Privacy Policy

Effective date: 1 January 2026 — Last updated: April 2026

1. Who We Are

Voosha (Private) Limited (“Voosha,” “we,” “us,” or “our”) operates the voosha.io web application and associated mobile applications. This Privacy Policy explains how we collect, use, store, and share your personal data, and the rights you have over that data.

We are committed to protecting your privacy in accordance with the Pakistan Electronic Data Protection Act (in force as applicable) and any successor legislation.

2. Data We Collect

2.1 Account information

  • Name, email address, and a securely hashed password.
  • Account type (Brand, Creator, or Consumer) and registration date.
  • For brands: company name, address, and Stripe billing identifiers.
  • For creators: CNIC number and a scan of your CNIC document (required for identity verification), demographic data (age, city, gender, primary language), and availability preferences.

2.2 Social account data

  • Platform name (Instagram, TikTok, YouTube, etc.), profile URL, follower count, post count, and audience demographic ranges you provide.

2.3 Campaign and transaction data

  • Campaign briefs, deal terms, content submissions, and approval history.
  • Attributed clicks logged when a consumer follows a creator's short link (device type, country, referrer).
  • Discount code redemptions including recorded sale values.
  • Payment records (amounts, status, timestamps). We do not store card numbers — those are handled exclusively by Stripe.

2.4 Usage data

  • Server-side request logs (IP address, endpoint, timestamp) retained for up to 30 days for security and debugging.
  • In-app notification read status and preferences.

3. How We Use Your Data

  • Providing the service — account management, campaign orchestration, short-link generation and tracking, content approval workflows, and payout processing.
  • Identity verification — reviewing CNIC documents to verify creator identity before payouts are enabled.
  • Analytics — generating per-campaign ROI reports visible to the relevant brand and creator. Aggregated, anonymised data may be used to improve the platform.
  • Communications — sending in-app and (where opted in) email notifications about campaign status, payments, and platform updates.
  • Safety and compliance — detecting fraud (e.g. artificial click inflation), resolving disputes, and complying with lawful requests from Pakistani authorities.
  • Billing — managing brand subscriptions and payout transactions through Stripe and local payment rails.

4. Legal Bases for Processing

We process your data on the following bases:

  • Contract — to fulfil our obligations under the Terms of Service you accepted on registration.
  • Legitimate interests — platform security, fraud prevention, and service improvement.
  • Legal obligation — identity verification and financial record-keeping as required by Pakistani law.
  • Consent — marketing emails and optional notification preferences, which you may withdraw at any time.

5. Data Sharing

We do not sell your personal data. We share data only in the following limited circumstances:

  • Between brands and creators — when a brand approves an application, both parties can see campaign-relevant data (deal terms, code performance, earnings). Neither party receives the other's private account or payment credentials.
  • Payment processors — Stripe (subscriptions and escrow) and local rails (JazzCash, EasyPaisa, Raast, bank transfer) receive only the data necessary to process each transaction.
  • Infrastructure providers — cloud hosting and database services bound by data processing agreements.
  • Legal requirements — we may disclose data to government authorities where required by Pakistani law or a valid court order.

6. Data Retention

  • Account and campaign data is retained for as long as your account is active and for 5 years thereafter for financial record-keeping.
  • CNIC documents are retained for the duration required by Pakistani financial regulations and deleted thereafter.
  • Click-event logs are retained for 2 years for analytics and dispute resolution.
  • Server request logs are deleted after 30 days.

7. Security

Passwords are hashed with bcrypt before storage; we never store plain-text passwords. Access tokens are short-lived (24 hours) and signed with a private secret. All data in transit is encrypted via TLS. Access to production systems is restricted to authorised personnel. We conduct periodic security reviews.

8. Your Rights

Subject to applicable law, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to correct inaccurate or incomplete data.
  • Deletion — request deletion of your account and associated personal data, subject to legal retention obligations.
  • Objection — object to processing based on legitimate interests, including direct marketing.
  • Withdrawal of consent — withdraw consent for optional processing (e.g. marketing emails) at any time via your account settings or by contacting us.

To exercise any of these rights, email neelam.idrees@devsinc.com. We will respond within 30 days.

9. Cookies and Tracking

We use session cookies solely to maintain authenticated sessions. We do not use third-party advertising cookies or cross-site tracking pixels. The short-link redirect system records server-side click events without placing cookies on the consumer's device.

10. Children

Voosha is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact us immediately at neelam.idrees@devsinc.com and we will delete the account.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via in-app notification at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

12. Contact

Privacy-related enquiries: neelam.idrees@devsinc.com

General legal matters: neelam.idrees@devsinc.com