Legal Document

Privacy Policy

How YMIT Solutions collects, uses, and protects your personal data.

Effective Date: June 1, 2025
Last Updated: June 1, 2025
Governing Law: Islamic Republic of Pakistan

YMIT Solutions ("Company", "we", "our", or "us") is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, store, share, and safeguard information when you visit our website, contact us, apply for a job, or engage us for software development services.

This Policy is prepared in compliance with the Personal Data Protection Act, 2023 (PDPA) of Pakistan, the Prevention of Electronic Crimes Act, 2016 (PECA), the Electronic Transactions Ordinance, 2002 (ETO), and any applicable rules and regulations issued by the National Commission for Personal Data Protection (NCPDP).

By using our website or services, you consent to the practices described in this Privacy Policy. If you do not agree, please refrain from using our website or services.

01

Who We Are

YMIT Solutions is a registered software house and IT services company operating under the laws of the Islamic Republic of Pakistan. We provide custom software development, web and mobile application development, enterprise resource planning (ERP), CRM, UI/UX design, and related technology services to clients domestically and internationally.

  • Registered Name: YMIT Solutions
  • Country of Incorporation: Pakistan
  • FBR National Tax Number (NTN): 7265935-1
  • PSEB Registration No.: Z-25-17988/25 (Pakistan Software Export Board (G) Ltd)
  • Primary Contact Email: support@ymitsolutions.com
  • Phone: +92-300-0443888
  • Website: https://ymitsolutions.com

For all privacy-related inquiries, please contact our designated Data Protection Officer (DPO) at the email above with the subject line "Privacy Inquiry".

02

Information We Collect

We collect personal data only to the extent necessary for legitimate business purposes. The categories of personal data we collect include:

a) Information You Provide Directly

  • Contact Form Submissions: Name, email address, phone number, company name, project description, and message.
  • Job Applications: Full name, email address, phone number, CV/resume, portfolio links, cover letter, educational qualifications, and work experience.
  • Client Engagements: Business name, contact person details, billing address, email, phone, project requirements, and payment information (invoices only; no card data is stored on our servers).
  • Account Registration (Admin Panel): Full name, email address, password (hashed), role, and profile photo.

b) Information Collected Automatically

  • Log Data: IP address, browser type and version, operating system, referring URL, pages visited, time and date of visit, and time spent on pages.
  • Device Data: Device type, screen resolution, and language preferences.
  • Cookies & Local Storage: Session identifiers, preferences, and analytics data (see Section 8).

c) Information from Third Parties

  • Referral data from business partners or job boards, where you have consented to share your information.
  • Publicly available professional information (e.g., LinkedIn profiles) when relevant to a job vacancy or business proposal, to the extent permitted by applicable law.

We do not collect sensitive personal data (e.g., biometric data, racial or ethnic origin, political opinions, religious beliefs, health data) unless explicitly required for a specific service and with your express consent.

03

How We Use Your Information

We use the personal data we collect for the following purposes:

  • Service Delivery: To respond to inquiries, prepare proposals, execute service agreements, and deliver software development services.
  • Recruitment: To process job applications, schedule interviews, and communicate with candidates.
  • Communication: To send project updates, invoices, and service-related notifications.
  • Marketing (opt-in only): To send newsletters, company updates, or promotional material — only if you have expressly opted in. You may opt out at any time.
  • Legal Compliance: To comply with applicable laws, regulations, court orders, or lawful government requests, including obligations under PECA 2016 and PDPA 2023.
  • Security & Fraud Prevention: To monitor, detect, and prevent fraudulent activity, unauthorized access, and security breaches on our systems.
  • Analytics & Improvement: To understand how our website is used and improve our services, user experience, and content.
  • HR & Payroll (Employees): To manage employee records, attendance, payroll processing, leave management, and statutory filings (EOBI, SESSI, Income Tax).

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

05

Sharing of Information

We do not share your personal data with third parties except in the following circumstances:

  • Service Providers: We may share data with trusted sub-processors (e.g., cloud hosting providers, email services, analytics platforms) who process data on our behalf under strict data processing agreements that bind them to confidentiality and security obligations consistent with the PDPA 2023.
  • Client Deliverables: In the course of providing software development services, your provided data may form part of the developed system. This is governed by the signed service agreement.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. You will be notified of any such change.
  • Legal Requirements: We may disclose your data to government authorities, law enforcement, courts, or regulators when required by Pakistani law, including upon lawful orders under PECA 2016, PDPA 2023, or the Pakistan Telecommunication Act, 1996.
  • With Your Consent: In any other case where you have given explicit consent for a specific disclosure.

Current third-party sub-processors include: Amazon Web Services / Hetzner / DigitalOcean (cloud hosting), Mailgun / SMTP providers (transactional email). A full and up-to-date list is available upon request.

06

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Contact Inquiries: 2 years from the date of last communication, unless a contract is formed.
  • Job Applications (unsuccessful): 6 months from notification of outcome, unless you consent to a longer retention period for future vacancies.
  • Client Data: 7 years from the end of the contract, as required by Pakistani tax law (Income Tax Ordinance 2001) and Companies Act 2017.
  • Employee Data: 7 years post-employment, in compliance with the Employees' Old-Age Benefits Act, 1976, Income Tax Ordinance 2001, and other applicable employment laws.
  • Website Access Logs: 90 days (rolling), except where retention is required by law enforcement request.
  • Marketing Opt-in Lists: Until you withdraw consent or 3 years of inactivity, whichever is earlier.

