• Our official website www.dMAC.ac.pk.  
• Social media accounts and platforms operated by dMAC.  
• Mobile applications developed and maintained by dMAC.  
• Digital marketing services provided to clients.  
• Analytics tools and platforms used in our services.  
• Client data processing activities.  
• Newsletter and email communications.  
• forms and surveys.  
• Customer support interactions.  

• Pakistan Laws
  • Prevention of Electronic Crimes Act (PECA) 2016
  • Electronic Transactions Ordinance 2002
  • Pakistan Telecommunications Act 1996
• International Laws
  • General Data Protection Regulation (GDPR) Compliance

• Consent: Explicit consent for marketing communications, newsletter subscriptions, and non-essential cookies.  Example: When you opt-in to receive updates about new courses or promotions.  
• Contractual Necessity: Processing required to fulfill services (e.g., course enrollment, payment processing, and account management).  Example: Collecting payment details to complete your course registration.  
• Legitimate Interests: Balancing our business needs with user rights, such as fraud prevention, network security, and service improvements.  Example: Analyzing anonymized website usage data to enhance platform performance.  
• Legal Obligation: Compliance with applicable laws (e.g., tax reporting, regulatory audits etc.).  

• Purpose Limitation: Data is collected for clear, explicit objectives (e.g., email addresses for account creation, payment details for transactions etc.).  
• Relevance: We avoid requesting irrelevant information (e.g., we do not require marital status for course enrollment).  
• Storage Restriction: Data is retained only as long as needed (e.g., payment information is deleted after 7 years to comply with financial regulations).  

• System Design: Security features (e.g., encryption, access controls) are integrated during product development.  Example: End-to-end encryption for all student-instructor communications.  
• Default Settings: User accounts are configured with the highest privacy settings (e.g., opting out of non-essential cookies by default).  
• Regular Audits: Annual reviews of IT infrastructure to align with evolving privacy standards.

• Risk Identification: Evaluating projects that involve large-scale data processing, sensitive data, or new technologies.  Example: Assessing risks before launching AI-driven analytics tools.  
• Mitigation Measures: Implementing safeguards such as pseudonymization or enhanced encryption.  
• Documentation: Maintaining records of assessments and remedial actions for regulatory review.  

• Standard Contractual Clauses (SCCs): Legally binding agreements with third-party vendors (e.g., cloud providers like AWS).  
• Adequacy Decisions: Transferring data to countries recognized by the EU as having adequate protections (e.g., Canada, Japan).  
• Binding Corporate Rules (BCRs): For intra-organizational transfers within dMAC’s offices.
• User Consent: Explicit consent for transfers to non-adequate countries (e.g., for specialized analytics partnerships).  

a) Age Verification Mechanisms

• Age Screening
  • Mandatory age prompts during account creation or service access.  
  • Date of birth verification for users registering for age-restricted services.  
  • Third-party age verification tools (e.g., AgeChecker.Net) for high-risk activities.  
• Account Restrictions
  • Automatic blocking of accounts created with birthdates indicating underage users.  
  • Limited functionality for unverified accounts until age confirmation is completed.  
• Persistent Monitoring
  • Regular audits of user accounts to identify potential underage users.  
  • AI-driven pattern recognition to flag suspicious account activity.  

• Consent Workflow
  • Notification: Parents receive an email/SMS notification when a child attempts to register.  
  • Verification: Parents must submit:
    • One. A signed consent form (digital or physical).  
    • Two. Government-issued ID for identity verification.  
    • Three. Proof of guardianship (e.g., birth certificate, court order).  
  • Confirmation: Parents receive a unique verification code to activate the child’s account.  
• b) Consent Revocation
  • Parents may withdraw consent at any time by contacting complaints@dMAC.ac.pk.  
  • All data collected from the child will be deleted within 30 days of revocation.  

• Data Minimization
  • Collect only essential information required for service delivery (e.g., username, parent’s email).  
  • Prohibit collection of sensitive data (e.g., geolocation, photos) from children.  
• Access Controls
  • Role-based access restrictions to limit internal staff access to children’s data.  
  • Encryption of all children’s data in transit and at rest (AES-256 standard).  
• Retention Limits
  • Children’s data is retained only for the duration of service use and deleted upon account closure.  
  • Annual reviews of stored data to ensure compliance with retention policies.  
• Advertising Restrictions
  • No behavioral advertising targeting children.  
  • Prohibition of third-party trackers on child-directed content.  

