Privacy Policy

Tapsys Merchant · A Tapsys product · Last updated 25 May 2026

This Privacy Policy explains how Tapsys (Private) Limited ("Tapsys", "we", "us") collects, uses, stores, and shares information when you use the Tapsys Merchant Android application (the "App") and the related backend services (the "Service").

Tapsys Merchant operates within the State Bank of Pakistan ("SBP") RAAST instant-payment framework and settles to your own SBP-regulated bank account. This policy is written to satisfy Google Play, the Meta (Facebook) Platform Terms, and the data-handling expectations of an SBP-regulated payment workflow.

1. Information we collect

1.1 Information you provide directly

1.2 Information collected automatically

1.3 Information stored only on your device

The Khata (customer ledger) feature is privacy-isolated. Customer names, phone numbers, amounts owed, memos, and reminder text live exclusively in your phone's local storage. Tapsys servers never receive any of this data. Android's standard "Backup & Restore" service may copy the local Khata database to your own Google Drive (encrypted by Google); this happens between your device and Google, with no Tapsys involvement.

2. How we use information

3. Who we share information with

We do not sell your personal information. We share narrowly defined categories of data with the following processors, each strictly necessary to operate the Service:

Banking partner(s) regulated by SBP: To route incoming RAAST payments to your IBAN and to execute outgoing settlement payouts. Receives your IBAN, settlement amount, and a per-payout reference.
Google (Firebase Cloud Messaging): Receives your device's FCM registration token and the payload of push notifications we send to you (e.g. "Rs 1,200 received from Hassan Raza"). Governed by Google's Privacy Policy.
Meta Platforms, Inc.: Receives app-event names (e.g. fb_mobile_activate_app), the Google Advertising ID where available, and your mobile number hashed locally by the SDK for cross-device attribution. Governed by Meta's Privacy Policy. See Section 4.
MPAY SMS gateway (Pakistan): Receives your mobile number and the OTP body when an SMS-channel OTP is dispatched. Used only for OTP delivery; no analytics.
SBP, FBR, or other Pakistani authorities: On a valid legal request, we may disclose transaction records as required by Pakistani law.

4. Meta (Facebook) SDK disclosure

The App integrates the Meta SDK (react-native-fbsdk-next, App ID 2067476170503882) for app analytics and ad attribution. Specifically:

How to opt out of Meta tracking

5. Data retention

6. Security

7. Your rights and choices

8. Children

Tapsys Merchant is a B2B payment tool intended for adult merchants and is not directed at children under the age of 18. We do not knowingly collect data from children. If you believe a child has provided us information, contact [email protected] and we will delete it.

9. International transfers

Some of our processors (Google / Firebase, Meta) operate servers outside Pakistan. By using the App you consent to your data being transferred to those processors under their respective privacy frameworks.

10. Changes to this policy

We may update this Policy from time to time. Material changes will be announced inside the App and the "Last updated" date at the top of this page will change. Continued use of the App after a change constitutes acceptance of the revised policy.

11. Contact

Tapsys (Private) Limited
Email: [email protected]
For privacy-specific concerns: [email protected]