Umartco

Legal

Privacy Policy

Last updated: June 24, 2026

At Umartco ("we", "our", "us"), your privacy and security are important to us. This Privacy Policy explains how we collect, use, share, and protect your personal information when you visit or make a purchase on umartco.com — Bangladesh's multi-vendor online marketplace. It also describes the security safeguards and privacy controls we maintain to keep your data safe.

1. Who We Are

Umartco ("we", "our", "us") operates umartco.com, a multi-vendor online marketplace serving customers across Bangladesh. We connect shoppers with independent merchants ("Sellers") who list and fulfill products on our platform. This Privacy Policy applies to your use of the Umartco customer website (umartco.com), our mobile-friendly storefront, and related customer services. It does not cover the Umartco Seller Center (sellercenter.umartco.com), which is governed by separate merchant terms. If you have questions about this policy, contact us at info@umartco.com.

2. Information We Collect

We collect information you provide directly, information generated when you use our services, and limited technical data from your device. Account & profile information When you register, we collect your name, email address, and password (stored in hashed form). You may optionally add a profile photo. If you sign in with Google, we receive your name, email address, and profile picture from Google as permitted by your Google account settings. Email verification via one-time passcode (OTP) is required for email/password registration. Shipping & address information When you save delivery addresses or place an order, we collect recipient name, phone number, street address, city, district, upazila, postal code, and country (default: Bangladesh). Order & checkout information For every order — whether you are logged in or checking out as a guest — we collect shipping and billing details, items purchased, payment method selected, delivery method, order notes, and order history. Guest checkout requires email verification via OTP before an order is placed. Payment information We accept Cash on Delivery, credit/debit cards, mobile wallets (such as bKash, Nagad, and Rocket), and bank transfer where available. Payment details are processed by third-party payment providers. Umartco does not store full card numbers or mobile-wallet PINs on our servers. Wishlist, cart & preferences Logged-in customers can save products to a wishlist and follow stores. Cart contents are stored locally in your browser and, when you are signed in, synced to your account on our servers. Product reviews If you submit a product review, we collect your rating, written comment, display name, and any photos or videos you upload (stored on our media infrastructure). Communications & support When you contact us through our contact form, email, or phone support, we collect the information you provide (such as name, email, subject, and message content) so we can respond. Usage, analytics & device data To improve our platform and personalize recommendations, we collect: • Visitor and session identifiers (via cookies) • Pages viewed, products viewed, search queries, cart actions, and purchase events • Hashed IP address and browser user-agent string • Referring URL and general interaction metadata We use first-party analytics on our own infrastructure, and Google Tag Manager / Google Analytics may also collect usage data as described in our Cookie Policy.

3. How We Use Your Information

We use the information we collect to: • Create and manage your account, including email verification and password recovery • Process, fulfill, and deliver your orders • Share necessary order and delivery details with Sellers and logistics partners • Send order confirmations, shipping updates, OTP codes, and service-related emails • Provide customer support and resolve disputes between you, Umartco, and Sellers • Operate your wishlist, cart sync, store follows, and order tracking • Display and moderate product reviews you submit • Personalize product recommendations and improve search results • Measure site performance, traffic patterns, and conversion through analytics • Send promotional emails and offers where you have opted in (you may unsubscribe at any time) • Detect, investigate, and prevent fraud, abuse, and security incidents • Enforce our Terms of Service and comply with applicable laws in Bangladesh

4. Multi-Vendor Marketplace & Seller Sharing

Umartco is a marketplace. When you purchase from a Seller, we share the information needed to fulfill your order — including your name, phone number, delivery address, and order items — with that Seller and their fulfillment team. Sellers are independent businesses and are responsible for handling your data in accordance with applicable law for order fulfillment purposes. Umartco requires Sellers to use customer information only to process and deliver orders placed through our platform, not for unrelated marketing unless you have given separate consent to the Seller. We do not sell your personal data to third parties for their own marketing purposes.

