Privacy Policy

1. Introduction

Xora Studio (“we,” “us,” “our,” or “Company”) is committed to protecting your privacy and ensuring you have a positive experience on our website and when using our services. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, contact us, or engage us for our digital solutions services, including web design and development, branding and identity, AI automation systems, and digital marketing.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our website or services. By accessing our website or using our services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

2. Information We Collect

2.1 Information You Provide Directly

We collect personal information that you voluntarily provide when you:

  • Contact us through our website, email, phone, or other communication channels
  • Request a project quote or consultation
  • Submit contact forms or inquiry forms
  • Engage us to provide services
  • Subscribe to our newsletter or communications
  • Make payment for our services

Types of information collected: name, email address, phone number, company name, job title; project details, requirements, and preferences; business information relevant to your service request; payment information (bank account details, Payoneer account, EasyPaisa information, or card details processed through secure payment gateways); and any other information you choose to provide.

2.2 Information Collected Automatically

When you visit our website, we automatically collect certain technical information, including device type, operating system, browser type and version, IP address, cookies and similar technologies (see Section 7), pages visited and time spent on them, general location based on IP address (not GPS-level precision), and analytics data via Google Analytics 4.

2.3 Information from Third Parties

We may receive information about you from third-party service providers (hosting, email, communication platforms), analytics and advertising partners, business partners and referral sources, publicly available information and databases, and social media platforms if you interact with us there.

3. Legal Basis for Processing Your Data

We collect and process your personal information on the following lawful bases:

  • Consent: We process data with your explicit consent for specific purposes (e.g., newsletter signup, communication preferences).
  • Contract: Processing is necessary to fulfill a contract with you or to provide services you have requested.
  • Legal obligation: We are required to process certain data to comply with legal obligations (e.g., tax records, Pakistan E-Commerce Ordinance compliance).
  • Legitimate interests: We process data for our legitimate business interests, such as improving services, security, analytics, and marketing, always balanced against your privacy rights.

4. How We Use Your Information

4.1 Service Delivery

We use your information to respond to enquiries and communicate with you about services; provide, deliver, and improve our web design, development, branding, AI automation, and digital marketing services; develop customised solutions; manage projects via our Client Portal (portal.xorastudio.com); process invoices and payments; and maintain project records (drafts kept as needed; final deliverables deleted after 28 days).

4.2 Communication and Marketing

We use your information to send service updates, newsletters, and promotional communications (with your consent); share industry insights and case studies; conduct surveys and feedback requests; provide customer support; and send legal and administrative notices.

4.3 Website and Service Improvement

We analyse website traffic and user behaviour via Google Analytics 4, identify technical issues, test new features, and personalise your experience on our website.

4.4 Marketing and Advertising

We create targeted marketing campaigns and retargeting ads (currently via Google Ads; Facebook and LinkedIn ads may be used in the future), measure campaign effectiveness, and conduct market research. We create only aggregated, non-identifiable analytics reports for external use.

4.5 AI and Automation

We use AI tools (including ChatGPT and Claude) for content generation, optimisation, and analysis; automated email responses and client communication; Google Analytics automation for predictive analytics and reports; and AI automation services delivered to clients as part of our core offerings. Both manual and automated decision-making processes are used for client management and service delivery. See Section 13 for full details.

4.6 Security and Compliance

We use your information to detect, prevent, and address fraud, abuse, and security incidents; protect our legal rights; comply with legal obligations and court orders; and maintain accurate records for business and legal purposes.

4.7 Business Operations

We use your information for internal business analytics, staff training and quality assurance, improving service delivery, and strategic planning.

5. Third-Party Services & Data Sharing

5.1 Service Providers

We work with trusted third-party service providers who process data on our behalf, including:

  • Hosting & infrastructure: Hostinger (website hosting and email), cloud storage and backup services, CDN providers
  • Communication & collaboration: Gmail, Hostinger Email Service, Microsoft Teams, Zoom
  • Client management: Custom Client Portal (portal.xorastudio.com)
  • Analytics & performance: Google Analytics 4
  • Advertising & marketing: Google Ads (currently active); Facebook Pixel and LinkedIn Ads (planned for future use)
  • Payment processing: Bank transfer and wire transfer processors, Payoneer, EasyPaisa, and future processors such as Stripe or 2Checkout
  • Design, development & AI: Adobe Suite, ChatGPT, Claude, and other AI tools for content optimisation and analysis

5.2 Data Sharing Practices

We do not sell, rent, trade, or lease your personal information to third parties, share your data for unauthorised marketing purposes, or disclose personal information without your consent (except as required by law).

