Updated May 2026

Privacy Policy

OurBazaar (“we”, “our”, or “us”) is committed to protecting your personal information and being transparent about how we handle it. This Privacy Policy explains what we collect, why we collect it, who we share it with, and what rights you have over your data when you use our marketplace platform — whether through our mobile application, our website (ourbazaar.pk), or any related service (collectively, the “Platform”). Please read this policy carefully. By creating an account or otherwise using OurBazaar, you confirm that you have read, understood, and agreed to the practices described below.

1. Information We Collect

1.1 Information You Provide Directly

  • Full name, email address, mobile phone number, date of birth, and a self-selected username when you register
  • Profile photo, biography, and a city / region location you choose to share
  • Listing content: photographs, videos, titles, descriptions, prices, condition, brand, material, country of origin, and a pickup city + suburb when you offer direct pickup
  • Order content: shipping address (recipient name, phone, full street address), delivery option chosen, and any notes you attach to the order
  • Payment instrument metadata (card brand, last-4 digits, expiry month/year, billing name) — full card numbers and CVVs are never stored by OurBazaar; they are tokenised by our payment processor
  • Identity documents you submit for KYC: a copy of your CNIC (front and back) and a selfie or short video used for liveness / face-match verification
  • Messages you send to other users via in-app chat (one-to-one and product-anchored chats), plus the metadata our backend logs about those messages (sender, recipient, conversation id, timestamps)
  • Support tickets you raise (subject, description, attached evidence photos / PDFs) and the full correspondence with our support team
  • Reviews, ratings, comments, friend requests, blocks, and any other social interactions you perform on the Platform

1.2 Information Collected Automatically

  • Device identifiers (device model, OS, OS version, app version, unique device ID, screen resolution)
  • Network information (IP address, ISP, approximate location derived from IP, mobile carrier on cellular)
  • App usage analytics: screens visited, features used, taps on key CTAs, session start / end, time on screen, in-app search queries
  • Push notification token issued by Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM)
  • Crash reports, performance metrics, and error logs (no message content or KYC document content is captured in these)
  • Precise location ONLY when you explicitly grant permission, and only for the duration you keep the permission active (used for nearby listings and direct-pickup distance estimates)

1.3 Information From Third Parties

  • OAuth providers: when you sign in with Google or Apple, we receive your name, email, and profile photo from that provider. We never receive your Google / Apple account password.
  • Payment gateway: transaction status, transaction reference id, fraud-screening signals, and refund status from our payment partner.
  • SMS / WhatsApp delivery confirmations from the OTP / messaging providers that send your verification codes.
  • Public reports about you that we may receive from other users (abuse reports, listing complaints).

1.4 Biometric Data (KYC Only)

Where you complete identity verification, we process biometric data in the form of facial geometry derived from your selfie / liveness video, and we compare it against the photo on your CNIC. We store the underlying photo and video as documentary evidence of the verification result, and the biometric template solely for the duration needed to complete the match. We do not use biometric data for any purpose other than KYC, do not share it with advertisers, and do not use it to identify you outside of the verification flow itself.

2. How We Use Your Information

  • Create and manage your account, verify your identity (KYC), and authenticate you on each visit
  • Display your listings, profile, and ratings to other users, and personalise your home feed and search results
  • Facilitate buy-now, auction, and direct-pickup transactions between you and other users
  • Process payments, payouts, refunds, and fraud prevention checks with our payment partner
  • Coordinate shipping with logistics partners (where the platform-shipping delivery option is used)
  • Send transactional notifications you have not opted out of: order updates, OTPs, security alerts, outbid warnings, auction-won notices, refund confirmations, and support replies
  • Send marketing communications only where you have opted in, and only until you opt out
  • Provide customer support, mediate disputes, and enforce these Terms and our community guidelines
  • Improve the Platform: identify and fix bugs, measure feature adoption, run A/B tests on UI changes, and tune fraud-detection thresholds
  • Comply with our legal obligations under Pakistani law (including the Prevention of Electronic Crimes Act 2016, applicable tax law, and lawful court / regulator orders)

3. Sharing of Your Information

We do not sell your personal data. We share information only in the limited circumstances listed below, and only the minimum data needed for each purpose:

  • With other users: your public profile (name, username, photo, listings, ratings, member-since date) is visible to anyone on the Platform. Your shipping address is shared with the seller of an order only after payment is confirmed, and the seller's pickup city / suburb is shared with the buyer only after they pick the direct-pickup option at checkout.
  • Service providers (processors): we disclose the minimum data needed to third-party vendors we engage to process data on our behalf, under written agreements that restrict their use. The named list appears in “Third-Party Service Providers” below.
  • Law enforcement and regulators: we may disclose data where we are compelled by Pakistani law (PECA 2016, the Federal Investigation Agency's Cyber Crime Wing, the Federal Board of Revenue, the State Bank of Pakistan, or a court order), or where we believe disclosure is necessary to protect the safety of our users or the public.
  • Business transfers: in the event of a merger, acquisition, restructuring, or sale of substantially all of our assets, your data may transfer to the successor entity, subject to the same protections as this Policy. We will notify you in-app at least 30 days in advance where reasonably practicable.
  • With your consent: any other sharing will happen only after we explicitly ask and you explicitly agree.

