Privacy Policy

Last updated: May 2026

1. Information We Collect

We collect information you provide directly when you create an account or use the Service:

  • Account data: your full name, email address, and password (stored as a bcrypt hash).
  • Business data: organisation name, store name(s), and subscription plan selection.
  • Transaction data: sales records, inventory movements, customer profiles, and payment references you enter while using the platform.
  • Usage data: pages visited, features used, browser type, IP address, and timestamps — collected to improve reliability and performance.
  • Communications: any messages you send to our support team.

We do not collect payment card numbers directly. All payment processing is handled by certified third-party processors (bKash, Nagad, SSL Wireless) under their own privacy policies.

2. How We Use Your Information

  • To create and manage your account and workspace.
  • To provide and operate the RetailSaaS platform and all its features.
  • To send transactional emails: email verification, password resets, invoices, low-stock alerts, and staff invitations.
  • To calculate, collect, and remit subscription fees in BDT.
  • To detect, investigate, and prevent fraudulent transactions and abuse of the Service.
  • To comply with legal obligations, including NBR (National Board of Revenue) tax record-keeping requirements.
  • To analyse aggregate usage patterns and improve the platform (using anonymised data only).

We will not use your data for advertising, sell it to data brokers, or share it with third parties for their own marketing purposes.

3. Data Sharing

We share personal data only in the following circumstances:

  • Service providers: hosting (cloud infrastructure), transactional email delivery, error monitoring, and analytics tools that process data on our behalf under strict data processing agreements.
  • Payment processors: only the minimum data required to complete a transaction is shared with bKash, Nagad, or SSL Wireless.
  • Legal compliance: if required by Bangladeshi law, court order, or regulatory authority (including NBR audit requests), we may disclose data to the extent mandated.
  • Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you in advance.

4. Data Retention

Account & business data: retained while your account is active and for 30 days after account deletion, after which it is permanently purged.

Transaction records: retained for 7 years to comply with Bangladesh income tax and VAT record-keeping requirements under the NBR.

Audit logs: retained for 90 days, then automatically deleted.

Security tokens (email verification, password reset, staff invitations): purged after 7 days regardless of whether they have been used.

Support communications: retained for 2 years.

After the applicable retention period, data is securely and irreversibly deleted from all production systems and backups.

5. Security

We implement industry-standard technical and organisational measures to protect your data:

  • All data is transmitted over TLS 1.2 or higher — plain HTTP is rejected.
  • Passwords are hashed using bcrypt with a work factor of 12.
  • Sensitive tokens (email verification, password reset) are stored as SHA-256 hashes; plaintext is never persisted.
  • API endpoints are protected by JWT authentication and per-route role authorisation.
  • Rate limiting is applied to authentication endpoints to mitigate brute-force attacks.
  • All privileged actions are recorded in tamper-evident audit logs retained for 90 days.
  • Database access is restricted to application servers via private network; no public database ports are exposed.
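The token-handling rule above (random token sent to the user, only its SHA-256 digest stored, single use, purged after the 7-day window from section 4) is worth seeing end to end, because the reason it is safe is that the token itself is 256 bits of CSPRNG output: a fast hash is enough for a secret an attacker cannot guess, whereas user-chosen passwords get bcrypt. The following is an added illustration, not RetailSaaS's own code; it assumes an in-memory dict as a stand-in for the database table, and the function names `issue_token`, `redeem_token` and `purge_expired` are hypothetical.

```python
import hashlib
import secrets
import time

# Matches the 7-day purge window for verification / reset / invitation tokens.
TOKEN_TTL_SECONDS = 7 * 24 * 3600

# Constructed stand-in for the database table. Keyed by the SHA-256 hex digest
# of the token; the plaintext token is never written here.
_store = {}


def _digest(token: str) -> str:
    """Fast hash is fine: the input is 256 random bits, not a guessable password."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: int, purpose: str, now=None) -> str:
    """Create a token for one purpose, persist only its digest, return the plaintext
    exactly once so it can be put in the email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    _store[_digest(token)] = {
        "user_id": user_id,
        "purpose": purpose,
        "created": now,
        "used": False,
    }
    return token


def redeem_token(token: str, purpose: str, now=None):
    """Return the user_id if the presented token is known, bound to this purpose,
    unexpired and unused; otherwise None. Marks the token used on success."""
    now = time.time() if now is None else now
    # Looking up by digest is what an indexed DB query would do. A timing side
    # channel on this lookup is not useful to an attacker because the value
    # being matched is a hash of a high-entropy secret, not the secret itself.
    rec = _store.get(_digest(token))
    if rec is None:
        return None
    if rec["purpose"] != purpose:        # a reset token must not verify an email
        return None
    if now - rec["created"] > TOKEN_TTL_SECONDS:
        return None                      # expired; purge job will drop it
    if rec["used"]:
        return None                      # single use
    rec["used"] = True
    return rec["user_id"]


def purge_expired(now=None) -> int:
    """Delete every token older than the TTL, used or not. Returns the count removed."""
    now = time.time() if now is None else now
    stale = [d for d, r in _store.items() if now - r["created"] > TOKEN_TTL_SECONDS]
    for d in stale:
        del _store[d]
    return len(stale)


if __name__ == "__main__":
    t = issue_token(42, "password_reset")
    print("send to user:", t)
    print("stored digests:", list(_store))
    print("redeem:", redeem_token(t, "password_reset"))
    print("second redeem:", redeem_token(t, "password_reset"))
```

Two details carry the security value: binding each token to a purpose so a leaked verification link cannot be replayed as a password reset, and purging on creation time rather than on use, which is what the retention section promises.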

No security system is perfect. In the event of a data breach affecting your personal information we will notify you within 72 hours of becoming aware of it.

6. Your Rights

You have the following rights regarding your personal data:

  • Access & portability: export a copy of all personal data associated with your account in JSON format via Account Settings → Data & Privacy → Export data (API endpoint: /account/data-export).
  • Correction: update your name, email, and business information at any time from your profile settings.
  • Deletion: request permanent deletion of your account and personal data via Account Settings → Data & Privacy → Delete account (API endpoint: /account/data-deletion-request). Note that transaction records may be retained for the legally required 7-year period.
  • Restriction of processing: you may object to certain uses of your data by contacting us at privacy@retailsaas.app.

We will respond to all data rights requests within 30 days. Identity verification may be required before we process a request.

7. Cookies

We use only essential session cookies required for authentication and CSRF protection. We do not set any advertising, tracking, or analytics cookies. Third-party payment widgets (bKash, Nagad) may set their own cookies when you interact with them; please refer to their respective privacy policies.

8. Bangladesh Data Protection

RetailSaaS is operated by RetailSaaS Ltd., a company registered in Bangladesh. We comply with applicable Bangladeshi data protection requirements, including:

  • Digital Security Act 2018 / Cyber Security Act 2023: we maintain appropriate safeguards for digital personal data and report material security incidents to the relevant authorities as required.
  • NBR compliance: financial transaction data is retained for the 7-year period required by Bangladesh income tax and VAT regulations.
  • Cross-border transfers: some service providers (e.g., cloud hosting, error monitoring) may process data outside Bangladesh. We ensure that such transfers are subject to adequate data protection safeguards.

9. Contact

For questions, concerns, or to exercise your data rights, please contact our Data Protection team:

RetailSaaS Ltd.

Dhaka, Bangladesh

Email: privacy@retailsaas.app

Support: support@retailsaas.app

For terms of service questions, see our Terms of Service.