Privacy Policy
- Introduction
- Accountability and Privacy Officer
- Information We Collect
- Purposes for Collecting Personal Information
- Consent
- Disclosure of Personal Information
- International Data Transfers
- Data Retention
- Safeguards
- Your Rights
- Children’s Privacy
- Breach Notification
- Changes to This Privacy Policy
- Complaints and Dispute Resolution
1. Introduction
Quwa Group Inc., a Canadian corporation (“we,” “our,” or “us”), operates Quwa Pakistan Defence Journal at quwa.org (the “Website”). This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our Website, subscribe to our services, or otherwise interact with us.
We are committed to protecting your privacy in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s Anti-Spam Legislation (CASL), the General Data Protection Regulation (GDPR) where applicable to European visitors, and all other applicable privacy laws.
2. Accountability and Privacy Officer
In accordance with PIPEDA’s accountability principle, the following individual is responsible for our compliance with this Privacy Policy and applicable privacy legislation:
| Field | Details |
|---|---|
| Privacy Officer | Bilal Khan, CEO and Editor-in-Chief |
| Organization | Quwa Group Inc. |
| [email protected] | |
| Website | https://quwa.org/contact |
All inquiries, complaints, or access requests regarding your personal information should be directed to the Privacy Officer at the contact details above.
3. Information We Collect
3.1 Information You Provide Directly
We collect personal information that you voluntarily provide when you:
- Register for a free account or subscribe to Quwa Plus or Quwa Pro
- Complete a newsletter signup form or contact form
- Submit comments on articles or participate in discussions
- Make a payment through our subscription system
- Correspond with us via email or other channels
This information may include:
- Name (first and last)
- Email address
- Billing address and payment information (processed by Stripe; we do not store full credit card numbers)
- Account credentials (username and password, stored in hashed form)
- Any information you include in communications with us
3.2 Information Collected Automatically
When you visit or interact with our Website, we automatically collect certain technical and usage information through cookies, analytics tools, and similar technologies:
- IP address (anonymized where required by law)
- Browser type, version, and language preferences
- Device type, operating system, and screen resolution
- Pages visited, time spent on pages, and navigation paths
- Referring URL and exit pages
- Campaign attribution data (UTM parameters, source tracking)
- Click and impression data related to calls-to-action (CTAs) and subscription prompts
- Scroll depth and content engagement metrics
For a detailed description of the cookies and tracking technologies we use, please refer to our Cookie Policy.
3.3 Information from Third-Party Sources
We may receive limited information from third-party service providers, including:
- Stripe: Transaction confirmations, subscription status, and payment metadata (no full card numbers)
- Brevo / MailerLite: Email engagement data (opens, clicks, bounces, unsubscribes)
- Google Analytics 4: Aggregated and pseudonymized website usage data
- Google Search Console: Search query performance data (aggregated)
- MemberPress: Subscription lifecycle events (creation, renewal, cancellation)
4. Purposes for Collecting Personal Information
We collect and use your personal information for the following identified purposes:
| Purpose | Types of Data | Legal Basis |
|---|---|---|
| Account management and authentication | Name, email, password | Contractual necessity |
| Subscription fulfillment (Quwa Plus / Pro) | Name, email, payment data | Contractual necessity |
| Payment processing via Stripe | Billing details, transaction data | Contractual necessity |
| Email newsletters and editorial updates | Name, email, preferences | Consent (CASL) |
| Website analytics and performance | Usage data, device info, IP | Legitimate interest |
| Content personalization and paywall | Reading history, subscription tier | Legitimate interest |
| Growth marketing optimization | CTA impressions, click data | Legitimate interest |
| Campaign attribution | UTM parameters, referral source | Legitimate interest |
| Security and fraud prevention | IP address, login patterns | Legal obligation |
| Responding to inquiries | Name, email, message content | Consent / Legitimate interest |
We will not use your personal information for purposes other than those identified above without first obtaining your consent, except where permitted or required by law.
5. Consent
We rely on the following forms of consent as appropriate under PIPEDA:
- Express consent: For email marketing, newsletter subscriptions, and any processing of sensitive information. You provide express consent when you actively opt in to receive communications.
- Implied consent: For information reasonably necessary to fulfil a subscription or transaction you have initiated, or for analytics purposes essential to operating our Website.
- Opt-out consent: For certain non-sensitive data processing activities where we rely on legitimate interest (such as basic analytics). You may opt out at any time.
You may withdraw your consent at any time by:
- Clicking the “unsubscribe” link in any marketing email
- Adjusting your cookie preferences through our cookie consent banner
- Contacting our Privacy Officer at [email protected]
- Deleting your account through your account settings
Withdrawal of consent may affect our ability to provide certain services (e.g., if you withdraw consent for essential account communications, we may be unable to maintain your subscription).
