ZIMMA SOLUTIONS (PRIVATE) LIMITED

PRIVACY POLICY

Company: Zimma Solutions (Private) Limited
SECP Incorporation Number: 0331469
NTN: I782094
Registered Address: Plot No. 01-B Sector, Street 10, G-14/4, Islamabad, Pakistan

Website: www.zimma.com.pk
Contact: hello@zimma.com.pk
Effective Date: 07 April 2026

Last Updated: 07 April 2026

Version: 1.0

IMPORTANT NOTICE

Please read this Privacy Policy carefully before using the Zimma application or any services offered by Zimma Solutions (Private) Limited. This Privacy Policy governs how we collect, process, store, share, and protect your personal data in connection with your use of our escrow and buyer protection services. By registering on the Zimma platform, completing our Know Your Customer (KYC) process, or initiating any escrow transaction, you acknowledge that you have read, understood, and agreed to this Privacy Policy in full. 

If you do not agree with any part of this Privacy Policy, you must not use the Zimma platform or services.

TABLE OF CONTENTS

1. Who We Are
2. Definitions
3. Applicable Laws and Legal Framework
4. Scope of This Privacy Policy
5. Personal Data We Collect
6. How We Collect Your Personal Data
7. Legal Basis for Processing Your Personal Data
8. How We Use Your Personal Data
9. Escrow-Specific Data Processing
10. Biometric Data — Special Category
11. Third Parties With Whom We Share Your Personal Data
12. Cross-Border Data Transfers
13. Data Retention
14. Data Security
15. Your Rights as a Data Subject
16. Cookies and Device-Level Data
17. Children's Privacy
18. Changes to This Privacy Policy
19. Complaints and Grievances
20. Contact Us

1. Who We Are

Zimma Solutions (Private) Limited ("Zimma," "we," "us," or "our") is a private limited company incorporated under the Companies Act, 2017, bearing SECP Incorporation Number 0331469, with its registered office at House 1123, Street 10, G-14/4, Islamabad Urban, ICT 42600, Pakistan. 

Zimma operates Pakistan's first dedicated escrow and buyer protection mobile application. Our core service is the holding of funds in escrow on behalf of buyers and sellers engaged in online transactions, and the conditional release of those funds upon satisfaction of agreed transaction conditions by both parties. 

Zimma is not a bank and is not an Electronic Money Institution (EMI) licensed by the State Bank of Pakistan. We do not issue electronic money, accept deposits, or provide banking services as defined under the Banking Companies Ordinance, 1962. Our escrow function involves the temporary holding of Pakistani Rupees (PKR) in a designated bank account maintained with United Bank Limited (UBL), IBAN: PK17UNIL0109000358906012, on behalf of transacting parties, pending fulfillment of agreed conditions. 

As the data controller of personal data collected through the Zimma platform, we are responsible for ensuring that your personal data is processed lawfully, fairly, and transparently, in accordance with applicable laws of Pakistan.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings assigned to them below. Terms not defined here carry the meanings assigned to them under applicable Pakistani law. 

"Applicable Laws" means all laws, regulations, orders, directives, and guidelines applicable to Zimma's operations in Pakistan, including but not limited to those listed in Section 3 of this Privacy Policy. 

"AWS Rekognition" means the cloud-based facial recognition and biometric analysis service provided by Amazon Web Services, Inc., which Zimma uses during the KYC process to perform biometric face matching between a user's live selfie and the photograph on their Computerized National Identity Card (CNIC). 

"Biometric Data" means any personal data resulting from specific technical processing relating to the physical or physiological characteristics of a natural person that allows or confirms the unique identification of that natural person, including facial recognition data and live selfie images processed through AWS Rekognition. 

"Buyer" means a registered user of the Zimma platform who initiates an escrow transaction by depositing funds into escrow for the purchase of goods or services from a Seller. 

"CNIC" means a Computerized National Identity Card issued by the National Database and Registration Authority (NADRA) of Pakistan. 

"Escrow Account" means the designated PKR bank account maintained with United Bank Limited (UBL), Account No. 358906012, IBAN: PK17UNIL0109000358906012, into which Buyers deposit funds that Zimma holds in trust pending completion of an escrow transaction. 

"Escrow Transaction" means a transaction facilitated through the Zimma platform in which a Buyer deposits PKR funds into escrow, which Zimma holds until both the Buyer and Seller have confirmed satisfaction with the transaction, or until a dispute is resolved in accordance with Zimma's Dispute Resolution Policy. 

