Privacy Policy

1. Introduction

TechSci, Inc. ("TechSci," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our remittance service.

Data Controller: TechSci, Inc.

Contact: privacy@techsci.co

Scope: This policy applies to all users of TechSci Currency Exchange and covers all personal information collected through our website, mobile applications, and related services.

2. Information We Collect

2.1 Personal Information You Provide

We collect personal information that you voluntarily provide when using our service, including:

• Identity Information: Full name, date of birth, nationality, residential address
• Contact Information: Email address, phone number, WhatsApp number
• Government-Issued ID: Passport, driver's license, or national ID card number and images
• Biometric Information: Selfie photo (for identity verification)
• Financial Information: bKash account number, Tremendous reward links, transaction amounts
• Transaction History: Payment details, exchange rates, disbursement records
• Referral Information: Referral codes and referral relationships

2.2 Information Automatically Collected

When you access our service, we automatically collect certain information, including:

• Device Information: Device type, operating system, browser type and version
• Usage Data: Pages visited, time spent, clickstream data
• IP Address and Location: IP address, approximate geographic location
• Cookies and Tracking: Session cookies, authentication tokens, analytics data
• Log Data: Access times, error logs, system events

2.3 Information from Third Parties

We may receive information about you from third parties, including:

• KYC Verification Providers: Identity verification results, watchlist screening
• Payment Processors: Tremendous (reward redemptions), PayPal, Revolut (payment confirmations)
• Fraud Prevention Services: Risk scores, device fingerprinting
• Public Databases: Sanctions lists, PEP (Politically Exposed Persons) databases

3. How We Use Your Information

We use your personal information for the following purposes:

• Process Transactions: Facilitate currency exchange and remittance services
• Identity Verification (KYC): Verify your identity as required by the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations
• Fraud Prevention: Detect, prevent, and investigate fraud, money laundering, and other illegal activities
• Compliance: Comply with legal obligations, including FinCEN reporting, sanctions screening, and record retention
• Communications: Send transactional emails, WhatsApp notifications, and service updates
• Customer Support: Respond to inquiries, resolve disputes, and provide assistance
• Service Improvement: Analyze usage patterns, improve user experience, and develop new features
• Referral Program: Track referrals and calculate commissions
• Legal Proceedings: Establish, exercise, or defend legal claims

4. Legal Basis for Processing

We process your personal information based on the following legal grounds:

• Contractual Necessity: Processing is necessary to provide the remittance service you requested and to fulfill our contractual obligations under our Terms of Service.
• Legal Obligation: Processing is required to comply with federal and state laws, including BSA, AML, PATRIOT Act, and FinCEN regulations.
• Legitimate Interests: Processing is necessary for our legitimate business interests, such as fraud prevention, risk management, and service improvement, provided these interests do not override your privacy rights.
• Consent: In some cases, we may process information based on your explicit consent (e.g., marketing communications), which you may withdraw at any time.

5. Information Sharing and Disclosure

5.1 Service Providers

We share information with trusted third-party service providers who assist us in operating our business:

• Payment Processors: Tremendous (reward redemption), PayPal, Revolut, Rho (payment processing)
• Disbursement Provider: bKash (Bangladesh Taka disbursement)
• Cloud Hosting: Vercel (website hosting), Neon (database hosting)
• Email Services: Resend (transactional emails)
• Document Storage: Vercel Blob (KYC document storage)
• Analytics: Anonymous usage analytics (if applicable)

Data Processing Agreements: All service providers are contractually bound to protect your information and use it only for the purposes we specify.

5.2 Legal and Regulatory Authorities

We may disclose your information to government authorities when legally required:

• Law Enforcement: In response to subpoenas, court orders, or lawful requests
• FinCEN: Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs)
• State Regulators: Money transmitter licensing authorities
• OFAC: Sanctions screening and reporting
• Tax Authorities: IRS reporting (if applicable)

5.3 What We Do NOT Do

5.4 International Transfers

To provide our service, we may transfer your information to:

• United States: Primary data storage (Neon PostgreSQL, Vercel infrastructure)
• Bangladesh: For disbursement processing (bKash account information only)

We ensure adequate safeguards are in place for international transfers, including contractual protections and compliance with applicable data transfer regulations.

6. Data Retention

We retain your personal information for the following periods:

• Transaction Records: Minimum 5 years from transaction date (BSA requirement)
• KYC Documents: Minimum 5 years after account closure or last transaction
• Identity Verification: 5 years after account closure
• Email Communications: 3 years for customer support and transactional emails
• Audit Logs: 7 years for compliance and security monitoring
• SAR/CTR Filings: 5 years (FinCEN requirement)
• Marketing Data: Until you unsubscribe or request deletion (if applicable)

Note: Even if you request deletion of your information, we may be legally required to retain certain records for the periods specified above. After the retention period expires, we securely delete or anonymize your information.