6. Disclosure of Personal Information
We do not sell, rent, or trade your personal information. We may share your personal information only with the following categories of recipients and only to the extent necessary for the purposes described in this Policy:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. (USA) | Payment processing | Billing details, transaction data |
| Brevo / MailerLite (EU/USA) | Email delivery and marketing automation | Name, email, engagement data |
| Google LLC (USA) | Website analytics (GA4, GSC) | Pseudonymized usage data, IP (anonymized) |
| MemberPress (USA) | Subscription management (WordPress plugin) | Account data, subscription status |
| Hosting provider | Website infrastructure | All data transiting through servers |
| Law enforcement / regulators | Legal obligations or valid court orders | As required by applicable law |
All third-party service providers are contractually obligated to protect your personal information and to use it only for the purposes for which it was disclosed. Where data is transferred outside of Canada, we ensure that adequate safeguards are in place, including contractual protections consistent with PIPEDA requirements.
7. International Data Transfers
As a Canadian organization with an international readership, your personal information may be transferred to and processed in countries outside of Canada, including the United States and countries within the European Union/European Economic Area. These transfers occur because our third-party service providers (Stripe, Google, Brevo, MailerLite) operate servers and infrastructure in those jurisdictions.
We take the following measures to protect your information during international transfers:
- Contractual clauses requiring service providers to maintain equivalent privacy protections
- Selection of service providers that maintain industry-recognized security certifications (SOC 2, ISO 27001, or equivalent)
- Encryption of data in transit (TLS 1.2+) and at rest where applicable
- Regular review of third-party data handling practices
By using our Website and services, you acknowledge and consent to the transfer of your personal information to jurisdictions outside of Canada as described in this section.
8. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
| Data Category | Retention Period |
|---|---|
| Active account data | Duration of account existence plus 30 days after deletion request |
| Subscription and billing records | 7 years from the date of the transaction (as required by Canadian tax law) |
| Email marketing data | Until you unsubscribe or request deletion, plus 30 days for processing |
| Website analytics data | 26 months (Google Analytics default retention) |
| Cookie and tracking data | See Cookie Policy for specific cookie lifespans |
| Server access logs | 90 days |
| Customer support correspondence | 3 years from last interaction |
When personal information is no longer needed, we securely delete or anonymize it using industry-standard methods.
9. Safeguards
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction, including:
- Encryption: All data transmitted between your browser and our Website is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 or equivalent.
- Access controls: Access to personal information is restricted to authorized personnel on a need-to-know basis. Administrative accounts are protected with strong passwords and, where available, multi-factor authentication.
- Payment security: We do not store credit card numbers. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified.
- Password storage: User passwords are stored using strong, one-way cryptographic hashing (bcrypt or equivalent).
- Regular updates: We keep our WordPress installation, plugins, themes, and server software up to date with security patches.
- Incident response: We maintain procedures for identifying, containing, and reporting personal information breaches in accordance with PIPEDA’s mandatory breach reporting requirements.
10. Your Rights
10.1 Rights Under PIPEDA (All Users)
Under PIPEDA, you have the right to:
- Access: Request access to the personal information we hold about you.
- Correction: Request correction of any inaccurate or incomplete personal information.
- Withdraw consent: Withdraw your consent for any processing based on consent.
- Challenge compliance: File a complaint if you believe we have not complied with our privacy obligations.
We will respond to access and correction requests within 30 calendar days. If we are unable to comply within that period, we will notify you of the extension and the reasons for it. There is no fee for a standard access request; however, if your request is manifestly unfounded or excessive, we may charge a reasonable fee.
10.2 Additional Rights Under GDPR (European Residents)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following additional rights:
- Right to erasure (“right to be forgotten”): Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing: Request that we limit how we use your data.
- Right to data portability: Receive your personal data in a structured, machine-readable format.
- Right to object: Object to processing based on our legitimate interests.
- Right to lodge a complaint: File a complaint with your local supervisory authority.
To exercise any of these rights, please contact our Privacy Officer at [email protected]. We will verify your identity before processing your request.
11. Children’s Privacy
Our Website and services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16 without verifiable parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child under 16, please contact us at [email protected].
12. Breach Notification
In accordance with PIPEDA’s mandatory breach notification provisions, if a breach of security safeguards involving your personal information creates a real risk of significant harm, we will:
- Notify you as soon as feasible after discovering the breach
- Report the breach to the Office of the Privacy Commissioner of Canada
- Notify any other organizations or government institutions that may be able to reduce the risk of harm
- Keep records of all breaches of security safeguards for a minimum of 24 months
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. When we make material changes, we will notify you by posting the updated Policy on our Website with a revised effective date, and where appropriate, by email notification. We encourage you to review this Policy periodically. Your continued use of our Website after any changes constitutes your acceptance of the updated Policy.
14. Complaints and Dispute Resolution
If you are dissatisfied with our handling of your personal information, you are entitled to:
- Contact our Privacy Officer to discuss your concern. We will investigate and respond within 30 days.
- If unsatisfied with our response, file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or by calling 1-800-282-1376.
- If you are a European resident, you may also lodge a complaint with your local data protection supervisory authority.