Privacy Policy

Last updated: June 27, 2026  ·  Effective date: June 27, 2026

Your privacy matters to us. This policy explains exactly what data we collect, why we collect it, how we protect it, and what rights you have over it.

1. Introduction

Oishia Inc. ("Oishia," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website, use our platform, APIs, or any related services (collectively, the "Services"). By accessing or using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Services. This policy applies to all users of Oishia, including business owners, store managers, employees, and end customers whose data is processed through our platform.

2. Information We Collect

We collect different types of information depending on how you interact with our Services: A. Information You Provide Directly • Account Information: Name, email address, phone number, company name, business address, and password when you register. • Billing Information: Payment card details, billing address, and transaction history (processed securely via third-party payment processors; we do not store raw card data). • Business Data: Products, inventory records, customer data, sales transactions, invoices, and other operational data you input into the platform. • Communications: Messages you send to our support team, feedback submissions, and responses to surveys. • Identity Verification: Documents required to verify your business identity where required by law. B. Information Collected Automatically • Usage Data: Pages visited, features used, session duration, clicks, and navigation patterns within the platform. • Device & Browser Data: IP address, browser type, operating system, device identifiers, and screen resolution. • Log Data: Server logs including access timestamps, error logs, and API request metadata. • Cookies & Tracking: See Section 7 on Cookies for full details. C. Information from Third Parties • Payment Processors: Transaction status and fraud signals from our payment processing partners. • Identity Providers: If you sign in using Google, Microsoft, or another SSO provider, we receive basic profile information from that provider. • Analytics Partners: Aggregate usage insights from analytics tools used to improve the platform.

3. How We Use Your Information

We use the information we collect for the following purposes: Service Provision • To create and manage your account • To process transactions and send billing confirmations • To deliver the features and functionality you have subscribed to • To synchronise data across your devices and locations in real time Platform Improvement • To analyse usage patterns and identify feature improvements • To debug issues, fix errors, and improve system performance • To develop new features, modules, and integrations Communication • To send transactional emails (receipts, password resets, account alerts) • To send product updates, feature announcements, and maintenance notices • To respond to support requests and provide customer service • To send marketing communications (only with your explicit consent; you may unsubscribe at any time) Legal & Security • To detect and prevent fraud, abuse, and unauthorized access • To comply with applicable laws, regulations, and court orders • To enforce our Terms of Service and other agreements • To protect the rights, property, and safety of Oishia, our customers, and the public We will not use your business data (products, customers, sales records, etc.) for any purpose other than providing and improving the Services for your account.

5. How We Share Your Information

We do not sell your personal data or your business data to third parties. We may share information in the following limited circumstances: Service Providers (Sub-processors) We work with trusted third-party companies to help us operate the platform. These include: • Cloud infrastructure providers (hosting, storage, database services) • Payment processors for billing and subscription management • Email delivery services for transactional and marketing emails • Analytics tools for platform performance monitoring • Customer support software for help desk management All sub-processors are bound by data processing agreements that restrict them from using your data for any purpose other than providing services to Oishia. Business Transfers If Oishia is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy. Legal Requirements We may disclose your information if required to do so by law, court order, governmental authority, or regulatory body, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Oishia, our users, or the public. With Your Consent We may share information with third parties when you explicitly authorise us to do so.

6. Data Retention

We retain personal data and business data only as long as necessary for the purposes described in this Privacy Policy, or as required by law. Active Accounts: Data is retained for the duration of your subscription plus a reasonable period thereafter to resolve disputes or comply with legal obligations. After Cancellation: When you cancel your account, your data remains available for export for 30 days. After this period, all personal and business data is permanently deleted from our systems and backups within 90 days. Financial Records: Certain billing and transaction records may be retained for up to 7 years to comply with tax and financial regulations. Anonymised Data: We may retain anonymised, aggregated data that cannot reasonably be used to identify you indefinitely for analytics and product improvement purposes. If you request deletion of your data before the end of the standard retention period, we will fulfil the request subject to any legal obligations to retain certain records.

7. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Services. Here is what we use: Essential Cookies These are required for the platform to function. They manage your login session, preserve your preferences, and enable core security features. You cannot opt out of essential cookies without losing access to the platform. Analytics Cookies We use analytics tools (such as anonymised page-view tracking) to understand how users interact with the platform and identify areas for improvement. These are anonymised and do not identify you personally. Marketing Cookies (Website Only) On our public marketing website, we may use cookies to measure the effectiveness of our advertising campaigns. These cookies are only placed with your consent, which you can withdraw at any time via our cookie preference centre. How to Control Cookies Most browsers allow you to control cookies via their settings. You may also use browser extensions to block specific tracking. Note that disabling cookies may impair the functionality of the platform.

8. Security

We take the security of your data seriously and implement industry-standard measures to protect it: • Encryption in Transit: All data transmitted between your browser/device and our servers is encrypted using TLS 1.2 or higher. • Encryption at Rest: Sensitive data stored in our databases is encrypted at rest using AES-256. • Access Controls: Access to customer data within Oishia is limited to employees who need it to perform their job functions, governed by role-based permissions. • Regular Security Audits: We conduct periodic security assessments, vulnerability scanning, and penetration testing. • Incident Response: We maintain a documented incident response plan. In the event of a data breach, we will notify affected users and relevant authorities within the timeframes required by applicable law. While we employ strong security measures, no method of transmission or storage is 100% secure. We encourage you to use strong, unique passwords and to enable two-factor authentication on your account.

9. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data: Right of Access: You may request a copy of the personal data we hold about you. Right to Rectification: You may ask us to correct inaccurate or incomplete personal data. Right to Erasure ("Right to be Forgotten"): You may request deletion of your personal data, subject to our legal obligations to retain certain records. Right to Restriction: You may ask us to restrict how we process your personal data in certain circumstances. Right to Data Portability: You may request that we provide your personal data in a machine-readable format so you can transfer it to another service. Right to Object: You may object to our processing of your personal data for direct marketing or where we rely on legitimate interests. Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before fulfilling the request. If you believe your rights have not been respected, you have the right to lodge a complaint with your local data protection authority.

10. International Data Transfers

Oishia is headquartered in Bangladesh. If you access our Services from outside Bangladesh, your data may be transferred to and processed in Bangladesh or other countries where our service providers operate. We ensure that any international transfer of personal data is subject to appropriate safeguards, such as: • Standard Contractual Clauses (SCCs) approved by the European Commission • Adequacy decisions where applicable • Your explicit consent where required By using our Services, you acknowledge and consent to the transfer of your data to countries that may have different data protection laws than your country of residence.

11. Children's Privacy

Our Services are not intended for or directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us at [email protected] and we will take steps to delete that information promptly.

12. Third-Party Links & Integrations

Our platform may contain links to third-party websites or integrate with third-party services (such as payment gateways, shipping providers, or accounting tools). This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you connect to through Oishia. When you enable a third-party integration, you may be granting that third party access to certain data from your Oishia account. We are not responsible for the privacy practices of integrated third parties.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform functionality. When we make material changes, we will: • Update the "Last updated" date at the top of this page • Send an email notification to the primary account holder • Display an in-app notice for a reasonable period after the update Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you should discontinue use and may request deletion of your data.

14. Contact Us

If you have questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact us: Data Controller: Oishia Inc. Address: Dhaka, Bangladesh Email: [email protected] Website: https://oishia.com/contact For users in the European Economic Area, our EU representative can be contacted at [email protected]. We aim to respond to all privacy-related enquiries within 30 days.

Privacy questions or requests?

Contact our privacy team directly — we aim to respond to all enquiries within 30 days.