Privacy Policy
Effective date: 19 May 2026 · Last updated: 19 May 2026
Quick summary. Fbrly is a Pakistani SaaS invoicing platform operated by 41stack. We store the business, customer, and FBR data you enter so we can run the service for you. We encrypt sensitive credentials such as your FBR token. We do not sell your data. We do not store credit card or debit card numbers — billing is handled manually via bank transfer. You own your data and can request export or deletion at any time by emailing [email protected].
1. Who We Are
Fbrly ("Fbrly", "the Service", "we", "us", "our") is a software-as-a-service (SaaS) platform for digital invoicing, business management, and Federal Board of Revenue (FBR) e-invoicing compliance in Pakistan. The Service is owned and operated by 41stack, the data controller for the purposes of this Policy.
This Privacy Policy explains what information we collect when you create an Fbrly account or use the Service, how we use it, who we share it with, how long we keep it, and the choices and rights you have. It applies to all visitors of fbrly.41stack.com and any related Fbrly mobile or native applications.
2. Scope & Your Acceptance
By signing up for, accessing, or using Fbrly, you confirm that you have read and understood this Privacy Policy and consent to the practices described here. If you do not agree, please do not use the Service.
If you use Fbrly on behalf of a registered business, you confirm that you have authority to bind that business to this Policy and to the Terms of Service.
3. Information We Collect
We collect only what we need to operate the Service and meet our legal obligations. Specifically:
a. Account & Identity Information
Your name, email address, password (stored as a one-way hash — we never see the original), and your role within the business (owner or team member). If you accept an invitation from an existing Fbrly business, we associate your user account with that business.
b. Business & Tax Information
Information you enter to onboard your business, including business name, business address, province, seller email and phone, Sales Tax Registration Number (STRN), National Tax Number (NTN), and your business logo if you upload one.
c. FBR Credentials & API Tokens
To upload invoices to FBR's digital invoicing system on your behalf, you provide us with your FBR authentication token (and indicate whether you are using FBR's Sandbox or Production environment). These tokens are encrypted at rest using strong, industry-standard symmetric encryption before they are written to our database. We use them only to perform actions you explicitly request, such as uploading an invoice and retrieving an Invoice Reference Number (IRN) and QR code.
d. Customer, Supplier, Product & Invoice Data
Content you create or upload to run your business — including customer records (customer name, NTN, STRN, email, phone, address, province), supplier records, product catalogues, purchase orders, sales invoices, line items, tax rates, and payment status. You are the controller of this data; we process it on your behalf as your data processor.
e. Payment & Billing Information
Fbrly currently operates on manual, post-paid billing via bank transfer. We do not store credit card numbers, debit card numbers, CVVs, or online banking credentials. When you submit a payment proof (for example, a screenshot or PDF of a bank transfer receipt), we store that document together with the amount, date, bank reference, and any notes you add so our team can verify and apply the payment to your account.
f. Usage, Device & Log Data
When you use Fbrly, our servers automatically record information such as your IP address, browser type and version, operating system, the pages you view, the actions you perform (for example, creating an invoice or uploading to FBR), timestamps, and approximate location derived from IP. These logs help us diagnose errors, prevent abuse, and improve performance.
g. Cookies & Similar Technologies
We use strictly necessary cookies (for example, your session cookie so you stay signed in and a CSRF token so forms are secure) and a small set of preference cookies (for example, light or dark theme). We may also use privacy-friendly analytics to understand aggregate usage. We do not use advertising trackers and we do not sell behavioural data.
h. Communications
If you email us, message us on WhatsApp, or contact our support team, we keep a record of that correspondence so we can answer you and improve the Service.
4. How We Use Your Information
We use the information described above only for the following purposes:
- Providing the Service. Creating and managing your account, generating invoices, calculating sales tax and further tax, producing PDF invoices and QR codes, uploading invoices to FBR on your behalf, and storing your business records.
- Billing & subscriptions. Generating monthly billing invoices, verifying payment proofs you submit, tracking usage against your plan limits, recording overage usage, and applying credits or refunds where applicable.