5. How We Share Your Information

Beyond Seller sharing described above, we share information only in these limited circumstances: • Logistics & delivery partners — including Pathao and other courier services — to ship and track your orders • Payment processors — to securely authorize and settle transactions • Cloud & technology providers — including Cloudflare R2 for media storage and content delivery (cdn.umartco.com), email delivery services, database hosting, and caching infrastructure, under contractual data-protection obligations • Analytics services — including Google (via Google Tag Manager) for aggregated usage reporting • Legal & safety — when required by law, court order, or government request, or when necessary to protect the rights, property, or safety of Umartco, our users, or the public We may share anonymized or aggregated data that cannot reasonably identify you for analytics and business reporting.

6. Cookies, Local Storage & Tracking

We use cookies, browser local storage, and similar technologies to operate the site and understand how it is used. Essential cookies & storage include: • user_token and user_logged_in — to keep you signed in securely (httpOnly cookie) • umartco_vid and umartco_sid — anonymous visitor and session identifiers for analytics (httpOnly cookies) • Local storage — to remember your shopping cart between visits Optional tracking technologies, including those set by Google Tag Manager, help us measure traffic and campaign performance. You can manage cookies through your browser settings. Disabling essential cookies will prevent login, checkout, and cart functionality. See our Cookie Policy for full details.

7. Security & Privacy Safeguards

Umartco is built with security and privacy at its core. Below is a comprehensive overview of the measures we maintain to protect your account, orders, and personal information. Encryption & secure transmission • All communication between your browser and our servers is encrypted using TLS/HTTPS in production • Payment transactions are processed through certified third-party payment providers over encrypted channels • We do not store full credit/debit card numbers or mobile-wallet PINs on our systems Account & authentication security • Passwords are hashed with bcrypt (industry-standard one-way encryption) and are never stored in plain text • Passwords must meet strength requirements: minimum 8 characters with uppercase, lowercase, number, and special character • Email verification via one-time passcode (OTP) is required before email/password accounts can sign in • Google Sign-In tokens are cryptographically verified directly with Google before any account is created or accessed • Short-lived access tokens (15 minutes) limit exposure if a token is intercepted • Long-lived refresh tokens are stored in our database, expire after 24 hours, and can be revoked at any time • Refresh token rotation: each time your session is refreshed, the previous token is invalidated to prevent replay attacks • All active sessions are revoked when you change your password, reset your password, or log out • Authentication cookies (user_token, user_refresh_token) are HttpOnly — they cannot be read by client-side JavaScript • Cookies use SameSite=Lax and Secure flags in production to reduce cross-site attack risk • Customer, staff, and merchant tokens use separate JWT audiences and cannot be used interchangeably Verification & anti-abuse controls • All OTP codes are 6 digits, cryptographically generated, expire within 10 minutes, and are deleted after use • Separate OTP scopes are used for signup, password reset, guest checkout, and guest order tracking • Rate limiting on authentication endpoints (login, registration, OTP send, password reset, token refresh) • Guest checkout and signup OTP requests are capped per email address to prevent abuse • Contact form submissions are limited to 3 per 15 minutes per IP address to prevent spam • General API rate limiting protects against automated abuse and brute-force attempts Input validation & API protection • All customer API inputs are validated with strict schema checks before processing • Request body size is limited to prevent oversized payload attacks • Cross-Origin Resource Sharing (CORS) is restricted to approved Umartco domain origins only • Internal server-to-server endpoints (such as our reviews service) require a secret key header and are not publicly accessible • Our Next.js API proxy rejects path-traversal attempts and injects auth tokens server-side so credentials are not exposed in browser JavaScript Access control & data isolation • Protected pages (account, checkout) require authentication enforced at the edge before the page loads • Authenticated API routes verify your identity on every request — you can only access your own cart, orders, addresses, wishlist, and profile • Staff and admin access to customer data is role-based and limited to personnel who need it for order fulfillment, support, or platform operations • Merchants receive only the order and delivery information required to fulfill purchases from their store File upload & media security • Profile photos and review media uploads are restricted by allowed file types and maximum file sizes • Uploads use time-limited signed URLs to Cloudflare R2 storage — direct public write access is not permitted • Profile image uploads are routed through our backend proxy so storage credentials are never exposed to your browser Payment security • Card and mobile-wallet payments are handled entirely by licensed payment processors • Umartco receives only transaction confirmation status, not your full payment credentials • Cash on Delivery orders do not require advance payment information Privacy by design • We collect only the data necessary to operate the marketplace, fulfill orders, and improve your experience • IP addresses in activity logs are stored in hashed form where recorded — we do not retain raw IP addresses in analytics tables • Anonymous visitor (umartco_vid) and session (umartco_sid) identifiers are used for analytics instead of personal identifiers where possible • Soft-delete architecture preserves data integrity while allowing records to be removed from active use • We do not sell, rent, or trade your personal information to third parties for their marketing Monitoring & incident response • We monitor for suspicious login activity, failed authentication attempts, and unusual order patterns • If we detect a security incident affecting your data, we will investigate promptly and notify affected users where required by law Your responsibility No method of transmission or storage is 100% secure. You play an important role in keeping your account safe: • Use a strong, unique password that you do not reuse on other websites • Do not share your login credentials or OTP codes with anyone — Umartco staff will never ask for your password • Log out on shared or public devices • Notify us immediately at info@umartco.com if you suspect unauthorized access to your account

