Privacy Policy
This Privacy Policy explains how RetroPay ("RetroPay", "we", "us") collects, uses, discloses, and protects information when you use our website, dashboard, REST API, Android relay app, or WooCommerce plugin (together, the "Services").
1. Information we collect
We collect the following categories of information:
- Account information — name, email address, and password hash when you register a RetroPay account.
- Merchant information — business name, webhook URL, and API credentials associated with your merchant profile.
- Transaction data — order IDs, amounts, currencies, checkout tokens, and payment status for each checkout session you create.
- SMS confirmation data — when you install the RetroPay Android app on a device that receives mobile financial services (MFS) confirmation messages (bKash, Nagad, Rocket), the app relays the transaction ID, amount, sender, and timestamp contained in that message to RetroPay for the sole purpose of verifying payments. We do not collect SMS messages unrelated to payment confirmation.
- Device and usage data — IP address, browser type, device identifiers, and log data generated when you use our website, dashboard, or API.
2. How we use information
- To verify and confirm MFS payments against the checkout session they belong to.
- To operate, maintain, and secure your merchant account and API access.
- To send transactional notifications, including webhooks, to your registered endpoints.
- To detect, investigate, and prevent fraud, abuse, or violations of our Terms of Service.
- To provide customer support and respond to inquiries.
- To comply with applicable legal and regulatory obligations.
3. How we share information
We do not sell personal information. We may share information with:
- Your own systems, via the webhook URL and API endpoints you configure.
- Service providers who help us operate the Services (e.g. hosting, infrastructure, error monitoring), under confidentiality obligations.
- Law enforcement or regulators where required by applicable law.
- A successor entity in connection with a merger, acquisition, or sale of assets, subject to this Policy.
4. Data retention
We retain transaction and account data for as long as your account is active and for a reasonable period afterward to meet legal, accounting, and fraud-prevention obligations. You may request deletion of your account data as described in Section 7.
5. Security
API keys and webhook secrets are stored hashed or encrypted. Checkout sessions expire automatically, and webhook payloads are signed so your systems can verify they originated from RetroPay. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
6. Your choices
- You can revoke the RetroPay Android app's SMS permission at any time from your device settings; doing so will stop automatic payment verification.
- You can rotate or revoke API keys and webhook secrets from your merchant dashboard.
- You can request access to, correction of, or deletion of your account data by contacting us.
7. Contact us
For privacy questions or data requests, contact us at privacy@retropay.app.
8. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date above.