Privacy - UTSO.NET Marketing

1. Introduction

1.1 Who We Are

Utso (“Utso,” “we,” “us,” or “our”) is a comprehensive business operations management Software-as-a-Service (SaaS) platform. We are committed to protecting your privacy and handling your data with transparency and care.

Contact Information:

General Support: hello@utso.net

Privacy Matters: privacy@utso.net

Legal Inquiries: legal@utso.net

Phone: +88 01304-220-033

Website utso.net

1.2 Purpose of This Policy

This Privacy Policy explains:

What personal data we collect and why
How we use, store, and protect your data
Your rights regarding your personal data
How we comply with applicable data protection laws
Our practices regarding cookies and tracking technologies

1.3 Scope

This Privacy Policy applies to:

The Utso web platform (utso.app and subdomains)
Mobile applications (iOS and Android, when available)
Marketing website (utso.net)
All services provided through the Utso platform
All data collected through our Service

This Privacy Policy should be read together with our Terms and Conditions.

1.4 Beta Service Notice

The Service is currently in Beta. During this phase:

We are refining our data practices and security measures
Features and data collection practices may evolve
We will notify you of material changes to this Privacy Policy
Your feedback helps us improve our privacy practices

2. Data We Collect

2.1 Information You Provide Directly

Account Information:

When you register or use the Service, we collect basic account information such as name, email address, phone number, and password (encrypted). Company administrators provide additional business information during setup.

Business Operations Data:

As you use the Service to manage your business operations, you may input and store various types of data including:

Employee information – Employment records, contact details, work history, and related HR data
Customer and contact data – Information about your customers, prospects, and business contacts
Financial data – Payroll information, expense records, budget allocations, and related financial information
Work management data – Projects, tasks, assignments, timelines, and team collaboration information
Asset and resource data – Information about business assets, inventory, and resource allocation
Operational documents – Files, images, receipts, and other documents you upload to the Service

The specific data you store depends on which features you use and how you configure the platform for your business needs.

2.2 Information We Collect Automatically

Usage Information:

We automatically collect information about how you use the Service, including features accessed, actions taken, and frequency of use.

Device and Technical Information:

We collect technical information such as IP address, browser type, device type, operating system, and language preferences.

Location Information:

We collect approximate location (country/city) from your IP address. For certain features (like attendance tracking with geofencing), we may collect precise location data with your explicit consent.

Cookies and Similar Technologies:

We use cookies and similar technologies for authentication, preferences, analytics, and security. See Section 9 for more details.

2.3 Information from Third Parties

Integrated Services:

If you connect third-party services (such as CRM platforms), we may receive data from those services based on your integration settings and their privacy policies.

Payment Processors:

We receive payment confirmation data from payment gateways. We do not store complete payment card numbers or sensitive payment credentials.

2.4 Sensitive Personal Data

In limited circumstances, we may process sensitive personal data where required for legitimate business purposes and permitted by law:

Health information (with consent, for leave management or workplace accommodations)
Biometric data (with consent, for attendance verification if you enable such features)
Financial identifiers (as required for payroll processing and tax compliance)

We apply enhanced security measures and access controls for all sensitive data categories.

3. How We Use Your Data

3.1 Primary Purposes

We use your data to:

Provide and Improve the Service:

Create and manage your account
Authenticate users and maintain security
Deliver the platform features you’ve subscribed to
Process transactions and manage billing
Provide customer support
Analyze usage to improve functionality and user experience
Develop new features
Troubleshoot technical issues

Business Operations:

Maintain platform security and prevent fraud
Ensure compliance with our Terms and Conditions
Generate anonymized analytics and insights
Conduct research and development

Legal Compliance:

Fulfill legal and regulatory obligations
Respond to legal requests and court orders
Enforce our rights and agreements
Maintain records as required by law

Communications (with appropriate consent):

Send transactional notifications (account activity, approvals, system alerts)
Provide service updates and feature announcements
Share educational content and product tips
Conduct surveys and gather feedback
Send marketing communications (opt-out available)