We do share data with third-party service providers under contractual Data Processing Agreements (DPAs); when required by law, court order, or government request; with your explicit permission or at your direction; in aggregated or anonymised form for research and analytics; and to protect our legal rights, privacy, security, or safety.

Our Data Processing Agreements define each party’s roles, required security standards, restrictions on subcontracting, data deletion obligations, and breach notification procedures. All service providers bound by a DPA are prohibited from using your data for their own purposes and must comply with applicable data protection laws.

6. Data Retention

We retain personal information only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required by law or business necessity.

  • Project files & deliverables: Final output deleted 28 days after project completion
  • Project drafts & working files: Retained as long as reasonably necessary for business, reference, and support purposes
  • Client contact information: Retained for 1 year after the last interaction or service completion
  • Enquiry data: Retained for 1 year after the last enquiry
  • Newsletter subscribers: Retained until unsubscribed
  • Analytics and usage data: Typically 14 months (per Google Analytics default)
  • Backup data: 30–90 days before permanent deletion
  • Payment records: 3–7 years for legal, tax, and accounting compliance

When data is no longer needed, we securely delete or anonymise it, unless legal or regulatory requirements demand longer retention.

7. Cookies & Tracking Technologies

7.1 What Are Cookies?

Cookies are small data files stored on your device that help us recognise you and enhance your experience on our website. We use cookies and similar technologies to remember your preferences, track website usage, enable essential functionality, measure marketing effectiveness, and serve personalised or retargeted advertisements.

7.2 Cookie Categories at a Glance

Category | Purpose | Examples | Can be declined?
Essential | Core site functionality, security, Client Portal sessions | Session cookies, login tokens | No (site breaks without them)
Analytics | Understand traffic, popular pages, and user behaviour | Google Analytics 4 | Yes
Functional | Remember preferences and settings for a better experience | Language, display preferences | Yes
Marketing | Track conversions and serve relevant retargeting ads | Google Ads Pixel (active); Facebook & LinkedIn Pixels (planned) | Yes

7.3 Cookie Consent and Management

For EU/UK visitors (GDPR compliance): A cookie consent banner is displayed on first visit. Non-essential cookies require prior explicit consent. Users can accept all, decline non-essential, or customise preferences. Consent preferences are saved and respected.

For all visitors: You can manage cookie preferences through your browser settings. Disabling non-essential cookies may affect website functionality and personalised experience.

7.4 Opt-Out Options

8. Data Security & Protection

8.1 Security Measures

We implement comprehensive technical, organisational, and administrative safeguards including SSL/TLS encryption (HTTPS) for data in transit; restricted access controls so only authorised staff can access personal data; multi-factor authentication for staff accounts and the Client Portal; regular security assessments and vulnerability testing; data minimisation practices; secure storage on access-restricted servers (Hostinger); regular data backups; staff training on data protection; and documented incident response procedures.

8.2 Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by GDPR or applicable law
  • Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • Investigate the incident promptly and implement corrective measures to prevent recurrence
  • Cooperate fully with relevant authorities

You are responsible for maintaining the confidentiality of your Client Portal login credentials, protecting your device from unauthorised access, and notifying us immediately of any suspected security breach.

8.3 Security Limitations

While we implement strong security measures, no method of online transmission or electronic storage is completely secure. We cannot guarantee the absolute security of your data.

9. International Data Transfers

9.1 Transfer Mechanisms

We operate in Pakistan and provide services worldwide. When we transfer your personal data internationally (for example, to cloud services hosted in the United States or EU), we rely on the following safeguards as applicable:

  • Standard Contractual Clauses (SCCs): We use the European Commission’s approved SCCs for transfers of EU/EEA personal data to countries without an adequacy decision, including transfers to our service providers in Pakistan or the United States.
  • Adequacy decisions: Where the European Commission or another competent authority has determined that a third country provides an adequate level of data protection, we rely on that decision.
  • Processor agreements: All third-party processors receiving personal data from EEA or UK data subjects are bound by Data Processing Agreements (DPAs) that incorporate appropriate transfer safeguards.
  • Consent: Where no other mechanism applies and the transfer is non-repetitive, we may rely on your explicit consent.

You may request information about the specific transfer mechanism used for your data by contacting us at contact@xorastudio.com.

9.2 Your Rights Regarding International Transfers

You have the right to request information about the mechanisms used for international transfers, withdraw consent for international transfers (which may affect service delivery), and contact us if you have concerns about your data being transferred outside your country.

