1 Who We Are
DropMandi ("we", "us", "our") is Pakistan's AI-powered dropshipping marketplace, operated at dropmandi.com. We connect buyers, sellers and dropshippers across Pakistan.
| Detail | Information |
|---|---|
| Platform Name | DropMandi |
| Website | dropmandi.com |
| Contact Email | customercare@dropmandi.com |
| Privacy Email | customercare@dropmandi.com |
| Operating Country | Islamic Republic of Pakistan |
| Applicable Law | Pakistan Electronic Crimes Act 2016 (PECA), E-Commerce Policy 2019, Prevention of Electronic Crimes Act |
2 Information We Collect
2.1 Information You Provide
- Registration Data: Full name, email address, phone number, city, province, password
- KYC Documents: CNIC number, CNIC front/back photos, selfie, business registration (for businesses)
- Bank Details: Bank name, account title, IBAN for payout processing
- Business Information: Business name, NTN number, SECP registration, GST number
- Product Listings: Product names, descriptions, images, videos, prices
- Order Information: Shipping address, phone, delivery instructions
- Communications: Complaints, tickets, chat messages with Dua AI
2.2 Information We Collect Automatically
- Location Data: City/province detected via browser geolocation (with your permission)
- Device Information: Browser type, operating system, device type
- Usage Data: Pages visited, products viewed, search queries, time spent
- IP Address: For security, fraud prevention and location detection
- Login Activity: Login times, login counts, last active date
Geolocation: We request your location during registration to auto-fill your city. This is optional and you can skip it. We never track your location continuously.
2.3 Information from Third Parties
- Payment processors (JazzCash, EasyPaisa) — transaction status only
- Courier companies (TCS, Leopard) — tracking information
- FBR — tax filer status verification
- Facebook/Meta — Public Profile (name, profile picture) and email address when you use Facebook Login (see Section 12)
3 How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Create and manage your account | Contract performance |
| Process orders and payments | Contract performance |
| KYC identity verification | Legal obligation (SBP, FBR) |
| Calculate and deduct withholding tax | Legal obligation (FBR) |
| Send order updates and notifications | Contract performance |
| Send marketing emails (with consent) | Consent |
| Fraud detection and prevention | Legitimate interest |
| Improve our platform | Legitimate interest |
| Comply with court orders | Legal obligation |
| Resolve complaints and disputes | Contract performance |
| Facebook Login — account creation & identity verification | Contract performance |
4 Information Sharing
We do NOT sell your personal data. We share data only in these circumstances:
- Between Buyers & Sellers: Shipping address and phone shared with seller for order fulfillment
- Dropshippers: See product info and order details — NOT buyer's personal contact details
- Payment Partners: Name, amount and transaction ID to JazzCash/EasyPaisa/bank
- Courier Partners: Name, phone and address to TCS/Leopard for delivery
- FBR (Federal Board of Revenue): Transaction data for tax compliance as legally required
- Law Enforcement: When required by Pakistani law, court order or FIA
- Fraud Prevention: With banks and financial institutions when fraud is suspected
We Never Share: Your CNIC details, bank account numbers, passwords, or Facebook/Meta personal data with any third party except as legally required by FBR or court order.
5 Data Security
- Passwords: Hashed using bcrypt — never stored in plain text
- SSL/TLS: All data is transmitted over an encrypted HTTPS connection
- Database: Access restricted to authorized personnel only
- KYC Documents: Stored in secured server folders, not publicly accessible
- OTP Verification: All sensitive actions require OTP verification
- Session Security: Secure session management with automatic timeout
- Upload Security: PHP execution disabled in upload folders
Data Breach Notification: In case of a data breach affecting your personal data, we will notify you via email within 72 hours of becoming aware of the breach, as required by Pakistan's cyber crime laws. If the breach involves Facebook Login data, we will also notify Meta Platforms as required by their Data Processing Terms.
6 KYC & Identity Verification
KYC (Know Your Customer) is mandatory for sellers and dropshippers who wish to receive payouts above Rs 5,000.
We Collect for KYC:
- CNIC number and expiry date
- CNIC front and back photos
- Live selfie for liveness verification
- Business registration documents (for businesses)
- NTN certificate (for sole proprietors and companies)
- For GCC-based dropshippers: Passport or Resident ID (Iqama)
KYC Data Usage:
- Identity verification only — not used for marketing
- Shared with FBR when required for tax compliance
- Retained for 7 years as required by financial regulations
- Deleted upon account closure (except where legally required to retain)
CNIC Security: Your CNIC details are encrypted and stored securely. DropMandi staff can only view the last 4 digits of your CNIC for verification purposes.
7 Cookies & Tracking
We Use:
- Session Cookies: To keep you logged in during your visit (deleted when you close your browser)
- Preference Cookies: To remember your language and display preferences
- Security Cookies: To protect against CSRF attacks and fraudulent logins
We Do NOT Use:
- Third-party advertising or tracking cookies from external platforms
- Cross-site tracking
- Fingerprinting or device tracking
| Cookie | Purpose | Duration |
|---|---|---|
| PHPSESSID | Session management — keeps you logged in | Session |
| dm_cookie_consent | Remembers your cookie preference | 1 year |
| dm_cart | Shopping cart contents | 7 days |
| dm_lang | Language preference | 1 year |
You can disable cookies in your browser settings, but this may affect login functionality.