4. Legal Basis for Processing (GDPR and Equivalent Laws)

For users in jurisdictions with data protection laws similar to GDPR (e.g., European Union), we process personal data based on the following legal grounds:

4.1 Contract Performance

Processing necessary to provide the Service under our Terms and Conditions:

Account creation and authentication
Service delivery and feature enablement
Billing and payment processing
Customer support

4.2 Legal Obligation

Processing required to comply with applicable laws:

Tax and accounting requirements
Labor and employment law compliance
Response to legal requests
Regulatory reporting

4.3 Legitimate Interests

Processing necessary for our legitimate business interests:

Platform security and fraud prevention
Service improvement and optimization
Business analytics and reporting
Direct marketing to existing customers (with opt-out)

We balance our legitimate interests against your rights and will not process data in ways that override your interests or fundamental rights.

4.4 Consent

Processing based on your explicit, freely-given consent:

Marketing communications to non-customers
Optional features (e.g., geolocation for attendance)
Cookies (non-essential)
Processing of sensitive personal data where required

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

5. Data Sharing and Disclosure

5.1 We Do Not Sell Your Data

We do NOT sell, rent, or trade your personal data to third parties for their marketing purposes.

5.2 Sharing Within Your Organization

Multi-Tenant Isolation:

Data is strictly isolated by company/tenant
Users in your organization can access data based on role-based permissions you configure
We maintain strict tenant boundaries to prevent cross-company data access

Access Controls:

Company Administrators control user access and permissions
Employees see only data relevant to their role
Audit logs track all data access

5.3 Service Providers and Subprocessors

We share data with trusted third-party service providers who assist in operating our Service:

Infrastructure and Hosting:

Cloud hosting providers (data center operators)
Content delivery networks (CDN)
Database management services

Payment Processing:

Payment gateways (bKash, Nagad, Stripe, etc.)
Billing and invoicing systems

Communications:

Email service providers (for transactional and marketing emails)
SMS providers (for notifications and OTP)

Analytics and Monitoring:

Usage analytics platforms (anonymized data where possible)
Error tracking and monitoring services
Performance monitoring tools

Customer Support:

Support ticketing systems
Live chat providers (if implemented)

Security:

Security monitoring and threat detection services
Authentication services
Backup and disaster recovery providers

Requirements for Service Providers:

Contractual obligations to protect data
Process data only on our instructions
Maintain appropriate security measures
Comply with applicable data protection laws
Undergo regular security assessments

5.4 CRM Integrations

If you enable CRM integrations (HubSpot, Pipedrive):

Data is shared with the integrated platform based on your configuration
Data synchronization follows your mapping settings
You control what data is shared through integration settings
Third-party platforms have their own privacy policies

5.5 Legal and Regulatory Disclosures

We may disclose your data when required or permitted by law:

To comply with legal obligations or court orders
To protect our rights, property, or safety
To enforce our Terms and Conditions
To prevent fraud or abuse
In connection with a merger, acquisition, or sale of assets (with notice to you)

5.6 Aggregate and Anonymized Data

We may share aggregate, anonymized data that cannot identify you:

Industry benchmarking reports
Usage statistics and trends
Product development insights
Marketing and research purposes

6. Data Security

6.1 Security Commitment

We implement industry-standard security measures to protect your data from unauthorized access, alteration, disclosure, or destruction.

6.2 Technical Safeguards

Encryption:

Data encrypted in transit using TLS/HTTPS
Sensitive data encrypted at rest
Password hashing using industry-standard algorithms
Encrypted database fields for sensitive information

Access Controls:

Multi-factor authentication (OTP-based 2FA)
Role-based access control (RBAC)
Principle of least privilege
Session management and timeout

Network Security:

Firewalls and intrusion detection systems
DDoS protection
Regular security patching and updates
Penetration testing and vulnerability scanning

Application Security:

Input validation and sanitization
Protection against common attacks (SQL injection, XSS, CSRF)
Secure coding practices
Regular code reviews