10. Your Privacy Rights

10.1 GDPR Rights (EU/EEA/UK Residents)

  • Right of access: Request access to personal data we hold about you
  • Right of rectification: Request correction of inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”): Request deletion of your data under certain circumstances
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Request your data in a portable, machine-readable format
  • Right to object: Object to certain types of processing, including direct marketing
  • Right to withdraw consent: Withdraw consent for data processing at any time, without affecting the lawfulness of prior processing
  • Right to lodge a complaint: File a complaint with your local data protection authority
  • Right to explanation: Receive an explanation of any automated decision-making or profiling that significantly affects you

10.2 CCPA Rights (California Residents)

  • Right to know: Request what personal information we collect, use, and share
  • Right to delete: Request deletion of personal information collected from you
  • Right to correct: Request correction of inaccurate personal information
  • Right to opt-out: Opt-out of the sale or sharing of personal information
  • Right to limit: Limit use and disclosure of sensitive personal information
  • Right to non-discrimination: Exercise privacy rights without discrimination

10.3 Other Privacy Rights

Depending on your jurisdiction, you may have additional rights under PIPEDA (Canada), LGPD (Brazil), PDPA (Thailand), POPIA (South Africa), the Pakistan Electronic Commerce Ordinance (2005), or applicable state and provincial privacy laws. We are committed to honouring all applicable privacy rights within your jurisdiction.

To exercise any of these rights, see Section 16 (Submitting Privacy Requests).

11. Marketing & Communication Preferences

We send marketing emails, newsletters, and promotional content only to individuals who have opted in or with whom we have an existing business relationship. Every marketing email includes a clear unsubscribe link.

You can manage your preferences by clicking the “Unsubscribe” link in any marketing email, updating your preferences in your Client Portal account, or contacting us at contact@xorastudio.com. We will honour opt-out requests within 5–7 business days. Note: we may still send transactional emails related to services you have requested, project updates, or your Client Portal account.

California residents: We do not sell or share your personal information in exchange for monetary compensation. If you believe we are doing so contrary to this policy, please contact us immediately.

12. External Links & Third-Party Websites

Our website may contain links to third-party websites, social media platforms, and external services. We are not responsible for the privacy practices, content, accuracy, or security of external sites, data collection by third parties, or third-party payment processors. When you click external links or leave our website, you are subject to the privacy policies of those services. We encourage you to review their privacy policies before providing personal information.

13. AI, Automation & Automated Decision-Making

13.1 Use of AI and Automation

As a digital studio offering AI automation services, we use artificial intelligence and automated systems both internally and for client services. Internally, we use ChatGPT and Claude for content generation, analysis, and creative assistance; Google Analytics 4 for automated reporting and predictive analytics; automated email responses and client communication workflows; and automated lead scoring and client prioritisation. For clients, we develop AI automation solutions including content generation, data analysis, marketing automation, customer journey mapping, and predictive analytics.

13.2 Automated Decision-Making & Profiling

We use automated tools to assist our team in prioritising responses and allocating resources. These tools use signals such as enquiry volume, project type, and communication history to surface information for our team — they do not make decisions about clients independently.

All consequential decisions — including those affecting service delivery, pricing, and client relationships — are made by a human member of our team. Automated outputs are a reference aid only; they are never the sole basis for any decision that affects you.

Your rights under GDPR Article 22: If you believe an automated process has produced an outcome that affects you significantly, you have the right to: (a) request human review of that decision; (b) express your point of view; and (c) contest the outcome. Contact us at contact@xorastudio.com to exercise this right at any time.

14. Children’s Privacy

14.1 Our Own Services

Our website and direct services are not directed to children under the age of 13 (or under 16 where required by applicable law, such as GDPR). We do not knowingly collect personal information directly from children. If we become aware that we have independently collected personal information from a child under the applicable minimum age without verifiable parental consent, we will promptly delete that information. If you believe we have collected information from a child, please contact us immediately at contact@xorastudio.com.

14.2 Client Projects Involving Children’s Data

Xora Studio may be engaged to design or develop websites and digital tools for educational institutions (schools, colleges, universities) or other organisations that serve children. In these cases:

  • The client institution acts as the data controller for any children’s personal data processed through the platform we build.
  • Xora Studio acts solely as a data processor operating on the instructions of the client institution.
  • We require all client institutions engaging us for such projects to confirm they hold appropriate legal authority and parental consent (where required) to collect and process children’s data.
  • We do not use children’s personal data processed on behalf of a client institution for any of our own marketing, analytics, or profiling purposes.
  • If our services for such a project involve the deployment of third-party analytics tools (e.g., Google Analytics) on pages accessible to children, we will work with the client institution to configure those tools in a manner appropriate for children’s data, such as disabling personalisation features and advertising cookies.
  • Where applicable, such projects are governed by a separate Data Processing Agreement (DPA) that sets out our obligations as a processor.

