Privacy Policy

Privacy Policy for Shaako

Last Updated: 2026-05-29  ·  shaako.bd

1. Introduction

Shaako ("we," "our," "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application or visit our website (shaako.bd). By using the Platform, you consent to the data practices described in this policy.

2. Information We Collect

We collect the following types of information:

  • Identity Information: Name, email address, username, and profile picture (provided during registration or via Google Sign-In).
  • Phone Number: Collected for account verification via OTP.
  • KYC (Know Your Customer) Data: National ID (NID) number and a selfie/face photograph, collected for seller identity verification. This constitutes sensitive biometric-adjacent data and is handled with strict confidentiality.
  • Transaction Data: Details of purchases, sales, order history, payment method selections, payout information, and vault slot usage.
  • Payment Information: We do not store full payment card numbers. Payment transactions are processed by EPS (Electronic Payment Solutions), a third-party payment gateway. We store only transaction references, payment status, and selected payment methods (e.g. bKash, Nagad, Rocket).
  • User-Generated Content: Chat messages (P2P, support/customer care), listing descriptions, appeal evidence files (PDF, images, documents), product reviews, and vault resource files (URLs, keys, credentials) uploaded by sellers.
  • Reviews Data: Review text, ratings, and associated order metadata submitted by buyers.
  • Vault Data: For Vault listings, we store the digital resources (credentials, keys, links) provided by sellers in encrypted form. This data is revealed to buyers only after payment confirmation.
  • Boost & Voucher Data: Records of boost activations, voucher redemptions, and associated payment references.
  • Device & Usage Information: Device type, operating system, IP address, Firebase Cloud Messaging (FCM) tokens for push notifications, and app usage analytics via Firebase Analytics.

3. How We Use Your Information

We use collected information to:

  • Create and manage your account and verify your identity.
  • Facilitate P2P marketplace transactions between buyers and sellers.
  • Process payments via EPS and send transaction confirmations.
  • Verify seller identity through KYC (NID and selfie) to maintain marketplace trust.
  • Operate the Shaako Vault escrow system, including storing and releasing digital resources to buyers upon confirmed payment.
  • Display and moderate buyer reviews on listings.
  • Process boost activations and voucher redemptions.
  • Send push notifications (via Firebase Cloud Messaging) about orders, appeals, vault access grants, reviews, and account activity.
  • Resolve disputes, process appeals, and review evidence submitted by users.
  • Detect fraud, enforce our policies, and maintain platform security.
  • Improve our Platform through usage analytics.

4. Sharing Your Information

We may share your information in the following circumstances:

  • Between Users: Necessary details (username, order status, listing info) are shared between buyers and sellers to facilitate transactions. Vault resource data is shared exclusively with the confirmed buyer upon payment. Reviews are publicly visible on listing pages.
  • Payment Processor (EPS): When you make a payment, relevant transaction details are shared with EPS to process the payment. EPS operates under its own privacy policy.
  • Infrastructure Providers: We use Supabase (database and authentication), Firebase (push notifications, analytics, crash reporting), and Google Cloud Services. These providers process data on our behalf under data processing agreements.
  • Google Sign-In: If you use Google Sign-In, your basic Google profile (name, email, profile picture) is shared with us by Google.
  • Legal Requirements: We may disclose your information where required by law, court order, or government authority.
  • KYC Data: Your KYC information (NID, selfie) is used solely for identity verification and is accessible only to authorised Shaako administrators.

5. Vault Data & Resource Security

Vault listings contain sensitive digital resources (e.g. account credentials, license keys, private links) provided by sellers. This data is:

  • Stored securely in our database with Row-Level Security (RLS) policies.
  • Visible only to Shaako administrators and the confirmed buyer after payment.
  • Never shared with any third party or other users outside the transaction.
  • Retained for a minimum of 30 days post-transaction to support dispute resolution and appeals, after which it may be purged at our discretion.

6. Chat & Communication Data

Shaako provides in-app messaging between buyers and sellers, and a Customer Care chat for support. We retain chat messages to:

  • Facilitate order communication and dispute resolution.
  • Allow our admin team to review evidence during appeals.
  • Protect users from fraud and policy violations.

Chat messages related to active orders are retained for the order duration plus 90 days. Customer care conversations may be retained longer for quality and compliance purposes. Do not share sensitive personal financial information (e.g. card numbers, PINs) via chat.

7. Data Retention

We retain your personal data as follows:

  • Account data: Retained as long as your account is active.
  • Transaction & order history: Retained for a minimum of 1 year for compliance.
  • KYC data: Retained as required by applicable regulations.
  • Chat messages: Retained for the duration of the order plus 7 days.
  • Customer care conversations: Retained for up to 1 year.
  • Appeal evidence: Retained for 12 months post-resolution.
  • Vault resources: Retained for at least 30 days post-transaction.
  • Reviews: Retained indefinitely unless removed for policy violations.
  • Boost and voucher records: Retained for 1 year for financial compliance.

You may request deletion of your account and associated data at any time via the app (Settings → Privacy & Security → Delete Account). Some data may be retained for fraud prevention or legal compliance even after account deletion.

8. Security of Your Information

We implement industry-standard security measures including:

  • Encrypted data transmission (TLS/HTTPS)
  • Row-Level Security (RLS) on the database
  • Secure server-side management of payment credentials
  • Restricted access controls for KYC submissions and vault resource data
  • App Check to prevent unauthorized API access

Despite these measures, no system is completely secure. We encourage you to use strong, unique passwords and to report any security concerns to us immediately.

9. Third-Party Services

Our Platform integrates:

  • Firebase (Google)
  • Supabase
  • EPS — Payment gateway processing for buyer payments and seller payouts
  • Google Sign-In — OAuth authentication

Each third party operates under its own privacy policy. We encourage you to review those policies.

10. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your account and associated data.
  • Request a copy of the data associated with your account.

To exercise these rights, contact us via in-app support or email: [email protected]

11. Children's Privacy

Our Platform is not directed to children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child has provided us personal data, please contact us immediately at [email protected].

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy in the app and updating the "Last Updated" date. Continued use of the Platform after changes constitutes acceptance of the updated policy.