Privacy Policy

1. INTRODUCTION

Alpha Global Connect (“AGC,” “we,” “us,” or “our”) is a Business Process Outsourcing (BPO) company headquartered in Pakistan. We are committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our services, visit our website, or interact with us as a client, employee, contractor, or other individual (collectively, “data subjects”).

We comply with applicable data protection laws, including the provisions of the forthcoming Pakistan Personal Data Protection Bill 2023 (PDPB) , the EU General Data Protection Regulation (GDPR) where applicable , the California Consumer Privacy Act (CCPA/CPRA) , and the framework for Privacy Information Management Systems (PIMS) . This policy applies to both the personal data of our clients and our employees.

By engaging with our services or working with us, you acknowledge that you have read and understood this policy.

2. SCOPE

This policy applies to all personal data we process in the course of our business, including but not limited to:

  • Client Data: Information of employees and end-customers of our clients that we process in the performance of BPO services.
  • Employee Data: Information of our own current, former, and prospective employees and contractors.

3. DEFINITIONS

  • Personal Data means any information that relates directly or indirectly to an identified or identifiable natural person (a “Data Subject”) .
  • Sensitive Personal Data includes financial information, health data, CNIC or passport numbers, biometric data, religious beliefs, criminal records, political affiliations, ethnicity, and other similar categories of data as defined under applicable law .
  • Processing means any operation performed on personal data, such as collection, recording, storage, use, disclosure, or deletion .
  • Data Controller means the entity that determines the purposes and means of processing personal data (typically AGC for employee data, and our clients for their end-customer data) .
  • Data Processor means the entity that processes personal data on behalf of the Data Controller (typically AGC for client data) .
  • Data Subject is the identifiable individual to whom the personal data relates (e.g., an employee of a client, or an AGC employee) .

4. PERSONAL DATA WE COLLECT

A. For Client Services (Data processed as a Data Processor):

We process only the personal data necessary to perform our contracted BPO services. The specific types of data we process on behalf of our clients will be detailed in our Data Processing Agreements (DPAs). This may include categories such as:

  • Contact information (name, email, phone, address).
  • Financial and transactional data.
  • Customer service interaction records.
  • Usage data and analytics related to client systems.
  • Any other data our clients instruct us to process.

B. For Our Employees and Contractors (Data processed as a Data Controller):

We collect and process personal data necessary to manage the employment or contractual relationship. This includes:

  • Name, contact details, date of birth, and gender.
  • Government-issued identification (CNIC, passport), passport-sized photographs.
  • Financial information for payroll (bank account details).
  • Health and medical information for insurance and benefits.
  • Performance and disciplinary records.
  • Emergency contact information.

5. HOW WE USE YOUR DATA

We process personal data for the following specific purposes:

A. Client Data (As Data Processor):
We process this data strictly according to the documented instructions of our clients to provide contracted BPO services. We do not use this data for our own separate purposes unless required by law.

B. Employee and Contractor Data (As Data Controller):
We process employee data for purposes related to the employment relationship, including:

  • Recruitment, hiring, and onboarding.
  • Payroll processing and benefits administration.
  • Performance management, training, and development.
  • Compliance with legal and regulatory obligations (e.g., tax laws, social security).
  • Ensuring workplace safety, security, and IT support.
  • Internal administration and communication.

6. LEGAL BASIS FOR PROCESSING

We ensure we have a lawful basis for all processing activities. Depending on the type of data and the context, these bases include :

  • Performance of a Contract: Processing is necessary to deliver services to our clients or perform an employment contract with our employee.
  • Consent: We may obtain explicit consent for specific processing activities, especially for sensitive data. You have the right to withdraw consent at any time.
  • Legitimate Interests: We may process data for our legitimate business interests (e.g., improving our internal services, preventing fraud), provided these interests do not override your fundamental rights and freedoms.
  • Legal Obligation: Processing is necessary for compliance with applicable Pakistani laws and regulations.

For Sensitive Personal Data, we will only process it under strict conditions, such as obtaining your explicit consent or where it is necessary for employment-related obligations or vital interests as permitted by law .

