Last Updated: March 17, 2026
Effective Date: March 17, 2026
1.1 Purpose of This Policy
At Jafar Ali Tech, we are committed to protecting the privacy and personal data of all individuals, particularly those residing in the European Economic Area (EEA), European Union (EU) member states, and the United Kingdom. This GDPR Policy outlines how we collect, process, store, and protect personal data in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation) and the UK GDPR.
1.2 Scope of Application
This policy applies to:
All personal data processing activities involving EU/EEA residents
All employees, contractors, and processors handling such data
All systems, databases, and processes containing EU/EEA personal data
All third-party services and subprocessors engaged in data processing
1.3 Data Controller Information
Jafar Ali Tech acts as the Data Controller for personal data collected through our platform.
Contact Details:
Email: support@jafaralitech.com
Website: www.jafaralitech.com
Data Protection Officer (DPO): dpo@jafaralitech.com
For the purposes of this policy, the following definitions apply:
Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject")
Processing: Any operation performed on personal data (collection, recording, storage, alteration, retrieval, use, disclosure, erasure, etc.)
Data Subject: The identified or identifiable natural person whose personal data is processed
Data Controller: The entity that determines the purposes and means of processing personal data
Data Processor: The entity that processes personal data on behalf of the Controller
Consent: Freely given, specific, informed, and unambiguous indication of the Data Subject's wishes
Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access
Special Categories: Data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health data, or sex life/orientation
We process personal data only when at least one of the following legal bases applies:
When Used: Marketing communications, optional cookies, feature enhancements
Requirements: Freely given, specific, informed, unambiguous, easily withdrawn
Method: Clear affirmative action (checkbox, button click, settings toggle)
When Used: Account creation, purchase processing, service delivery, customer support
Scope: Processing necessary to fulfill our contractual obligations to you
When Used: Tax record keeping, regulatory compliance, fraud prevention, court orders
Scope: Processing required to comply with EU, member state, or UK law
When Used: Emergency situations involving life or death
Scope: Rarely applicable; processing necessary to protect someone's life
When Used: Not typically applicable to our commercial operations
When Used: Analytics, security, fraud prevention, service improvement, direct marketing (where consent not required)
Requirements: Balancing test conducted; interests do not override Data Subject rights
Documentation: Legitimate Interest Assessments (LIA) maintained internally
We respect and facilitate the exercise of all GDPR rights:
Provided through:
This GDPR Policy
Privacy Policy at www.jafaralitech.com/privacy
Just-in-time notices at data collection points
Layered notice approach (summary + detailed information)
You have the right to obtain:
Confirmation that we process your personal data
Copy of your personal data undergoing processing
Information about processing purposes, categories, recipients, retention periods
Information about data sources (if not collected from you)
Information about automated decision-making
How to Exercise:
Email: support@jafaralitech.com with subject "GDPR Access Request"
In-account: "Download My Data" feature (Settings > Privacy)
Response Time: Within 30 days (extendable to 60 days for complex requests)
Format: Electronic format (JSON, CSV, or PDF)
Cost: Free for first copy; reasonable fee for additional copies
You may request correction of inaccurate or incomplete personal data.
