Privacy Policy
We take your privacy seriously. This policy outlines our comprehensive data protection practices in accordance with national and international data privacy standards, operated by CLOUD ERP 360 (PRIVATE) LIMITED, the owner of the DIFBR - CE360 platform.
1. Information We Collect
In the course of providing our services, we collect various types of information, including:
- Personal & Business Registration Data: Information you provide during registration and onboarding, such as taxpayer names, official business entity details, business NTN, STRN, CNIC, email addresses, phone numbers, physical addresses, and official FBR integration credentials (API keys, passwords, and security certificates).
- User Access & Role Management Data: Information regarding sub-users, cashiers, accountants, and operators created under your business profile, including their contact info, authentication activity, action logs, and system permissions assigned to them.
- Digital Invoicing & Transaction Data: Comprehensive details of your sales, purchases, withholding taxes, buyer NTN/CNIC/STRN, HS Codes, Unit of Measure (UOM), descriptions of goods/services, tax rates, total invoice amounts, and FBR digital invoicing integration/electronic submission logs.
- Alerts, Notifications & Audit Logs: Logs of system alerts generated, failed transmission notices, SMS/email notifications sent to you or your operators, and security audit records (such as password changes, login attempts, and API credential access).
- Automated & System Information: We automatically collect usage data, IP addresses, browser types, operating systems, session data, and access times when you interact with our platform.
2. Purpose of Data Collection & Management
We process and manage your data for the following lawful purposes in relation to FBR digital invoicing and compliance:
- To provide, operate, maintain, and optimize the digital invoicing and cloud ERP platform.
- To facilitate real-time integration, data processing, formatting, and submission of digital invoices to the Federal Board of Revenue (FBR) systems.
- To enforce role-based user access controls, allowing you to segment and manage who in your organization has authority to create, edit, or submit tax data.
- To deliver essential compliance alerts, FBR API connection failures, token expiration warnings, and real-time email/SMS system notifications.
- To process subscription payments, generate billing details, and manage your account lifecycle.
- To monitor platform performance, detect security breaches, prevent fraud, audit access logs, and troubleshoot technical connection issues.
- To generate sales tax registers, withholding tax records, and internal analytics for your business operations.
3. Data Sharing & Disclosure
We do not sell, rent, or trade your personal or business data to third parties. We disclose your information only in the following regulatory and operational circumstances:
- Federal Board of Revenue (FBR): As a digital invoicing intermediary platform, we transmit your transaction and compliance data (including HS codes, sales volumes, STRN, buyer/seller credentials, and calculated taxes) directly to FBR's servers or endpoints. This transmission is automatically initiated by your operational actions (such as finalizing or saving an invoice) on our platform. In this context, you act as the Data Controller, and the Company acts as the Data Processor.
- Third-Party Service Providers: We share data with trusted cloud infrastructure providers (e.g., servers, database hosts) and payment gateways under strict data protection and confidentiality agreements.
- Legal Requirements: We may disclose information if required to do so by law, subpoena, or in response to valid requests by public authorities or courts of competent jurisdiction in Pakistan.
4. Data Security, Local Caching & Retention Policy
We implement advanced technical and organizational measures to protect your sensitive invoicing and tax data, and we outline our practices as follows:
- Data Encryption & Transmission: We encrypt your data in transit (using SSL/TLS) and at rest on our secure database servers. All integrated government authentication credentials, including FBR API keys, passwords, and security certificates, are stored in encrypted form (using strong, industry-standard AES-256 envelope encryption) to prevent unauthorized decryption or system exposure.
- Logical Tenant Isolation: We isolate subscriber data logically on a database and application level using unique tenant identifiers. This ensures that your business profile, invoicing metrics, employee records, and integration configurations are kept completely separated, preventing cross-tenant data leaks or unauthorized access by other businesses.
- Audit Trails & Security Monitoring: We continuously log platform interactions, including user login events, dynamic IP addresses, API requests, changes to roles and permissions (role-based access models), and FBR submission activities. These audit logs are processed for security analysis and to prevent unauthorized access.
- Session Protection & Multi-Factor Authentication (MFA): We employ secure session handling, automatic session timeouts, and support Multi-Factor Authentication (MFA) on administrator logins to protect accounts against brute-force attacks, phishing, or session hijacking at office workstations.
- Local Browser & ERP Client Caching: To support billing continuity, prevent data loss during internet latency, and maintain operational stability, the platform may cache transactional inputs (including customer names, items, and tax rates) temporarily in local browser storage (such as LocalStorage or IndexedDB) on your ERP host servers, user terminals, or software clients. It is your responsibility to secure these local hosts and user terminals from unauthorized physical or network access.
- Regulatory Retention Period: Due to statutory tax audit requirements in Pakistan, we retain digital invoicing, FBR submission logs, and transactional records for the mandatory data retention period of seven (7) years to ensure compliance with tax audit and record-keeping laws, even if you deactivate or terminate your account.
5. User Rights regarding Personal Data
Depending on your jurisdiction, you may have the right to access, correct, update, or request deletion of your personal data. You may also have the right to restrict processing or request data portability. Please note that data already transmitted to FBR cannot be deleted or altered through our platform, and any amendments or credit/debit notes must be processed in compliance with FBR rules. To exercise your rights, please contact our Data Protection Officer.
6. Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date. Continued use of our platform after such modifications constitutes your acknowledgment of the modified Privacy Policy.
Privacy Inquiries & Data Protection Officer
If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact our Legal and Privacy team.