Privacy Policy

1. Information We Collect

We collect information that you provide directly to us, as well as information generated through your use of the Platform. The types of information we collect include:

Account Information

• Full name as it appears on your National Identity Document
• Email address
• Mobile phone number
• Date of birth
• Residential address
• Password (stored in encrypted form)

KYC Documentation

• National Identity Document (NID) number and scanned copy, as issued by the Bangladesh Election Commission
• Tax Identification Number (TIN) issued by the National Board of Revenue (NBR), where applicable
• Facial photograph for identity verification
• Proof of address documents (utility bills, bank statements)
• Business registration documents, including trade licence and certificate of incorporation, for business accounts

Transaction Information

• Escrow transaction details including amounts, milestones, and terms
• Payment method details (bank account, mobile wallet IDs)
• Transaction history and status records
• Communications between parties within the Platform messaging system
• Dispute-related documentation and correspondence

Automatically Collected Information

• Device information (browser type, operating system, device identifiers)
• IP address and approximate geolocation
• Usage data (pages visited, features used, time spent on the Platform)
• Log data (access times, error logs, referral URLs)

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To create and manage your account, process escrow transactions, facilitate milestone tracking, and enable fund releases and refunds.
• Identity Verification: To verify your identity through KYC procedures as required by Bangladesh Bank regulations, the Money Laundering Prevention Act, 2012, and the Anti-Terrorism Act, 2009.
• Fraud Prevention: To detect, investigate, and prevent fraudulent transactions, money laundering, and other prohibited activities on the Platform.
• Communication: To send you transaction notifications, security alerts, account updates, and service announcements via email, SMS, and in-app notifications.
• Dispute Resolution: To facilitate the investigation and resolution of disputes between transaction parties, including review of transaction evidence and communications.
• Legal Compliance: To comply with applicable laws, regulations, and directives from Bangladesh Bank, the Bangladesh Financial Intelligence Unit (BFIU), the National Board of Revenue, and other regulatory authorities.
• Service Improvement: To analyse usage patterns, improve Platform features, and enhance overall user experience through aggregated, anonymised data analysis.

3. KYC Data Handling

We recognise the sensitive nature of KYC documentation and apply the highest standards of care in its handling. Your NID numbers, TIN details, and identity documents are treated with the following safeguards:

• Encryption at Rest: All KYC documents and sensitive identity data are encrypted using AES-256 encryption at rest in our secure storage systems.
• Encryption in Transit: All data transmitted between your device and our servers is protected with TLS 1.3 encryption.
• Access Controls: Access to KYC data is strictly limited to authorised personnel who require it for verification, compliance, or dispute resolution purposes. All access is logged and audited.
• Minimisation: We collect only the KYC information that is necessary for regulatory compliance. NID and TIN numbers are partially masked in user-facing displays.
• Verification Partners: Where we use third-party verification services to validate NID or TIN information against government databases, we do so under strict data processing agreements that limit their use and retention of your data.

KYC verification results (approved, pending, or rejected) are stored separately from the underlying identity documents. In most operational contexts, only the verification status is accessed, not the original documents.

4. Data Sharing

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We may share your information only in the following circumstances:

• Transaction Counterparties: Limited information (your name and KYC verification status) is shared with the other party in an escrow transaction. We do not share your NID, TIN, contact details, or financial account information with counterparties.
• Partner Bank: Necessary transaction and identity information is shared with our partner bank to facilitate the holding and release of escrowed funds, in compliance with banking regulations.
• Payment Processors: Information required to process payments is shared with our partner bank under strict data processing agreements.
• Regulatory Authorities: We may disclose information to Bangladesh Bank, the BFIU, law enforcement agencies, or other regulatory authorities when required by law, regulation, or valid legal process (court order, subpoena, or regulatory directive).
• Service Providers: We engage trusted third-party service providers for hosting, analytics, customer support, and other operational functions. These providers are contractually bound to protect your data and use it only for the specific services they provide to us.
• Business Transfers: In the event of a merger, acquisition, or sale of assets by KaritKarma Limited, your information may be transferred as part of the transaction. We will notify you of any such transfer and any changes to applicable privacy practices.