Multi-Tenant Architecture:

Strict tenant isolation (separate databases per company)
Logical data separation
Access verification at every request
Audit logging for all data access

6.3 Organizational Safeguards

Employee Access:

Background checks for employees with data access
Confidentiality agreements
Security training and awareness programs
Limited access based on job function

Incident Response:

Security incident response plan
Breach notification procedures (as required by law)
Regular security drills

Vendor Management:

Security assessments of service providers
Data processing agreements
Regular audits of third-party security

6.4 Your Responsibilities

You also play a role in data security:

Keep your password secure and confidential
Enable two-factor authentication
Log out from shared devices
Report suspicious activity immediately
Keep your contact information current
Review user access permissions regularly

6.5 Security Limitations

Despite our efforts, no system is 100% secure:

Internet transmission is not completely secure
You use the Service at your own risk
We cannot guarantee absolute security
Promptly report any security concerns to privacy@utso.net

7. Data Retention

7.1 Retention Principles

We retain personal data only as long as necessary for:

Providing the Service
Complying with legal obligations
Resolving disputes
Enforcing our agreements

7.2 Retention Periods by Data Type

Active Account Data:

Retained for the duration of your active subscription
Continuously available for your use

Post-Cancellation:

Retained for 90 days after account cancellation
Allows for potential reactivation
You may request earlier deletion

Inactive Free-Tier Accounts:

Company databases may be archived after 3 months of inactivity
Reactivation available (manual process for free tier, self-service for paid)

Employee Records:

Retained based on your data retention settings
Typically retained after employee departure for compliance purposes
Subject to local labor and tax law requirements

Payroll and Financial Data:

Retained for minimum periods required by tax and accounting laws
Typically 7-10 years for tax records
Varies by jurisdiction

Audit Logs and Security Data:

Retained for security and compliance purposes
Typically 12-24 months
Extended retention for investigation or legal hold

Backup Data:

Included in regular backups for disaster recovery
Backup retention follows our backup policy (typically 30-90 days)
Data in backups deleted according to backup rotation schedule

7.3 Data Deletion

Upon Your Request:

You may request data deletion (subject to legal retention requirements)
Some data may need to be retained for legal compliance
Deletion typically completed within 30 days

Automatic Deletion:

Data deleted after retention periods expire
Secure deletion methods (overwriting, cryptographic erasure)

8. Your Rights and Choices

8.1 Overview of Rights

Depending on your location and applicable laws, you may have the following rights regarding your personal data:

8.2 Access Rights

Right to Access:

Request confirmation of whether we process your data
Obtain a copy of your personal data
Learn how we use and share your data

How to Exercise:

Email privacy@utso.net with your request
We will respond within 30 days (or as required by local law)
Identity verification required

8.3 Correction and Update

Right to Rectification:

Correct inaccurate personal data
Complete incomplete personal data

How to Exercise:

Update information directly in your account settings
Contact privacy@utso.net for assistance
Company Administrators can update employee records

8.4 Deletion Rights ("Right to be Forgotten")

Right to Erasure:

Request deletion of your personal data

Limitations:

We may retain data required for legal compliance
Backup copies may persist until backup rotation completes
Anonymized data not subject to deletion

How to Exercise:

Email privacy@utso.net
Specify what data you want deleted
We will confirm completion or explain any limitations

8.5 Restriction and Objection

Right to Restrict Processing:

Request temporary limitation on how we use your data
Available in specific circumstances (e.g., disputing accuracy)

Right to Object:

Object to processing based on legitimate interests
Object to direct marketing (immediate effect)

How to Exercise:

Email privacy@utso.net with specific objection
Use “unsubscribe” links in marketing emails

8.6 Data Portability

Right to Data Portability:

Receive your data in structured, commonly-used format
Transmit data to another service provider

Scope:

Applies to data you provided to us
Applies to automated processing based on consent or contract

How to Exercise:

Request export through your account settings
Contact privacy@utso.net for assistance
Data provided in CSV or JSON format

