Tapsys Merchant · A Tapsys product · Last updated 25 May 2026
This Privacy Policy explains how Tapsys (Private) Limited ("Tapsys", "we", "us") collects, uses, stores, and shares information when you use the Tapsys Merchant Android application (the "App") and the related backend services (the "Service").
Tapsys Merchant operates within the State Bank of Pakistan ("SBP") RAAST instant-payment framework and settles to your own SBP-regulated bank account. This policy is written to satisfy Google Play, the Meta (Facebook) Platform Terms, and the data-handling expectations of an SBP-regulated payment workflow.
1. Information we collect
1.1 Information you provide directly
Mobile number in +92 format — used as your account identifier and to deliver one-time passwords (OTPs).
CNIC (Computerised National Identity Card) number — required by SBP KYC rules for onboarding.
Business profile — shop name, category, address (city, area).
Bank account information — IBAN, bank name, branch identifier, and the account holder's name. Used to route your daily settlement payouts.
1.2 Information collected automatically
Device identifiers — Firebase Cloud Messaging (FCM) registration token, used to deliver real-time payment alerts. The Google Advertising ID may be collected by the Meta SDK (see Section 4).
Session metadata — opaque session token bound to a single device, server-side issue/expiry timestamps, IP address of the request, and a user-agent fingerprint.
Transaction records — for every payment accepted via RAAST QR, we store amount, timestamp, payer reference, RAAST RRN, and the recipient IBAN you registered. Refunds are stored with the same fields plus the refund reason category.
App-event metadata — non-PII counters for screen views and button taps (e.g. payouts_viewed, khata_list_viewed) used for product analytics. See Section 4 for the Meta SDK details.
1.3 Information stored only on your device
The Khata (customer ledger) feature is privacy-isolated. Customer names, phone numbers, amounts owed, memos, and reminder text live exclusively in your phone's local storage. Tapsys servers never receive any of this data. Android's standard "Backup & Restore" service may copy the local Khata database to your own Google Drive (encrypted by Google); this happens between your device and Google, with no Tapsys involvement.
2. How we use information
Provide the payment service — issue OTPs, verify your identity, generate your RAAST-enabled QR code, route incoming payments to your registered IBAN, and execute the daily settlement payout.
Communicate with you — payment alerts, refund confirmations, payout notifications, and security notices, delivered via FCM push messages and via SMS through the MPAY SMS gateway (Pakistan).
Improve and secure the App — debug crashes, detect fraudulent or abusive behaviour, throttle abusive OTP requests.
Analytics and ad attribution — Meta App Events / Facebook SDK (see Section 4).
3. Who we share information with
We do not sell your personal information. We share narrowly defined categories of data with the following processors, each strictly necessary to operate the Service:
Banking partner(s) regulated by SBP
To route incoming RAAST payments to your IBAN and to execute outgoing settlement payouts. Receives your IBAN, settlement amount, and a per-payout reference.
Google (Firebase Cloud Messaging)
Receives your device's FCM registration token and the payload of push notifications we send to you (e.g. "Rs 1,200 received from Hassan Raza"). Governed by Google's Privacy Policy.
Meta Platforms, Inc.
Receives app-event names (e.g. fb_mobile_activate_app), the Google Advertising ID where available, and your mobile number hashed locally by the SDK for cross-device attribution. Governed by Meta's Privacy Policy. See Section 4.
MPAY SMS gateway (Pakistan)
Receives your mobile number and the OTP body when an SMS-channel OTP is dispatched. Used only for OTP delivery; no analytics.
SBP, FBR, or other Pakistani authorities
On a valid legal request, we may disclose transaction records as required by Pakistani law.
4. Meta (Facebook) SDK disclosure
The App integrates the Meta SDK (react-native-fbsdk-next, App ID 2067476170503882) for app analytics and ad attribution. Specifically:
The SDK auto-logs three standard events: fb_mobile_activate_app (on cold start), fb_mobile_complete_registration (on first successful OTP verify), and fb_mobile_login (on returning sign-in).
We log a defined set of custom events around onboarding, payment, refund, payout, and notification interactions. No customer names, customer phone numbers, or Khata ledger entries are sent to Meta.
On Android we collect the Google Advertising ID via the SDK; on iOS the IDFA is collected only after you grant App Tracking Transparency consent.
Your mobile number is hashed (SHA-256) on your device by the SDK before it is sent to Meta for advanced matching. Meta never receives the unhashed value from us.
How to opt out of Meta tracking
Android — open Settings → Privacy → Ads (or Google → Ads on some devices) and turn on Opt out of Ads Personalisation, or tap Delete advertising ID. Meta will no longer receive a per-device identifier.
iOS — when the App first launches, the OS shows an App Tracking Transparency prompt. Tap Ask App Not to Track. You can change this later under Settings → Privacy & Security → Tracking.
5. Data retention
Account, KYC and bank-account records — retained for the lifetime of your account plus the period mandated by SBP regulations (currently 5 years) after account closure.
Transaction and settlement records — retained for 5 years after the transaction date, as required by SBP.
OTP challenges — invalidated after first use or 10 minutes, then purged.
Session tokens — invalidated on sign-out, on device change, or after 7 days of inactivity.
Meta event payloads — governed by Meta's retention policy (see their Privacy Policy).
Khata data — stored only on your device; you control retention by uninstalling the App or clearing its data via Android Settings.
6. Security
All client-server communication is over HTTPS / TLS 1.2+ with certificate pinning planned for v1.0.
Mobile-number + OTP sign-in — we do not use shared passwords.
Each session is bound to a single device. Signing in on a new device automatically invalidates the previous session.
Refund actions are gated behind a hold-to-confirm gesture with haptic feedback so a finger-slip cannot send money out by accident.
Server-side data at rest is stored in an SBP-jurisdiction database with restricted, audited access.
7. Your rights and choices
Access — request a copy of the personal data we hold about you by emailing [email protected].
Correction — update your business profile or IBAN from within the App. CNIC corrections require a support request because of the KYC re-check.
Deletion — request deletion of your account and personal data by emailing [email protected]. Transaction records and KYC documents required by SBP for the 5-year retention window cannot be deleted before that window expires.
Opt out of Meta tracking — see Section 4.
Opt out of analytics entirely — uninstall the App. Server-side anonymous service-health logs may persist for up to 90 days.
8. Children
Tapsys Merchant is a B2B payment tool intended for adult merchants and is not directed at children under the age of 18. We do not knowingly collect data from children. If you believe a child has provided us information, contact [email protected] and we will delete it.
9. International transfers
Some of our processors (Google / Firebase, Meta) operate servers outside Pakistan. By using the App you consent to your data being transferred to those processors under their respective privacy frameworks.
10. Changes to this policy
We may update this Policy from time to time. Material changes will be announced inside the App and the "Last updated" date at the top of this page will change. Continued use of the App after a change constitutes acceptance of the revised policy.