"KYC" means Know Your Customer — the identity verification process that all users must complete before creating or participating in any escrow transaction on the Zimma platform. 

"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, CNIC number, phone number, email address, biometric data, device information, and financial transaction data. 

"Platform" means the Zimma mobile application and any associated website, interface, or system through which users access Zimma's services. 

"Processing" means any operation performed on personal data, whether or not by automated means, including collection, recording, storage, use, disclosure, transmission, restriction, or deletion. 

"Seller" means a registered user of the Zimma platform who receives funds from escrow upon successful completion of a transaction. 

"User" means any natural person who registers on the Zimma platform, whether as a Buyer, a Seller, or both. 

"Veevo Tech" means the SMS gateway service provider engaged by Zimma for delivery of One-Time Passwords (OTPs) via SMS using the sender ID "ZIMMA."

3. Applicable Laws and Legal Framework

Zimma processes personal data in compliance with the following laws and regulations of Pakistan: 

a. Personal Data Protection Bill, 2023 ("PDPB 2023"): The primary data protection framework governing the collection, processing, storage, and transfer of personal data. All processing activities described in this Privacy Policy are conducted in accordance with the principles and obligations established thereunder, including lawfulness, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability. 

b. Payment Systems and Electronic Fund Transfers Act, 2007 ("PS&EFT Act 2007"): Section 70 of the PS&EFT Act 2007 imposes secrecy and privacy obligations in relation to information concerning consumers' electronic fund transfers. Zimma complies with these obligations to the extent applicable to its escrow operations. Section 7 governs the retention of electronic records of transactions. 

c. Prevention of Electronic Crimes Act, 2016 ("PECA 2016"): Sections 3, 4, 5, 6, 14, and 21 of PECA 2016 govern unauthorized access to information systems, interception of data, privacy violations, and identity fraud. Zimma's data security practices are designed to prevent violations under this Act, and any unauthorized access to user data may constitute a criminal offence thereunder. 

d. Electronic Transactions Ordinance, 2002 ("ETO 2002"): Section 6 of the ETO 2002 governs the retention of electronic records, and its provisions apply to the storage and integrity of transaction records maintained by Zimma. Electronic records generated through the Zimma platform have legal validity under this Ordinance. 

e. Consumer Protection Act, 2019: Section 11 of this Act guarantees consumers the right to access information about services they are using. This Privacy Policy fulfils Zimma's disclosure obligations under this section. 

f. NADRA Ordinance, 2000: Zimma collects and verifies users' CNIC information, which is issued by NADRA. Section 20 of the NADRA Ordinance imposes restrictions on the use and disclosure of NADRA data, and Zimma uses CNIC data solely for identity verification purposes in compliance with these restrictions. 

g. SECP AML/CFT Regulations, 2018: Zimma, as a SECP-registered private limited company engaged in financial intermediation in the form of escrow services, is required to maintain AML/CFT compliance obligations. Our data collection and retention practices are designed to fulfil these obligations, including Customer Due Diligence (CDD) requirements. 

h. Anti-Money Laundering Act, 2010 ("AML Act"): Section 7 imposes record-keeping obligations on reporting entities. To the extent Zimma constitutes a reporting entity under this Act, all transaction records and KYC data are retained in compliance with the prescribed retention periods. 

i. Companies Act, 2017: Section 452 requires the maintenance of books of account and related financial records. Data processed in connection with Zimma's financial operations is retained in compliance with this provision. 

j. General Data Protection Regulation ("GDPR"): While GDPR is a European Union regulation and is not directly applicable to Zimma, Zimma voluntarily aligns its data protection practices with GDPR standards as international best practice, particularly in relation to the processing of biometric data, special category data, and cross-border transfers.

4. Scope of This Privacy Policy

This Privacy Policy applies to: 

a. All natural persons who register on the Zimma platform, whether as Buyers, Sellers, or prospective users;
b. All personal data collected, processed, stored, or shared by Zimma in connection with the provision of its escrow and buyer protection services;
c. All data processing activities conducted on the Zimma mobile application, website (www.zimma.com.pk), and any associated systems;
d. Personal data of users who do not complete registration but who interact with the Zimma platform in a manner that results in data collection. 

This Privacy Policy does not apply to: 

a. Third-party websites, applications, or services that may be linked from the Zimma platform but are not operated by Zimma;
b. Personal data of Zimma employees, directors, or contractors, which is governed by separate internal policies.