8.7 Withdraw Consent

Right to Withdraw Consent:

Withdraw consent for processing based on consent
Does not affect lawfulness of processing before withdrawal

How to Exercise:

Update preferences in account settings
Email privacy@utso.net
Use opt-out links in communications

8.8 Complaint Rights

Right to Lodge a Complaint:

File complaint with data protection authority in your jurisdiction
For Bangladesh: relevant regulatory body
For EU: your local Data Protection Authority
For other jurisdictions: applicable privacy regulator

Our Preference:

Please contact us first at privacy@utso.net
We will work to resolve your concerns directly

8.9 Response Timeframes

Requests acknowledged within 7 days
Completed within 30 days (standard)
Extended to 60 days for complex requests (with notice)
Varies by jurisdiction (we comply with local requirements)

9. Cookies and Tracking Technologies

9.1 What Are Cookies

Cookies are small text files stored on your device when you visit websites. They help websites remember information about your visit.

9.2 Types of Cookies We Use

9.2.1 Strictly Necessary Cookies

Purpose: Essential for the Service to function Examples:

Session authentication
Security tokens
Load balancing

Can You Disable: No (required for Service operation)

9.2.2 Functional Cookies

Purpose: Remember your preferences and settings Examples:

Language preferences
Theme selection
Dashboard layouts

Can You Disable: Yes (but may reduce functionality)

9.2.3 Analytics Cookies

Purpose: Understand how you use the Service Examples:

Page views and navigation
Feature usage statistics
Error tracking

Can You Disable: Yes (through cookie settings)

9.2.4 Marketing Cookies (when applicable)

Purpose: Deliver relevant marketing content Examples:

Ad targeting (if we implement advertising)
Conversion tracking
Retargeting

Can You Disable: Yes (through cookie settings or browser settings)

9.3 Third-Party Cookies

We may use third-party cookies from:

Analytics providers (e.g., Google Analytics)
Security services
Support tools

Third parties have their own privacy policies.

9.4 Managing Cookies

Browser Settings:

- Most browsers allow you to manage cookies
- You can block or delete cookies
- Blocking cookies may affect Service functionality

Our Cookie Preferences:

Access cookie settings through your account (when available)
Opt out of non-essential cookies

9.5 Similar Technologies

Local Storage:

Used to store preferences and cache data
Managed through browser settings

Session Storage:

Temporary storage for session data
Cleared when you close your browser

Device Identifiers:

Mobile apps (when available) may use device identifiers
Used for analytics and security
Managed through device settings

10. International Data Transfers

10.1 Global Service

Utso operates globally and may transfer data across borders:

Primary operations based in Bangladesh
Service expanding to Pakistan, Nepal, Sri Lanka, and beyond
Data may be stored in different geographic locations

10.2 Data Residency

Current Status:

Customer Data stored in secure data centers
Location varies based on your geographic region and subscription plan
Contact privacy@utso.net for specific data location information

Future Options:

Regional data residency options for enterprise customers
Compliance with local data localization requirements

10.3 Transfer Safeguards

When we transfer data internationally, we ensure appropriate safeguards:

Contractual Protections:

Standard Contractual Clauses (SCCs) where required
Data processing agreements with service providers
Transfer impact assessments

Security Measures:

Encryption in transit and at rest
Access controls and monitoring
Compliance with destination country requirements

Legal Compliance:

Adherence to Bangladesh data protection laws
Compliance with GDPR for EU data subjects
Local law compliance in all operating jurisdictions

10.4 Your Location and Applicable Laws

Bangladesh Customers:

Governed by Bangladesh data protection regulations
Data may be stored locally or regionally

European Union Customers:

GDPR applies
Additional rights and protections
Transfers outside EU use Standard Contractual Clauses

Other Jurisdictions:

Local data protection laws may apply
We commit to compliance with applicable regulations
Regional addendums provided where required

11. Children's Privacy

11.1 Age Restriction

The Service is not intended for children under 18 years of age. We do not knowingly collect personal data from children.