How to Exercise:
Update directly in account settings (instant)
Email support for data requiring verification
Response Time: Without undue delay; typically within 7 days
You may request deletion of personal data when:
Data is no longer necessary for original purposes
You withdraw consent (and no other legal basis applies)
You object to processing (and no overriding legitimate grounds exist)
Data was unlawfully processed
Data must be erased for legal compliance
Data was collected in relation to information society services (child users)
Exceptions (when we may retain data):
Exercise of freedom of expression and information
Compliance with legal obligations
Public interest or official authority
Legal claims establishment, exercise, or defense
How to Exercise:
Email: support@jafaralitech.com with subject "GDPR Erasure Request"
In-account: "Delete My Account" feature
Response Time: Without undue delay; typically within 30 days
Verification: Identity confirmation required
You may request processing restriction when:
You contest accuracy of data (for verification period)
Processing is unlawful but you oppose erasure
We no longer need data but you require it for legal claims
You have objected to processing (pending verification of overriding grounds)
Effect of Restriction:
Data may be stored but not processed
Processing resumes only with consent or for legal claims, protection of rights, or important public interest
You have the right to receive personal data in:
Structured, commonly used, machine-readable format (JSON, XML, CSV)
Format that allows transmission to another controller
Scope:
Data provided by you (not derived or inferred data)
Data processed by automated means
Data processed based on consent or contract performance
How to Exercise:
In-account: "Export My Data" feature
Email request to support@jafaralitech.com
Direct transfer to another controller where technically feasible
Objection to Direct Marketing:
Absolute right to object at any time
Immediate cessation upon objection
Opt-out available in every marketing communication
Settings: Account > Notifications > Marketing Preferences
Objection to Legitimate Interests Processing:
Right to object to processing based on legitimate interests
We must demonstrate compelling legitimate grounds that override your interests, rights, and freedoms
Or demonstrate processing for legal claims
Objection to Research/Statistics Processing:
Right to object unless processing necessary for public interest
We do not engage in solely automated decision-making, including profiling, that produces legal effects or significantly affects you.
If implemented in future:
We will inform you of the logic involved
Significance and envisaged consequences explained
Right to human intervention, express point of view, and contest decision
We implement privacy-by-design principles:
Data Minimization: Collect only necessary data; pseudonymization where possible
Purpose Limitation: Data used only for specified, explicit, legitimate purposes
Storage Limitation: Automatic deletion schedules; data retention policies
Integrity and Confidentiality: Encryption, access controls, security monitoring
Accuracy: Regular data quality checks; update mechanisms
Privacy-friendly defaults (opt-in, not opt-out)
Minimal data collection by default
Restricted data sharing by default
Shortest possible retention periods by default
Technical Measures:
AES-256 encryption for data at rest
TLS 1.3 for data in transit
Multi-factor authentication (MFA) for sensitive operations
Regular security patching and updates
Intrusion detection and prevention systems
Automated backup and disaster recovery
Organizational Measures:
Role-based access control (RBAC)
Regular security training for staff
Confidentiality agreements with processors
Incident response procedures
Regular security audits and penetration testing
Detection and Assessment:
72-hour internal assessment window
Documentation of breach facts, effects, and remedial action
Notification to Supervisory Authority:
Within 72 hours of becoming aware (if high risk to rights and freedoms)
Includes: nature of breach, categories and approximate number of data subjects, likely consequences, measures taken
Communication to Data Subjects:
Without undue delay if high risk
Clear and plain language
Description of breach, DPO contact, measures taken, recommended steps
Our Breach Contact: breach@jafaralitech.com (24/7 monitored)
We have appointed a Data Protection Officer responsible for:
Monitoring compliance with GDPR and our data protection policies
Advising on data protection impact assessments
Cooperating with supervisory authorities
Serving as contact point for data subjects and authorities
Name: [DPO Name - if public]
Email: dpo@jafaralitech.com
Postal Address: [Physical address if required]
Phone: [Optional, for urgent matters]
Response Time: Within 48 hours for standard inquiries; urgent matters prioritized
We maintain detailed records including:
Processing purposes
Categories of data subjects and personal data
Categories of recipients
International transfers documentation
Retention schedules
Security measures summary
Available to supervisory authorities upon request.
