Your privacy matters to us. This Privacy Policy explains how Smart Global Trade Cart ("SGT Cart", "we", "us") collects, uses, shares and safeguards your personal data when you use sgtcart.com, the SGT Cart Customer app, the Seller Center app, our REST API, and any other service we operate (together, "the Platform").
It applies to customers, sellers and visitors. Separate notices may apply if you join SGT Cart as an employee or contractor.
1. Who we are
SGT Cart is operated by Smart Global Trade Cart, with its registered address at Mirpur, Dhaka 1216, Bangladesh. Our Data Protection contact is privacy@sgtcart.com.
For the purposes of data protection — including the principles in the Information & Communication Technology Act 2006, the Digital Security Act 2018 and the Bangladesh Personal Data Protection frameworks under preparation — we act as a data controller for the data we collect about you, and as a data processor when we process customer data on behalf of a Seller for the limited purpose of fulfilling an Order.
2. What personal data we collect
We collect the following categories of personal data:
| Category | Examples |
|---|---|
| Identity | Name, gender (if you provide it), date of birth (if you provide it), profile photo (optional). |
| Contact | Email, mobile number, delivery addresses (street, city, district, postal code). |
| Account & credentials | Password hash, login-time one-time codes (OTP), session identifiers, mobile-app device tokens. |
| Seller KYC (sellers only) | NID number + scanned NID image, Trade Licence number + scanned licence, TIN, bank-account / bKash / Nagad numbers, shop address. |
| Order & payment | Cart contents, order history, payment method, payment tokens (we never see your full card number — SSLCommerz handles it), refund history. |
| Behavioural / analytics | Product views, searches (text + image + voice transcripts), wishlist items, reviews you wrote, Q&A you posted, chat messages. |
| Device & technical | IP address, browser type and version, operating system, mobile device identifier, approximate location (from IP), screen size, language, timezone. |
| Marketing & preferences | Email-notification preferences, language choice, currency choice (BDT only at present). |
We never ask for and never store: your full credit-card number, card CVV, internet-banking password, NID PIN, mobile-wallet PIN. These either stay with the payment processor (SSLCommerz, bKash, Nagad) or are never asked for at all.
3. How we collect it
- Directly from you — when you sign up, place an Order, write a review, upload a profile image, complete seller KYC, or contact our support team.
- Automatically — via cookies, server logs, analytics scripts (first-party only), socket events (chat-presence, viewer counts).
- From third parties — payment processors confirm payment status; delivery partners confirm delivery; the BFIU may check sanctioned lists for high-value sellers (AML / KYC).
4. Lawful basis for processing
| Purpose | Lawful basis |
|---|---|
| Account creation, Order processing, customer support | Performance of the contract you entered into with us under the Customer Terms. |
| Tax records, invoice retention, regulatory reporting | Compliance with Bangladesh tax (NBR), customs, and AML obligations. |
| Fraud detection, dispute resolution, security monitoring | Our legitimate interest in keeping the Platform safe and fair. |
| Marketing emails, push notifications | Your consent (you may withdraw it anytime in Account → Notifications). |
| AI pros/cons summary from reviews | Our legitimate interest in helping buyers make informed decisions, with safeguards against personally identifying reviewers. |
5. How we use your data
- Operate your account, authenticate logins, deliver Orders to your address.
- Process payments and refunds through SSLCommerz, bKash, Nagad and Cash on Delivery.
- Provide customer service, mediate Buyer/Seller disputes, investigate complaints.
- Personalise the Platform — show "Similar products", "Customers Also Viewed", "Frequently Bought Together", reward-point balance, and AI-summarised review pros/cons.
- Send transactional emails / SMS (order placed, paid, shipped, delivered).
- Send promotional emails about flash sales, coupons and new categories (only with your consent).
- Detect and prevent fraud, abuse and counterfeit listings.
- Enforce our Anti-Disintermediation Policy — automatically redact phone numbers and contact details from chat, reviews and Q&A.
- Comply with legal orders, court summons, and tax/AML reporting.
- Improve the Platform — A/B test layouts, monitor performance, fix bugs.
6. Who we share your data with
We share strictly on a need-to-know basis with:
- The Seller for an Order — your name, delivery address and mobile number, so the Seller can ship the right item. Sellers are bound by the Seller Agreement to use this data only for fulfilling and supporting the Order.