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide our services, resolve disputes, and comply with legal, tax, and accounting obligations. Order records are retained for the period required by applicable law and our internal record-keeping policies. Analytics and activity logs are retained for a limited period and then deleted or anonymized. OTP verification codes expire within minutes and are not kept after use. You may request deletion of your account and associated personal data by emailing info@umartco.com. Some information (such as completed order records) may be retained where required by law or for legitimate business purposes such as fraud prevention.

9. Your Privacy Rights & Controls

You have meaningful control over your personal information on Umartco. Here is what you can do: Account & profile controls • Update your name and profile photo at any time from Account → Profile • Add, edit, or remove saved delivery addresses from Account → Addresses • Change your password from Account → Profile (this automatically signs out all other active sessions) • Log out at any time to revoke your refresh token and end your session Order & communication controls • View your complete order history from Account → Orders • Track guest orders using email OTP verification without creating an account • Opt out of promotional emails using the unsubscribe link in any marketing message Data rights (under applicable law) • Request access to the personal data we hold about you • Request correction of inaccurate or incomplete data • Request deletion of your account and associated personal data • Object to or restrict certain processing where legally permitted • Lodge a complaint with the relevant data protection authority in Bangladesh Cookie & tracking controls • Manage or block cookies through your browser settings • Disable optional analytics cookies without affecting core shopping functionality • See our Cookie Policy for a full list of cookies and how to control them How to submit a privacy request Email info@umartco.com with the subject line "Privacy Request" and describe your request. We may ask you to verify your identity (for example, by confirming your registered email or completing an OTP check) before processing sensitive requests such as data export or account deletion.

10. Children's Privacy

Umartco is intended for users aged 18 and above. You must be at least 18 years old to create an account or place an order, as stated in our Terms of Service. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal information, please contact us at info@umartco.com and we will take steps to delete it.

11. International Data Transfers

Umartco is based in Bangladesh and primarily processes data within infrastructure used to operate our platform. Some of our technology providers (such as Cloudflare and Google) may process data on servers located outside Bangladesh. Where data is transferred internationally, we take reasonable steps to ensure it receives an adequate level of protection consistent with this policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make significant changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify registered users by email or display a notice on umartco.com. Your continued use of Umartco after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

For privacy-related questions, data access requests, or complaints, contact us: Email: info@umartco.com Phone: +880 1959059292 Address: House #09 (Level 04), Road #09, Sector #03, Uttara, Dhaka 1230, Bangladesh Business hours: Saturday – Thursday, 9 AM – 5 PM (BDT).