Privacy Policy
Document version: 2026-05-06.v1 · Last updated: 6 May 2026 · Applies to tenderpulse.com.bd
1 · Data controller
TenderPulse is operated by TICON SYSTEM LIMITED, a company registered in Dhaka, Bangladesh under the Companies Act, 1994. For all privacy questions and exercise of your rights under this policy, the accountable contact is:
- Email: privacy@publicpulse.com.bd
- General contact: info@publicpulse.com.bd
- Postal: TICON SYSTEM LIMITED, Dhaka, Bangladesh
- Urgent privacy matters: same email with subject “PRIVACY URGENT”; we acknowledge within 72 hours.
2 · Categories of data we collect
We keep only the data without which the product cannot work. For each category below we state what is collected, why, and on which lawful basis.
2.1 · Account data
- Your name, email address, mobile number, and password hash (bcrypt, via BetterAuth; we never store plaintext passwords).
- Login session metadata: IP, user-agent, timestamps. Used to detect unauthorised logins and to show “recent sessions” in settings.
- Lawful basis: contract — necessary to operate your account.
2.2 · Company profile data
- Trade name, legal name, RJSC registration, TIN, BIN, VAT registration, trade license, e-GP user ID, registered + mailing address, contact persons.
- Authorized capital, paid-up capital, employee count.
- Business categories, work specializations, geographic coverage, keywords.
- Lawful basis: contract — required to compute your eligibility against tender ITBs and to populate Form Tech-1, etc.
2.3 · Financial data ★ sensitive
- Audited turnover, net profit, net worth, current assets & liabilities for the last 3–5 fiscal years.
- Bank account names + numbers + branches + routing codes (3+ banks allowed).
- Credit / bonding / overdraft / bid-security / term-loan facilities (limit, expiry, issuing bank).
- Lawful basis: contract. Access is strictly per-tenant. Bank account numbers are encrypted at rest in their database column (AES-256 with keys managed by AWS KMS), are never returned unmasked by the API, and are shown in the UI with only the last 4 digits visible.
2.4 · Key personnel data ★ sensitive
- Authorized signatory, engineers, finance personnel — name, designation, qualification, years of experience, email, phone, and (optionally) National ID number.
- Lawful basis: contract; you must obtain consent from each person before adding them. We treat personnel records as a data-processing relationship; see the Data Processing Addendum.
- NID is never displayed in full in the UI (only last 4 digits).
2.5 · Document vault
- Trade license PDF, TIN/BIN/VAT certificates, e-GP registration letter, audited financials, bank solvency certificates, PCC (Project Completion Certificates), CV files, equipment documents, authorization letters.
- Each file is stored in S3 (Singapore) with server-side encryption (SSE-KMS), with object keys scoped under your company ID; URL generation is per-request and signed with a 60-second expiry.
2.6 · Tender uploads & AI conversations
- ZIP archives you upload from e-GP (containing ToR, BoQ, ITB, GCC, SCC, technical specifications, drawings, addenda) — kept for the life of the tender, then archived for evidentiary value.
- Copilot chat history per tender (your questions, the AI’s answers, and the PPR rule citations).
- Your prompts and tender contents are sent to AWS Bedrock for inference (Claude models by Anthropic, and Cohere embedding models). Bedrock processes the request, returns the answer, and discards the input; neither Anthropic nor Cohere retains it for training. We never use your data to train any model.
2.7 · Payment data
- Plan slug, BDT amount, VAT amount, transaction reference, EPS merchant + transaction IDs, paid-at timestamp.
- We do not see, store, or process your card number, CVV, expiry, OTP or banking PIN. The Bangladesh Bank–licensed EPS Bangladesh Limited gateway captures payment credentials directly and returns only the transaction outcome to us.
2.8 · Usage analytics
- We log request paths, response codes, latency, and user IDs for operational diagnostics in AWS CloudWatch (90-day retention).
- We do not use Google Analytics, Facebook Pixel, Mixpanel, Segment, or any third-party browser tracker.
- See the Cookie Policy — we use only essential session cookies.
3 · How we use your data
Every use has a declared purpose:
- Account operation — sign-in, OTP, password reset, billing, audit log, support replies.
- Eligibility & fit-score computation — match your profile against tender ITB requirements.
- PPR compliance verification — check the eight PPR 2008 rules deterministically on each upload.
- Copilot question answering — feed your prompt + relevant tender excerpts to Bedrock Claude with a per-tender context window.
- Reminder & deadline notifications — send submission-deadline alerts, profile-document expiry reminders, and billing notices via email.
- Operational debugging: investigate failed jobs using anonymised IDs (TP-XXXX-XXXX); engineers see the failure stack trace, not your data, unless an audited "break glass" approval is granted.
We do not use your data for: profiling, automated decisions that produce legal effects on you, targeted advertising, sale to third parties, or model training of any kind.
