1. Scope & data controller
This Privacy Policy describes how TW IP BARE Portal Security (“we”, “us”, “our”) processes personal data when you visit https://tw.bareip.com, create an account, place orders, complete identity verification, use community or support features, or otherwise interact with our Platform.
We are established in and primarily operate under the laws of the Islamic Republic of Pakistan. For EU/UK GDPR purposes, we are generally the data controller for personal data described in this policy. Where the Personal Data Protection Act, 2023 (PDPA) applies, we process personal data in accordance with its principles of lawful processing, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.
When you register, you must accept this Privacy Policy together with our Terms of Service. We record your acceptance (version, timestamp, and related metadata) as described in Section 2.1 and our Terms.
This policy should be read together with our Terms of Service.
2. Data we collect
We collect only what we need to operate the Platform, fulfill orders, meet legal obligations, and protect users. Categories include:
2.1 Account & authentication data
- Username, email address, internal user ID, role, and account status;
- Firebase authentication identifiers and session tokens;
- Password reset and sign-in activity (handled via Firebase; we do not store plaintext passwords);
- Terms acceptance records — version of Terms and Privacy Policy accepted, timestamp, and IP address at registration (and on re-acceptance if required).
2.2 Order, billing & payout data
- Service type, country, duration, payment method references, amounts, and order status;
- Client name and order notes you submit;
- Payout preferences such as Airtm email or Binance ID for share-earnings features;
- Renewal and replacement request details.
2.3 Delivery data
- Credentials, setup instructions, package titles, and delivery messages sent to your account;
- Delivery timestamps, reference numbers, and delivery history.
2.4 Identity verification (KYC) data
Where required, we may collect:
- Government-issued identity documents and photographs you upload;
- Selfie or liveness images where enabled;
- Verification status, reviewer notes, rejection reasons, and audit metadata;
- Approximate location or device signals used for fraud prevention where permitted and disclosed at collection.
2.5 Communications
- Support tickets, contact-form messages, mailbox notifications, and community posts;
- Transactional emails (order updates, delivery notices, KYC outcomes).
2.6 Technical & security data
- IP address, browser type, device information, and timestamps;
- Security logs, anti-abuse signals, Turnstile verification tokens, and audit trails;
- API and session logs needed to investigate incidents and prevent fraud.
2.7 Data you choose not to provide
If you do not provide required data (for example, KYC documents where mandated), we may be unable to provide some or all services.
3. Purposes & legal bases
We process personal data only where we have a lawful basis under applicable law — including PDPA 2023 (Pakistan), GDPR Article 6, and comparable frameworks:
| Purpose | Typical data | Legal basis |
|---|---|---|
| Creating and managing your account | Account & auth data | Contract (Art. 6(1)(b)) |
| Processing orders, renewals, replacements & deliveries | Order, delivery, billing data | Contract |
| Share-earnings & payout administration | Payout details, transaction history | Contract / Legal obligation |
| Identity verification & fraud prevention | KYC data, security logs | Legal obligation, Legitimate interests (Art. 6(1)(f)), or Consent where required |
| Platform security & abuse prevention | Technical data, Turnstile signals | Legitimate interests — securing the Platform and users |
| Transactional notifications | Email, order status | Contract / Legitimate interests |
| Support & dispute handling | Communications, account history | Contract / Legitimate interests |
| Legal, tax & regulatory compliance | Records required by law | Legal obligation (Art. 6(1)(c)) |
| Recording Terms & Privacy acceptance at registration | Account data, acceptance metadata | Contract / Legal obligation / Consent |
Where we rely on legitimate interests, we balance our interests against your rights and implement safeguards such as access controls and data minimization. You may object to certain processing as described in Section 9.
Special-category data in KYC documents (which may reveal biometric or nationality information) is processed only where necessary for verification, fraud prevention, or legal compliance, with appropriate safeguards.
6. International data transfers
Your data may be processed in Pakistan and in other countries where our infrastructure providers operate, including the United States (Firebase and related cloud services).
Under the PDPA 2023, cross-border transfers of personal data from Pakistan are permitted where adequate safeguards exist, the data subject has consented, or another lawful mechanism applies. We use contractual and technical safeguards with subprocessors and limit transfers to what is necessary to operate the Platform.
When we transfer personal data from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities;
- supplementary technical and organizational measures (encryption in transit, access controls, minimization);
- provider certifications or frameworks where applicable.
You may request more information about transfer safeguards by contacting us.
7. Data retention
We keep personal data only as long as necessary for the purposes above:
- Account data — for the life of your account plus a reasonable period after closure for disputes, fraud prevention, and legal compliance;
- Orders & deliveries — typically for the service relationship and audit period required for business and tax records;
- KYC documents — for as long as required by applicable anti-fraud and compliance obligations, then deleted or anonymized unless law requires longer retention;
- Security logs — generally rolling retention appropriate to incident investigation (often 30–365 days depending on log type);
- Support messages — retained while the ticket is open and for a follow-up period for quality and dispute resolution.
When data is no longer needed, we delete or irreversibly anonymize it. Backups may persist for a limited technical window before overwrite.
8. Security measures
We apply measures proportionate to the sensitivity of the data, including:
- HTTPS encryption for data in transit;
- role-based access controls for administrative functions;
- authentication via Firebase and session management best practices;
- audit logging for sensitive admin actions;
- anti-abuse and bot protection on public forms;
- restricted access to KYC document storage.