• Access: Request a copy of all data collected from their child.  
• Correction: Update or correct inaccuracies in the child’s profile.  
• Deletion: Request permanent deletion of the child’s data and account.  
• Opt-Out: Block future data collection or processing activities.  

• Email to complaints@dMAC.ac.pk with the subject line: “COPPA Request – [Child’s Username]”. 
• Call our helpline at +92 3326 113 555.  

• Parent Guides
  • “Protecting Your Child’s Privacy Online” handbook.  
  • Video tutorials on managing parental controls.  
• Child-Friendly Content
  • Age-appropriate privacy tutorials.  
  • Interactive modules on digital safety.  
• School Partnerships
  • Workshops for educators on COPPA compliance.  
  • Classroom resources for teaching digital literacy.  

• Annual COPPA compliance training.  
• Background checks and confidentiality agreements.  
• Simulated scenarios for identifying and reporting COPPA violations.  

• Personal Information
  • Identity Information: Full name, date of birth, national ID numbers, professional titles, and affiliations.  
  • Contact Information: Email address, phone numbers, postal address, and business address.  
  • Professional Information: Company name, job title, industry sector, and professional qualifications.  
  • Financial Information: Billing address, payment card details (processed securely through authorized providers), transaction history, and banking information for B2B services.  
• Technical Information
  • Device Information: IP address, browser type and version, operating system, device identifiers, and screen resolution.  
  • Usage Data: Pages visited, time spent on pages, navigation paths, click patterns, and feature usage statistics.  
  • Location Data: GPS data (with consent), IP-based location, and regional settings.  

• Primary Purposes
  • Service Delivery: Account creation and management, service personalization, performance optimization, technical support, and feature updates.  
  • Communication: Service updates, marketing communications (with consent), newsletter distribution, support responses, and event invitations.  
  • Analytics and Improvement: Service optimization, user experience enhancement, performance monitoring, market research, and product development.  
• Legal Basis for Processing
  • Contractual Necessity: Service delivery, account management, payment processing, and support provision.  
  • Legal Obligations: Tax compliance, business records, legal proceedings, and regulatory reporting.  
  • Legitimate Interests: Service improvement, security measures, fraud prevention, and market research.  
  • Consent: Marketing communications, cookie usage, location tracking, and profile enrichment.  

• Security Measures
  • Encryption: TLS 1.3 for data in transit, AES-256 encryption for data at rest, and secure key management systems.  
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and regular access reviews.  
  • Network Security: Next-generation firewalls, intrusion detection systems, and 24/7 monitoring.  
  • Employee Security: Regular security training, background checks, and confidentiality agreements.  
• Data Storage
  • Storage Infrastructure: Tier-4 data centers, redundant systems, and regular security audits.  
  • Retention Policies: Data minimization principles, automated deletion processes, and compliance with legal requirements.  

• Categories of Recipients
  • Service Providers: Cloud hosting providers, payment processors, and analytics services.  
  • Business Partners: Integration partners, marketing agencies, and professional service providers.  
  • Legal Authorities: Law enforcement, regulatory bodies, and government agencies.  
• Data Transfer Safeguards
  • Contractual Measures: Data processing agreements and standard contractual clauses.  
  • Technical Measures: Encryption in transit, secure file transfer protocols, and access logging.  

• Your Rights Include
  • Right to Access: Request data copies and confirm processing activities.  
  • Right to Rectification: Correct inaccurate or incomplete data.  
  • Right to Erasure: Request deletion of your data (subject to legal constraints).  
  • Right to Portability: Receive your data in a structured, machine-readable format.  
• Exercise of Rights
  • Request Submission: Online form submission, email requests, or written requests.  
  • Verification Process: Identity verification and security checks.  

• Email: complaints@dMAC.ac.pk  
• Phone: +92 3326 113 555 
• Mailing Address: 9 Noon Avenue, Canal Road, Muslim Town, Lahore, Pakistan.
• For general inquiries, please email to info@dMAC.ac.pk.