PDPO 2025 Compliant
This privacy notice complies with the Personal Data Protection Ordinance, 2025 (Bangladesh)
Privacy Notice
Last updated: January 2026
1. Data Fiduciary Information (§19(1)(g))
TrustScore by Udbahu Corporation
Registered in Bangladesh
Address: Dhaka, Bangladesh
Email: [email protected]
Data Protection Officer: [email protected]
We are a "data-fiduciary" under the Personal Data Protection Ordinance, 2025 (PDPO 2025), processing your personal data for credit assessment purposes.
2. Categories of Personal Data Collected (§19(1)(a))
Identity Data
- Full name, phone number, email address
- National ID (NID) - partial digits for verification
- Date of birth, gender, division/district
Biometric Data (Sensitive - §2(t)(i))
- Selfie photographs for identity verification
- Face matching data derived from NID and selfie comparison
- Video recordings for Video KYC (liveness detection)
Financial Data (§2(b))
- Mobile wallet transaction history (bKash, Nagad, Rocket)
- Monthly income and employment information
- Existing loan information
- Utility bill payment records
Device & Technical Data
- Device fingerprint and identifiers (for fraud prevention)
- IP address and approximate location
- Browser and operating system information
3. Purposes of Processing (§19(1)(b))
| Purpose | Legal Basis (PDPO) |
|---|---|
| Credit Assessment & Scoring | §5(5)(a) - Contract Performance |
| Identity Verification (KYC) | §5(5)(c) - Legal Obligation (BB Guidelines) |
| Fraud Prevention | §5(6)(b) - Legitimate Interest |
| Sharing with Partner Banks | §5(5)(a) - Contract Performance + Consent |
| Service Improvement | §5(6)(b) - Legitimate Interest (anonymized) |
4. Your Rights as Data Subject (§11-16)
📋 Right of Access (§11)
Request and receive a copy of all personal data we hold about you.
Response time: 30 days
✏️ Right to Correction (§12)
Request correction of inaccurate, incomplete, or outdated data.
Response time: 15 days
🗑️ Right to Erasure (§15)
Request deletion of your personal data (subject to legal retention requirements).
Response time: 30 days
📦 Right to Portability (§14)
Receive your data in a structured, machine-readable format (JSON).
Response time: 30 days
🚫 Right to Withdraw Consent (§13)
Withdraw consent at any time. Prior processing remains valid per §5(4).
How to Exercise Your Rights:
Email: [email protected]
Subject: "Data Subject Request - [Your Phone Number]"
5. Right to File Complaints (§19(1)(e))
If you believe your rights have been violated, you may:
- Contact our Data Protection Officer at [email protected]
- File a complaint with the National Data Governance and Interoperability Authority per PDPO §39
6. Data Transfers (§19(1)(f), §35)
Your data may be transferred to:
- Partner Banks in Bangladesh: For loan processing (with consent)
- Bangladesh Bank: Regulatory reporting per BB guidelines
- Cloud Service Providers: Data stored on servers with appropriate safeguards
⚠️ We do not transfer personal data outside Bangladesh without compliance with PDPO §35.
7. Data Security (§21)
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Controls: Role-based access with multi-factor authentication
- Audit Logging: All data access logged per §23
- Breach Response: Notification to Authority within 72 hours per §24
8. Data Retention (§22)
- Loan Application Data: 5 years (Bangladesh Bank KYC requirement)
- Consent Records: 7 years (proof of compliance)
- Audit Logs: 7 years (AML/CFT guidelines)
- Video KYC: 5 years
9. Consent Management
Per PDPO §5(2), consent must be free, specific, and withdrawable. We collect consent for:
- Credit Assessment: Required for loan application processing
- KYC Verification: Required by Bangladesh Bank regulations
- Partner Bank Sharing: Required for loan offers
- Marketing: Optional - you may opt out anytime