Privacy Policy
Your privacy and the confidentiality of your counselling are foundational to everything we do. Here is exactly what we collect, why, how we protect it, and the rights you have under Pakistani and international law.
Last updated:
1. Who we are and what this policy covers
Ultimate Counselling Cloud (“UCC”, “we”, “us”, “our”) operates an online marketplace at https://ultimatecounsellingcloud.com that connects clients with independent, verified counsellors. We are operated from Pakistan and are in the process of incorporation as a private limited company under the Companies Act, 2017; once incorporation completes, the incorporated entity will be the data controller under this policy and this page will be updated with its registered details.
This policy applies to everyone who uses the platform — clients, counsellors, and visitors — wherever they are located. Because we operate on a globally accessible .com domain, it is written to meet Pakistani law first and to respect major international privacy frameworks for users who visit from abroad.
2. The legal framework we follow
Pakistan does not yet have a comprehensive data-protection statute in force. Until the Personal Data Protection Bill is enacted, we voluntarily apply its core principles — lawful and consented processing, purpose limitation, data minimisation, security safeguards, and breach notification — alongside the laws that do apply today:
- Constitution of Pakistan, Article 14 — the fundamental right to dignity and privacy, which guides how we treat everything you share.
- Prevention of Electronic Crimes Act, 2016 (PECA), as amended by the Prevention of Electronic Crimes (Amendment) Act, 2025 — criminalises unauthorised access to, and misuse of, personal data and information systems.
- Electronic Transactions Ordinance, 2002 — gives legal recognition to the electronic records, communications, and consents we rely on.
- Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules, 2021 — content and grievance-handling obligations for online systems in Pakistan.
- Provincial consumer protection laws (including the Punjab Consumer Protection Act 2005 and Sindh Consumer Protection Act 2014) — fair-dealing and disclosure duties towards clients.
If you access the platform from the European Economic Area or the United Kingdom, we honour the rights framework of the GDPR / UK GDPR as described in section 12. If you are a California resident, section 12 also describes your rights under the CCPA/CPRA. We never sell personal information, so no “Do Not Sell” opt-out is needed — there is nothing to opt out of.
3. Information we collect
- Account information — name, email address, phone number, password (stored only as a cryptographic hash), and role (client or counsellor).
- Counsellor verification information — qualifications, licence and registration details, identity and credential documents, specialties, languages, rates, availability, and payout bank details.
- Health and session information — intake forms, goals, journal entries, session notes, and care plans that you or your counsellor create. This is sensitive personal data and receives our highest level of protection (section 5).
- Payment information — bank-transfer receipts, mobile-wallet references, and transaction records. We do not store full card numbers; any card payments are handled by payment partners.
- Technical data — IP address, device and browser type, pages visited, and security logs used to keep the service safe and reliable.
- Communications — messages you exchange through the platform and with our support team (including email and WhatsApp support threads).
4. Why we use your information (and our lawful bases)
- To provide the service — creating your account, matching you with counsellors, scheduling and delivering sessions, and issuing meeting links (performance of a contract).
- To process payments — collecting session fees, verifying bank transfers, holding funds until a session is delivered, and paying counsellors (performance of a contract; legal obligation for financial record-keeping).
- To handle health and session data — only as needed to deliver the counselling you booked (your explicit consent).
- To verify counsellors — credential checks at onboarding and periodically afterwards, to maintain trust and safety (legitimate interests; contract).
- To communicate with you — service notifications and appointment reminders (contract); marketing updates only with your consent, which you can withdraw at any time.
- To secure and improve the platform — fraud and abuse prevention, debugging, and aggregate analytics (legitimate interests).
- To meet legal obligations — tax, accounting, and responses to valid legal process under Pakistani law (legal obligation).
We do not use your personal or health information for advertising, and we do not sell it to anyone.
5. Health information and confidentiality
Everything you share with your counsellor — intake answers, session content, notes, and journals — is treated as sensitive personal data. It is encrypted, access-controlled, and visible only to you, your counsellor, and the minimum platform staff needed to operate the service under strict confidentiality duties. Counsellors on the platform are bound by professional confidentiality obligations.