5. Personal Data We Collect

5.1 Identity and Registration Information
Full legal name (as it appears on your CNIC), mobile phone number (used as your primary identifier and for OTP delivery), email address, date of birth, gender, and residential address. 

5.2 CNIC Information
CNIC number (13-digit national identification number), digital image of the front of your CNIC, digital image of the back of your CNIC, and CNIC expiry date. This information is collected as a mandatory component of Zimma's KYC process. No user may initiate or participate in an escrow transaction without completing CNIC-based identity verification. 

5.3 Biometric Data
A live selfie image captured through your device camera at the time of KYC completion, and biometric facial recognition data generated by AWS Rekognition when it compares your live selfie against the photograph on your CNIC. Biometric data constitutes a special category of sensitive personal data. The processing of this data is addressed separately in Section 10 of this Privacy Policy. 

5.4 Financial and Escrow Transaction Data
PKR amounts deposited into escrow by Buyers, escrow transaction identifiers, descriptions of goods or services underlying each escrow transaction, names and contact details of counterparties to each escrow transaction, transaction status (pending, active, completed, disputed, cancelled), dates and timestamps of all escrow events, and bank account or payment source information provided by users in connection with depositing or receiving funds from escrow. 

5.5 Device and Technical Data
Device type, model, and operating system version, app version, IP address, unique device identifiers, app usage logs (screens accessed, features used, session duration), and timestamps of logins and transactions. 

5.6 Communications Data
The content of messages you send to Zimma through in-app support channels or by email, records of your interactions with Zimma's customer support team, and dispute submissions and supporting materials uploaded in connection with escrow disputes. 

5.7 OTP Delivery Data
When an OTP is generated and delivered via SMS through Veevo Tech using the sender ID "ZIMMA," Zimma records the mobile phone number to which the OTP was sent, the timestamp of OTP delivery, and whether the OTP was successfully verified. Zimma does not store the OTP value itself after it has expired.

6. How We Collect Your Personal Data

6.1 Directly From You
We collect personal data directly from you when you download and register on the Zimma application; complete the KYC process by submitting your CNIC images and live selfie; create or participate in an escrow transaction; contact Zimma's customer support; submit a dispute in relation to an escrow transaction; or update your profile or account settings. 

6.2 Automatically
We automatically collect certain technical and usage data when you access or use the Zimma platform, including device identifiers, IP addresses, and app interaction logs. This data is collected through standard technical mechanisms built into the Zimma application. 

6.3 From Third Parties
We may receive or verify personal data from the following third parties: 

AWS Rekognition: Returns the results of the biometric comparison between your live selfie and your CNIC photograph, confirming whether the faces match and the confidence level of that match.
Veevo Tech: Provides delivery confirmation and status reports for SMS OTPs sent to users' registered mobile numbers.
United Bank Limited (UBL): May provide transaction confirmation and settlement data related to funds deposited into or released from the Escrow Account.
NADRA: To the extent that Zimma uses NADRA's verification services or NADRA data to validate the authenticity of a user's CNIC, such verification data is obtained from NADRA through permissible channels under the NADRA Ordinance, 2000.

7. Legal Basis for Processing Your Personal Data

Zimma processes your personal data on the following legal grounds, consistent with the principles established under the Personal Data Protection Bill, 2023: 

a. Performance of a Contract: The processing of your identity data, CNIC information, and escrow transaction data is necessary to provide you with Zimma's escrow services and to fulfil our contractual obligations to you as a user. 

b. Legal Obligation: We are required to collect and retain certain categories of personal data to comply with our obligations under the SECP AML/CFT Regulations 2018, the AML Act 2010, the PS&EFT Act 2007, and other Applicable Laws. We cannot waive or limit the processing required by these legal obligations. 

c. Legitimate Interests: We process device data, usage logs, and certain communications data on the basis of our legitimate interest in operating a secure, functional, and fraud-resistant platform, provided that such processing does not override your fundamental privacy rights. 

d. Consent: We process your biometric data on the basis of your explicit consent, which you grant during the KYC process. You may not withdraw consent to biometric processing while remaining an active user of the Zimma platform, as biometric verification is a mandatory requirement of our KYC process. If you withdraw consent to biometric processing, your Zimma account will be suspended pending re-verification or closure.