- Communications. Sending transactional emails such as confirmation links, password resets, team invitations, subscription receipts, billing reminders, payment-received confirmations, and expiry notices. We may also occasionally send product updates and important security notices.
- Security & fraud prevention. Detecting and blocking abuse, brute-force attacks, scraping, and other misuse; investigating suspicious activity; and enforcing our Terms of Service.
- Service improvement. Diagnosing bugs, monitoring performance, analyzing aggregate usage patterns, and improving the design, features, and reliability of Fbrly.
- Legal compliance. Meeting our obligations under Pakistani tax, corporate, and electronic-transactions law, and responding to lawful requests from courts or regulators.
We do not use your customer lists, products, invoice content, or FBR credentials to train any machine-learning model, and we do not sell, rent, or trade your data to advertisers or data brokers.
5. Legal Bases for Processing
Where applicable law requires a lawful basis for processing personal data, we rely on the following:
- Performance of a contract — to provide the Service you have signed up for.
- Legitimate interests — to keep the Service secure, prevent abuse, and improve our product.
- Legal obligation — to comply with Pakistani law, including tax record-keeping and lawful disclosure to authorities such as the FBR.
- Consent — for any processing that is not covered by the bases above, where you have given us clear permission (you can withdraw consent at any time).
6. How We Share Information
We share data only with the following categories of recipients and only for the purposes described:
a. Federal Board of Revenue (FBR), Pakistan
When you choose to upload an invoice to FBR, we transmit the invoice payload (seller details, buyer details, line items, taxes, and your FBR token) to FBR's digital invoicing API in either the Sandbox or Production environment you have selected. The data shared is the minimum required by FBR to issue an Invoice Reference Number (IRN). FBR's handling of this data is governed by FBR's own regulations and notifications, which are outside our control.
b. Buyers of Shared Invoices
When you generate a public share link for an invoice and send it to your customer, anyone with that link can view the invoice. Treat share links as sensitive and only send them to the intended buyer.
c. Trusted Sub-Processors
We use a small number of carefully selected service providers (sub-processors) to run Fbrly. Each is contractually bound to handle your data securely and only on our instructions:
- DigitalOcean — cloud hosting and database storage.
- Cloudflare — DNS, CDN, and DDoS protection at the network edge.
- Brevo (formerly Sendinblue) — transactional email delivery (sign-up confirmations, password resets, invoices, expiry notices).
- Payment gateways (where used) — if you choose an online payment method in future, the gateway processes your card or wallet details directly under its own privacy policy; we do not see or store the underlying card number.
d. Professional Advisers
Lawyers, accountants, and auditors who are bound by professional confidentiality, where strictly necessary.
e. Legal & Safety Requests
We may disclose information where we believe in good faith that disclosure is necessary to comply with a lawful court order, regulatory request, or statutory obligation under Pakistani law (including the Prevention of Electronic Crimes Act, 2016 and the Sales Tax Act, 1990), or to protect the rights, property, or safety of Fbrly, our users, or the public.
f. Business Transfers
If 41stack is involved in a merger, acquisition, financing, or sale of all or part of its assets, your data may be transferred to the successor entity. We will notify you and give you an opportunity to exercise your rights before any material change in ownership of your data.
We do not sell your personal data. We do not share customer lists, invoices, products, or FBR data with advertisers, brokers, or any third party for marketing purposes.
7. Data Security
We take security seriously and use a layered set of controls that includes:
- Encryption in transit — all traffic between you and Fbrly is served over HTTPS/TLS.
- Encryption at rest for sensitive credentials — your FBR token is encrypted in our database using authenticated symmetric encryption (Active Record Encryption).
- Strong password hashing — passwords are stored as bcrypt one-way hashes; we cannot recover your password and never see it.
- Tenant isolation — every record in Fbrly belongs to a specific business, and access is gated by ownership checks on every request, so one business cannot see another business's data.
- Access controls — only authorized 41stack engineers have administrative database access, and only when necessary for support, debugging, or operations.
- Network protection — rate limiting, DDoS mitigation, and Web Application Firewall rules at the edge.
- Backups — encrypted automated backups taken on a regular schedule.