After the applicable retention period, data is securely deleted or anonymised.

07

Your Rights Under PDPA 2023

Under the Personal Data Protection Act, 2023, you have the following rights with respect to your personal data held by us:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data where there is no overriding legal basis for retention.
  • Right to Restrict Processing: Request that we restrict the processing of your data in certain circumstances.
  • Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: File a complaint with the National Commission for Personal Data Protection (NCPDP) if you believe your rights have been violated.

To exercise any of these rights, submit a written request to support@ymitsolutions.com with the subject line "Data Rights Request". We will respond within 30 days as required by the PDPA 2023. We may need to verify your identity before processing the request.

Note: Certain rights may be limited where processing is required to fulfil legal obligations, exercise legal claims, or protect the vital interests of others.

08

Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience. Cookies are small text files stored on your device.

Types of Cookies We Use

  • Strictly Necessary Cookies: Required for the website to function (e.g., session authentication, CSRF protection). Cannot be disabled.
  • Performance & Analytics Cookies: Help us understand how visitors interact with our website (page views, bounce rates). Used anonymously.
  • Functionality Cookies: Remember your preferences (e.g., language, region).
  • Marketing Cookies: Used only if you have explicitly consented to receive targeted communications.

Managing Cookies

You can control and delete cookies through your browser settings. Please refer to your browser's help documentation. Note that disabling certain cookies may affect website functionality. For more details, visit allaboutcookies.org.

09

Data Security

We implement appropriate technical and organisational security measures to protect your personal data against accidental loss, unauthorised access, alteration, disclosure, or destruction. Our security practices include:

  • Encrypted data transmission via TLS/SSL (HTTPS)
  • Hashed storage of passwords (using bcrypt) — plaintext passwords are never stored
  • Role-based access control (RBAC) on all internal systems
  • Regular security audits and penetration testing
  • Secure server infrastructure with firewalls and intrusion detection
  • Employee confidentiality agreements and security training

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the affected individuals and the relevant authority as required by the PDPA 2023 and any applicable rules made thereunder, without undue delay.

No method of data transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

10

Cross-Border Data Transfers & International Clients

YMIT Solutions is a PSEB-registered software export company (Reg. No. Z-25-17988/25) and approximately 99% of our clients are international, spanning the European Union, United Kingdom, United States, Canada, Australia, and the Middle East. Data flows are therefore inherently cross-border in nature.

Where personal data is transferred outside Pakistan, we ensure adequate safeguards consistent with the PDPA 2023, including:

  • Transferring to countries with an adequate level of data protection as recognised by the NCPDP;
  • Using standard contractual clauses or equivalent data transfer agreements;
  • Obtaining your explicit consent for specific cross-border transfers, where required.

EU & UK Data Subjects

If you are located in the European Economic Area (EEA), your data may be subject to the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679). If you are in the United Kingdom, the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018) applies. We respect and honour the rights granted under these frameworks, including:

  • The right to access, rectify, erase, restrict, and port your personal data;
  • The right to object to processing based on legitimate interests;
  • The right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the relevant EU DPA).

Our legal basis for processing data from EU/UK clients is typically contractual necessity (Art. 6(1)(b) GDPR) and, where applicable, your consent (Art. 6(1)(a) GDPR). We do not transfer EU/UK personal data to third parties without appropriate GDPR-compliant safeguards.

Other International Clients

For clients based in the United States, Canada, Australia, the Gulf Cooperation Council (GCC) countries, and other jurisdictions, we commit to processing your data with the same high standard of care and in accordance with applicable international best practices. We will cooperate with applicable data protection requirements on a case-by-case basis as part of our service agreements.

11

Children's Privacy

Our website and services are not directed to individuals under the age of 18 years. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a person under 18 without appropriate parental consent, we will take prompt steps to delete that information. If you believe a child has provided us with personal data, please contact us immediately.

12

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The updated Policy will be posted on this page with a revised "Last Updated" date.

We encourage you to review this Policy periodically. If we make material changes that significantly affect your rights, we will notify you by prominently displaying a notice on our website or by contacting you directly, as appropriate.

Your continued use of our website or services after any changes constitutes your acceptance of the updated Policy.

13

Contact & Complaints

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our Data Protection Officer:

YMIT Solutions

Data Protection Officer

If you are not satisfied with our response to your complaint, you have the right to lodge a complaint with the National Commission for Personal Data Protection (NCPDP), which is the supervisory authority established under the Personal Data Protection Act, 2023 of Pakistan.

Legal Disclaimer: This Privacy Policy has been drafted in good faith to reflect the requirements of Pakistani law as of its effective date. It is not a substitute for legal advice. If you have specific legal questions, you should consult a qualified Pakistani legal professional. This Policy is governed by and construed in accordance with the laws of the Islamic Republic of Pakistan.
