গোপনীয়তা নীতিPrivacy Policy

1. Who we are

BharaKhata (“we”, “us”) is a property and rent management app published by [BUSINESS NAME], registered in Bangladesh ([REGISTRATION NUMBER]). For privacy questions, contact us at [CONTACT EMAIL] or write to [POSTAL ADDRESS].

2. What data we collect

2a. From every user (owner, tenant, caretaker)

• Mobile phone number — required for sign-in via OTP. We share it with Supabase (our backend) and bdbulksms.net (our SMS provider) only to deliver the code.
• Full name and preferred language — what you type during onboarding.
• In-app activity — notifications you read, messages you send, and the buildings/leases/payments you view, in order to render the app.

2b. From owners and tenants on a lease

• Lease terms — rent amount, start/end dates, deposit, contract PDF.
• Payment records — amount, date, method (cash/bKash/bank), and proof photos you upload.
• Invoice records — generated monthly from your lease.

2c. From tenants during onboarding (KYC)

• National ID card photo (NID) — you upload front and back images for the owner’s verification. Stored encrypted at rest.
• Optional passport-style photo — also stored encrypted at rest.

2d. From caretakers and staff

• Walk-through reports and photos of common areas.
• Visitor gate-pass entries (visitor name, phone, OTP).

2e. From the device (Android, iOS, Web)

• Push notification token (FCM) — to send you notifications.
• App version, device model, OS version — for crash diagnostics.
• We do not collect your contacts, call log, photos other than those you explicitly upload, precise location, microphone, or browser history.

3. Why we collect it

4. Who we share it with

We use the following processors. They access only what is needed:

• Supabase Inc. (backend hosting, AWS ap-northeast-1, Tokyo) — stores the database. SOC 2 Type 2 certified.
• Cloudflare R2 (object storage) — stores larger uploads (walk-through photos, refund receipts, NID images). Encrypted at rest.
• Google Firebase Cloud Messaging — delivers push notifications.
• bdbulksms.net — sends SMS (OTP, reminders).
• Meta WhatsApp Business (optional, if your owner enabled it) — sends WhatsApp messages.

We never sell your data. We share with law enforcement only on a valid written legal order from a Bangladeshi authority.

5. Where it is stored

• Database in AWS Tokyo (ap-northeast-1).
• Object storage (photos, PDFs) in Cloudflare’s global network.
• Push tokens held by Google FCM.

6. How long we keep it

• Active accounts — for as long as your account is open.
• Closed accounts — 24 months after closure, then deleted, except records we must retain for tax/regulatory reasons (max 7 years).
• Notifications — auto-archived after 90 days.
• NID images — kept until lease ends + 24 months, then deleted.
• Audit logs — 24 months.

7. Your rights

• Access — request a copy of your data.
• Correction — fix errors in your profile from Settings.
• Deletion — delete your account from Settings → Account → Delete. We remove personal data within 30 days except items we must retain by law.
• Export — request a machine-readable export.
• Withdraw consent — disable specific channels (SMS, push, WhatsApp) in Settings → Notifications.

Send requests to [CONTACT EMAIL].

8. Security

• All data transferred over HTTPS / TLS 1.2+.
• Database at rest is encrypted by AWS.
• Object storage at rest is encrypted by Cloudflare R2.
• Passwords are never used — we use one-time SMS codes only.
• Access to internal admin tools is limited to [NAMED STAFF MEMBERS].

9. Children

BharaKhata is not directed at users under 18 and we do not knowingly collect data from them. If you believe a child has signed up, write to us and we will delete the account.

10. Changes

If we materially change this policy, we’ll send an in-app notice and update the “Last updated” date. Continued use after the change means you accept the new policy.

11. Bangladesh law

This policy is governed by the laws of Bangladesh. Disputes go to the courts of [CITY].