Legal

Privacy Policy

Your privacy is fundamental to the trust that makes ielaan work for both advertisers and space owners. This policy explains exactly what we collect, why we need it, and how it stays safe.

Last updated: May 28, 2025Effective: May 28, 2025

1. Overview

ielaan (“we”, “us”, “our”) operates an AI-powered marketplace connecting advertisers with space owners who display ads on smart LED screens. This Privacy Policy describes how we handle personal information across our platform, which is accessible at ielaan.com and via our mobile applications.

By creating an account or using any ielaan service, you agree to the practices described in this policy. If you disagree with any part, please discontinue use and contact us to close your account.

This policy covers all ielaan services: the advertiser web app, the space-owner web app, the Android smart-screen client, and our backend APIs. It does not cover third-party services linked from our platform.

2. Information We Collect

2.1 Information you give us

  • Account data: first name, last name, email address, password (hashed via bcrypt, never stored in plain text), phone number (optional).
  • Business profile: company name, business address, tax registration number, logo, and a short bio visible to counterparties on proposals.
  • Identity verification (KYC): government-issued ID number and document scan for space owners receiving payouts above threshold limits. KYC fields are stored with AES-256 field-level encryption at rest.
  • Ad creative assets: images, videos, and text you upload for campaigns. Stored on AWS S3 and served via CloudFront.
  • Communications: messages sent via the platform's in-app proposal and dispute messenger.

2.2 Information we collect automatically

  • Device & browser: IP address, user agent, browser type, operating system, screen resolution.
  • Usage data: pages visited, features used, click paths, session duration, and error logs.
  • Location: approximate city-level location inferred from IP address for ad-targeting features. We do not collect precise GPS coordinates from web browsers without explicit consent.
  • Device heartbeats (Android client): screen-owner devices send periodic status pings (uptime, current ad playing, device ID). No camera or microphone data is ever collected from smart-screen devices.

2.3 Information from third parties

  • Social sign-in: if you authenticate via Google or LinkedIn, we receive your name, email, and profile photo. We do not receive your contacts or other profile data.
  • Payment processors: Stripe shares tokenised payment method details and transaction status. We never see or store raw card numbers.

3. How We Use Your Information

PurposeLegal Basis
Create and manage your accountContract performance
Process bookings and escrow paymentsContract performance
Verify ad delivery and trigger payoutsContract performance
Send transactional emails (booking confirmations, dispute updates)Contract performance
AI-powered ad creative generation (AI Studio)Consent (opt-in per generation)
Fraud prevention and account securityLegitimate interest
Platform analytics and product improvementLegitimate interest
Marketing emails about new featuresConsent (can be withdrawn any time)
Comply with legal obligations (AML, KYC)Legal obligation

We do not sell your personal data to advertisers, data brokers, or any third party for their own commercial purposes.

4. Sharing & Disclosure

We share your data only in the following circumstances:

  • Between advertisers and space owners: when a proposal is created, limited profile information (name, business name, verified status) is shared with the counterparty to facilitate the booking. Full contact details are not exposed without mutual acceptance.
  • Service providers: AWS (hosting, S3, SES), Stripe (payments), Firebase (push notifications), OpenAI (AI creative generation), Google Maps (location features). Each provider is bound by data-processing agreements.
  • Legal compliance: we may disclose data when required by law, court order, or a government authority with jurisdiction over our operations in Pakistan or Saudi Arabia.
  • Business transfers: in the event of a merger, acquisition, or asset sale, user data may be transferred. We will notify you 30 days in advance and give you the option to delete your account.

5. Payments & Financial Data

All payment processing is handled by Stripe (international) and local PSP partners (Pakistan, Saudi Arabia). ielaan acts as the escrow agent holding funds in a neutral account until ad delivery is verified.

We apply field-level encryption (AES-256) to all stored payment-related fields in our database. Payout bank account details are encrypted at rest and transmitted over TLS 1.3. Raw card numbers are never processed or stored on ielaan servers.

Transaction records (booking amounts, fees, payout history) are retained for seven (7) years to satisfy financial-record obligations in our operating jurisdictions.

6. Cookies & Tracking

We use cookies and similar technologies for authentication, security, and platform analytics. We do not use third-party advertising cookies or cross-site tracking pixels.

CookiePurposeDuration
ielaan_sessionAuthentication (JWT refresh token)30 days
ielaan_csrfCSRF protection on form submissionsSession
ielaan_localeYour preferred language1 year
_analyticsAnonymous platform usage metrics90 days

You can control cookies through your browser settings. Disabling authentication cookies will prevent you from staying signed in.

7. Data Retention

  • Active accounts: retained for as long as your account is open.
  • Closed accounts: personal identifiers are anonymised within 90 days of closure. Aggregated analytics data is retained indefinitely in anonymised form.
  • Financial records: transaction history retained for 7 years per legal obligation.
  • Ad creative assets: deleted 30 days after the associated campaign expires, unless saved to your asset library.
  • Dispute records: retained for 3 years after resolution to support any regulatory review.

8. Security

We implement multiple layers of security to protect your data:

  • TLS 1.3 in transit for all client ↔ server communication.
  • AES-256 encryption at rest for sensitive database fields (KYC, payment data).
  • Mutual TLS (mTLS) between internal microservices in production.
  • JWT access tokens with short expiry (15 min); refresh tokens rotated on use.
  • Signed, short-lived S3 URLs (15 min) for sensitive media; 1 hour for ad creatives.
  • Regular penetration testing and dependency audits via GitHub Dependabot.

In the event of a data breach affecting your personal data, we will notify you and relevant authorities within 72 hours of becoming aware, as required by applicable law.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: request a copy of all personal data we hold about you.
  • Correction: update inaccurate or incomplete data via your account settings.
  • Erasure: request deletion of your account and personal data (subject to legal retention requirements).
  • Restriction: ask us to stop processing your data while you contest its accuracy.
  • Portability: receive your data in a machine-readable format (JSON).
  • Withdraw consent: opt out of marketing communications at any time via account settings or the unsubscribe link in emails.

To exercise any of these rights, email privacy@ielaan.com. We will respond within 30 days.

10. International Transfers

ielaan operates in Pakistan and Saudi Arabia, with cloud infrastructure on AWS (regions: ap-south-1, me-south-1). If you access the platform from the European Economic Area or United Kingdom, your data may be transferred to these regions. We rely on Standard Contractual Clauses (SCCs) as the appropriate transfer mechanism.

11. Children's Privacy

ielaan is a business-to-business platform. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has created an account, contact us at privacy@ielaan.com and we will delete the account promptly.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email and an in-app banner at least 14 days before they take effect. Continued use of ielaan after the effective date constitutes acceptance of the updated policy.

Previous versions of this policy are available on request.

13. Contact Us

For privacy-related enquiries or to exercise your rights:

Data Controllerielaan Technologies Pvt Ltd
Privacy Emailprivacy@ielaan.com
General Supportsupport@ielaan.com
Registered AddressKarachi, Pakistan