Digital Nilkhet

Privacy Policy

We respect your privacy. This policy explains what personal information we collect, why we collect it, and how we keep it safe.

Last updated: 8 June 2026

1. Introduction

Digital Nilkhet (“we”, “us”, or “our”) operates an online printing and binding service for customers in Bangladesh through digitalnilkhet.com. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our website, place orders, or communicate with us.

We process personal data in accordance with applicable laws of the People's Republic of Bangladesh, including the Information and Communication Technology Act, 2006 and the Digital Security Act, 2018. By using our services, you acknowledge that you have read and understood this policy.

This policy should be read alongside our Terms of Service.

2. Information We Collect

We collect the following categories of information:

Account information

  • Full name
  • Email address
  • Bangladeshi mobile phone number (01XXXXXXXXX)
  • Password (stored as a secure hash — we never store plain-text passwords)
  • Email verification status

Order and delivery information

  • Uploaded PDF file name, page count, and stored file (for order fulfilment only)
  • Print specifications (paper size, colour, binding, copies, etc.)
  • Delivery address (division, district, thana, street, postal code)
  • Order history, status, and tracking details
  • Delivery notes and coupon codes applied

Payment information

  • bKash Transaction ID (TrxID) and payment amount
  • bKash payment reference IDs returned by the payment gateway
  • Refund transaction details, where applicable

We do not collect or store your bKash PIN, mobile banking password, or full payment credentials. Payment is handled directly through the bKash platform.

Communications

  • SMS messages sent to your phone for order updates (via GreenWeb SMS or equivalent provider)
  • Emails sent to your address (order confirmations, verification links, password resets)
  • In-app notifications stored in your account dashboard
  • Messages you send us through our contact form or support email

Third-party sign-in

If you sign in with Google, we receive your name and email address from that provider. We do not receive your Google password. Your use of Google sign-in is also governed by Google's privacy policy.

Technical information

  • Browser type, device type, and operating system (from standard web server logs)
  • IP address (used for security, rate limiting, and fraud prevention)
  • Session cookies required to keep you logged in

3. How We Use Your Information

We use your personal information only for legitimate business purposes, including:

  • Creating and managing your account
  • Processing, printing, and delivering your orders
  • Verifying bKash payments and processing refunds
  • Sending order status updates by SMS and email
  • Providing customer support and responding to enquiries
  • Generating invoices and order records
  • Preventing fraud, abuse, and unauthorised access
  • Complying with legal obligations and responding to lawful requests from authorities
  • Improving our website and services (using aggregated, non-identifiable data where possible)

We do not sell your personal information to third parties. We do not use your uploaded documents for marketing, training, or any purpose other than fulfilling your specific order.

4. How We Share Your Information

We share your information only with trusted service providers who help us operate our business:

  • bKash (BRAC Bank) — to process and verify mobile payments. bKash operates under Bangladesh Bank regulations for mobile financial services.
  • SMS provider (GreenWeb or equivalent) — to send order status messages to your phone number, in compliance with BTRC guidelines for commercial SMS in Bangladesh.
  • Email provider (SMTP / SendGrid) — to deliver transactional emails such as order confirmations and password resets.
  • Cloudflare R2 (production) — to store uploaded PDF files in a private, encrypted cloud bucket. Files are never publicly accessible.
  • Courier partners — we share your name, phone number, and delivery address with courier services to deliver your printed order. We do not share your uploaded file contents with couriers.
  • Google — only when you choose to sign in with Google; limited to authentication data as described above.

We may also disclose information if required by law, court order, or government authority in Bangladesh, or to protect the rights, safety, and property of Digital Nilkhet, our customers, or the public.

Our staff and administrators have access to order and customer data only as needed to fulfil orders, provide support, and manage the platform. Admin access is role-restricted and logged.

5. Data Retention

We retain your information only for as long as necessary:

  • Account data (name, email, phone, addresses) — retained while your account is active. You may request account deletion by contacting us.
  • Order records (specifications, payment details, status history) — retained for business and accounting purposes as required under Bangladeshi commercial and tax law.
  • Uploaded PDF files — automatically deleted 90 days after your order reaches Delivered or Cancelled status. Until then, files are stored securely and accessible only to authorised staff via time-limited signed URLs.
  • SMS and email logs — retained as part of your notification history in your account dashboard and in our systems for support and dispute resolution.
  • Security logs (IP addresses, login attempts) — retained for a limited period for fraud prevention and security auditing.

When data is no longer needed, we delete or anonymise it using reasonable technical measures.

6. Data Security

We take appropriate technical and organisational measures to protect your personal information, including:

  • HTTPS encryption for all data transmitted between your browser and our servers
  • Passwords stored using industry-standard bcrypt hashing
  • Authentication sessions secured via httpOnly cookies (NextAuth.js JWT)
  • Uploaded PDF files stored outside the public web root, served only via signed URLs with a 15-minute expiry
  • Role-based access controls for admin and staff accounts
  • Rate limiting on login and sensitive API endpoints to prevent brute-force attacks
  • Phone numbers partially redacted in application logs

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at [email protected].

7. Your Rights

Under applicable Bangladeshi law, you have the following rights regarding your personal information:

  • Access — request a copy of the personal data we hold about you
  • Correction — update your name, phone number, or delivery addresses from your account dashboard, or contact us to correct inaccurate records
  • Deletion — request deletion of your account and associated personal data, subject to legal retention requirements for order and payment records
  • Objection — object to processing of your data for purposes not essential to fulfilling your order
  • Complaint — lodge a complaint with us or with the relevant authority in Bangladesh if you believe your data has been mishandled

To exercise any of these rights, email [email protected] with your full name, registered email, and a description of your request. We will respond within 15 business days.

Please note that we may need to retain certain order and payment records even after account deletion to comply with legal, tax, and accounting obligations in Bangladesh.

8. Cookies & Sessions

We use a minimal set of cookies necessary to operate the service:

  • Authentication session cookie — keeps you logged in securely. This is an httpOnly cookie set by NextAuth.js and is essential for account access.
  • Order wizard state — temporarily stores your in-progress order configuration in browser storage until you complete or abandon the order.

We do not use third-party advertising cookies or tracking pixels. We do not serve targeted advertisements based on your browsing behaviour on our site.

You can clear cookies through your browser settings, but doing so will log you out and may clear in-progress order data.

9. Children's Privacy

Our services are intended for users aged 18 and above, or users aged 13–17 with parental or guardian consent. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The “Last updated” date at the top of this page shows when the most recent revision took effect.

For significant changes, we will post a notice on our website or notify registered users by email. Continued use of our services after changes take effect constitutes your acceptance of the updated policy.

11. Contact Us

For privacy-related questions, data access requests, or concerns about how we handle your information:

You may also reach us through our contact page.