DueTrack - Hisab Sahakari

Privacy Policy

Last updated: 29 April 2026

PRIVACY POLICY

DueTrack — Hisab Sahakari

Effective Date: February 10, 2026 | Last Updated: April 29, 2026

DueTrack ("we," "our," or "us") is an IT-enabled service operated by Monirujjaman Monjil, Gala Union Parishad, Tangail Sadar, Tangail, Dhaka, Bangladesh (Trade License No: 12196163946). This Privacy Policy explains how we collect, use, store, and protect your information when you use our software at duetrack.com.bd, app.duetrack.com.bd, the DueTrack Android app (available on Google Play Store), and the DueTrack iOS app (available on the Apple App Store). By using DueTrack, you agree to the terms described in this Policy. If you do not agree, please discontinue use of the Service.

1. Information We Collect

1.1 Information You Provide Directly

  1. Account Registration: Mobile phone number, business name, full name, and password (stored only in hashed form using industry-standard hashing algorithms).
  2. Profile Information: Optional profile picture and business address.
  3. Business Data: Names, phone numbers, and financial records of your debtors and customers, which you voluntarily enter into the application.
  4. Transaction Records: Income, expense, stock, sales, and due payment entries that you create.
  5. Field Visit Data: When you use the field expense management module, you may voluntarily record visit details, including starting location, destination, kilometers traveled, expense descriptions, and meal or transport notes. This information is stored only when you choose to record it.
  6. Communications: Messages, support queries, and feedback submitted to our support channels.

1.2 Information Collected Automatically

  1. Usage Data: Pages visited, features used, and actions taken within the app to help us improve the Service.
  2. Device Information: Browser type, operating system, screen resolution, and language preferences.
  3. Session Data: Login timestamps, session duration, and authentication tokens.
  4. IP Address: Collected for security monitoring, fraud prevention, and rate limiting.
  5. Cookies: Minimum necessary cookies for session management and user preferences (see Section 7).

1.3 Location Data (Optional Feature — Field Expense Module Only)

The DueTrack web service and Android app include an optional Field Expense Management feature that may use your device's location to assist with logging field visits. We collect location data only under these strict conditions:

  1. The location feature is OPTIONAL and is never used unless you explicitly tap the "GPS" button within the Add Expense form.
  2. We collect approximate or precise location ONLY at the moment you tap the GPS button — never in the background and never continuously.
  3. The collected coordinates (latitude and longitude) are sent to OpenStreetMap's Nominatim service (operated by the OpenStreetMap Foundation) solely to convert your coordinates into a human-readable place name (reverse geocoding). The resulting place name is then stored alongside your expense entry.
  4. We do NOT track your movement, store coordinate trails, or build location histories.
  5. We do NOT share your location data with advertisers, marketers, or any third parties other than OpenStreetMap for reverse geocoding.
  6. You can use the entire app without ever granting location access. The expense form accepts manually typed locations as a complete alternative.
  7. On Android, the app requests ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions only when you initiate the GPS button. You may revoke these permissions at any time in your device settings. We do not request background location access.

1.4 Android App — Firebase

When you use the DueTrack Android app, we collect a Firebase Cloud Messaging (FCM) token to deliver push notifications to your device. Firebase Analytics may access the Android Advertising ID (AD_ID) solely for internal app analytics and performance monitoring. This data is anonymized and is never shared with advertisers or used to serve ads to you. The FCM token is not shared with third parties beyond Firebase (Google LLC) for the sole purpose of notification delivery.

1.5 iOS App — No Independent Data Collection

The DueTrack iOS app does not independently collect any personal data. The app is a secure WebView wrapper that connects to our web service at app.duetrack.com.bd. All account data and business records are processed and stored exclusively by our web service, subject to the terms of this Privacy Policy. The iOS app contains no analytics, advertising, or tracking SDKs.