4. KYC & Identity Verification

To build trust on the Platform and to comply with applicable anti-fraud and anti-money-laundering regulations, certain features (selling items, withdrawing earnings, high-value bidding) may require successful KYC. The verification flow asks for:

  • A photo of the front and back of your CNIC (Computerised National Identity Card)
  • A short selfie video used for liveness check (to confirm a live person is present and not a static photo)
  • A face-match comparison between your selfie and the photo on your CNIC

CNIC images, selfie video, and the derived biometric template are encrypted in transit (TLS 1.2+) and at rest (AES-256), accessed only by authorised KYC reviewers under audit logging, and retained for the longer of: (a) the lifetime of your account, or (b) seven (7) years after deletion, in line with Pakistani record-keeping rules for financial-services intermediaries. You may withdraw consent for further KYC processing at any time, but doing so will close your seller account and disable any feature that requires verified status.

5. Push Notifications & Messaging

OurBazaar sends two categories of push notifications:

  • Transactional pushes — OTPs, order status changes, outbid alerts, auction wins, refund confirmations, security alerts. These are sent automatically when you trigger the corresponding action and cannot be turned off without breaking that action; you may still suppress them at the OS level via your device's notification settings.
  • Marketing pushes — promotional campaigns, feature announcements, suggested listings. These are sent only with your explicit opt-in and can be turned off at any time from Profile → Settings → Notifications, or by tapping the in-notification “unsubscribe” shortcut.

We rely on Apple Push Notification service (APNs) for iOS devices and Google's Firebase Cloud Messaging (FCM) for Android. Push payloads contain the smallest metadata needed for routing (a notification id, an order id, etc.); we do not transmit your chat message bodies through FCM in clear text.

6. Automated Decision-Making

We use automated rules and statistical models in a limited set of places. None of these produce a legally binding decision on you without human review available on request:

  • Fraud detection on payment, OTP, and account-registration flows — abnormal patterns may trigger a temporary block or step-up verification
  • Listing review: prohibited-content keyword scans on titles, descriptions, and uploaded photos
  • KYC document validation: optical character recognition (OCR) on your CNIC, plus the biometric face match described in Section 4
  • AI-assisted listing descriptions and category suggestions, where you explicitly request the “Generate description” feature; the AI provider used today is OpenAI (named under Service Providers below)
  • Search relevance and home-feed ranking, which order what you see but do not change what is available to you

You have the right to request human review of any automated decision that materially affects you (e.g., a listing removal, an account suspension, a KYC rejection). Email support@ourbazaar.pk with the relevant order / listing / ticket id within 30 days of the decision.

7. Third-Party Service Providers

We engage the following categories of processors. Each operates under a written data processing agreement that limits their use to the services we instruct, requires equivalent security standards, and prohibits onward transfer.

  • Cloud infrastructure & database hosting: Amazon Web Services (AWS), Mumbai region (ap-south-1)
  • Authentication, real-time chat & push: Google Firebase — Firebase Authentication, Cloud Firestore, Cloud Functions, Firebase Cloud Messaging
  • Apple push notifications: Apple Push Notification service (APNs)
  • Payment processing: our Pakistani payment gateway partner(s) and the bank rails they connect to; full card numbers and CVVs never reach OurBazaar systems
  • SMS & WhatsApp OTP delivery: regulated Pakistani aggregators integrated with mobile network operators
  • AI / LLM features: OpenAI, used only when you explicitly request an AI-generated listing description; your request payload (title, brand, condition, basic specs) is sent for that purpose only and is not retained by us beyond logging the API call for quota and audit
  • Application monitoring & analytics: CloudWatch logs (AWS) and similar observability services covering errors, performance, and structured product events
  • Email delivery: a transactional email provider used for account, security, and password emails (no marketing lists are sold to third parties)

8. International Data Transfers

Some of the processors listed above (Firebase, OpenAI, certain analytics tools) host data outside Pakistan, including in the United States and the European Union. Where data crosses borders we rely on the processor's published safeguards (Standard Contractual Clauses, equivalent technical and organisational measures, and the EU–US Data Privacy Framework where applicable). If you are uncomfortable with this transfer, you may opt out of optional features (AI description, push notifications, the chat feature) and continue to use the core marketplace, although some functionality will be limited.