11.2 No Intentional Collection

We do not target children for marketing
Account holders must be 18 or older
Employee records should not include minors (unless lawful in your jurisdiction)

11.3 Parental Rights

If we discover we have collected data from a child under 18:

We will delete the information promptly
Parents may request deletion by contacting privacy@utso.net

11.4 Reporting

If you believe we have collected information from a child, please contact us immediately at privacy@utso.net.

12. Changes to This Privacy Policy

12.1 Right to Modify

We may update this Privacy Policy from time to time to reflect:

Changes in our data practices
New features or services
Legal or regulatory requirements
Industry best practices

12.2 Notification of Changes

Material Changes:

Email notification to registered address
In-app notification
Prominent notice on website
30 days advance notice (typically)

Minor Changes:

Updated “Last Updated” date
Posted on website
No specific notification required

12.3 Review of Changes

We encourage you to review this Privacy Policy periodically:

Check the “Last Updated” date
Review changes before they take effect
Contact us with questions at privacy@utso.net

12.4 Continued Use

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

If you do not agree with changes, you may:

Discontinue use of the Service
Cancel your subscription
Request data deletion (subject to retention requirements)

13. Privacy by Design

13.1 Our Commitment

We build privacy into our Service from the ground up:

Data Minimization:

Collect only necessary data
Avoid excessive or irrelevant collection
Regular review of data collection practices

Purpose Limitation:

Use data only for specified, legitimate purposes
Obtain consent for new purposes
Clear communication of how data is used

Storage Limitation:

Retain data only as long as necessary
Automatic deletion after retention periods
Regular data cleanup processes

Security by Default:

Strong encryption standards
Secure defaults for new features
Regular security assessments

Transparency:

Clear privacy notices
Accessible privacy controls
Open communication about practices

13.2 Privacy Impact Assessments

We conduct privacy impact assessments for:

New features processing sensitive data
Changes to data processing activities
Introduction of new technologies
High-risk processing activities

14. Contact Us About Privacy

14.1 Privacy Inquiries

For questions or concerns about privacy:

Email: privacy@utso.net

Phone: +88 01304-220-033

Response Time: Within 7 business days

14.2 Data Subject Requests

To exercise your rights (access, deletion, correction, etc.):

Email: privacy@utso.net

Subject Line: “Data Subject Request – [Your Name]

Include:

Your full name and email address
Specific request (e.g., “Access Request,” “Deletion Request”)
Any relevant details

Response Time: Within 30 days (or as required by local law)

14.3 Security Concerns

To report security issues or data breaches:

Email: privacy@utso.net (mark as “URGENT – Security”)

Phone: +88 01304-220-033

Response: Immediate acknowledgment, investigation within 24 hours

14.4 Complaints and Escalation

If you’re not satisfied with our response:

Internal Escalation:

Contact privacy@utso.net
Request escalation to Privacy Officer
We will review and respond within 14 days

External Complaint:

File complaint with data protection authority in your jurisdiction
For Bangladesh: Contact relevant regulatory body
For EU residents: Contact your local Data Protection Authority

15. Region-Specific Privacy Information

15.1 European Union (GDPR)

For EU data subjects, additional rights and information:

Legal Basis for Processing: See Section 4

Data Protection Officer: Contact privacy@utso.net

Representative in EU: To be designated if required

Transfer Mechanisms: Standard Contractual Clauses

Supervisory Authority: Your local DPA

Additional Rights:

Right to lodge complaint with supervisory authority
Right to object to automated decision-making
Right to restrict processing

15.2 Bangladesh

Governing Law: Bangladesh data protection regulations

Data Location: May be stored in Bangladesh or regionally

Local Requirements: Compliance with Digital Security Act and applicable regulations

15.3 Pakistan, Nepal, Sri Lanka (Expansion Markets)

As we expand to these markets:

Regional privacy addendums will be provided
Local data protection laws will be respected
Data residency options will be considered
Local language privacy notices may be offered

15.4 Other Jurisdictions

For customers in other regions:

We comply with applicable local laws
Contact privacy@utso.net for region-specific information
Additional disclosures provided as required

16. Specific Feature Privacy Notes

16.1 Location-Based Features

Certain features may use location data:

Approximate location (city/country) derived from IP address for all users
Precise location collected only with your explicit consent for specific features you enable
You can disable location-based features at any time
Location data used only for the specific feature you’ve enabled

16.2 Biometric Data

If you enable features that use biometric data (such as facial recognition):

Explicit consent required before collection
Biometric data encrypted and securely stored
Used solely for authentication or verification purposes
Not shared with third parties
Retained only during active use of the feature
You can opt for alternative methods at any time

16.3 Sensitive Financial and Health Data

Some business operations may involve sensitive data:

Financial data (salary, bank details, tax information) processed with enhanced security
Health information (if provided for leave management) handled with strict access controls
Sensitive data shared only when necessary for Service operation or legal compliance
Subject to additional security measures and access restrictions
You control what sensitive data you input into the system

17. Automated Decision-Making and Profiling

17.1 Automated Processing

The Service includes some automated processing:

Leave Balance Calculations:

Automated based on policies you configure
You can review and override
No significant legal effects

Payroll Computations:

Automated calculations based on your inputs
You review before final processing
You maintain control and responsibility

Budget Alerts:

Automated threshold notifications
Informational only, no binding decisions

17.2 No Automated Decisions with Legal Effect

We do NOT make automated decisions with legal or similarly significant effects without human review.

17.3 Your Rights

You have the right to:

Obtain human intervention
Express your point of view
Contest automated decisions
Request explanation of automated processing

18. Data Protection Principles

We adhere to core data protection principles:

Lawfulness, Fairness, and Transparency:

Process data lawfully and fairly
Transparent about our practices
Clear privacy notices

Purpose Limitation:

Collect data for specified purposes
Not use data for incompatible purposes
Obtain consent for new uses

Data Minimization:

Collect only necessary data
Avoid excessive collection
Regular review of data needs

Accuracy:

Keep data accurate and current
Provide tools for you to update data
Correct inaccuracies promptly

Storage Limitation:

Retain data only as long as necessary
Delete data after retention periods
Secure deletion methods

Integrity and Confidentiality:

Protect data with appropriate security
Prevent unauthorized access or disclosure
Maintain data integrity

Accountability:

Demonstrate compliance
Maintain records of processing
Conduct privacy assessments
Train staff on data protection

19. Additional Information

19.1 California Privacy Rights (CCPA/CPRA)

For California residents (when we serve US customers):

Right to know what data we collect
Right to deletion
Right to opt-out of sale (we don’t sell data)
Right to non-discrimination
Contact: privacy@utso.net

19.2 Do Not Track

We currently do not respond to “Do Not Track” browser signals, as there is no industry standard for compliance.

19.3 Social Media

If we maintain social media presence:

Interactions governed by platform privacy policies
We may collect publicly available information
Separate privacy notices provided

19.4 Job Applicants

If we collect data for recruitment:

Separate applicant privacy notice provided
Data retained for recruitment purposes
Deleted after retention period (typically 1-2 years)

Acceptance and Agreement

By using the Utso Service, you acknowledge that:

You have read and understood this Privacy Policy
You agree to the collection, use, and disclosure of your personal data as described
You understand your rights and how to exercise them
You consent to international data transfers as necessary to provide the Service

For Company Administrators:

By registering your company and inviting employees, you represent that:

You have authority to provide employee data
You have obtained necessary consents from employees
You will comply with applicable employment and privacy laws
You will inform employees of how their data is used

Version History

Version 1.0 (Beta) – December 15, 2025

Initial Privacy Policy for Beta launch
Comprehensive coverage of all modules and features
Multi-jurisdiction framework
GDPR and international standards compliance

Last Updated: December 15, 2025

Effective Date: December 15, 2025

Version: Beta 1.0

For questions or concerns about this Privacy Policy, please contact:

Email: privacy@utso.net

Website: utso.net