7.1 Automated Decision Making
DropMandi uses automated systems for:
- Tier upgrades: Automatically calculated based on your performance metrics
- Product recommendations: Based on browsing and purchase history
- Risk assessment: Automated fraud detection on transactions
- KYC screening: Initial automated review before human verification
You have the right to request human review of any automated decision that significantly affects you. Contact customercare@dropmandi.com.
8 Your Rights
Under Pakistan's data protection principles and E-Commerce Policy 2019, you have the right to:
| Right | How to Exercise | Response Time |
|---|---|---|
| Access — Get a copy of your data | Email customercare@dropmandi.com | 7 business days |
| Correction — Fix incorrect data | Edit in your profile settings | Immediate |
| Deletion — Delete your account & data | Dashboard → Account Settings | 30 days |
| Portability — Export your data | Email customercare@dropmandi.com | 14 business days |
| Opt-out — Marketing emails | Unsubscribe link in emails | Immediate |
| Facebook Data Deletion | Email customercare@dropmandi.com | 30 days |
| Complaint — Data misuse | PTA or FIA Cybercrime Wing | Per authority SLA |
Data Requests: Send all data-related requests to customercare@dropmandi.com with your DM ID and registered email address for verification.
9 Children's Privacy
DropMandi is strictly for users aged 18 years and above. We do not knowingly collect personal data from minors.
- Age verification is performed during KYC (CNIC shows date of birth)
- If we discover a user is under 18, their account will be immediately suspended
- Parents/guardians who believe their child has registered should contact us immediately at customercare@dropmandi.com
10 FBR & Tax Compliance
As a marketplace operating in Pakistan, DropMandi complies with Federal Board of Revenue (FBR) requirements:
- Withholding Tax (WHT): Deducted from seller payouts as per applicable rates
- Tax Filer Status: We verify filer/non-filer status through FBR IRIS system
- Transaction Reporting: Marketplace transactions reported to FBR as legally required
- NTN Requirement: Corporate and sole proprietor sellers must provide NTN
- Tax Invoices: Generated for each transaction for record keeping
| Seller Type | WHT Rate (Filer) | WHT Rate (Non-Filer) |
|---|---|---|
| Individual Seller | 0.1% | 0.2% |
| Sole Proprietor | 0.1% | 0.2% |
| Corporate | 0.1% | 0.2% |
Tax Records: We maintain transaction records for a minimum of 6 years as required by FBR regulations. These records may be shared with FBR upon request.
11 Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Life of account + 2 years | Business records |
| KYC Documents | 7 years | Financial regulation |
| Transaction Records | 6 years | FBR requirement |
| Order History | 5 years | Consumer protection |
| Chat/Support Logs | 1 year | Quality & training |
| Login Logs | 90 days | Security monitoring |
| OTP Codes | 10 minutes | Security (auto-deleted) |
| Facebook Login Data | Life of account (deleted on request within 30 days) | Account management — Meta Data Deletion Policy |
12 Facebook & Meta Data Integration
DropMandi offers users the option to register and sign in using Facebook Login, a service provided by Meta Platforms, Inc. This integration is designed solely to streamline the account creation process and eliminate the need for manual form entry. When a user chooses to sign in via Facebook, DropMandi requests access only to their Public Profile (which includes their name and profile picture) and their Email Address. We do not request access to friends lists, posts, messages, or any other personal Facebook data beyond what is explicitly stated in this section.
12.1 What Data We Access from Facebook
- Public Profile: Your full name and profile picture
- Email Address: The primary email associated with your Facebook account
We do not access, store, or process any of the following Facebook data: friends list, timeline posts, private messages, likes, check-ins, phone number from Facebook, date of birth from Facebook, or any other permission beyond those stated above.
12.2 How We Use Facebook Data
The information obtained through Facebook Login is used exclusively for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Creating and managing your DropMandi account | Contractual necessity |
| Verifying your identity for platform security | Legitimate interest |
| Sending order confirmations, receipts and account notifications | Contractual necessity |
| Pre-filling your registration form for faster sign-up | Contractual necessity |
This data is stored securely on our servers and is never used for marketing profiling, behavioural tracking, or any purpose beyond those directly necessary to operate your DropMandi account. We process this data on the legal basis of contractual necessity, in full accordance with the General Data Protection Regulation (GDPR) and Meta's Platform Terms of Service.
12.3 Data Protection & Third-Party Sharing
DropMandi does not sell, rent, or share your Facebook-sourced personal data with any third-party advertisers, data brokers, or external organisations. Your data is handled strictly in accordance with this Privacy Policy and applicable data protection laws, including GDPR and Pakistan's PECA 2016.
12.4 Your Right to Delete Facebook Data
Users have the right to request the deletion of their Facebook-sourced personal data at any time. To exercise this right:
- Email us at customercare@dropmandi.com with subject line: "Facebook Data Deletion Request"
- Or submit a data deletion request through your account settings in your DropMandi dashboard
- Or revoke DropMandi's access directly from your Facebook App Settings
Upon receiving a verified deletion request, we will permanently remove all associated Facebook-sourced personal data from our systems within 30 days, in full compliance with our obligations under GDPR and Meta's Data Deletion Requirements. Please note that deleting Facebook data may result in account deactivation if no alternative login method has been set up.
12.5 Meta's Privacy Policy
For information about how Meta collects and uses data in connection with Facebook Login, please refer to Meta's Privacy Policy. DropMandi is an independent controller of the data we collect through this integration and is solely responsible for its processing as described in this section.