change your mind anytime.
- Right to lodge a complaint — Example: If you believe we mishandled your data, you can complain to the relevant regulator after raising it with us first.
12. How to Make a Privacy Request
To exercise any of your rights, follow these steps:
- Open the Support page and submit a request describing what you need.
- Choose the category "Privacy / Data Request" in the form.
- Provide enough information so we can locate your account and verify your identity (we will not act on requests we cannot authenticate, to protect you).
- Wait for our acknowledgement (usually within 2 business days) and our substantive response (within 30 calendar days).
- If our response does not satisfy you, you may escalate to the relevant regulator or authority.
We do not charge a fee for ordinary requests. We may charge a reasonable fee or refuse to act if a request is manifestly unfounded, repetitive, or excessive, and we will explain the reason.
13. International Data Transfers
Most of your data is processed inside Pakistan. Some service providers may host or process data abroad. When that happens, we require contractual safeguards (such as standard contractual clauses), check that the destination offers adequate protection, and follow SBP outsourcing and data-flow guidelines. Where the law requires regulatory pre-approval for cross-border transfers of certain categories of data, we obtain it before transfer.
14. Children's Privacy
Our services are designed for adults and businesses. We do not knowingly accept signups from anyone under eighteen (18) years of age. If you suspect a child has shared personal data with us, please contact Support so we can investigate and delete it.
15. Marketing Preferences & Communication Choices
We send three kinds of messages:
- Transactional — receipts, settlement notices, payment alerts, security warnings, and account updates. These cannot be turned off because they are necessary for the service.
- Service updates — product changes, policy updates, regulatory notices. These are largely required and cannot be fully turned off, but we keep them concise.
- Marketing — newsletters, partner offers, surveys. These are sent only with your consent and you can unsubscribe at any time.
To update your preferences, log in to your merchant portal or use the unsubscribe link in any marketing email.
16. Sharing With Banking & Network Partners
To process payments, settle funds, and meet regulatory obligations, we share necessary information with:
- Acquiring banks, sponsor banks, and microfinance banks.
- Payment networks: Visa, Mastercard, PayPak, UnionPay, JazzCash, Easypaisa, Raast, 1LINK, 1Bill.
- Issuing banks for chargebacks and dispute resolution.
- Settlement and reconciliation platforms operated by our partners.
These parties have their own privacy policies. We share only what is needed for them to play their role in the payment cycle.
17. Compliance with Pakistani Laws
- AML Act 2010 & AML/CFT Regulations — we conduct KYC, screen for sanctions/PEP/adverse media, monitor transactions, and file suspicious-activity reports with the Financial Monitoring Unit (FMU) where required.
- SBP regulations — for payment-systems operators, EMIs, and outsourcing arrangements with banks.
- Prevention of Electronic Crimes Act 2016 — we cooperate with lawful investigations by the Federal Investigation Agency’s NR3C.
- FBR & provincial revenue laws — for tax-related disclosures, withholding, and reporting.
- Personal Data Protection legislation — we are tracking the development of Pakistan’s upcoming personal-data-protection regime and will align our practices with applicable requirements as they come into force.
18. Frequently Asked Questions (FAQ)
Q1. Does Slex Pay sell my personal information?
No. We never sell personal information to anyone for advertising or any other purpose.
Q2. Can I see what data Slex Pay holds about me?
Yes. Submit a request via Support and we will provide a copy within 30 days, subject to identity verification and applicable legal limits.
Q3. How long do you keep my data after I close my account?
Most KYC, transaction, and tax records are retained for at least five to six years to comply with the law. After that, we securely delete or anonymize the data.
Q4. Is my card information stored on Slex Pay servers?
No. Card data is handled by PCI-DSS-compliant partners in tokenized form. We do not store full card numbers, CVVs, or PINs in clear text.
Q5. What if I notice unauthorized access to my account?
Contact us immediately via Support. We will lock the account, investigate, and notify you and the regulator (if required) about any breach.
Q6. Do you use my data to train AI models?
We may use aggregated and de-identified data to improve internal fraud-detection and risk models. We do not use identifiable customer data to train third-party generative-AI models without consent.
Q7. Will you tell me before sharing my data with regulators?
In most cases yes, but the AML Act and PECA prohibit us from tipping off subjects of suspicious-activity reports. In those cases we are legally required to remain silent.
Q8. Can I take my data to another payment provider?
Yes. You can request your transaction history in a portable format. Some data (e.g., regulator filings, sub-processor logs) cannot be transferred for legal reasons.
Q9. What happens if Slex Pay is acquired or merges with another company?
Your data may transfer to the new entity, subject to confidentiality obligations and continuity of this Privacy Policy. We will notify merchants of any material change in data control.
Q10. How do I report a privacy concern?
Email privacy@slexpay.pk or use the Support form. If our response does not satisfy you, you may escalate to the appropriate regulator or data-protection authority in Pakistan.
19. Privacy Glossary
- Personal Data — any information that identifies a person directly or indirectly.
- Processing — anything done with personal data: collecting, storing, viewing, sharing, deleting, etc.
- Data Controller — the party that decides why and how data is used.
- Data Processor — a party that handles data on the controller’s instructions.
- Sub-Processor — a vendor we use to deliver part of our service.
- KYC — Know Your Customer; identity-verification procedures.
- AML / CFT — Anti-Money Laundering / Combating the Financing of Terrorism.
- PEP — Politically Exposed Person.
- Tokenization — replacing sensitive data (e.g., a card number) with a non-sensitive substitute (a token).
- Encryption — scrambling data so only authorized parties can read it.
- FMU — Financial Monitoring Unit, Pakistan’s financial-intelligence unit.
- STR / CTR — Suspicious Transaction Report / Currency Transaction Report.
- SBP — State Bank of Pakistan.
- SECP — Securities and Exchange Commission of Pakistan.
- PCI-DSS — Payment Card Industry Data Security Standard.
- Cookie — a small file stored by your browser that helps a site remember you.
- Pixel / Beacon — a tiny image used to detect email opens or page views.
- Profiling — using data to predict behavior, preferences, or risk.
- DPA — Data Processing Addendum, the contract between a controller and a processor.
20. Updates to These Privacy Terms
We may update this page from time to time to reflect changes in our practices, technology, or law. When we make material changes we will:
- Update the "Last Updated" date at the top of this page.
- Notify registered merchants by email or in-app notice where appropriate.
- Provide a short summary of significant changes when reasonably practicable.
If you continue to use Slex Pay after the new effective date, you accept the updated Privacy Terms.
21. Read the Full Policies
- Privacy Policy — the formal, full-length policy with detailed legal language.
- Terms of Service — the contract that governs your use of Slex Pay.
- AML & KYC Policy — details on identity, screening, and monitoring controls.
- Refund & Dispute Policy — how refunds and disputes are handled.
- Prohibited & Restricted Businesses — the list of business types we cannot serve.
By using Slex Pay’s services or our website, you acknowledge that you have read these Privacy Terms together with the formal Privacy Policy.