- Payment processors — SSLCommerz (cards), bKash, Nagad — for payment authorisation and reconciliation.
- Delivery partners — your name, address and mobile, so they can deliver and reach you on the way.
- Hosting and infrastructure providers — under written data-processing agreements that cap them to operating our systems.
- Government authorities — when ordered by Bangladesh law (court orders, tax inquiry, fraud investigation, BFIU notices, ICT Act §28 / §57 takedown demands).
- Professional advisers — auditors, lawyers — under confidentiality obligations.
We do not sell your personal data. We do not share it with advertising networks. We do not allow third parties to track you across other sites for marketing purposes.
7. International transfers
Our primary servers are hosted in data centres serving the Bangladesh region. Some support tools (email delivery, error monitoring) operate from outside Bangladesh. When we transfer your data abroad, we use contractual safeguards (Standard Contractual Clauses or equivalent) to maintain the same level of protection. When the Platform opens to international shipping in a later phase, we will publish a fuller cross-border transfer addendum.
8. How long we keep it
| Data | Retention period |
|---|---|
| Account record (active) | For as long as your account is active. |
| Account record (closed) | 2 years after closure, then anonymised. Required to honour any pending disputes or chargebacks. |
| Order & invoice data | 7 years (NBR / Income Tax retention rule). |
| Seller KYC documents | 5 years after the seller account is closed (BFIU / AML requirement). |
| Marketing email logs | 2 years after the last interaction. |
| Chat messages | 3 years (for dispute evidence), then deleted. |
| Web-server access logs | 90 days (for security and abuse investigation). |
9. Security measures
We protect your data with technical and organisational measures appropriate to the risk:
- Encryption in transit — TLS 1.2+ on every connection.
- Encryption at rest — sensitive fields (KYC documents, payment tokens) encrypted on disk.
- Password storage — only salted hashes (Werkzeug PBKDF2). We never store passwords in plaintext.
- OTP for customer logins — codes valid for 10 minutes, single-use, rate-limited.
- PCI-DSS scope reduction — card data goes directly to SSLCommerz; we never touch the PAN.
- CSRF protection, rate limiting, HSTS, Content-Security-Policy on every page.
- Audit log for all admin actions.
- Least-privilege access — only on-call staff can access production databases, and every access is logged.
If we ever discover a personal-data breach affecting your account, we will notify you within 72 hours by email and post a notice on the Platform with the facts known to us, the likely impact and the steps to take.
10. Your rights
You have the following rights over your personal data:
- Access — request a copy of the data we hold about you.
- Correction — fix anything inaccurate or incomplete (most fields are editable in Account).
- Deletion — request closure of your account and erasure of personal data (subject to legal retention obligations above).
- Portability — receive your data in a machine-readable JSON export.
- Objection — opt out of marketing communications at any time.
- Withdraw consent — where we relied on your consent, you can withdraw it without affecting past processing.
- Complaint — lodge a complaint with the National Consumer Right Protection Department or any future Bangladesh data-protection authority.
To exercise any of these rights, write to privacy@sgtcart.com. We respond within 30 days. There is no fee unless requests are clearly excessive or repeated.
11. Children's privacy
The Platform is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we learn that we have collected such data, we delete it without delay. Customers aged 13-17 may use the Platform only through the account of a parent or legal guardian (see Children's Privacy Policy).
12. Cookies
We use cookies and similar storage technologies to keep you signed in, remember your cart, store your language and cookie-consent preference, and measure aggregate site performance. The full list, including categories (necessary, preferences, analytics) and how to manage them, lives in our Cookie Policy. You can also revisit your consent decision at any time by clearing sgt_cookie_consent from your browser storage.
13. Changes to this policy
We may update this Privacy Policy. Material changes are notified by email and in-app notification at least 14 days before the new version takes effect. The "Last reviewed" date at the bottom of this page always reflects the current version. Past versions are available on request from privacy@sgtcart.com.
14. Contact & supervisory authority
For any question about this Privacy Policy, your data, or to exercise your rights, write to:
- Data Protection contact: privacy@sgtcart.com
- Postal: Smart Global Trade Cart, Mirpur, Dhaka 1216, Bangladesh
If you are not satisfied with our response, you may lodge a complaint with the National Consumer Right Protection Department under the Consumer Rights Protection Act 2009, or any future data-protection authority established in Bangladesh.