We conduct DPIAs for:
Systematic and extensive profiling activities
Large-scale processing of special categories or criminal convictions data
Large-scale systematic monitoring of public areas
New technologies that may impact privacy
Any processing with high risk to rights and freedoms
DPIA includes:
Systematic description of processing
Assessment of necessity and proportionality
Risk assessment to rights and freedoms
Measures to address risks (safeguards, security, mechanisms)
Permitted without additional safeguards
Same GDPR protections apply
Mechanisms Used:
Adequacy Decisions: Transfers to countries with EU adequacy decision (e.g., UK, selected countries)
Standard Contractual Clauses (SCCs): EU Commission-approved SCCs with processors
Binding Corporate Rules (BCRs): For intra-group transfers (if applicable)
Certifications: EU-US Data Privacy Framework (for US transfers, where applicable)
Current Subprocessors and Locations:
Cloud Infrastructure: [Provider], [Location], [Transfer Mechanism]
Payment Processing: [Provider], [Location], [Transfer Mechanism]
Analytics: [Provider], [Location], [Transfer Mechanism]
Email Services: [Provider], [Location], [Transfer Mechanism]
Full list available at: www.jafaralitech.com/subprocessors
Transfer Impact Assessments (TIAs) conducted
Supplementary measures implemented where necessary
Regular review of adequacy decisions and mechanisms
We generally do not process special category data (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health data, sex life/orientation).
If processing occurs (rare and exceptional):
Explicit consent obtained
Employment/social security/protection law obligations
Vital interests protection
Medical diagnosis/treatment (with professional secrecy)
Substantial public interest (with appropriate safeguards)
Legal claims establishment, exercise, or defense
Standard: 16 years old for information society services
Member State Variation: May be lowered to 13 with parental consent
Our Policy: 16 years old; parental consent required for 13-16
Reasonable efforts to verify parental responsibility
Credit card verification or signed consent form
Parental dashboard for monitoring child's activity
Easy withdrawal of consent
Prior consent required for non-essential cookies
Granular consent options (by purpose/category)
Easy withdrawal mechanism
No pre-ticked boxes or assumed consent
Strictly Necessary: Consent Required: No; Purpose: Essential for website functionality
Preferences: Consent Required: Yes; Purpose: Remember settings and choices
Statistics/Analytics: Consent Required: Yes; Purpose: Understand website usage
Marketing: Consent Required: Yes; Purpose: Deliver relevant advertisements
Cookie Policy: www.jafaralitech.com/cookies
Dedicated email: privacy@jafaralitech.com
In-account privacy dashboard
Web form: www.jafaralitech.com/gdpr-request
Identity verification required to prevent unauthorized access
Government ID or account-specific information requested
Third-party requests require signed authorization
Standard: Within 30 days of receipt
Extension: Up to 60 days for complex requests (with notification)
Urgent: Expedited processing for time-sensitive matters
Reasons provided if request refused
Right to lodge complaint with supervisory authority explained
Internal appeal process available
For cross-border processing, our lead supervisory authority is: [Name of Data Protection Authority in our main establishment]
You have the right to lodge a complaint with:
The supervisory authority in your country of residence
The supervisory authority in your place of work
The supervisory authority of the alleged infringement
List of EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en
For UK residents, complaints may be lodged with: Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Helpline: 0303 123 1113
We may update this policy to reflect:
Changes in legal requirements
Changes in our processing activities
New products or services
Improvements to privacy practices
Notification:
Material changes: Email notification to registered users
Minor changes: Posted on website with updated date
Review: Annual review and update at minimum
General Privacy Inquiries:
Email: support@jafaralitech.com
Data Protection Officer:
Email: dpo@jafaralitech.com
Response Time: 48 hours
Data Subject Rights Requests:
Email: privacy@jafaralitech.com
Subject Line: "GDPR Request - [Type of Request]"
In-Account: Settings > Privacy > Exercise My Rights
Security Breaches:
Email: breach@jafaralitech.com (24/7)
Postal Address (for formal notices): Jafar Ali Tech [Full Physical Address] [City, Postal Code] [Country]
Document Title: GDPR Policy
Version: 1.0
Effective Date: March 17, 2026
Last Review: March 17, 2026
Next Review: March 17, 2027
Approved By: Data Protection Officer
Owner: Legal & Compliance Department
© 2026 Jafar Ali Tech. All rights reserved.