The only exceptions, which your counsellor will also explain in your first session, are:
- an imminent risk of serious harm to you or another person;
- safeguarding concerns involving a child or vulnerable person; or
- a valid legal requirement, such as a court order.
6. Cookies and analytics
We use essential cookies to keep you signed in securely, a browser preference for your theme choice, and — in production only — Google Tag Manager / Google Analytics to understand aggregate usage of our public pages. We do not use advertising cookies. Full details, including how to control or block cookies, are in our Cookie Policy.
7. When we share information
- With your counsellor — the information needed to prepare for and deliver your sessions.
- With service providers — hosting, email delivery, video conferencing (Google Meet), and analytics providers who process data on our instructions and are bound to protect it.
- With authorities, when legally required — only in response to valid legal process under Pakistani law (including PECA and the Code of Criminal Procedure), and limited to what the request lawfully covers.
- In a business transfer — including the planned transfer of the business to our incorporated private limited company, or any future merger or acquisition, in which case this policy continues to apply to your data.
We never sell personal information, and we never share health or session content for marketing or advertising purposes.
8. International data transfers
We serve users primarily in Pakistan, but our infrastructure and service providers may store or process data on servers located outside Pakistan. Wherever your data is processed, it is protected by the same safeguards described in this policy — encryption in transit and at rest, contractual data-protection commitments from our providers, and access limited to what is necessary. For users in the EEA/UK, we rely on our providers’ standard contractual protections for onward transfers.
9. How we protect your data
We encrypt data in transit with TLS 1.3 and at rest with AES-256, hash all passwords with an industry-standard algorithm, enforce role-based access controls, and keep an audit trail of sensitive actions. Access to health information is limited to the smallest possible set of people. No system is perfectly secure, but security is designed into the platform rather than added on.
10. Data breach notification
If a breach affecting your personal data occurs, we will contain and investigate it, notify affected users without undue delay with clear information about what happened and what we are doing, and notify regulators where the law requires it.
11. How long we keep data
- Account and profile data — for as long as your account is active, then deleted or anonymised within a reasonable period after closure.
- Financial and transaction records — retained as required by Pakistani tax and accounting law, then securely deleted.
- Health and session records — retained while your account is active so your care history stays available to you; on account deletion they are deleted or anonymised unless a legal obligation requires longer retention.
- Security logs — kept for a limited rolling window for fraud and abuse prevention.
12. Your rights
Every user, regardless of location, can:
- access a copy of the personal data we hold about them;
- correct inaccurate data;
- export their data in a portable format;
- request deletion of their account and data;
- withdraw consent (including for marketing) at any time; and
- object to processing based on legitimate interests.
EEA/UK users additionally have the rights to restrict processing, to data portability, and to lodge a complaint with their local supervisory authority. California residents have the rights to know, correct, and delete, the right to opt out of sale or sharing (we do neither), and the right not to be discriminated against for exercising these rights.
To exercise any right, email [email protected]. We will verify your identity and respond within 30 days. Some requests may be limited where we must retain data to meet a legal obligation — we will tell you if that applies.
13. Children
The platform is for adults aged 18 and over (or the age of majority in your jurisdiction). We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us at [email protected] and we will delete the account and its data.
14. Third-party services
Sessions are delivered over Google Meet, calendar invites via Google Calendar, and emails via our email provider. These providers process the minimum data needed to deliver their function and are governed by their own privacy policies in addition to their contractual duties to us. Links from our blog or resources to external sites are subject to those sites’ own policies.
15. Grievances and contact
Privacy questions, complaints, and grievances go to [email protected] or our contact page. We acknowledge complaints promptly and aim to resolve them within 7 days, in line with the grievance-handling timelines in Pakistan’s online content rules. If you are unsatisfied with our response, you may escalate to the relevant authority in your jurisdiction.
16. Changes to this policy
We may update this policy as the platform and the law evolve — including when Pakistan’s Personal Data Protection Bill is enacted and when our incorporation completes. Material changes will be announced on the platform or by email before they take effect, with the “last updated” date above revised. See also our Terms of Service, Refund Policy, and Platform Disclaimer.