If you are a parent or guardian and believe that a website or platform built by Xora Studio has collected your child’s personal data without appropriate consent, please contact us at contact@xorastudio.com and we will work with the relevant client institution to address your concern.

15. Data Protection Contact

Xora Studio does not currently meet the thresholds that mandate the formal appointment of a Data Protection Officer (DPO) under GDPR Article 37. However, we have designated a responsible contact for all privacy and data protection enquiries:

Data Protection Contact – Xora Studio
Muhammad Usman (CEO & Data Protection Lead)
Email: contact@xorastudio.com
Phone: +92 349 4059660
Address: Xinua Mall, Gullberg III, Lahore, Pakistan
Website: www.xorastudio.com

We will respond to data protection enquiries within 5–7 business days, and within the legally required timeframes for formal rights requests (30 days under GDPR, 45 days under CCPA).

Founders & Leadership

  • Muhammad Ahmad — Founder
  • Muhammad Usman — CEO

16. Submitting Privacy Requests

To exercise your privacy rights (access, correction, deletion, portability, opt-out, etc.), please submit a request to contact@xorastudio.com with the subject line: “Privacy Request – [Your Name]”, including your full name and contact information, the specific nature of your request, relevant dates or timeframes, and proof of identity (for security verification).

We will verify your identity to protect your privacy, respond within applicable legal timeframes (5–7 days for standard requests; 30 days for GDPR; 45 days for CCPA), and provide the requested information or explain why we cannot fulfil the request. We make no charge for reasonable requests; excessive or repetitive requests may incur a small administrative fee.

Filing a Formal Complaint

If you are not satisfied with our response, you have the right to file a formal complaint with your local data protection authority:

  • EU/UK: Your national Data Protection Authority (e.g., ICO in the UK, CNIL in France)
  • California: California Attorney General
  • Canada: Office of the Privacy Commissioner of Canada
  • Pakistan: Relevant legal or regulatory authority, where applicable

17. Payment Information Security

We accept bank transfers (Pakistan and international wire transfers), Payoneer, and EasyPaisa. Bank account details and payment information are treated with the highest confidentiality. Payment data is never stored on our website servers. All payment transactions comply with Pakistani banking regulations and international standards. Payment processors maintain their own regulatory and security compliance. We do not retain full payment card information after transactions are completed.

18. Client Portal Security

Our Client Portal (portal.xorastudio.com) provides secure project management and service order tracking. Login credentials are sent via secure email upon service engagement. Multi-factor authentication is available for enhanced security. Sessions time out after inactivity. All communications within the portal are encrypted. Access is restricted to authorised client users only.

All project files, communications, and orders are stored securely. Final deliverables are deleted 28 days after project completion. Clients can request data export or deletion as per their privacy rights under Section 10.

19. Policy Updates & Amendments

We may update this Privacy Policy periodically to reflect changes in our data collection and processing practices; new technologies, services, or AI tools we introduce; changes in applicable laws and regulations; feedback from users and stakeholders; and business expansions or new service offerings.

When we make material changes, we will update the “Last Updated” date at the top of this page. For significant changes affecting your rights, we will provide prominent notice via email notification, a website banner, or a Client Portal notification. Changes take effect immediately upon posting unless stated otherwise. Your continued use of our website or services after changes constitutes acceptance of the updated policy.

20. Compliance with Applicable Laws

This Privacy Policy is designed to comply with:

  • GDPR (General Data Protection Regulation) — EU/UK
  • CCPA and CPRA (California Consumer Privacy Act / California Privacy Rights Act) — USA
  • PIPEDA (Personal Information Protection and Electronic Documents Act) — Canada
  • Pakistan Electronic Commerce Ordinance (2005) — Pakistan
  • Pakistan Personal Data Protection Bill — we are monitoring this legislation and will update this policy promptly upon enactment
  • LGPD (Brazil), PDPA (Thailand), POPIA (South Africa)
  • Universal Declaration of Human Rights — Article 12 (right to privacy)
  • Other applicable data protection and privacy laws in jurisdictions where we operate

We are committed to ongoing compliance with all applicable regulations in jurisdictions where we operate and serve clients globally.

Effective Date: May 7, 2026  |  Last Updated: May 8, 2026  |  Document Version: 2.2

Founder: Muhammad Ahmad | CEO: Muhammad Usman

Xinua Mall, Gullberg III, Lahore, Pakistan  |  www.xorastudio.com
