Privacy Policy
Last updated: 2026-04-29 · Version: v0.1 · Status: Draft
This Privacy Policy explains what personal data we collect when you use Exit.bd, why we collect it, how long we keep it, and what rights you have over it. We treat the data you trust us with the same way we would want our own data treated — and this document tells you exactly how.
§ 01 · Scope and our role as data controller
KaritKarma Limited (“Exit.bd”, “we”) is the data controller for personal data processed through the Exit.bd marketplace. Our registered office is in Dhaka, Bangladesh. This Privacy Policy applies to users of exit.bd, dash.exit.bd, console.exit.bd, partner.exit.bd, and our public APIs.
We process personal data in accordance with Bangladeshi law, including the Information and Communication Technology Act 2006, the Digital Security Act 2018, and the forthcoming Bangladesh Personal Data Protection Act (in draft as of 2026). Where Users are based in jurisdictions with stricter applicable law (for example, the EU GDPR for buyers based in Europe), we apply the higher standard.
§ 02 · Data we collect
2.1 Account data
Name, email, phone number, country of residence, role indicator (buyer / seller / partner), and authentication identifiers issued by Wenme. We do not store passwords because authentication is passwordless.
2.2 KYC and identity data
National ID (NID), passport scans, Trade Licence, Certificate of Incorporation, RJSC Form XII, TIN certificate, address proof, source-of-funds declaration, beneficial ownership disclosure, and (for foreign buyers) Bangladesh Bank approval letters. Liveness checks may be performed during onboarding.
2.3 Transactional data
Listing details, financial summaries you choose to upload, NDA execution records, Deal Room access logs, Secure Chat messages, offer history, and escrow milestone events.
2.4 Usage and device data
IP address, user agent, device identifiers, login timestamps, page views, click events, and authorisation decisions logged by Darwan.
2.5 Communications
Emails, SMS and WhatsApp messages we send via BitsPath, and any support correspondence you send us.
§ 03 · How we use your data
We use personal data to (a) operate the marketplace and match Sellers with Buyers, (b) verify identity and prevent fraud, money-laundering and sanctions breaches, (c) execute and audit NDAs, Deal Rooms and escrow transactions, (d) send transactional notifications and service updates, (e) provide customer support, (f) improve our products through aggregated, de-identified analytics, and (g) comply with legal and regulatory obligations including Bangladesh Bank reporting and tax filings.
We do not sell personal data. We do not use your data to train third-party AI models. We do not engage in cross-context behavioural advertising.
§ 04 · KYC document handling
KYC documents are uploaded directly to encrypted object storage on MinIO inside our private network. Each object is encrypted at rest with AES-256 server-side encryption and additionally field-encrypted at the application layer for the most sensitive fields (NID number, TIN, passport number, bank account details).
Access to KYC documents is gated by Darwan policy — every access decision is logged with the requesting user, the document, the purpose code, and the resulting allow / deny. Only authorised compliance staff with a documented review purpose may decrypt KYC files; engineering and product staff have no production access.
We do not transmit KYC documents to third parties except (a) to our regulated escrow partner Hold.bd / Prime Bank PLC where required to fund a transaction, (b) to government authorities under lawful order, or (c) where you explicitly consent (for example, to share with your own legal advisor).
§ 05 · Authentication, authorisation and audit logging
Authentication is provided by Wenme using OAuth 2.1 with PKCE and Ed25519 / EdDSA-signed JSON Web Tokens. Because the system is passwordless, there is no password database to leak — even internally. Sessions are short-lived and refreshed via secure, httpOnly cookies bound to the originating origin.
Authorisation is delegated to Darwan, which evaluates RBAC and ABAC policies against each request and writes an immutable audit record. You can request a copy of the audit log entries relating to your own account by contacting us via the DSAR channel below.
§ 07 · Retention periods
We retain personal data only for as long as needed for the purposes set out in this Policy, the durations required by law, or the period necessary to defend potential legal claims — whichever is longer.
Indicative retention periods: Account data — for the life of the account plus 12 months. KYC records — 7 years from the date of the last transaction (Bangladesh AML guidance). Deal Room documents and audit logs — 7 years from deal closure. Secure Chat messages — 3 years from deal closure or 12 months from account deletion. Marketing communications — until you unsubscribe. Aggregated analytics — indefinitely in de-identified form.
§ 08 · Your data subject rights
You have the right to (a) access the personal data we hold about you, (b) request correction of inaccurate data, (c) request deletion subject to our retention obligations, (d) object to or restrict certain processing, (e) request a portable export of your data, (f) withdraw consent where consent is the legal basis for a specific processing activity, and (g) lodge a complaint with the relevant supervisory authority in Bangladesh.
We aim to respond to verifiable requests within thirty (30) calendar days. We will verify your identity before responding to any data subject request to protect against impersonation.
§ 09 · International transfers
Exit.bd’s primary data residency is Bangladesh. Where data is transmitted outside Bangladesh — for example, when you access the Platform from abroad, when we use Cloudflare for edge security, or when we send communications through global carriers — we apply transport-layer encryption and contractual safeguards.
We do not store production user data or KYC files outside Bangladesh.
§ 10 · Security
Security controls are described in detail on our security page. In short: passwordless auth, externalised authorisation with audit log, AES-256 at-rest encryption, field-level encryption on financial data, watermarked Deal Room documents, regex contact-info filtering inside Secure Chat, and a documented vulnerability disclosure programme at security@exit.bd.
§ 11 · DSAR contact and complaints
To exercise any right under this Policy, or to raise a privacy concern, contact our Data Protection Officer at dpo@exit.bd. You may also write to KaritKarma Limited, Level 7, House 42, Road 11, Banani, Dhaka 1213, Bangladesh.
If you believe we have not handled your data lawfully, you may complain to the relevant Bangladeshi authority. Once the Bangladesh Personal Data Protection Act is enacted and a supervisory authority is constituted, contact details for that authority will be added here.
We may amend this Privacy Policy from time to time. The current version is dated at the top of this page; previous versions are archived and available on request.
Questions — legal@exit.bd