8. How We Use Your Personal Data

8.1 Identity Verification and KYC Compliance
We use your full name, CNIC number, CNIC images, live selfie, and biometric matching results to verify your identity before granting you access to escrow transaction services. This process complies with Customer Due Diligence (CDD) requirements under the SECP AML/CFT Regulations 2018 and the AML Act 2010. No user may create or participate in an escrow transaction on the Zimma platform without successfully completing this verification. 

8.2 Escrow Account Opening and Management
We use your verified identity data and contact information to create and maintain your Zimma account, associate you with escrow transactions, and maintain accurate records of your role (Buyer or Seller) in each transaction. 

8.3 Escrow Transaction Processing
We use your financial data and transaction details to receive and hold funds deposited by Buyers into the Escrow Account; record the terms and status of each escrow transaction; release funds to the Seller upon confirmed satisfaction, or return funds to the Buyer where applicable; and maintain an auditable trail of all escrow events for regulatory and dispute resolution purposes. 

8.4 Dispute Resolution
Where a dispute arises in relation to an escrow transaction, we use the data you and your counterparty have submitted — including transaction records, communications, and supporting evidence — to investigate and resolve the dispute in accordance with Zimma's Dispute Resolution Policy. 

8.5 OTP Authentication
We use your registered mobile number to deliver OTPs via SMS through Veevo Tech for account registration, login verification, and transaction authorization. OTPs are time-limited and single-use. 

8.6 Anti-Money Laundering and Counter-Terrorism Financing
We use your identity data and transaction data to screen for suspicious activity, monitor transaction patterns, and file Suspicious Transaction Reports (STRs) with the Financial Monitoring Unit (FMU) where required under Applicable Laws. 

8.7 Fraud Prevention and Security
We use device data, usage logs, and behavioral information to detect and prevent unauthorized access, fraud, account compromise, and other malicious activities on the Zimma platform. 

8.8 Regulatory Compliance and Legal Obligations
We process and retain personal data to the extent necessary to comply with our obligations to the Securities and Exchange Commission of Pakistan (SECP), the Financial Monitoring Unit (FMU), NADRA, law enforcement agencies, and courts of competent jurisdiction, including in response to lawful orders, subpoenas, and regulatory enquiries. 

8.9 Customer Support
We use your contact information and communications data to respond to your queries, complaints, and support requests. 

8.10 Platform Improvement
We use anonymized and aggregated usage data (which does not identify individual users) to analyze platform performance, improve features, and enhance user experience.

9. Escrow-Specific Data Processing

Given the nature of Zimma's business as Pakistan's first dedicated escrow and buyer protection service, the following additional data processing considerations apply to escrow transactions: 

9.1 Transaction Counterparty Disclosure
When you create or join an escrow transaction, Zimma will share your verified name and certain contact details with your counterparty (Buyer or Seller) to the extent necessary to facilitate the transaction. This is a necessary and unavoidable feature of escrow operations and does not constitute a breach of confidentiality. 

9.2 Escrow Record Integrity
All records of escrow transactions — including the amounts deposited, the agreed conditions, transaction statuses, and event timestamps — are maintained with a high standard of integrity and cannot be unilaterally altered by either the Buyer or the Seller after the transaction has been created. Zimma maintains these records for the protection of both parties. 

9.3 Fund Release Authorization
Zimma processes instructions to release funds from escrow only upon receiving the required authorization triggers as defined in the applicable transaction terms. The processing of release instructions constitutes a data processing event and is logged in full. 

9.4 Disputed Transactions
Where an escrow transaction is placed in dispute, Zimma will retain all data associated with that transaction — including communications, evidence uploaded by both parties, and transaction records — for the duration of the dispute process and for a period thereafter as required by Applicable Laws. 

9.5 Failed Transactions
Where an escrow transaction is cancelled, voided, or otherwise fails to complete, Zimma retains the associated transaction data in accordance with the retention schedule set out in Section 13.

10. Biometric Data — Special Category

10.1 What We Collect and Why
During the KYC verification process, Zimma captures a live selfie of you using your device's camera. This live selfie image, together with the photograph extracted from your CNIC, is submitted to AWS Rekognition, which performs an automated facial comparison to determine whether the two images belong to the same individual. Biometric data is classified as a special category of sensitive personal data under the Personal Data Protection Bill, 2023, and under internationally recognized data protection standards. We process this data exclusively for the purpose of mandatory identity verification. 