No method of transmission or storage is 100% secure. Please use strong passwords and protect delivered credentials.
If we discover a breach affecting your personal data, we will notify you and relevant authorities as required by applicable law — including PDPA breach-notification obligations (once in force), GDPR Articles 33–34, and comparable Pakistan requirements under PECA 2016 where applicable.
9. Your privacy rights
Depending on your location, you may have the following rights:
- Right of access — obtain confirmation and a copy of your data;
- Right to rectification — correct inaccurate or incomplete data;
- Right to erasure — request deletion where grounds apply (for example, data no longer needed or consent withdrawn);
- Right to restriction — limit processing in certain circumstances;
- Right to data portability — receive data you provided in a structured, machine-readable format where processing is automated and based on contract or consent;
- Right to object — object to processing based on legitimate interests or direct marketing;
- Right to withdraw consent — where processing is consent-based, without affecting prior lawful processing;
- Right not to be subject to solely automated decisions — see Section 13.
How to exercise your rights: email admin@tw.bareip.com with the subject “Privacy rights request”. Include your username, email, and the right you wish to exercise. We will verify your identity before acting on sensitive requests. We respond within 30 days (extendable where permitted by law, including complex GDPR requests, with notice).
Under the PDPA, you may also have rights to correction, erasure, restriction, data portability, and withdrawal of consent where processing is consent-based. We will honor PDPA rights to the extent the Act applies to our processing.
We do not charge a fee unless requests are manifestly unfounded or excessive.
10. Pakistan — PDPA, PECA & local rights
This section applies to individuals in Pakistan and supplements the rest of this policy.
10.1 Constitutional & statutory framework
We respect the right to privacy under Article 14 of the Constitution of Pakistan. Our processing is designed to comply with:
- Personal Data Protection Act, 2023 (PDPA) — lawful, fair, and transparent processing; purpose and storage limitation; security; accountability; and data-subject rights;
- Prevention of Electronic Crimes Act, 2016 (PECA) — we do not authorize unlawful access, harassment, or misuse of personal data, and we cooperate with lawful requests from competent authorities;
- Electronic Transactions Ordinance, 2002 — electronic records of consent and transactions may be relied upon where the law permits.
10.2 Cross-border processing
Where personal data of Pakistan residents is transferred outside Pakistan, we implement safeguards described in Section 6 and processor agreements appropriate to the PDPA.
10.3 Complaints in Pakistan
Please contact us first at admin@tw.bareip.com. You may also lodge a complaint with the National Commission for Personal Data Protection (NCPDP) once it is fully operational under the PDPA, or pursue remedies before competent courts in Pakistan where applicable law allows.
10.4 Sensitive & KYC data
Identity documents and related KYC data may include sensitive personal data. We process such data only where necessary for verification, fraud prevention, or legal compliance, with restricted access and retention limits as described in Sections 2 and 7.
11. GDPR & UK GDPR — additional information
11.1 Lawful processing summary
We process personal data transparently, for specified purposes, and limit collection to what is adequate and relevant (data minimization). We maintain accuracy and integrity through account tools and support channels.
11.2 Data Protection Officer
We have not appointed a formal DPO where not required by law. Privacy inquiries are handled by our team at admin@tw.bareip.com.
11.3 Supervisory authority complaints
If you are in the EU or EEA, you may lodge a complaint with your local data protection authority. UK residents may contact the Information Commissioner’s Office (ICO). We encourage you to contact us first so we can address your concern.
11.4 Records of processing
We maintain internal records of processing activities as required by GDPR Article 30 for organizations subject to that obligation.
12. California & US state privacy
If you are a California resident, you may have rights under the CCPA/CPRA including:
- to know what personal information we collect, use, and disclose;
- to delete personal information (subject to exceptions);
- to correct inaccurate personal information;
- to opt out of “sale” or “sharing” — we do not sell or share personal information for cross-context behavioral advertising;
- to non-discrimination for exercising privacy rights.
Submit requests to admin@tw.bareip.com. We will verify your request as permitted by law. Authorized agents may submit requests with proof of authorization.
Residents of other US states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, and others) may have similar rights — contact us and we will honor applicable requirements.
13. Children & age limits
The Platform is not directed to anyone under 18 years of age (the age of majority in Pakistan for contractual eligibility on this Platform). We do not knowingly collect personal data from children. If you believe someone under 18 has provided data to us, contact admin@tw.bareip.com and we will delete it promptly.
In the EU/EEA or UK, where a lower age of digital consent applies (typically 13–16), we still require users to meet our minimum age of 18 to register for paid services and KYC-related features.
14. Automated decision-making & profiling
We use automated systems for fraud prevention, bot detection (including Turnstile), and routing security events. KYC outcomes involve human review by authorized administrators — we do not make solely automated decisions that produce legal or similarly significant effects about you without human oversight.
15. Changes to this policy
We may update this Privacy Policy to reflect legal, technical, or business changes. The effective date at the top will be revised. Material changes will be communicated through the Platform or email where appropriate. Please review this page periodically.
16. Contact & complaints
Data controller: TW IP BARE Portal Security (Pakistan)
Privacy & data protection inquiries: admin@tw.bareip.com
Website: https://tw.bareip.com
General terms: Terms of Service