Privacy Policy

Last updated: June 9, 2026

1. Who We Are

Porichoy (পরিচয়) is operated by Porichoy Technologies, a software company registered in Bangladesh. Our platform is located at porichoy.com and our registered contact address is [email protected].

We are committed to protecting your privacy. This policy explains what personal information we collect, how we use it, and what rights you have over your data.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Phone number (+880 format, if provided)
  • Password (stored as a bcrypt hash — we never store the plain-text password)
  • Google account identifier (if you sign in with Google)

2.2 Document Content

CV and biodata content you enter in the builder — including education, employment history, skills, physical attributes, religious information, and family details — is stored in our database to power the builder, preview, and PDF generation features. This content is private by default and is never shared with anyone without your explicit action.

2.3 Usage Data

We collect standard server-side logs including:

  • Pages visited and features used (to improve the product)
  • Coin wallet activity (credits and debits for PDF export, email, WhatsApp share, and AI features)
  • Payment transaction IDs, bKash reference numbers, and approval statuses (not full card numbers)

2.4 Wallet & Payment Data

When you use the coin wallet, we store your balance, coin ledger entries (including paid vs free coin type and expiry dates), and manual bKash payment submissions (transaction ID and sender verification digits). This data is visible to you on your wallet page and to authorised admins only for payment verification.

2.5 Cookies & Local Storage

We use:

  • HttpOnly refresh token cookie — for keeping you logged in (7-day expiry). This cookie is not accessible to JavaScript.
  • Language preference — stored in localStorage on your device.

We do not use third-party advertising cookies or cross-site tracking cookies.

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Porichoy platform
  • Generate PDF exports of your documents
  • Deliver AI scoring and writing suggestions via OpenAI (your CV content is sent to OpenAI's API — see Section 5)
  • Send transactional emails (account verification, payment status, coin credit notifications)
  • Send SMS OTP for phone verification via SSL Wireless
  • Verify manual bKash payments and credit purchased coins to your wallet
  • Deduct coins for PDF download, email send, WhatsApp share, and AI features you initiate
  • Improve the product through aggregated, anonymized usage statistics

We do not sell your personal information to third parties. We do not use your data for targeted advertising.

4. Who Can See Your Documents

No one except you, unless you explicitly export or share a document.

  • Private documents — visible only to you when logged in. There is no public profile or listing page for your CV or biodata.
  • Email & WhatsApp sharing — you choose the recipient. WhatsApp sharing uses a time-limited signed PDF link (typically 24 hours). Email sends the PDF directly to the address you provide. You control what fields appear in the exported PDF from the builder.
  • Discoverable CVs — if you enable discoverability, your CV headline and anonymized profile become visible to verified employers in our search. Your full name and contact details remain hidden until you approve an employer's access request.
  • Admin access — Porichoy staff may access document content only to resolve a verified support request, investigate abuse, or comply with a legal order. All such access is logged internally.

5. Third-Party Services

ServicePurposeData sharedLocation
OpenAIAI CV scoring & writing toolsCV/biodata text content (no name or contact info sent)USA
Cloudflare R2PDF and file storageGenerated PDFs, uploaded profile photos
bKashManual coin package paymentsAmount, transaction reference, sender verification digitsBangladesh

We have data processing agreements in place with each of these providers. Your data is only transferred to countries with adequate protections or under standard contractual clauses.

6. Data Retention

  • Account and document data — retained for as long as your account is active, plus 30 days after deletion to allow recovery if the deletion was accidental.
  • Audit logs — retained for 12 months, then permanently deleted.
  • Payment records — retained for 7 years to comply with Bangladesh tax and accounting regulations.
  • Coin ledger history — retained while your account is active, then deleted with your account after the recovery window.

7. Your Rights

You have the right to:

  • Access — download all your personal data from Account Settings → Export Data.
  • Correction — update any inaccurate information directly in your account or by contacting support.
  • Erasure — permanently delete your account and all associated data from Account Settings → Delete Account. Deletion is irreversible after the 30-day recovery window.
  • Portability — export your documents as PDF at any time (subject to your coin balance for downloads).
  • Objection — opt out of non-essential communications from Notification Settings.

To exercise any of these rights, email [email protected] with the subject line "Privacy Request — [Your Email]". We will respond within 30 days.

8. Security

We protect your data with:

  • All data encrypted at rest (AES-256 via AWS RDS encryption)
  • All data encrypted in transit (TLS 1.3)
  • Passwords hashed with bcrypt (cost factor 12)
  • PDF download links for WhatsApp sharing use cryptographically signed, time-limited URLs that expire automatically
  • bKash transaction references stored only for payment verification — we do not store your bKash PIN or full mobile wallet credentials
  • JWT access tokens expire after 15 minutes; refresh tokens after 7 days

Despite these measures, no system is 100% secure. If you discover a vulnerability, please report it responsibly to [email protected].

9. Children's Privacy

Porichoy is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please contact us and we will delete the account promptly.

10. Bangladesh Legal Compliance

This policy is designed to comply with Bangladesh's Digital Security Act 2018 and the forthcoming Personal Data Protection Act (PDPA). As the PDPA is finalized and enacted, we will update this policy to remain in full compliance. Our primary data infrastructure is located in AWS ap-southeast-1 (Singapore), the closest high-availability region to Bangladesh.

11. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes, we will notify you by email (at the address associated with your account) and display a banner in the application at least 14 days before the changes take effect. The "Last updated" date at the top of this page always reflects the most recent version.

12. Contact Us

For any privacy-related questions or requests: