Privacy Policy

Credminds is operated jointly by two affiliated legal entities, each of which acts as a Data Controller for the Personal Data described in this Policy:

• CREDMINDS (SMC-PRIVATE) LTD. — registered in the Islamic Republic of Pakistan; registered office: Credminds, 2nd Floor, 902B, Faisal Town, Lahore, Pakistan.
• CREDMINDS TECHNOLOGIES — registered in the United Arab Emirates.

For all data-protection enquiries, requests, or complaints relating to this Policy, please contact: info@credminds.com.

• Personal Data means any information relating to an identified or identifiable natural person.
• Processing means any operation performed on Personal Data, whether or not automated (collection, recording, storage, use, disclosure, erasure).
• Controller means the entity that determines the purposes and means of Processing.
• Processor means a third party that Processes Personal Data on behalf of the Controller.
• Data Subject means the natural person to whom the Personal Data relates.
• Cookies means small text files placed on your device when you visit a website. See the Cookie Policy for details.

We collect and Process the following categories of Personal Data:

• Identification and contact data — full name, email address, company name.
• Enquiry data — service of interest, indicative budget range, industry, project timeline, and the free-text message you submit through our contact form.
• Technical and usage data — IP address, user-agent string, referrer URL, page views, session timestamps, approximate location derived from IP, and similar information automatically collected when you interact with the website.
• Cookie and analytics data — identifiers and event data collected via Google Analytics 4 and strictly necessary cookies, as further described in our Cookie Policy.
• Correspondence data — the content of any emails or other messages you exchange with us.

We do not knowingly collect Special Categories of Personal Data (such as health, racial or ethnic origin, religious beliefs, or biometric data) and request that you do not submit such information through our website.

We obtain Personal Data from the following sources:

• Directly from you, when you complete the contact form, send us an email, schedule a call, or otherwise communicate with us.
• Automatically, when you interact with the website, through cookies, server logs, and analytics tools.
• From third-party service providers who facilitate our infrastructure (e.g., hosting and analytics providers).

We Process Personal Data for the following purposes:

• To respond to enquiries submitted through the contact form;
• To negotiate, conclude, and perform engagements with prospective and existing clients;
• To operate, secure, and maintain the website, including rate limiting, fraud prevention, and abuse detection;
• To analyse traffic patterns and improve the website’s content, structure, and performance;
• To comply with legal obligations applicable to us, including tax, accounting, and regulatory requirements; and
• To establish, exercise, or defend legal claims, where necessary.

Where Processing falls within the scope of the EU General Data Protection Regulation (“GDPR”) or the United Kingdom General Data Protection Regulation (“UK GDPR”), we rely on the following legal bases under Article 6(1):

• Article 6(1)(b) — Contract. Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
• Article 6(1)(c) — Legal obligation. Processing is necessary for compliance with legal obligations to which we are subject.
• Article 6(1)(f) — Legitimate interests. Processing is necessary for the legitimate interests pursued by us or by a third party, except where such interests are overridden by your fundamental rights and freedoms. Our legitimate interests include securing our infrastructure, preventing fraud and abuse, analysing aggregate website performance, and direct B2B communications with prospective clients.
• Article 6(1)(a) — Consent. Where required by applicable law, we rely on your consent — including for analytics cookies and any future marketing communications. You may withdraw consent at any time without affecting the lawfulness of Processing carried out before withdrawal.

We disclose Personal Data only to the categories of recipients listed below, and only as necessary for the purposes set out in Section 5:

• Email and analytics infrastructure. Google LLC — provides Gmail-based SMTP for transmission of notification emails arising from your enquiries, Google Analytics 4 for website traffic measurement, and Google Fonts for typography delivery. Google may transfer Personal Data to the United States and other jurisdictions.
• Recruitment. Hirestream Pvt. Ltd. (operator of credminds.hirestream.io) — processes job applications submitted via the “Careers” link, subject to its own privacy policy.
• Professional advisors and authorities. We may disclose Personal Data to our legal, accounting, or other professional advisors, and to courts, regulators, or law-enforcement authorities, where required by law or to protect our legal rights.

We do not sell Personal Data, and we do not share Personal Data for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act (CCPA) as amended.

Because we and our subprocessors operate across multiple jurisdictions, your Personal Data may be transferred to, stored in, and Processed in countries other than the country in which you are resident, including the United States, the European Economic Area, the United Kingdom, Pakistan, and the United Arab Emirates.

