We collect personal data only to the extent necessary for the purposes described in this policy. The categories of data we may collect include:

A. Data you provide directly:

• Full name, designation and organisation
• Contact details: email address, telephone number, postal address
• Enquiry details, messages submitted via our contact form or chat widget
• Information provided during client onboarding (NTN, CNIC/Passport, company registration details, financial data necessary for the engagement)

B. Data collected automatically when you visit our website:

• IP address and approximate geographic location
• Browser type, version, and device information
• Pages visited, time on site, referral source
• Cookie identifiers (see our Cookie Policy)

C. Data received from third parties:

• Publicly available information (company registry, regulatory databases)
• Referrals from existing clients or professional contacts
• Information obtained from IECnet network member firms for cross-border engagements

We use your personal data for the following purposes:

• Responding to enquiries — to answer questions submitted via our website, email, or telephone.
• Providing professional services — to fulfil our contractual obligations to clients, including audit, tax, advisory, secretarial, and related services.
• Client relationship management — to maintain records of our interactions, manage ongoing engagements, and communicate relevant updates.
• Regulatory & statutory compliance — to comply with ICAP, FBR, SECP, and other legal obligations imposed on a professional services firm.
• Website analytics — to understand how our website is used and improve its functionality and content (using anonymised/aggregated data where possible).
• Marketing communications — to send newsletters, professional updates, and service announcements to existing clients and opted-in contacts. You may unsubscribe at any time.
• Security & fraud prevention — to protect our website, systems, and clients from unauthorised access, fraud, or abuse.

We will not use your personal data for purposes incompatible with those stated above without your prior consent.

We process personal data on the following legal grounds:

• Contract — processing is necessary for the performance of a contract with you (e.g., providing professional services).
• Legal Obligation — processing is required to comply with applicable laws and regulations (e.g., ICAP Code of Ethics, Anti-Money Laundering Act, Companies Act 2017, Income Tax Ordinance 2001).
• Legitimate Interest — processing is necessary for our legitimate business interests (e.g., website security, client relationship management, service improvements), provided such interests are not overridden by your rights.
• Consent — where we rely on your consent (e.g., marketing emails, certain cookies), you may withdraw that consent at any time without detriment.

We do not sell, rent, or trade your personal data to third parties. We may share it in the following limited circumstances:

• Service providers — trusted third parties who support our operations (e.g., cloud hosting, IT services, email delivery, accounting software) under strict data processing agreements.
• IECnet network member firms — where cross-border or specialist services are required, with your knowledge and in accordance with applicable data protection laws.
• Regulatory authorities — ICAP, FBR, SECP, FATF-related bodies, courts, or law enforcement where we are legally required or permitted to do so.
• Professional advisors — legal, insurance, and financial advisors bound by confidentiality obligations.
• Business transfers — in the event of a merger, acquisition, or restructuring, your data may be transferred as part of that transaction, subject to the same privacy protections.

All third-party data processors are bound by appropriate contractual safeguards and are not permitted to use your data for their own purposes.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, audit, and professional obligations.

• Client engagement records — retained for a minimum of seven (7) years after the conclusion of an engagement, as required by ICAP professional standards and Pakistani tax law.
• Website enquiries & chat logs — retained for up to twelve (12) months unless a client relationship follows.
• Marketing contact data — retained until you unsubscribe or withdraw consent.
• Website analytics data — aggregated data is retained indefinitely; individual identifiable data is retained for up to twenty-six (26) months.

When data is no longer required, it is securely deleted or anonymised in accordance with our data destruction procedures.

Subject to applicable law, you have the following rights regarding your personal data:

To exercise any of these rights, please contact us at info@iecnet.com.pk. We will respond within 30 days. Note that some rights may be limited where we have overriding legal obligations (e.g., statutory retention requirements).

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

• SSL/TLS encryption for data transmitted to and from our website
• Access controls and role-based permissions for staff
• Secure cloud-based storage with reputable providers
• Regular staff training on data protection and information security
• Periodic review of our security practices and privacy controls
• Confidentiality obligations embedded in all staff contracts and client engagement letters

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and the relevant authority without undue delay, as required by applicable law.

As a member firm of the global IECnet network, we may in limited circumstances transfer personal data to network firms or service providers located outside Pakistan. Where such transfers occur, we ensure they are subject to appropriate safeguards, including:

• Standard contractual clauses approved by the relevant data protection authority;
• Transfers to countries recognised as providing an adequate level of data protection; or
• Your explicit informed consent where required.

We will not transfer your data internationally unless we have a lawful basis and appropriate safeguards in place.

Our website and professional services are directed exclusively at business professionals and adult individuals. We do not knowingly collect personal data from anyone under the age of 18.

If you believe we have inadvertently collected personal data from a minor, please contact us immediately at info@iecnet.com.pk and we will take prompt steps to delete such information.

Our website may contain links to third-party websites, including regulatory bodies (ICAP, FBR, SECP), professional associations, and our global network. This Privacy Policy does not apply to those external sites.

We are not responsible for the privacy practices of third-party websites and encourage you to read their privacy notices before providing any personal information.

We review and update this Privacy Policy periodically to reflect changes in our practices, applicable law, or regulatory guidance. The "Last Reviewed" date at the top of this page indicates when the policy was most recently revised.

For material changes that significantly affect how we process your data, we will provide notice via a prominent website announcement or direct communication to existing clients. Your continued use of our website or services after any update constitutes acceptance of the revised policy.

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact our Data Protection Officer:

• IECnet SKSSS, Chartered Accountants
• Suite 209, Parsa Tower, Plot 31-1-A, Block-6, PECHS, Main Sharea Faisal, Karachi, Pakistan
• Email: info@iecnet.com.pk
• Tel: +92 (0)21 34150811-3

If you are not satisfied with our response, you have the right to lodge a complaint with the Pakistan Telecommunication Authority (PTA) as the designated supervisory authority under the PDPA, or with the supervisory authority in your country of residence if you are located in the EEA.

We take all privacy complaints seriously and will acknowledge receipt within five (5) working days.