10.2 Consent and Purpose Limitation
Your explicit consent to biometric processing is obtained during the KYC onboarding flow. This consent is specific to the purpose of identity verification for escrow platform access. Zimma does not use your biometric data for any other purpose, including marketing, profiling, or the training of artificial intelligence models. 

10.3 AWS Rekognition
AWS Rekognition is a service provided by Amazon Web Services, Inc. When your live selfie and CNIC photograph are submitted for comparison, this data is transmitted to AWS Rekognition's processing infrastructure. Zimma has entered into appropriate data processing agreements with Amazon Web Services to ensure that biometric data is processed solely for the purpose of performing the comparison and is not retained by AWS Rekognition for any independent purpose. Users should also review Amazon Web Services' privacy documentation for further information on their data handling practices. 

10.4 Storage of Biometric Data
Zimma retains your CNIC photographs and live selfie image in encrypted storage for the duration of your account existence and for the legally required retention period thereafter. Biometric facial recognition data generated by AWS Rekognition (i.e., the comparison output, confidence score, and associated metadata) is retained as part of your KYC record. 

10.5 Withdrawal of Consent
If you wish to withdraw your consent to biometric processing, you must notify Zimma in writing at hello@zimma.com.pk. Please note that because biometric verification is mandatory for escrow platform access, withdrawal of consent will result in the suspension or closure of your Zimma account and the return of any escrowed funds in accordance with applicable transaction terms.

11. Third Parties With Whom We Share Your Personal Data

Zimma does not sell your personal data to third parties. We do not share your personal data with third parties for advertising or marketing purposes. We share your personal data only in the circumstances and with the parties described below: 

11.1 AWS Rekognition (Biometric Verification)
Your live selfie and CNIC photograph are transmitted to AWS Rekognition for biometric facial comparison during the KYC process. This transmission is governed by our data processing agreement with Amazon Web Services, Inc. 

11.2 Veevo Tech (SMS OTP Delivery)
Your registered mobile phone number is shared with Veevo Tech solely for the purpose of delivering OTPs via SMS. Veevo Tech is contractually restricted from using your mobile number for any purpose other than OTP delivery on Zimma's behalf. 

11.3 United Bank Limited (UBL) — Escrow Bank
Certain transaction-level data, including PKR amounts and transaction references, is necessarily shared with UBL in connection with the operation of Zimma's Escrow Account. UBL is subject to its own regulatory obligations under applicable Pakistani banking law. 

11.4 Transaction Counterparties
As set out in Section 9.1, your verified name and necessary contact details are shared with your counterparty in an escrow transaction for the purpose of facilitating that transaction. 

11.5 Regulatory and Law Enforcement Authorities
Zimma will disclose personal data to competent authorities, including but not limited to: the Securities and Exchange Commission of Pakistan (SECP); the Financial Monitoring Unit (FMU) of Pakistan, in the form of Suspicious Transaction Reports (STRs) or Currency Transaction Reports (CTRs) where required under the AML Act, 2010 and the SECP AML/CFT Regulations 2018; the National Database and Registration Authority (NADRA), for identity verification purposes; law enforcement agencies, upon receipt of a lawful order, warrant, or direction from a competent authority under Pakistani law; and courts of competent jurisdiction, in connection with any legal proceedings to which Zimma or a user is a party. Such disclosures will be made strictly to the extent required by law and will be documented by Zimma. 

11.6 Professional Advisors
Zimma may share personal data with its legal advisors, auditors, and accountants where necessary for the provision of professional services, subject to appropriate confidentiality obligations. 

11.7 Corporate Transactions
In the event of a merger, acquisition, restructuring, or sale of all or part of Zimma's business, personal data may be disclosed to prospective or actual buyers and their advisors as part of due diligence, subject to appropriate confidentiality undertakings. Users will be notified of any such transfer that materially affects the processing of their personal data.

12. Cross-Border Data Transfers

Zimma is a Pakistani company and operates primarily within Pakistan. However, the use of AWS Rekognition may involve the transmission of biometric data to Amazon Web Services' cloud infrastructure, which may be hosted in data centers located outside Pakistan. 

Where such cross-border transfers occur, Zimma ensures that: 

a. The transfer is made pursuant to a data processing agreement with Amazon Web Services, Inc. that includes appropriate data protection safeguards;
b. The receiving party processes the data only for the specific purpose for which it was shared (biometric comparison) and in accordance with applicable data protection standards;
c. Such transfers are conducted in compliance with the cross-border data transfer provisions of the Personal Data Protection Bill, 2023, as and when those provisions come into full force. 