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on appropriate safeguards including the European Commission’s Standard Contractual Clauses (2021/914), the UK International Data Transfer Agreement or Addendum, or your explicit consent. You may request a copy of the safeguards in place by writing to info@credminds.com.

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected and to comply with applicable legal, accounting, or reporting obligations.

• Contact-form submissions and pre-contract correspondence: retained for up to 24 months from the date of last interaction, unless an active engagement is in progress, in which case the data is retained for the duration of the engagement and for such longer period as is required by applicable law.
• Client engagement records: retained for the duration of the engagement and for such period thereafter as is required to comply with our legal and contractual obligations.
• Analytics data: retained according to the configuration of our analytics provider (Google Analytics 4 default: 14 months).
• Server logs and security records: retained for a limited period consistent with security best practices and applicable law.

Once retention periods expire, Personal Data is securely deleted or anonymised.

We implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access, including:

• Encryption of data in transit using HTTPS/TLS;
• Encryption of data at rest at our infrastructure providers;
• Role-based access control and the principle of least privilege;
• Audit logging of administrative actions;
• IP-based rate limiting and abuse prevention on our public endpoints;
• A contractual prohibition on the use of customer Personal Data to train third-party machine-learning models.

Despite these measures, no system can be guaranteed to be completely secure. If you believe your Personal Data has been compromised, please contact us at info@credminds.com.

Depending on the jurisdiction in which you reside, you may have certain rights in relation to your Personal Data. To exercise any of the rights below, please contact us at info@credminds.com. We may need to verify your identity before fulfilling your request.

11.1 GDPR / UK GDPR

If the Processing of your Personal Data is subject to the GDPR or UK GDPR, you have the following rights:

• The right of access to your Personal Data (Article 15);
• The right to rectification of inaccurate Personal Data (Article 16);
• The right to erasure (“right to be forgotten”) (Article 17);
• The right to restriction of Processing (Article 18);
• The right to data portability (Article 20);
• The right to object to Processing carried out on the basis of legitimate interests (Article 21);
• The right to withdraw consent at any time (Article 7(3));
• The right to lodge a complaint with a supervisory authority in your jurisdiction.

11.2 UAE Personal Data Protection Law

If the Processing of your Personal Data is subject to UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“UAE PDPL”), you have rights substantially equivalent to those listed in Section 11.1, including the right to access, correct, delete, restrict, transfer, and object to the Processing of your Personal Data. You also have the right to lodge a complaint with the UAE Data Office.

11.3 Pakistan

If the Processing of your Personal Data is subject to applicable Pakistani data-protection law, you have rights as enacted under such law, including (subject to the final form of the legislation) the right to access, correct, and delete your Personal Data. Once the National Commission for Personal Data Protection (NCPDP) is operational, you will have the right to lodge a complaint with the Commission.

11.4 CCPA / US State Privacy Laws

If you are a resident of California or another US state with a comprehensive privacy law, you have the following rights, subject to certain exceptions:

• The right to know the categories and specific pieces of Personal Data we have collected about you, the sources, the business or commercial purpose for collection, and the categories of third parties to whom Personal Data has been disclosed;
• The right to request deletion of your Personal Data;
• The right to request correction of inaccurate Personal Data;
• The right to opt out of the sale or sharing of Personal Data — we do not sell or share Personal Data as those terms are defined under the CCPA;
• The right not to be discriminated against for exercising any of the rights above;
• The right to designate an authorised agent to make a request on your behalf, subject to our verification procedures.

Our website and services are intended for business-to-business audiences and are not directed to children under the age of 16 (or the equivalent minimum age under applicable law). We do not knowingly collect Personal Data from children. If we become aware that we have inadvertently collected Personal Data from a child without verifiable parental consent, we will take steps to delete that information.

We use cookies and similar technologies, including Google Analytics 4, to operate the website and to understand how it is used. For full details, including the categories of cookies we use and how to manage your preferences, please refer to our Cookie Policy.

We may update this Policy from time to time to reflect changes in our practices, applicable law, or the operation of our services. The “Effective” and “Last updated” dates at the top of this Policy indicate when it was most recently revised. Where changes are material, we will provide additional notice (for example, by email or by a prominent notice on the website) before the changes take effect.

For questions about this Policy or to exercise any of the rights described above, please contact us at info@credminds.com, or write to one of the controllers below:

• CREDMINDS (SMC-PRIVATE) LTD. — Credminds, 2nd Floor, 902B, Faisal Town, Lahore, Pakistan.
• CREDMINDS TECHNOLOGIES — Office 603-84, Acico Building, Port Saeed, Dubai, UAE.