Privacy Policy

Last Updated: April 01, 2026 · Effective Immediately · Compliant with Bangladesh Digital Security Act 2018, BFIU AML guidelines, and GDPR principles.

Xelpay (Xenverse IT) is committed to protecting your privacy and handling your personal data with full transparency, in compliance with the Digital Security Act, 2018 (Bangladesh), the Information and Communication Technology Act, 2006 (Bangladesh), Bangladesh Bank data protection guidelines, GDPR principles (for EU users), and general international best practices. This Privacy Policy explains exactly what data we collect, why we collect it, and how it is used, stored, and protected.

We collect structured data across the following categories:

  • Merchant Identification Data: Full legal name, verified email address, mobile phone number, business name, and geographic location — provided during account registration and onboarding.
  • Technical Integration Data: API keys generated by our system, Webhook endpoint URLs you configure, Custom Telegram Bot Tokens, associated Telegram Chat IDs, and IMAP email credentials stored in an encrypted vault.
  • Transaction & Payment Metadata: To verify and approve payment orders, our automated systems process and log Transaction IDs (TrxID), exact transaction amounts, timestamps, MFS sender phone numbers, payment method types, and order reference numbers.
  • Device & App Metadata (Relay Apps): If you use our Android Relay or SMS Reader application, we explicitly collect and store device-specific operational information, including: Device Model, Android OS Version, App Version, Connectivity Status (online/offline), and last-seen timestamp. This data is strictly required to maintain synchronization reliability, monitor device health, and ensure payment verification continuity.
  • Add-On Usage Data: Where the Merchant has activated any Add-On service (as described in the Terms of Service, Section 5), we collect and retain usage metrics relating to such Add-On consumption — including, but not limited to, the number of outbound notification emails dispatched, the number of premium SMS alerts sent, timestamps, and recipient metadata — for the purposes of accurate usage-based billing, invoice generation, and dispute resolution.
  • KYC & Business Verification Documents: Where required under our KYC and Business Verification policy (Terms of Service, Section 15), we collect, process, and securely store business identity documents submitted by the Merchant, including but not limited to Trade Licenses, National Identity Card (NID) copies, and TIN Certificates. These documents are processed exclusively for compliance, AML, and regulatory purposes and are handled in strict accordance with applicable data protection laws.
  • Usage & Log Data: IP addresses, browser type, operating system, pages visited within the dashboard, feature interactions, and session timestamps — collected automatically for security monitoring, fraud detection, and system improvement.
  • Communications: Records of support conversations, feedback messages, and email correspondence between you and Xelpay support staff.
  • Affiliate & Referral Data: Referral link clicks, referred account details, and commission calculation data for participants in the Xelpay Affiliate Program.

What We NEVER Collect: Under absolutely no circumstances does Xelpay record, store, log, or intercept your: Bank Account Passwords, MFS App PIN Codes (bKash PIN, Nagad PIN, etc.), OTPs (One Time Passwords), NID/Passport Numbers (except when voluntarily submitted for KYC compliance as described above), raw Credit/Debit Card numbers, or CVV codes. Our SMS and email reading is exclusively limited to post-transaction notification parsing — we do not read personal, private, or non-payment-related communications.

Xelpay processes your personal data under one or more of the following legal bases:

  • Contractual Necessity: Processing is required to fulfil our service agreement with you (delivering payment automation, API access, and related features).
  • Legitimate Interests: Fraud prevention, security monitoring, platform abuse detection, and continuous service improvement — balanced against your rights.
  • Legal Obligation: Compliance with applicable Bangladeshi law, Bangladesh Bank directives, AML regulations, BFIU KYC requirements, court orders, and regulatory requirements.
  • Consent: For optional features such as marketing communications, from which you may withdraw consent at any time.

Your data is used strictly for the following operational purposes:

  • To reliably authenticate users and maintain robust workspace security and session integrity.
  • To algorithmically verify incoming payments and fire real-time Webhook payloads to your configured server endpoints.
  • To dispatch instant payment success/failure alerts via Telegram to your connected personal DM or Team Group.
  • To identify transaction anomalies, proactively prevent platform abuse, spam, and financial fraud.
  • To generate analytics, reports, and dashboard metrics for your own business performance review.
  • To calculate, invoice, and collect usage-based fees for any activated Add-On services.
  • To process, review, and retain KYC and Business Verification documentation in compliance with AML and BFIU regulatory obligations.
  • To send transactional system emails, security alerts, and billing notices.
  • To fulfill our legal obligations under AML and fraud prevention regulations.
  • To improve our platform's features, fix bugs, and optimize system performance based on anonymized usage patterns.

Xelpay does NOT use your data for third-party advertising, profiling, or sale to data brokers. Your data is never used to target you with ads on other platforms.

Xelpay uses the following technologies on our platform:

  • Essential Session Cookies: Required to maintain your secure authenticated login state. These cannot be disabled without breaking platform functionality.
  • Preference Storage (Local Storage): We use browser local storage to remember your UI preferences, such as Dark/Light Mode selection, language preference, and dashboard layout settings.
  • Security Tokens: CSRF protection tokens and similar security mechanisms to protect your account from cross-site attacks.

We do NOT deploy: third-party advertising cookies, cross-site tracking pixels, social media tracking buttons (beyond opt-in sharing features), or behavioral profiling technologies. You can clear cookies and local storage via your browser settings, which will log you out of the platform.