7. DATA SHARING AND DISCLOSURE

We do not sell your personal data. We share personal data only in the following circumstances:

  • With Clients (for Employee Data): We may share employee data with our clients to the extent necessary for service delivery or project performance as per our contractual agreements.
  • With Service Providers: We engage trusted third-party service providers (e.g., cloud hosting, payroll processors, IT support) to perform certain business-related functions. These providers are contractually bound to protect your data and process it only according to our instructions, with appropriate technical and organizational security measures in place .
  • For Legal Purposes: We may disclose information if required to do so by law, in response to valid requests by public authorities (e.g., a court or government agency), or to protect the rights, property, or safety of AGC, our clients, employees, or others .
  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred as a business asset, subject to the same privacy protections.

8. INTERNATIONAL DATA TRANSFERS

As a BPO serving international clients, your personal data may be transferred to and processed in countries outside of Pakistan. We ensure such transfers comply with all applicable laws, including the PDPB 2023’s requirement that the destination country offers an adequate level of protection . We rely on approved transfer mechanisms to safeguard your data, such as:

  • Transferring data to a country that has been deemed to provide an adequate level of protection.
  • Entering into EU Standard Contractual Clauses (SCCs) or other legally approved data processing and transfer agreements with the data importer .
  • Obtaining your explicit, informed consent for the transfer.
  • Ensuring Critical Personal Data as defined by the law remains processed solely on servers within Pakistan .

9. DATA SECURITY

We implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Our measures include:

  • Data Classification: Categorizing all data based on sensitivity (Public, Internal, Confidential, Restricted) .
  • Encryption: Using AES-256 encryption for data at rest and TLS 1.2+ for data in transit .
  • Access Controls: Implementing Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) based on the principle of least privilege .
  • Organizational Measures: Regular staff training on data protection and security, and robust incident response procedures .

10. DATA RETENTION

We will only retain personal data for as long as is necessary to fulfill the purposes for which it was collected, or as required to comply with legal, regulatory, or contractual obligations. The specific criteria used to determine our retention periods include the nature and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, and the purpose for which we process it.

When personal data is no longer required, we will take all reasonable steps to securely destroy or permanently de-identify it .

11. YOUR RIGHTS AS A DATA SUBJECT

Depending on your location and the context of processing, you may have the following rights regarding your personal data:

  • Right to Access: You can request confirmation of whether we process your data and receive a copy in an intelligible form.
  • Right to Rectification: You can request that inaccurate, incomplete, or misleading data be corrected .
  • Right to Erasure: In certain circumstances, such as when the data is no longer necessary or consent is withdrawn, you have the right to request deletion, which we will comply with within 14 days of the request .
  • Right to Object: You may object to the processing of your data on grounds relating to your particular situation, and we may be required to cease processing .
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format to transmit it to another controller .

To exercise any of these rights, please contact us using the details provided in Section 13. We will respond to your request within the timeframe specified by applicable law (e.g., within 30 days as per the PDPB 2023 for access requests) . For client data, we will promptly forward your request to our client (the Data Controller) and assist them as needed.

12. BREACH NOTIFICATION

In the event of a personal data breach, we maintain an incident response plan to detect, assess, and contain the breach. In accordance with applicable laws, we will:

  • Notify the relevant supervisory authority (e.g., the National Commission for Personal Data Protection of Pakistan, once established, or other applicable authorities) within 72 hours of becoming aware of the breach .
  • Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

13. CONTACT US AND DATA PROTECTION OFFICER

Alpha Global Connect (AGC) has appointed a Data Protection Officer (DPO) to oversee compliance with this privacy policy. If you have any questions, concerns, or wish to exercise your data subject rights, please contact us at:

Alpha Global Connect (AGC)
Address: Office SF26, Empress tower, Empress Rd, near Shimla Pahari Road, Muhammad Nagar Garhi Shahu, Lahore, 54000, Pakistan
Email: hr@alphagconnect.com
Phone: +92314-8789272

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. If we make material changes, we will provide notice of the update by revising the “Last Updated” date at the top of this policy and, in some cases, may provide more prominent notice (such as an email notification). Your continued use of our services after the effective date of any revised policy constitutes your acceptance of the terms.