1.6 Information We Do NOT Collect

We do not collect:

  1. Credit card numbers or banking credentials
  2. National ID or government identification numbers
  3. Biometric data (Face ID and Touch ID are processed entirely on-device by Apple's Secure Enclave and are never accessible to us)
  4. Background or continuous GPS location data
  5. Contacts list, calendar, photo library, or microphone data
  6. Health, fitness, or medical data
  7. Browsing history outside our application

2. How We Use Your Information

We use your information for the following purposes only:

  1. Service Delivery: To operate, maintain, and improve DueTrack.
  2. Account Management: To authenticate users and manage account access.
  3. SMS Reminders: To send due reminders via SMS on your behalf to phone numbers you provide for your debtors.
  4. Push Notifications: To deliver important alerts via Firebase FCM (Android only).
  5. Field Expense Logging: To save the place name returned from the optional GPS button alongside your voluntarily-entered expense entries.
  6. Customer Support: To respond to queries and resolve issues.
  7. Security: To detect and prevent unauthorized access, abuse, or fraud.
  8. Legal Compliance: To fulfill obligations under applicable Bangladesh law.

We do NOT serve any advertisements within DueTrack, nor do we use your data for user profiling, ad targeting, behavioral analysis, or sale to third parties under any circumstances.

3. Data Storage and Security

3.1 Storage Location

All user data is stored on servers physically located within Bangladesh. We do not transfer your business data to servers outside of Bangladesh. The exceptions are: (a) Firebase Cloud Messaging tokens, which are processed by Google's global infrastructure solely for push notification delivery, and (b) location coordinates briefly transmitted to OpenStreetMap Nominatim for reverse geocoding (these are not stored by us and are subject to OpenStreetMap's privacy policy at https://osmfoundation.org/wiki/Privacy_Policy).

3.2 Security Measures

We implement the following safeguards:

  1. SSL/TLS encryption for all data in transit
  2. Industry-standard password hashing (passwords are never stored in plain text)
  3. OTP-based login verification for sensitive actions
  4. Session timeout protection
  5. Persistent login tokens stored as SHA-256 hashes
  6. Automated cloud backups
  7. iOS Keychain storage for sensitive session data on Apple devices
  8. iOS App Sandboxing to isolate app data from other applications
  9. CSRF protection on all forms
  10. Rate limiting on authentication endpoints

3.3 Data Retention

We retain your data for as long as your account is active. Upon account deletion request, all personal information is permanently and immediately erased once verified and approved by our admin team. Anonymized financial transaction audit logs (with all personally identifiable information removed) may be retained for up to 90 days after account deletion for legal and regulatory compliance purposes, after which they are automatically and permanently removed.

4. Information Sharing

We do not sell, rent, or share your personal information with third parties except in these limited cases:

4.1 Service Providers

  1. SMS Provider (mimsms.com): Receives only the recipient's phone number and message content to deliver your reminders. Bound by their own privacy and security obligations.
  2. Firebase (Google LLC): Receives your FCM token solely to deliver push notifications to your Android device. Subject to Google's Privacy Policy.
  3. OpenStreetMap Nominatim: When you tap the GPS button in the field expense form, your latitude and longitude coordinates are sent for reverse geocoding only. No personal identifiers are sent. Subject to OpenStreetMap Foundation Privacy Policy.

4.2 Apple Inc.

The DueTrack iOS app does not transmit any personal data to Apple. The iOS app does not use Apple's analytics, advertising, or tracking services.

4.3 Legal Obligations

We may disclose information if required by a valid court order or government authority in Bangladesh, or if necessary to protect our legal rights, prevent fraud, or address security threats.

4.4 Business Transfer

In the event of a merger, acquisition, or sale of business assets, users will be notified in advance and given the option to delete their data before any transfer occurs.