4 · Sub-processors (who receives your data)
Below is the complete list of sub-processors that may receive your data, the purpose, and the regional location. We will update this list and notify registered users at least 14 days before adding a new sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Compute (Lambda), Storage (S3, RDS), Email (SES), KMS, CloudWatch logs | ap-southeast-1 (Singapore) |
| Anthropic (via AWS Bedrock) | LLM inference for copilot answers + analysis (Claude Haiku 4.5 / Sonnet 4.6) | ap-southeast-1 (Singapore region of Bedrock; data does not leave region) |
| Cohere (via AWS Bedrock) | Multilingual embedding for vector search of PPR rules + tender clauses | ap-southeast-1 (Singapore region of Bedrock) |
| EPS Bangladesh Limited | Payment processing (cards, mobile wallets, internet banking) — Bangladesh Bank–licensed | Dhaka, Bangladesh |
| Resend | Transactional email delivery in development environments only (production uses AWS SES) | EU / US (Resend default region; we only send dev OTPs) |
| Vercel / Cloudflare | Edge DNS & TLS termination only; production application traffic goes directly to AWS and is not routed through Vercel/Cloudflare | Global edge |
We have not engaged any sub-processor in jurisdictions hostile to Bangladesh-resident data subjects. The Singapore region was chosen for both data-sovereignty (geographic proximity, no US/EU cross-border) and latency reasons.
5 · Data residency & encryption
- Primary region: AWS ap-southeast-1 (Singapore), chosen for low latency to Bangladesh
- Storage — AES-256-GCM at rest · TLS 1.3 in flight · KMS-managed encryption keys
- Database — Encrypted-at-rest Postgres with KMS-managed keys
- Payments — Bangladesh Bank–licensed EPS gateway · we never see card / OTP / PIN
- Residency commitment — All financials, NIDs, and tender uploads stay in our encrypted Singapore region — never crossing into other jurisdictions
- Access control — Per-tenant row-level scoping · staff cannot read your data without an audited break-glass approval recorded in our admin log
6 · Retention
| Category | Retained for | Why |
|---|---|---|
| Account & profile | For the life of the account + 30 days after deletion request | Operational; deletion grace period for accidental requests |
| Tender uploads & analyses | 5 years from upload date | PPR-2008 evidentiary period for procurement disputes |
| Audited financials & bank data | For the life of the account; deleted within 30 days of account closure | Re-used across multiple tenders; competitively sensitive |
| Invoices & payment records | 7 years | Income Tax Ordinance, 1984 + VAT Act 2012 record-keeping minimum |
| Login sessions & access logs | 90 days (CloudWatch); session rows 30 days | Operational diagnostics + security audit |
| Admin audit log | Indefinite (append-only) | Required for moderation accountability |
7 · Your rights
Under the laws of Bangladesh, and as additional GDPR-aligned best practice, you have the following rights:
- Right to access: request an export of all data we hold about you. Available self-service from /settings/data; otherwise email us and we deliver within 30 days.
- Right to rectification — correct inaccurate profile / personnel / financial data. Self-service from your dashboard.
- Right to erasure (“right to be forgotten”) — delete your account and all associated data. Self-service from /settings/data. Hard deletion completes within 30 days; thereafter only invoices retained per the Income Tax Ordinance survive, in pseudonymised form.
- Right to portability — receive your data in a structured machine-readable format (JSON + the original PDFs).
- Right to object / restrict processing — pause inference operations on your account while a question is being investigated.
- Right to lodge a complaint: if we do not resolve a privacy concern, you may complain to the Bangladesh Data Protection Authority once it is constituted under the PDPA, or file a report under the Digital Security Act, 2018.
8 · Security measures
- Passwords are stored as bcrypt hashes (BetterAuth default cost factor), never plaintext, never reversibly encrypted.
- OTP codes (sign-up & password reset) are stored hashed with a short expiry; the plaintext is never logged.
- All data in flight uses TLS 1.3; HSTS is preloaded on the apex domain.
- Role-based access control: only the company owner can see profile + financials. Engineers (TICON staff) cannot read user data without an audited break-glass approval.
- Every administrative action against any user account writes a row to AdminAuditLog; you can request a copy of all admin actions taken on your account.
- Quarterly review of sub-processor SOC 2 / ISO 27001 status. AWS and Anthropic both maintain SOC 2 Type II.
- Vulnerability disclosure: please report security issues to security@publicpulse.com.bd — we respond within 24 hours.
9 · Children
TenderPulse is a B2B procurement tool. We do not knowingly collect data from children under 18. If you become aware that a minor has registered, please notify us so we can delete the account.
10 · Cross-border transfers
All operational data stays in AWS Singapore. Bedrock LLM inference runs in the Singapore region of Bedrock — your prompts and tender contents do not leave Singapore. The single exception is development-environment OTP email, which Resend sends from EU/US infrastructure; no production user data flows through Resend.
11 · Changes to this policy
Material changes (any change to your rights, our obligations, the sub-processor list, or the data we collect) will trigger a version bump. We will notify registered users by email and via an in-app banner at least 14 days before the new version takes effect, and you will be re-prompted to accept on your next login. The current version is 2026-05-06.v1.
12 · Statutory references
- Constitution of the People’s Republic of Bangladesh, Article 43
- ICT (Amendment) Act, 2013, sections 56, 57, 64
- Digital Security Act, 2018, sections 22, 26, 27, 30, 35
- Right to Information Act, 2009 — non-disclosure of competitive bidder data
- Income Tax Ordinance, 1984 (record retention)
- VAT & Supplementary Duty Act, 2012 (record retention)
- Public Procurement Regulations, 2008 (PPR)
- Draft Personal Data Protection Act, 2023 (followed in advance)
13 · Contact
TICON SYSTEM LIMITED, Dhaka, Bangladesh.
Privacy: privacy@publicpulse.com.bd
Security: security@publicpulse.com.bd
See also: Terms of Service · EULA · Cookie Policy · Data Processing Addendum