Privacy Policy

Browser-based speed tests measure throughput and latency between your device and our measurement endpoints. During a session, servers and browsers necessarily exchange IP addresses, TCP ports, TLS metadata, user-agent strings, timing samples, and application-level payloads sized to stress links responsibly. These exchanges are inherent to how the web works; the privacy question is what we retain afterward and for how long.

Our architectural goal is to compute results ephemerally and display them to you without building a centralized dossier of every test. In practice, transient web server access logs may exist for seconds to days depending on hosting configuration, intrusion detection, and incident response needs. We do not use speed tests to build marketing profiles tied to your identity.

DNS lookup, ping, Whois/RDAP, IP geolocation, and subdomain tools accept strings you type—hostnames, domains, or IPs—and issue queries to public resolvers, registries, or APIs. Those third parties have their own logging policies. We discourage entering secrets, credentials, or personal identifiers into fields meant for hostnames.

Optional map features may invite you to share coarse location or city labels so we can plot anonymized performance trends. Participation should be clearly labeled as opt-in, and withdrawing consent should stop future contributions even if historical aggregates remain in statistical form.

Anti-abuse systems may temporarily fingerprint high-volume automated clients to enforce rate limits. Fingerprints are not used for advertising and are rotated or discarded when no longer needed to mitigate attacks.

If you contact us, we process whatever identifiers and narrative you supply—typically name, email address, subject line, and message body. Do not send government ID numbers, full payment card data, or medical information unless absolutely necessary; we rarely need such data to answer product questions.

Crash diagnostics, if enabled in future builds, might collect stack traces and device class. We would disclose categories before activation and offer opt-out where feasible.

We do not require accounts for core features today, which reduces the volume of stored credentials. If accounts arrive later, this policy will add authentication, password reset, and session management sections explicitly.

Strictly necessary cookies, if any, enable security, load balancing, or bot mitigation. They are not used to track you across unrelated sites for advertising. Many experiences can be implemented with first-party storage only; we prefer that when reliability permits.

LocalStorage may persist speed test history, theme preferences, language selection, and UI flags entirely on your device. Clearing site data removes them from your browser; we cannot remotely wipe your localStorage because we do not operate a back channel into your disk.

Google Tag Manager (GTM) or similar tag orchestration may load JavaScript configured in our container. Tags might include analytics or conversion pixels subject to their vendors’ policies. Use browser extensions, DNS filters, or OS privacy settings if you wish to block such scripts; functionality may degrade slightly when blocked.

We avoid deceptive cookie banners. If we present a notice, it should describe purposes truthfully—performance measurement, fraud prevention, product analytics—not vague “improve your experience” without specifics.

Session cookies expire when you close the browser tab or after a server-defined timeout. They can help correlate a sequence of diagnostic requests without storing long-term identifiers.

Do Not Track signals historically lacked uniform industry support; we instead focus on granular disclosures and lawful bases rather than relying on a single browser flag.

If we integrate content delivery networks or font providers, those networks may see your IP address when assets load. Where possible we self-host critical assets or use privacy-preserving configurations.

Future service workers for offline gauges would disclose cache scope, update cadence, and how to unregister if you want a pristine state.

We process data to deliver the service you request, secure our infrastructure, understand aggregate usage patterns, comply with law, and communicate with people who contact us. Where GDPR-style frameworks apply by virtue of targeting or processing in the EU/UK, we map activities to lawful bases such as contract necessity, legitimate interests, and consent for optional marketing.

Legitimate interests include debugging latency spikes, preventing credential stuffing, measuring feature adoption, and publishing high-level statistics about Pakistan’s connectivity. We balance those interests against your rights and provide opt-outs when reasonable.

Retention should be proportionate. Web logs may roll automatically; backups may persist longer in cold storage but are access-controlled. Email threads may be kept until the issue resolves plus a modest grace period for follow-ups unless legal holds apply.