5. Your Rights

You have the following rights regarding your personal data:

  1. Right to Access: Request a copy of the personal data we hold about you
  2. Right to Correction: Update or correct inaccurate information through your account settings or by contacting support
  3. Right to Deletion: Request permanent deletion of your account and all data (see Section 6)
  4. Right to Data Portability: Request a portable export of your business data in a machine-readable format
  5. Right to Withdraw Consent: For optional features such as location access, you may revoke device permissions at any time
  6. Right to Object: Object to specific processing activities by contacting our support team

To exercise any right, contact us at support@duetrack.com.bd. We will respond within 30 days.

6. Account and Data Deletion

In compliance with Google Play Store and Apple App Store policies, you may request permanent deletion of your DueTrack account and all associated data at any time through the following methods:

Method 1 — Online Self-Service (Recommended)

Visit our dedicated account deletion page at: https://duetrack.com.bd/account-deletion

Enter your registered mobile number, verify your identity through an OTP sent to that number, and submit your deletion request directly. Our admin team will review and process your request, typically within 3 to 7 business days.

Method 2 — By Email

Send an email to support@duetrack.com.bd with the subject line "Account Deletion Request" and include your registered mobile number for verification. We will process your request within 7 business days of verification.

What Will Be Deleted

Once your deletion request is verified and approved by our admin team, all your personal information is permanently and immediately erased from our systems, including:

  1. Account credentials (phone number, password hash, name)
  2. Business profile and business names
  3. All debtor records and contact information you have stored
  4. Complete transaction history (income, expense, stock, due entries)
  5. Stock records and product catalogs
  6. SMS reminder logs and delivery reports
  7. Field visit records and location data captured through the GPS feature
  8. Uploaded profile pictures
  9. Push notification tokens
  10. All session data

What May Be Retained for Legal Compliance

Anonymized financial transaction audit logs (with all personally identifiable information, including your name, phone number, and user ID removed) may be retained for up to 90 days after deletion for legal and regulatory compliance purposes, after which they are automatically and permanently removed.

Important Notes

  1. Deleted data cannot be recovered once deletion is complete
  2. Deleting your account does not entitle you to a refund for any unused subscription period or SMS credit balance
  3. A confirmation will be communicated through the same channel you used to request deletion
  4. If you have an active premium subscription, future billing will stop automatically after deletion

7. Cookies and Tracking

DueTrack uses only the minimum cookies necessary:

  1. Session cookies to maintain your login across app uses (including persistent login cookies for Android and iOS apps)
  2. Preference cookies to remember display settings
  3. Analytics cookies (Google Analytics 4 and Google Tag Manager) to understand aggregate platform usage. No personally identifiable data is shared with analytics providers, and IP anonymization is enabled where applicable.

We do NOT use third-party advertising cookies, retargeting pixels, or behavioral tracking. The iOS app does not use any tracking or analytics SDKs. The Android app uses Firebase Analytics solely for internal performance monitoring with anonymized data.

You can disable cookies through your browser settings; however, doing so may affect core functionality such as login persistence.

8. Mobile App — Local Data Storage

8.1 Android App

The Android app may store the following data locally on your device:

  1. Login session cookies to keep you logged in between app uses
  2. Firebase FCM token for push notifications
  3. Cached web content for faster loading

8.2 iOS App

The iOS app stores the following data locally on your device only:

  1. Login session cookies to keep you logged in between app uses
  2. User preferences, such as biometric lock settings, stored in iOS Keychain
  3. Cached web content for faster loading, managed by iOS WebKit

This locally stored data never leaves your device except to communicate with our secure web service over HTTPS.

9. Biometric Authentication — iOS Face ID and Touch ID

If you enable Face ID or Touch ID app lock on the iOS app:

  1. Biometric data is processed entirely on your device by iOS
  2. We do not have access to your biometric information at any time
  3. Authentication is managed by Apple's Secure Enclave technology
  4. You can disable this feature at any time in the app Settings

10. App Store Data Collection Declarations

10.1 Google Play Store (Android)

Data Collected:

  1. Personal info: Name, phone number, email (provided during registration)
  2. Financial info: Business transaction records (entered by you, not collected automatically)
  3. App activity: In-app actions, search history within the app
  4. App info and performance: Crash logs, diagnostics
  5. Device or other IDs: Firebase FCM token for push notifications
  6. Location: Approximate location and precise location, ONLY when user explicitly taps the GPS button in the field expense form. Not collected continuously, not collected in background.

