Privacy policy

1. Introduction

Welcome to Swich, Pakistan's merchant-focused online payment gateway and QR-based retail ecosystem, operated by Numbers Private Limited ("we," "us," or "Swich"). We are committed to protecting the privacy and personal data of all individuals who interact with our platform including merchants, end users, business partners, and website visitors.

This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Swich website (www.swichnow.), the Swich Merchant Portal, the Swich Retail Portal, our mobile applications, payment APIs, and any related products or services (collectively, the "Platform").

By accessing or using the Platform, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Platform immediately.

2. Information We Collect

We collect the following categories of personal and non-personal information:

2.1 Information You Provide Directly

Identity information: full name, CNIC/NICOP number, date of birth, photograph
Contact information: email address, mobile number, mailing address
Business information: business name, NTN, STRN, business category, merchant registration details
Financial information: bank account details, IBAN, payment card information (tokenised), settlement preferences
Account credentials: username, password (stored in encrypted form), security questions
Communications: messages, support tickets, feedback, and complaints submitted to us

2.2 Information Collected Automatically

Device information: IP address, device type, operating system, browser type and version
Usage data: pages visited, features used, transaction flow interactions, session duration
Transaction data: transaction amounts, timestamps, merchant IDs, QR scan events, payment statuses
Location data: general geolocation derived from IP address; precise location only with your explicit consent
Cookies and tracking technologies (see Section 9)

2.3 Information from Third Parties

Identity verification data from eCIB (SBP Credit Information Bureau), Tasdeeq, NADRA, or other authorised bureaus
KYC/AML screening data from SBP-authorised partners
Bank confirmation data from RAAST, 1LINK, or partner financial institutions
Data shared by merchants about their end customers in connection with payment processing

3. How We Use Your Information

We process your personal data for the following purposes:

3.1 Service Delivery

Processing payment transactions, settlements, and refunds
Onboarding and verifying merchants and users (KYC/AML compliance)
Providing access to and managing accounts on the Swich Portal and Retail Portal
Generating QR codes and facilitating QR-based payments
Delivering Pay In, Pay Out, Bill Out, and Retail payment services

3.2 Legal & Regulatory Compliance

Complying with SBP Payment Systems regulations, FATF recommendations, and AML/CFT obligations
Responding to lawful requests from regulators, courts, or law enforcement authorities
Maintaining transaction records as required by applicable law
Credit risk assessment and NBFC lending compliance where applicable

3.3 Security & Fraud Prevention

Detecting, investigating, and preventing fraud, unauthorised access, and suspicious activity
Monitoring transactions for compliance with SBP transaction limits and sanctions screening
Securing systems and data against cyber threats

3.4 Platform Improvement & Analytics

Analysing usage patterns to improve product features and user experience
Conducting internal research, business intelligence, and cohort analysis
Generating aggregated, anonymised reports for internal and investor purposes

3.5 Communications & Marketing

Sending transactional notifications (payment confirmations, OTPs, alerts)
Providing customer support and responding to queries
Sending promotional offers, product updates, and service announcements (with your consent, where required)

4. How We Share Your Information

We do not sell your personal data. We may share your information in the following circumstances:

4.1 With Service Providers

We engage third-party processors who assist in delivering our services (e.g., cloud infrastructure providers, KYC verification partners, SMS/email gateway providers, fraud detection vendors). All such processors are bound by data processing agreements requiring equivalent protections.

4.2 With Financial Institutions & Payment Networks

Your payment data is shared with acquiring banks, issuing banks, RAAST, 1LINK, and relevant interbank networks as necessary to process transactions.

4.3 With Regulatory & Government Authorities

We will disclose your information to SBP, FBR, FIA, SECP, or other competent authorities where required by law, court order, or regulatory direction, without notice to you where legally prohibited.

4.4 With Group Companies

We may share data with Numbers Global PTE Ltd (Singapore) and other affiliated entities within the Swich group for operational, treasury, and compliance purposes, subject to equivalent data protection standards.

4.5 Business Transfers

In the event of a merger, acquisition, restructuring, or asset sale involving Swich, your personal data may be transferred to the successor entity, subject to the same protections as this Policy.

4.6 With Your Consent

We may share your information with third parties where you have given explicit, informed consent to do so.

5. Data Retention

We retain your personal data only as long as necessary for the purposes set out in this Policy, and in accordance with applicable legal and regulatory requirements:

Transaction records

Minimum 5 years (SBP PSO/PSP Regulations)

KYC & identity documents

5 years from end of relationship or last transaction

Account data

Duration of account + 5 years post-closure

Communication & support logs

3 years

Marketing consent records

Until withdrawal of consent + 1 year

Cookies & analytics data

Up to 13 months from collection

Fraud investigation records

7 years or as directed by competent authority

Upon expiry of retention periods, data is securely deleted or anonymised.

6. Data Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

AES-256 encryption for data at rest; TLS 1.2+ for data in transit
Payment Card Industry Data Security Standards (PCI-DSS) compliant infrastructure
Multi-factor authentication (MFA) for all portal access
Role-based access controls limiting employee access to data on a need-to-know basis
Regular penetration testing, vulnerability assessments, and security audits
Incident response and breach notification procedures

No system is completely secure. In the event of a data breach that is likely to result in risk to your rights, we will notify you and relevant authorities in accordance with applicable law.

7. Your Rights

Subject to applicable Pakistani law and SBP regulations, you have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your data (subject to legal retention obligations)

Right to Object

Object to processing for direct marketing purposes

Right to Withdraw Consent

Withdraw consent for any processing based on consent, at any time

Right to Complain

Lodge a complaint with the relevant regulatory authority

To exercise any of the above rights, please contact us at privacy@swich.com. We will respond within 30 days. We may need to verify your identity before processing your request.

8. Cookies & Tracking Technologies

Our website and applications use cookies and similar technologies to enhance your experience, analyse usage, and support security.

Essential Cookies

Required for platform functionality, login sessions, and security. Cannot be disabled.

Analytics Cookies

Help us understand how users navigate the Platform (e.g., Google Analytics, internal BI tools). Anonymised where possible.

Preference Cookies

Remember your language, currency, and display settings.

Marketing Cookies

Used to deliver relevant advertising and measure campaign effectiveness. Set only with your consent.

You can control cookie settings through your browser preferences or our cookie consent banner. Disabling essential cookies may impair Platform functionality.

9. Cross-Border Data Transfers

Swich operates primarily in Pakistan. Where data is transferred to or processed by entities outside Pakistan (e.g., cloud servers, Numbers Global PTE Ltd in Singapore), we ensure equivalent protections are in place through contractual safeguards, including data processing agreements that meet or exceed the requirements of applicable Pakistani law.

10. Third-Party Links

Our Platform may contain links to third-party websites, merchant storefronts, or partner services. This Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party services you access through our Platform.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. We will notify you of material changes by posting the updated Policy on our website with a revised "Last Updated" date. Where required by law, we will seek your consent before making material changes. Continued use of the Platform following any update constitutes your acceptance of the revised Policy.