5. Data Security

We implement comprehensive security measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. Our security practices include:

• Industry-standard encryption (AES-256) for data at rest and TLS 1.3 for data in transit
• Multi-factor authentication (MFA) available for all user accounts
• Regular security audits and vulnerability assessments conducted by qualified professionals
• Role-based access controls with the principle of least privilege for all employees and contractors
• Secure data centres with physical security measures, redundant systems, and disaster recovery capabilities
• Automated monitoring and alerting systems for detecting suspicious activity or potential security incidents
• Employee security training and strict confidentiality agreements for all staff handling personal data

While we take extensive measures to secure your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security but commit to promptly notifying affected users and relevant authorities in the event of a data breach, in accordance with applicable regulations.

6. Data Retention

We retain your personal information for as long as is necessary to fulfil the purposes for which it was collected, and as required by applicable law. Specific retention periods include:

• Account Information: Retained for the duration of your account and for 5 years following account closure, as required by Bangladesh Bank record-keeping regulations.
• KYC Documentation: Retained for a minimum of 5 years from the date of the last transaction, in compliance with the Money Laundering Prevention Act, 2012 and BFIU directives.
• Transaction Records: Retained for a minimum of 5 years from transaction completion, as required by Bangladesh Bank and the National Board of Revenue.
• Communication Records: In-platform messages related to transactions are retained for the same period as the associated transaction records.
• Log Data: Server logs and access records are retained for 12 months for security and operational purposes.

After the applicable retention period, personal data is securely deleted or anonymised so that it can no longer be associated with you. Anonymised data may be retained indefinitely for statistical and analytical purposes.

7. Your Rights

Subject to applicable laws and regulatory requirements, you have the following rights regarding your personal information:

• Right of Access: You may request a copy of the personal information we hold about you. We will provide this information within 30 days of receiving a verified request.
• Right to Rectification: You may request correction of any inaccurate or incomplete personal information. Certain information (such as NID details) may require re-verification after correction.
• Right to Deletion: You may request deletion of your personal information, subject to our legal obligations to retain certain data as described in the Data Retention section. Data required for regulatory compliance cannot be deleted before the mandatory retention period expires.
• Right to Restriction: You may request that we restrict processing of your personal information in certain circumstances, such as when you contest the accuracy of the data or object to our processing activities.
• Right to Data Portability: You may request a machine-readable copy of the personal information you have provided to us, to the extent technically feasible.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

To exercise any of these rights, please contact us at [email protected] with a clear description of your request. We may require identity verification before processing your request to protect against unauthorised access to personal information.

8. Cookies

Hold.bd uses cookies and similar tracking technologies to enhance your experience on the Platform. Cookies are small text files stored on your device that help us recognise your browser and remember your preferences.

Types of Cookies We Use

• Essential Cookies: Required for the Platform to function properly. These include session cookies for authentication, security tokens for CSRF protection, and cookies that remember your login status. These cannot be disabled.
• Functional Cookies: Used to remember your preferences such as language settings, display options, and notification preferences. These enhance your experience but are not strictly necessary.
• Analytics Cookies: Used to collect anonymised usage data that helps us understand how users interact with the Platform, identify areas for improvement, and measure the effectiveness of features. We use this data only in aggregated form.

You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may prevent you from using certain features of the Platform, including logging in and conducting transactions.

9. Changes to Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, technology, legal requirements, or business operations. When we make material changes to this policy, we will:

• Update the "Last updated" date at the top of this policy
• Notify registered users via email at least 15 days before the changes take effect
• Display a prominent notice on the Platform for at least 30 days following the change

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the revised policy, you should discontinue use of the Platform and contact us to discuss your options.

10. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact us:

• Email: [email protected]
• Address: KaritKarma Limited, Dhaka, Bangladesh

For privacy-specific enquiries, including data access requests and complaints about our data handling practices, please include "Privacy Request" in the subject line of your email. We aim to acknowledge all privacy-related enquiries within 3 business days and provide a substantive response within 30 days.