Data Sharing:

  1. FCM token shared with Firebase (Google LLC) for notification delivery only
  2. Location coordinates briefly shared with OpenStreetMap Nominatim for reverse geocoding only

Security Practices:

  1. Data encrypted in transit (HTTPS/TLS)
  2. Data encrypted at rest where supported by the hosting infrastructure
  3. You can request data deletion at any time
  4. We follow OWASP secure coding practices

10.2 Apple App Store (iOS)

  1. Data Used to Track You: None
  2. Data Linked to You: None (the iOS app itself does not collect any data)
  3. Data Not Linked to You: None

The iOS app itself does not collect any personal data. All user account data is managed by our web service in accordance with this Privacy Policy.

11. Children's Privacy

DueTrack is intended for adults aged 18 and older. We do not knowingly collect information from individuals under 18. The DueTrack iOS app is not intended for children under the age of 13, and the Android app is rated for users 18 and above.

If we become aware that a minor has registered or used our service, we will promptly delete their account and all associated data. Parents or guardians who believe their child has registered may contact support@duetrack.com.bd to request immediate deletion.

12. International Data Transfers

While we store all user business data on servers within Bangladesh, certain processing activities involve international data transfers:

  1. Firebase Cloud Messaging operates on Google's global infrastructure
  2. OpenStreetMap Nominatim is operated by the OpenStreetMap Foundation (United Kingdom)
  3. Google Analytics processes anonymized usage data on Google's global infrastructure

These transfers are limited in scope and subject to the privacy policies of those service providers.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. For material changes, we will:

  1. Notify registered users via the app or email at least 7 days before the changes take effect
  2. Update the "Last Updated" date at the top of this policy
  3. Display an in-app notice for significant changes
  4. Notify iOS app users through app updates and this page

Continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree with the updated policy, you must discontinue use and may request account deletion.

14. Compliance with Google Play Policies

DueTrack complies with all applicable Google Play Developer Program Policies, including but not limited to:

  1. User Data Policy
  2. Permissions and APIs that Access Sensitive Information Policy
  3. Location Permissions Policy
  4. Families Policy (we do not target children)
  5. Data Safety section requirements
  6. Account deletion requirements

15. Compliance with Apple App Store Policies

The DueTrack iOS app complies with Apple's App Store Review Guidelines, including:

  1. App Privacy section disclosure requirements
  2. Account deletion requirement (Guideline 5.1.1(v))
  3. Sign in with Apple equivalent (we use OTP-based authentication)
  4. App Tracking Transparency (we do not track users)

16. Contact Us

DueTrack

Operated by: Monirujjaman Monjil

Address: Gala Union Parishad, Tangail Sadar, Tangail, Dhaka, Bangladesh

Trade License No: 12196163946

Email Contacts:

  1. General Privacy Inquiries: support@duetrack.com.bd
  2. Customer Support: contact@duetrack.com.bd
  3. Account Deletion: support@duetrack.com.bd (subject: "Account Deletion Request") or use the online form at https://duetrack.com.bd/account-deletion
  4. iOS Privacy Inquiries: support@duetrack.com.bd (subject: "iOS App Privacy Inquiry")
  5. Android Privacy Inquiries: support@duetrack.com.bd (subject: "Android App Privacy Inquiry")
  6. Data Subject Rights Requests: support@duetrack.com.bd (subject: "Data Rights Request")

Response Time: We aim to respond to all privacy-related inquiries within 7 business days, and to data deletion requests within 7 business days of identity verification.