All escrow transaction data, KYC records (excluding the biometric comparison computation performed by AWS), financial records, and user account data are stored on servers within Pakistan or on cloud infrastructure subject to equivalent protections.

13. Data Retention

Zimma retains your personal data for the following periods: 

13.1 KYC and Identity Data
KYC records, including your CNIC number, CNIC images, live selfie, biometric comparison results, and verified identity data, are retained for a minimum of five (5) years from the date of account closure or the last active escrow transaction, whichever is later. This retention period is consistent with the record-keeping requirements under the SECP AML/CFT Regulations 2018 and the AML Act, 2010. 

13.2 Escrow Transaction Records
All records of escrow transactions, including deposit confirmations, transaction terms, status history, fund release records, and dispute records, are retained for a minimum of ten (10) years from the date of the transaction, in accordance with Section 12 of the Rules for Payment System Operators and Payment Service Providers (SBP) and Section 7 of the PS&EFT Act 2007, to the extent applicable to Zimma's operations. 

13.3 Account Data
General account information (name, phone number, email address, device data) is retained for the duration of your account and for five (5) years after account closure. 

13.4 Communications and Support Records
Records of communications with Zimma's support team are retained for three (3) years from the date of the communication. 

13.5 OTP Records
OTP delivery records (mobile number, timestamp, delivery status) are retained for one (1) year from the date of delivery. 

13.6 Legal Hold
Notwithstanding the above retention periods, Zimma may retain personal data for longer periods where required by a court order, regulatory direction, or ongoing legal proceeding, or where such data is relevant to an unresolved dispute, investigation, or AML/CFT concern. In such circumstances, data will be retained until the relevant matter is finally resolved. 

13.7 Deletion
Upon the expiry of the applicable retention period, personal data will be securely deleted or anonymized such that it can no longer be associated with an identifiable individual, subject to any obligations that require its continued retention.

14. Data Security

Zimma implements technical, organizational, and physical security measures designed to protect your personal data against unauthorized access, disclosure, alteration, loss, or destruction. These measures include: 

Encryption: Personal data, including CNIC images and biometric selfie images, is stored in encrypted form using industry-standard encryption protocols. Data transmitted between your device and Zimma's systems is protected using Transport Layer Security (TLS) encryption. 

Access Controls: Access to personal data is restricted to Zimma personnel and authorized service providers who have a legitimate need to access it for the purposes described in this Privacy Policy. Access is governed by role-based access control policies. 

OTP Authentication: All user logins and critical transaction actions require OTP verification via SMS, delivered through Veevo Tech using sender ID "ZIMMA," to authenticate that the action is being performed by the registered account holder. 

Biometric Verification: AWS Rekognition biometric matching is used during KYC to confirm that the person registering is the genuine holder of the CNIC presented. 

Audit Trails: All data access events, transaction processing events, and administrative actions on user data are logged and maintained in audit trails. 

Incident Response: Zimma maintains a data breach response procedure. In the event of a personal data breach that poses a risk to users' rights, Zimma will notify affected users and, where required, the relevant regulatory authority, without undue delay and within the timeframe required by Applicable Laws. 

Third-Party Security: Zimma requires all third-party service providers who process personal data on its behalf — including AWS and Veevo Tech — to maintain appropriate technical and organizational security measures. 

Notwithstanding the foregoing, no security system is impenetrable. Zimma cannot guarantee that its security measures will prevent all unauthorized access. Users are responsible for maintaining the security of their own devices, login credentials, and registered mobile numbers.

15. Your Rights as a Data Subject

Subject to the provisions of the Personal Data Protection Bill, 2023, and other Applicable Laws, you have the following rights in relation to your personal data: 

15.1 Right to Access
You have the right to request confirmation of whether Zimma holds personal data about you, and to receive a copy of that data, together with information about the purposes for which it is processed. 

15.2 Right to Correction
You have the right to request the correction of inaccurate personal data that Zimma holds about you. Where your CNIC data is incorrect, you must provide updated CNIC documentation as evidence before a correction can be made. 

15.3 Right to Erasure
You may request the deletion of your personal data. However, Zimma cannot delete data that it is legally required to retain under Applicable Laws, including KYC and transaction records subject to mandatory retention periods under AML/CFT regulations. In such cases, we will inform you of the specific legal obligation preventing deletion. 

