← Policy Center

Data Protection Policy

The security discipline behind every dashboard, CRM, and ad account we touch.

2 min read Effective  1 August 2026 Last updated  1 August 2026 Privacy & Data Protection

Purpose

Beyond our own website, Fanaar is frequently entrusted with access to a client's CRM, advertising accounts, and customer data in order to deliver commercial growth Services. This policy describes the standards we apply to that data, distinct from the personal data addressed in our Privacy Policy.

Scope

Applies to personal data Fanaar processes in the course of delivering Services to a client — for example, customer records in a CRM, advertising audience data, or analytics data — as well as Fanaar's own operational data. Specific data-handling instructions agreed in a Master Services Agreement or Statement of Work take precedence over this general policy in the event of a conflict.

Policy Statement

Our role

Where Fanaar processes a client's customer data to deliver Services (for example, running a CRM or ad platform on the client's behalf), we act on the client's documented instructions, comparable to a "data processor" role under internationally recognised data protection frameworks. Where Fanaar collects data directly through our own website or enquiries, we act in a "data controller" capacity, as described in our Privacy Policy.

Security measures

  • Access to client systems and data is restricted to team members who need it to deliver the relevant Service;
  • Multi-factor authentication and secure password practices on all Company and client-facing accounts, where available;
  • Encrypted device storage and secure networks for handling client data;
  • No storage of client data on personal or unmanaged devices or cloud accounts.

Data minimisation

We request and retain only the data reasonably necessary to deliver the agreed Services, and do not repurpose a client's customer data for any use outside that client's engagement.

Breach notification

Should Fanaar become aware of a security incident affecting a client's data, we will notify the affected client without undue delay, consistent with international best practice of notification within 72 hours of becoming aware of a confirmed breach, and will take reasonable steps to investigate and remediate.

Retention & deletion

Upon termination of an engagement, Fanaar will return or delete client data in our possession within a reasonable period, save for data we are required to retain by law or under the record-retention terms of the relevant Master Services Agreement (including, where applicable, Financial Records retained for Performance Fee verification purposes).

Regulatory context

As with our Privacy Policy, this Data Protection Policy is applied as a matter of Company standard ahead of comprehensive Pakistani data protection legislation, and will be updated as that legislation develops.

Client Responsibilities

  • Ensure you have a lawful basis and, where applicable, consent for any personal data you provide to Fanaar or grant us access to.
  • Provide clear, documented instructions regarding how your customer data should be handled.

Fanaar's Responsibilities

  • Process client data only on documented instructions and for the purposes of the engagement.
  • Maintain the security measures described above.
  • Notify clients promptly of any confirmed security incident affecting their data.
  • Return or delete client data at the end of an engagement, subject to lawful retention requirements.

Contact Information

Data protection queries can be directed to [email protected] with the subject line "Data Protection".

Fanaar
Lahore, Punjab, Pakistan