Legal, Risk & Compliance
The formal policies that keep TechAbout and its people protected — confidentiality, intellectual property, anti-bribery, whistleblowing, data privacy, and responsible use of AI.
Data Protection & Privacy
This policy explains how TechAbout collects, uses, protects, shares and disposes of personal data — information that identifies a living person. It is the formal policy layer for everyone at TechAbout who handles data, and it protects the people who trust us with theirs: our clients, the candidates who apply to us, and our own employees.
Purpose
People give us their data because they must in order to work with us, apply to us, or be employed by us. That is a form of trust, and this policy sets the rules that keep it. It states the principles we hold ourselves to, so that our handling of personal data is lawful, fair and predictable — not left to chance or to individual habit.
This is the policy layer: what we must do and why. The technical controls that enforce it — encryption, access management, device rules, logging — live in our Information Security book and in Data Security, Devices & Passwords.
Scope / Who This Applies To
This policy applies to every TechAbout employee, contractor and intern, and to any personal data we hold, regardless of where it lives — ERPNext/Frappe, our HRMS and payroll, the ATS recruiting pipeline, our CRM, email, spreadsheets, and any client system we operate. It covers three groups of people whose data we hold:
- Clients and their users — contacts, billing details, and any personal data inside the projects and services we deliver.
- Job candidates — CVs, contact details, application history and interview notes in the ATS and the careers@techabout.com inbox.
- Employees — HR, payroll, identity and performance records.
The Policy
We handle personal data according to a set of principles that map to Pakistan's developing personal data protection framework and, for international-client work, to standards such as the GDPR. Everyone who touches data is expected to follow them:
- Lawful and fair use. Collect and use personal data only when there is a proper basis for it — a contract, a legal obligation, a clear legitimate interest, or the person's consent. Never obtain data by deception.
- Clear purpose. Use data only for the purpose it was collected for. A CV sent to careers@techabout.com is for recruiting, not marketing. If you want to use data for a genuinely new purpose, get a fresh basis first.
- Data minimisation. Collect only what the task needs. Do not ask for extra fields "just in case", and do not copy full datasets when a subset will do.
- Accuracy. Keep records correct and up to date, and fix or delete data you know to be wrong.
- Storage limitation and retention. Do not keep personal data forever. Candidate records, client data and employee files each have a retention period appropriate to their purpose and to law; when it lapses, the data is deleted or anonymised. Do not create private, off-system copies that escape this rule.
- Security. Protect data against loss, theft and unauthorised access using the controls defined in the Information Security book. Access is on a need-to-know basis.
Consent, transfers and third parties
- Consent where needed. Where consent is the basis — for example, keeping a candidate on file for future roles — it must be freely given and specific, and the person must be able to withdraw it.
- Cross-border transfers. We serve clients billed in several currencies, so data sometimes crosses borders. Transfers involving international clients are handled in line with the applicable contract and, where relevant, recognised data-transfer safeguards.
- Vendors and sub-processors. Only share personal data with third parties under an agreement that binds them to protect it, and only for the purpose we engaged them for.
What To Do / How To Report
People have the right to ask what data we hold about them and to have it corrected or deleted, subject to law. When you receive such a data-subject request — or if you suspect data has been exposed, lost or accessed without authorisation — do this:
- Do not attempt to resolve it silently on your own, and do not delete anything to "clean up".
- Forward the request or concern to ethics@techabout.com promptly; report suspected security incidents to security@techabout.com immediately.
- Preserve the relevant records so the request can be handled properly.
Responsibility for coordinating data-protection matters sits with the People and Ethics function; one person may currently hold this role until the team grows.
If you are unsure whether something counts as personal data, treat it as if it does.
Consequences
Mishandling personal data can harm real people and expose TechAbout to legal and financial risk, including under Pakistan's Prevention of Electronic Crimes Act 2016. Breaches of this policy are treated seriously and may lead to disciplinary action under the Code of Conduct, up to and including termination, as well as any action required by law.
The legal references in this policy are general context, not legal advice, and specifics are subject to review by qualified local counsel and current law as Pakistan's data protection framework continues to develop.
Questions? Contact ethics@techabout.com.
Have a compliance question?
When in doubt, ask before you act. Email ethics@techabout.com for anything sensitive.