15.4 Right to Restrict Processing
You may request that Zimma restrict the processing of your personal data in certain circumstances, for example where you contest the accuracy of the data or where you have objected to processing. 

15.5 Right to Data Portability
To the extent provided for under Applicable Laws, you may request that Zimma provide your personal data in a structured, machine-readable format. 

15.6 Right to Object
You may object to the processing of your personal data where Zimma relies on legitimate interests as the legal basis for processing. Zimma will assess your objection and cease the relevant processing unless it can demonstrate compelling legitimate grounds that override your interests. 

15.7 Right to Withdraw Consent
Where processing is based on your consent — in particular, biometric data processing — you may withdraw your consent at any time. As noted in Section 10.5, withdrawal of consent to biometric processing will result in the suspension or closure of your Zimma account. 

15.8 How to Exercise Your Rights
To exercise any of the rights described above, please submit a written request to:
Email: hello@zimma.com.pk
Subject Line: Data Subject Rights Request
Post: Zimma Solutions (Private) Limited, House 1123, Street 10, G-14/4, Islamabad Urban, ICT 42600, Pakistan 

Zimma will verify your identity before processing any data subject rights request. We will respond to valid requests within thirty (30) calendar days, or within any shorter period required by Applicable Laws. Zimma reserves the right to refuse requests that are manifestly unfounded, excessive, or would require the deletion of data subject to mandatory legal retention obligations. Where a request is refused, we will provide you with a written explanation.

16. Cookies and Device-Level Data

The Zimma mobile application does not use browser cookies. However, the application does collect certain device-level data as described in Section 5.5 of this Privacy Policy, including device identifiers, operating system information, and app usage logs. This data is used solely for the purposes described in this Privacy Policy, including security, fraud prevention, and platform improvement. 

Zimma's website (www.zimma.com.pk) may use standard web cookies for analytics and operational purposes. Any such cookie usage will be disclosed separately through a cookie notice on the website.

17. Children's Privacy

The Zimma platform is intended for use exclusively by adults. To register on the Zimma platform, you must be at least eighteen (18) years of age and be the holder of a valid CNIC issued by NADRA. NADRA issues CNICs to Pakistani citizens who have reached the age of majority. 

Zimma does not knowingly collect personal data from persons under the age of eighteen (18). If Zimma becomes aware that it has inadvertently collected personal data from a minor, it will take immediate steps to delete that data and close the associated account.

18. Changes to This Privacy Policy

Zimma may update this Privacy Policy from time to time to reflect changes in our services, data processing activities, or Applicable Laws. When we make material changes to this Privacy Policy, we will: 

a. Publish the updated Privacy Policy on the Zimma application and website with a revised "Last Updated" date;
b. Notify registered users via in-app notification and, where appropriate, by SMS to their registered mobile number or by email;
c. Where required by Applicable Laws, obtain your renewed consent to any new processing activities. 

Your continued use of the Zimma platform following notification of changes to this Privacy Policy shall constitute your acceptance of the revised Privacy Policy. If you do not agree to the revised Privacy Policy, you must cease using the Zimma platform and may request account closure by contacting hello@zimma.com.pk.

19. Complaints and Grievances

If you have a complaint about the way Zimma has processed your personal data, you are encouraged to contact us in the first instance using the details in Section 20. We will acknowledge your complaint within forty-eight (48) hours and endeavour to resolve it within fourteen (14) calendar days. 

If you are not satisfied with Zimma's response to your complaint, you may escalate the matter to the relevant regulatory authority. Currently, data protection complaints in Pakistan may be directed to: 

Securities and Exchange Commission of Pakistan (SECP)
SECP Building, Constitution Avenue, Islamabad
Website: www.secp.gov.pk 

As the PDPB 2023 regime matures and a formal data protection authority is established under Pakistani law, Zimma will update this section accordingly.

20. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact us: 

Zimma Solutions (Private) Limited
House 1123, Street 10, G-14/4
Islamabad Urban, ICT 42600
Pakistan

Email: hello@zimma.com.pk
Website: www.zimma.com.pk 

We are committed to addressing your concerns promptly and transparently.

This Privacy Policy is published in English and constitutes the legally binding version. In the event of any conflict between this Privacy Policy and any translated or summarized version, the English version shall prevail. 

Governing Law: This Privacy Policy is governed by and shall be construed in accordance with the laws of the Islamic Republic of Pakistan. Any dispute arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Islamabad, Pakistan.