Xelpay does NOT monetize, sell, rent, or arbitrarily share your personal data. Data is only disclosed under the following strictly defined circumstances:

  • Infrastructure Providers: We share encrypted, minimal operational data with our trusted, industry-leading infrastructure partners — such as Vercel (hosting), Supabase (database), and equivalent providers — strictly necessary to host, operate, and maintain the software. These partners are contractually bound to data confidentiality.
  • Legal & Regulatory Disclosure: If served with a legally valid subpoena, court order, or formal request from cybercrime investigation units, the Bangladesh Financial Intelligence Unit (BFIU), Bangladesh Bank, law enforcement agencies, or any competent regulatory authority — we will fully cooperate and release the minimum legally required merchant data, logs, and transaction records.
  • Fraud Prevention: In cases of suspected fraud, money laundering, or serious criminal activity detected on our platform, Xelpay may proactively share relevant account and transaction data with BFIU, law enforcement, or relevant MFS providers without prior notice.
  • Business Transfer: In the event of a merger, acquisition, asset sale, or corporate restructuring of Xenverse IT, your data may be transferred to the acquiring entity, subject to the same privacy protections. You will be notified in advance where legally required.
  • With Your Explicit Consent: In any other circumstance not listed above, data will only be shared with your express written consent.

Xelpay deploys multiple layers of security to protect your information:

  • Encryption at Rest: Sensitive configuration strings — including Bot Tokens, IMAP credentials, and API configurations — are encrypted within our databases using industry-standard AES-256 encryption.
  • Encryption in Transit: All communication between your systems and Xelpay is exclusively enforced over HTTPS/TLS 1.2+ protocols. Plain HTTP connections are rejected.
  • Access Controls: Internal access to merchant data is restricted on a strict need-to-know basis. Administrative access requires multi-factor authentication.
  • Security Monitoring: Xelpay employs automated anomaly detection, rate limiting, and intrusion detection systems to monitor for unauthorized access attempts.
  • Breach Notification: In the event of a confirmed data breach that exposes your personal or API data, Xelpay commits to notifying affected merchants within 72 hours of internal verification, in accordance with international best practices. The notification will describe the nature of the breach, data affected, and mitigation steps taken.
  • Limitation: No security system is completely impenetrable. While we implement industry-standard protections, Xelpay cannot guarantee absolute security against all possible threats. You use the platform acknowledging this inherent risk.

By registering a Xelpay account, you explicitly and freely consent to receive the following types of electronic communications from us:

  • Transactional & Operational: Account creation confirmations, payment verification alerts, API error notifications, security warnings, Telegram bot activity reports, and billing/invoice emails. These are mandatory and cannot be opted out of while the account is active, as they are essential to service delivery.
  • System Updates & Policy Changes: Platform update announcements, maintenance notices, and policy change notifications.
  • Promotional & Marketing: News about new features, special offers, and platform upgrades. You may opt out of marketing communications at any time by clicking the unsubscribe link in any such email or by contacting our support.

  • Active Account Data: Your merchant profile, gateway configurations, and transaction logs are retained for as long as your account is active and for a reasonable period thereafter to enable potential account reactivation.
  • KYC & Business Verification Documents: KYC documents submitted pursuant to the Terms of Service, Section 15 are retained for the duration of the account relationship and, upon termination, for the mandatory minimum period required by BFIU and AML regulations, which shall be no less than Five (5) years following account termination, consistent with our Post-Termination AML Retention policy below.
  • Post-Termination AML Retention: To strictly comply with the Money Laundering Prevention Act, 2012 (Bangladesh), Bangladesh Bank AML/CFT guidelines, and applicable financial intelligence requirements, Xelpay reserves the legally mandated right to retain basic transaction logs, associated IP history, merchant identification metadata, KYC documentation, and account activity records for a minimum period of Five (5) years following account termination, before executing a complete data purge.
  • Add-On Usage Records: Detailed Add-On service usage records — required for accurate billing, invoice reconciliation, and dispute resolution — are retained for a minimum of Three (3) years following the billing period in which the usage was incurred, or for such longer period as required by applicable tax or regulatory law.
  • Log Data: System access logs and security logs are retained for up to 24 months for security investigation purposes, then automatically purged.
  • Support Communications: Support ticket records are retained for up to 3 years from the last interaction to enable historical reference and dispute resolution.

Subject to applicable law and our AML retention obligations, you possess the following rights regarding your personal data:

  • Right of Access: You may request a copy of the personal data Xelpay holds about you.
  • Right to Rectification: You may update or correct inaccurate personal information through your account settings or by contacting support.
  • Right to Erasure ("Right to be Forgotten"): You may submit a formal account deletion request via our support channel. Upon processing, your active merchant profile and non-AML-mandated data will be permanently deleted. AML-required records will be retained as per Section 8.
  • Right to Data Portability: You may request your merchant data in a structured, machine-readable format.
  • Right to Object: You may object to certain types of data processing, including direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.

To exercise any of the above rights, contact us at our official support channel. We will respond to valid requests within 30 days.

Xelpay services are strictly intended for users who are 18 years of age or older. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that a minor has created an account or provided us with personal information, we will immediately delete the account and all associated data. If you believe a minor has accessed our platform, please contact us immediately.

Xelpay primarily operates from Bangladesh. However, due to our use of cloud infrastructure providers such as Vercel and Supabase, your data may be stored on or transmitted through servers located outside Bangladesh, including in the United States or European Union.

We ensure that any such international transfer of data is conducted with appropriate contractual protections in place (such as Data Processing Agreements with our providers) and only with partners who maintain data security standards equivalent to or exceeding our own.

For all privacy-related concerns, data access requests, account deletion requests, or to report a suspected data breach, please contact us through our official support channel listed in the dashboard. We are committed to responding to all legitimate privacy inquiries within 30 business days.

For legal notices or regulatory correspondence, include "LEGAL / DATA PROTECTION" in your subject line to ensure proper routing to our compliance team.