No method of transmission or storage is 100% secure. If we ever become aware of a personal-data breach that is likely to materially affect you, we will notify you and the relevant authorities without undue delay, as required by Pakistani law.
8. Where Your Data Is Stored
Fbrly is operated from Pakistan and serves Pakistani businesses. Our production servers and database are currently hosted with DigitalOcean. Some sub-processors (for example, the email-delivery provider and edge CDN) may process certain personal data outside Pakistan. By using the Service, you consent to such cross-border processing where strictly necessary for the operation of the Service, subject to appropriate contractual safeguards.
9. Data Retention
We keep your data only as long as we need it:
- Active accounts — for as long as your account is active.
- Cancelled or expired accounts — for a reasonable transition period (usually up to 90 days) so you can reactivate or export your records.
- Tax & financial records — Pakistani tax law (including the Sales Tax Act, 1990 and the Income Tax Ordinance, 2001) generally requires sellers to retain books and records for at least six years. Invoices, billing records, and FBR-related artefacts may therefore be retained for that period after account closure even if you request deletion of your account.
- Backups — encrypted backups roll off on their own schedule (typically within 30 days of the underlying record being deleted).
- Logs — application and security logs are retained for a limited period (typically 30–90 days) and then deleted or anonymized.
10. Your Rights & Choices
You have meaningful control over your data on Fbrly. Subject to applicable law and our legal record-keeping obligations, you can:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information (you can edit most account, business, and customer fields yourself).
- Export your invoices and records as PDF or other formats from inside the app, or by request.
- Delete your account and the personal data associated with it, except where retention is required by law.
- Revoke your FBR token at any time; you can clear it from inside the app or rotate it on FBR's portal.
- Unsubscribe from non-essential emails. Transactional emails (security alerts, billing, expiry notices) cannot be opted out of while your account is active.
- Object to specific processing activities, where applicable law permits.
To exercise any of these rights, email us at [email protected]. We will respond within a reasonable time and in any event within 30 days. We may ask you to verify your identity before acting on a request.
11. Team Members & Invitations
If a business owner invites you to join their Fbrly workspace, you will be able to view, create, and edit data inside that business according to the role you are assigned. The business owner is the controller of that data. If you leave the team, the owner can remove your access. Your personal account email and login remain yours; only your association with that business is removed.
12. Shareable Invoice Links
When you generate a public share URL for an invoice (for example, to send to a buyer via WhatsApp or email), that URL contains a long random token. Anyone with the token can view the invoice page, including line items and totals. Do not share the link beyond the intended recipient. If a link is exposed, you can delete the invoice or regenerate a new one to invalidate the old URL.
13. Children
Fbrly is a business tool and is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us personal data, please contact us and we will delete it.
14. Marketing Communications
We may occasionally send you product news, feature announcements, or educational content related to FBR compliance and digital invoicing. You can opt out of these at any time by clicking the unsubscribe link in the email or by emailing us. We will continue to send transactional and service emails (for example, password resets, billing receipts, and expiry warnings) regardless of marketing preferences while your account is active.
15. Third-Party Links & Integrations
Fbrly may link to or integrate with external systems such as FBR, banks, payment gateways, blogs, or government portals. We are not responsible for the privacy practices, content, or availability of those external systems. We encourage you to read their privacy policies separately.
16. Automated Decision-Making
Fbrly does not make decisions about you using solely automated processing that would produce legal or similarly significant effects. Tax calculations performed by the Service are based on the rates and rules you and FBR provide; you remain responsible for reviewing them before submitting to FBR.
17. Changes to This Policy
We may update this Privacy Policy from time to time, for example to reflect new features, sub-processors, or changes in Pakistani law. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you by email or through an in-app notice before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
18. Governing Law & Jurisdiction
This Privacy Policy is governed by the laws of the Islamic Republic of Pakistan. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts in Pakistan.
19. Contact Us
If you have any questions, requests, or complaints about this Privacy Policy or how we handle your data, please contact 41stack at:
Email: [email protected]
Website: fbrly.41stack.com
We aim to acknowledge every privacy request within 7 business days.