7. Your Privacy Rights

7.1 Rights for All Users

You have the following rights regarding your personal information:

• Right to Access: Request a copy of the personal information we hold about you.
• Right to Correction: Request correction of inaccurate or incomplete information.
• Right to Deletion: Request deletion of your personal information, subject to legal retention requirements.
• Right to Data Portability: Receive your transaction data in a machine-readable format.
• Right to Object: Object to processing based on legitimate interests.

7.2 California Residents (CCPA Rights)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
• Right to Delete: Request deletion of personal information, subject to legal exceptions (e.g., BSA retention requirements).
• Right to Opt-Out of Sale: Opt-out of the sale of personal information. Note: We do not sell personal information.
• Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your CCPA rights.

7.3 How to Exercise Your Rights

To exercise any of your privacy rights, please contact us at:

We will respond to your request within 30 days (or 45 days if additional time is needed, with notice). We may require identity verification to protect your privacy.

8. Security Measures

We implement industry-standard security measures to protect your personal information:

8.1 Technical Safeguards

• Encryption at Rest: AES-256-GCM encryption for sensitive data (government ID numbers, documents)
• Encryption in Transit: TLS 1.2+ for all data transmissions
• Database Security: Neon PostgreSQL with connection pooling and SSL enforcement
• Access Controls: Role-based access control (RBAC) for admin users
• Authentication: NextAuth v5 with bcrypt password hashing
• Secure Storage: Vercel Blob Storage with access controls for KYC documents

8.2 Organizational Safeguards

• Employee Training: Regular security and privacy training for all employees
• Limited Access: Access to personal information restricted to authorized personnel only
• Background Checks: Screening for employees with access to sensitive data
• Incident Response Plan: Procedures for responding to data breaches
• Third-Party Audits: Regular security assessments and penetration testing

8.3 Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Notify affected users within 72 hours of discovery
• Notify relevant authorities as required by law
• Provide information about the breach and remediation steps
• Offer credit monitoring services if applicable

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience:

9.1 Types of Cookies

• Essential Cookies: Required for authentication and basic functionality (cannot be disabled)
• Session Cookies: Temporary cookies that expire when you close your browser
• Persistent Cookies: Remain on your device until expiration or manual deletion
• Analytics Cookies: Track usage patterns to improve our service (optional)

9.2 Managing Cookies

You can control cookies through your browser settings:

• Chrome: Settings > Privacy and Security > Cookies
• Safari: Preferences > Privacy
• Firefox: Options > Privacy & Security

Note: Disabling essential cookies may prevent you from using certain features of our service.

10. Children's Privacy

Our service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18.

If we discover that we have inadvertently collected information from a minor, we will promptly delete it. If you believe we have collected information from a minor, please contact us at privacy@techsci.co.

11. International Data Transfers

Your information may be transferred to and stored in countries other than your country of residence:

• Primary Storage: United States (Neon PostgreSQL, Vercel infrastructure)
• Service Delivery: Bangladesh (bKash disbursement processing)

When transferring data internationally, we ensure adequate safeguards are in place:

• Standard Contractual Clauses: EU-approved data transfer agreements
• Adequacy Decisions: Transfers to countries with adequate data protection (if applicable)
• Service Provider Agreements: Contractual obligations to protect transferred data

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

• Provide at least 30 days' notice via email to your registered email address
• Update the "Last Updated" date at the top of this page
• Post a notice on our website homepage

Your continued use of the service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you must stop using the service and may request deletion of your account (subject to legal retention requirements).

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

14. Regulatory Contact Information

If you have concerns about our privacy practices that we have not addressed, you may contact the relevant regulatory authorities:

14.1 Consumer Financial Protection Bureau (CFPB)

14.2 California Attorney General (California Residents)

15. Additional Disclosures

15.1 Do Not Track Signals

Some browsers have a "Do Not Track" (DNT) feature that lets you tell websites you do not want to be tracked. We currently do not respond to DNT signals.

15.2 Third-Party Links

Our service may contain links to third-party websites (e.g., Tremendous, bKash). We are not responsible for the privacy practices of these websites. We encourage you to read their privacy policies.

15.3 Automated Decision-Making

We may use automated systems for fraud detection and risk assessment. If you believe an automated decision has adversely affected you, you have the right to request human review by contacting privacy@techsci.co.