Last updated May 13, 2026
Privacy Policy
1. Who we are
Iqbal Technologies operates the client portal at iqbaltechnologies.site. We act as the data controller for personal data you provide when you place an order, communicate through the portal, or use any of our services.
2. Data we collect
- Account profile: name, email, phone, company, country, optional avatar and bio.
- Order and invoice records, including amounts, currency, and any reference numbers you supply.
- Project content: briefs, files you upload, messages you send through project or direct chats.
- Authentication metadata: hashed password (via Supabase Auth), two-factor enrollment status, recovery codes, login timestamps, IP address and user-agent string for security-sensitive events.
- Operational telemetry: error logs (scrubbed of password and token material) and rate-limit counters.
We do not use marketing cookies, advertising trackers, or behavioural analytics. The portal sets only the session cookies that Supabase Auth needs to keep you signed in.
3. How we use it
- To run the portal — create your account, deliver services you ordered, and let you communicate with our team.
- To send transactional email (account setup, password reset, email verification, deletion confirmation, data-export notifications).
- To detect and respond to security incidents (failed logins, role-denial patterns, suspicious uploads).
- To meet legal and tax obligations (invoice and payment record retention).
We do not sell, rent, or share your personal data with anyone for marketing purposes.
4. Retention
We retain data only as long as needed for the purposes above. Specific windows:
| Category | Window | Enforced by |
|---|---|---|
| Audit log entries | 2 years | cron |
| Security event stream (Sentry) | 90 days | sentry |
| Operational error logs (Sentry) | 30 days | sentry |
| In-app notifications (after read) | 90 days | cron |
| Project chat messages (after project completion) | 1 year | cron |
| Direct (1:1 admin↔client) messages | Indefinite while account active | none |
| Orders, invoices, payment records | 7 years | manual |
| Generated data-export ZIPs | 14 days | cron |
Order and payment records are retained 7 years under tax law. When an account is deleted, those records stay but their personally-identifying fields are anonymised in place.
5. Sub-processors
We share data only with the third-party services strictly necessary to run the portal:
- Supabase — Primary database, authentication, file storage. Their privacy policy.
- Vercel — Application hosting, edge delivery, scheduled cron. Their privacy policy.
- Resend — Transactional email delivery. Their privacy policy.
- Sentry — Error monitoring and security-event alerting. Their privacy policy.
- Upstash — Redis-backed rate limiting. Their privacy policy.
See the full sub-processors registry for data categories and regions.
Payoneer. Payoneer is a payment method some clients use externally. The portal collects a Payoneer reference number you paste in yourself, but we do not transmit any data to Payoneer or interact with their systems on your behalf.
6. Your rights
You can:
- Access and export a copy of your data from the portal's Settings page. We email a downloadable ZIP within 24 hours of your request.
- Correct your name and other profile fields from Settings, or email us to correct any field you cannot edit yourself.
- Delete your account from Settings. Deletion is immediate (sign-out + deactivation) and your data is permanently anonymised after a 90-day grace period. Order and payment records stay for tax law with personal fields removed.
- Object to any specific use — email us and we will respond within 30 days.
For all data-subject requests, write to iqbaltechnologies@gmail.com.
7. Security
The portal enforces role-based access control, row-level security on every table, mandatory email verification, optional two-factor authentication for clients and mandatory for admins, file-upload MIME and magic-byte validation, rate limiting on auth endpoints, HTML escaping in all transactional emails, and centralised error monitoring with PII scrubbing. Security-sensitive events (login failures, MFA enrollment, role denials, admin actions) are recorded with IP and user-agent metadata.
8. International transfers
Our infrastructure runs across globally distributed services (Supabase, Vercel, Resend, Sentry, Upstash). See the sub-processors registry for the region each vendor operates in.
9. Changes
When we change this policy materially, we update the "Last updated" date at the top and notify active users by email. Minor wording corrections are made silently.
10. Contact
Privacy questions and data-subject requests: iqbaltechnologies@gmail.com.