Privacy Policy

Last updated: 2026-04-15

This Policy explains what personal data Mobidata ("we") collects, why we collect it, how we protect it, and what rights you have. It applies to three categories of people: merchant staff who use the app, sellers whose devices merchants record, and public buyers who browse the marketplace.

1. Who is the controller

  • Merchant staff data (you signing up as a phone shop): Mobidata is the data controller.
  • Seller intake data (the NID photos, nominee card, selfie, consent video, IMEI): the merchant's organization is the controller, and Mobidata is the processor acting under their instructions and these Terms.
  • Buyer data (saved listings, contact form, account): Mobidata is the controller.

2. What we collect and why

2.1 Merchant account

  • Email, full name, hashed password: authentication and account recovery.
  • Organization details (name, address, trade license, contact email): verification, tax reporting, public storefront page.
  • IP address, user agent, session timestamps: rate limiting, abuse prevention, audit logs.
  • Locale and theme preference: personalization.

2.2 Seller intake (processed on merchant's behalf)

  • Seller identity: full name, father's and mother's names, date of birth, address, phone, nominee details.
  • ID number (NID / passport / driving license): stored as an encrypted fingerprint; the raw number is not retrievable from our database.
  • Photos of ID documents and the seller's selfie: private R2 bucket, AES-256 at rest, access limited to the originating organization plus platform moderators, with every access audited.
  • Consent video: camera-only live recording of the seller confirming the voluntary sale. Stored in the same private bucket; additionally protected by R2 Object Lock (24-month retention) and an RFC3161 trusted timestamp.
  • Device details: brand, model, IMEI, condition, intake price.
  • Consent timestamp + IP: proof that the seller consented to the sale at a specific time.

Legal basis: performance of a contract between the seller and the merchant, plus the merchant's legal obligation under applicable second-hand-goods and AML regulations.

2.3 Buyer activity

  • Saved listings, contact messages, and reports: logged for abuse prevention and to let merchants follow up on your interest.
  • Buyer IP on contact and report actions, retained 12 months.

3. Marketplace content vs. private evidence

This is the single most important boundary in Mobidata:

  • Public marketplace shows only the phone photos a merchant explicitly selected for publication, plus a title, price, city, and merchant storefront name.
  • Private evidence — ID photos, nominee cards, selfies, consent videos, and seller identity fields — is never served from the public bucket and is never included in a marketplace API response. Access requires an authorized user, a 60-second signed URL, and a per-URL audit entry.

4. How we store data

  • Database (Postgres 16) on an encrypted volume. Seller ID numbers are stored as an encrypted fingerprint.
  • Public media on Cloudflare R2 (11-nines durability), cached by the Cloudflare CDN with immutable URLs.
  • Private media on a separate R2 bucket. CDN caching is explicitly disabled on the subdomain that serves it; every response carries Cache-Control: no-store.
  • Backups: Postgres WAL continuously archived to R2 for point-in-time recovery. Monthly immutable archive to Backblaze B2 with Object Lock (24-month retention).
  • Disaster recovery: cross-region R2 mirror of the private bucket, synced nightly.

5. Who can see what

  • Merchant staff within an organization can see the intakes and sellers captured by that organization only, filtered by their role (owner, admin, data entry, verifier, marketplace manager).
  • Platform moderators can read intakes across organizations only when investigating a report or integrity drift. Every such read is logged with the moderator's user ID, IP, user agent, and the specific media accessed.
  • Buyers see only marketplace listings and the contact handle the merchant chose to publish.
  • Vendors: we do not sell personal data. The service providers we use to operate Mobidata are listed in §9.

6. How long we keep data

  • Seller intake media: 24 months after the device is marked sold, unless local law requires longer or the merchant configures a stricter retention window.
  • User accounts: until you request deletion. After a deletion request, data is soft-deleted for 30 days and then hard-purged (with the exception of B2 archives, which honor their 24-month Object Lock).
  • Audit logs: 12 months, monthly-partitioned.
  • Contact log + report records: 12 months.
  • OTP codes and session tokens: OTPs expire after 10 minutes; sessions after 30 days.

7. Your rights

Depending on your jurisdiction (Bangladesh DPA, GDPR for EEA residents, DPDP for India), you have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate data via your account settings or by writing to us.
  • Erasure: request deletion. Exercise this via Settings → Danger Zone. The request enters our 4-eyes hard-purge workflow: a second platform administrator must approve before execution.
  • Restriction / objection: ask us to stop a specific processing activity.
  • Portability: export your account data as a JSON bundle.

If you are a seller (not a merchant account holder), your erasure and access requests should be directed first to the merchant who recorded your intake. If the merchant is unresponsive or no longer exists, contact [email protected].

8. Security

  • TLS 1.3 end-to-end, HSTS preloaded.
  • Argon2id password hashing; session tokens as SHA-256 of opaque randomness.
  • Cloudflare Turnstile on signup, contact, and report forms. IP-based and per-email rate limits on login, OTP, and password-reset flows.
  • SHA-256 verification of every uploaded media byte, re-checked nightly on a random sample.
  • 2FA mandatory on all Cloudflare and Backblaze admin accounts. Postgres encryption key stored in offline escrow.

9. Service providers

  • Cloudflare — DNS, TLS, CDN, R2 object storage, Turnstile.
  • Backblaze — B2 archive storage (encrypted monthly snapshots).
  • Oracle Cloud — compute (Always Free ARM VM).
  • Resend — transactional email (OTP codes, password reset, staff invites).
  • Google — Firebase Cloud Messaging (push notifications), OAuth sign-in (optional).
  • Sentry — error telemetry (sampled 10%; stack traces are scrubbed of user input before shipping).
  • freetsa.org — RFC3161 trusted timestamps on consent videos.

10. Cookies and tracking

Mobidata uses a single HttpOnly session cookie for authentication and a locale cookie for language preference. We do not use third-party ad trackers or cross-site fingerprinting. Real-user analytics are provided by Cloudflare Web Analytics, which is cookieless.

11. Children

Mobidata is not directed at children under 18. We do not knowingly collect personal data from children. Merchants must not record a seller who is under 18 without a parent or guardian present and co-signing the consent video.

12. International transfers

Our primary region is North America (Cloudflare R2 enam); our DR region is Europe (Cloudflare R2 eeur). If you are in the EEA, transfers out of the EEA are governed by Standard Contractual Clauses.

13. Data breach notification

If we become aware of a personal-data breach that poses a risk to your rights and freedoms, we will notify affected users without undue delay and, where legally required, the relevant supervisory authority within 72 hours of discovery.

14. Changes to this Policy

Material changes are announced in-app and via email at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

15. Contact

Data protection questions or rights requests: [email protected].