9. Data Breach Notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights or freedoms, we will:

  • Notify the relevant Pakistani authority (the Federal Investigation Agency's Cyber Crime Wing and the National Computer Emergency Response Team) within 72 hours of becoming aware, where the breach falls within their reporting thresholds
  • Notify affected users by email and in-app message without undue delay, describing what happened, what data was involved, what we are doing, and what you can do to protect yourself
  • Publish a post-incident summary on the Platform once the immediate response is complete

10. Data Retention

We retain your personal data for as long as your account is active and for as long as needed to provide the Platform. The default retention windows below apply unless a longer period is required by law:

  • Account profile, listings, and order history — for the life of the account, then 7 years after deletion (tax and fraud-prevention obligations)
  • KYC documents and biometric evidence — 7 years from the date of verification
  • Chat messages — 2 years after the conversation’s last message
  • Support tickets and dispute evidence — 5 years from closure
  • Background job audit logs (job_runs) — 90 days for successful runs, 1 year for failed runs
  • CloudWatch operational logs — 90 days
  • Anonymous, aggregated analytics — retained indefinitely; cannot be re-linked to you

11. Data Security

We protect your data with industry-standard technical and organisational measures, including:

  • TLS 1.2+ for every connection between the app, website, and our backend
  • AES-256 encryption at rest for the database, file storage, and backups
  • Hashed + salted passwords using bcrypt; password resets are time-limited and rate-limited
  • JWT-based access tokens with short expiry and rotating refresh tokens
  • Role-based access controls and least-privilege access on production data, with full audit logging
  • Regular security reviews and dependency-vulnerability scanning
  • Hashed IDs in all client-facing surfaces so user numeric identifiers are not exposed in URLs or responses

No system is ever completely secure. If you suspect unauthorised access to your account, change your password and contact support@ourbazaar.pk immediately.

12. Your Rights

Subject to applicable law, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete information directly from your profile screen, or by contacting support
  • Erasure — request deletion of your account and associated data (subject to the retention obligations described above)
  • Portability — request a machine-readable export of your account data (profile, listings, orders, messages)
  • Restriction — ask us to pause certain types of processing while we investigate a complaint
  • Objection — opt out of marketing communications and out of optional automated processing
  • Withdraw consent — for any processing that we rely on consent for; withdrawal does not affect the lawfulness of past processing
  • Lodge a complaint — with the Federal Investigation Agency Cyber Crime Wing or any other relevant Pakistani authority if you believe your rights have been violated

To exercise any of these rights, email support@ourbazaar.pk from the address registered to your account. We respond within 30 days. If we need more time for a complex request, we will tell you within that 30-day window and explain why. We may ask you to verify your identity before processing a rights request to prevent unauthorised disclosure.

13. Cookies & Tracking

13.1 Mobile App

Our mobile app does not use browser cookies. We rely on standard mobile identifiers (advertising id, vendor id, install id) and on the SDKs of the service providers named in Section 7. You can reset your advertising id and revoke notification or location permission at any time from your device settings.

13.2 Website (ourbazaar.pk)

Our website uses a small number of strictly-necessary cookies (authentication session, CSRF protection) which load without consent because the site does not function without them. We do not use third-party advertising, retargeting, or cross-site tracking cookies on the marketing site. If we add analytics in the future we will surface a consent banner and a granular cookie preferences screen before any non-essential cookie is set.

14. Children's Privacy

OurBazaar is not intended for individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that a minor has registered, we will delete the account and all associated data without delay. Parents and guardians who believe a minor has registered may report it to support@ourbazaar.pk.

15. Governing Law

This Privacy Policy is governed by the laws of the Islamic Republic of Pakistan, including the Prevention of Electronic Crimes Act 2016 and the Personal Data Protection Bill once enacted. Any disputes shall be subject to the exclusive jurisdiction of the courts of Pakistan.

16. Changes to This Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page always reflects the current revision. We will notify you of material changes by displaying a prominent in-app notice and by email at least 14 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy. We keep an archive of previous versions available on request.

17. Contact Us

If you have any questions, concerns, or a rights request relating to this Privacy Policy, please reach out:

OurBazaar — Privacy Team

Email: support@ourbazaar.pk

Address: Pakistan