Processors and subprocessors—hosting providers, DNS APIs, email delivery services—may sit in multiple countries. We endeavor to select vendors with strong security practices and, where required, standard contractual clauses or equivalent safeguards for cross-border transfers.

Governmental requests for data are reviewed for validity and narrowed scope. We may be legally prohibited from notifying you of certain demands; where not prohibited, we strive for transparency.

We do not sell personal data in the crass sense of exchanging lists for cash. If we ever run advertising partnerships involving personal data, we will update this policy and provide appropriate controls or notices.

Automated decisions with legal or similarly significant effects are not a core part of the current product. If that changes, we will describe logic, significance, and human review options.

Aggregated map tiles or histograms may be published openly; they should be designed to resist re-identification of households or individuals.

Depending on jurisdiction, you may have rights to access personal data we hold, correct inaccuracies, request erasure, restrict certain processing, object to direct marketing, and receive a portable copy in machine-readable form. We respond within statutory timelines when applicable, or within a reasonable period otherwise.

Because many features avoid accounts, we may not be able to locate data absent corroborating details (approximate time of contact, subject line). We may request proof of identity for privacy requests to prevent fraudulent erasure attacks.

Erasure may be incomplete where retention is required for security logs, tax records, or unresolved disputes. We will explain limitations when they apply.

Portability applies to data you provided and that we store in structured, commonly used formats. Ephemeral server variables may not be exportable per event.

Objection to legitimate-interest processing will be evaluated case by case. Direct marketing objections are honored promptly where marketing exists.

You may lodge complaints with supervisory authorities where such rights exist. We welcome good-faith dialogue before escalation.

Nothing in this section limits emergency disclosures necessary to protect life, health, or public safety.

If you exercise rights through an authorized agent, we may require signed authorization consistent with fraud prevention.

We implement administrative, technical, and organizational measures appropriate to the risk: TLS in transit, access controls, patching cadence, secrets management, and least-privilege credentials for production systems. No online service can guarantee absolute security.

Developers are encouraged to use code review, dependency scanning, and environment separation between staging and production. Infrastructure-as-code reduces configuration drift that attackers exploit.

Vendors with logical access to data undergo lightweight diligence—terms review, security pages, and history of breaches. High-risk vendors may require questionnaires or SOC reports when feasible.

Incident response includes detection, containment, eradication, recovery, and post-incident review. Affected users and regulators receive notifications as required by law and conscience.

Passwords, if ever collected, must be stored using strong one-way hashing with modern algorithms and salts. We prefer passwordless or delegated identity providers when practical.

Client-side-only features reduce server-side attack surface but shift responsibility to users’ device hygiene—keep browsers updated.

Penetration tests or bug bounty programs may be introduced; coordinated disclosure protects users more than premature public exploits.

Physical security of laptops and phones used by maintainers matters; full-disk encryption and screen locks are baseline expectations.

Privacy questions, requests, and complaints may be sent through the contact channels published on the site. Use “Privacy” in the subject line to speed triage. We may ask clarifying questions to fulfill requests accurately.

Pakistan’s legislative environment may introduce registration, data localization, or data protection officer requirements. We monitor developments through counsel and industry groups and will amend operations as needed.

We believe transparency strengthens trust. When trade secrets or security are not jeopardized, we explain outages, methodology changes, and data practices in blog posts or changelog notes.

Thank you for reading carefully. Privacy is not a one-time compliance checkbox—it is an ongoing engineering and cultural commitment. We aim to treat your diagnostics with the same seriousness we treat our own families’ connections.

If portions of this policy are held unenforceable, remaining portions continue in effect to the maximum extent permitted.

Translations into Urdu or other languages may be provided for convenience; in case of conflict with the English legal meaning, the English version prevails unless local law requires otherwise.

Your continued trust enables us to advocate for better broadband in Pakistan with credible, community-grounded evidence.

For the canonical text, refer to the privacy page on speedtester.pk and note the last updated date before relying on printed copies.