← Back to QRID
Legal  /  Privacy Policy

Privacy Policy

How KaritKarma Limited and the QRID platform handle your personal data — in plain language.

Effective date: 1 June 2026  ·  Controller: KaritKarma Limited, Dhaka, Bangladesh

1. Who we are

QRID is a software platform operated by KaritKarma Limited, a company registered in Dhaka, Bangladesh. QRID provides club management software (ERP, website, and member social network) to elite clubs. When a club licenses QRID, it becomes a tenant; its members and staff are the people whose data this policy concerns.

KaritKarma Limited acts as the data controller for platform-level data (account registration, billing, support). Each club tenant acts as an additional controller for the member data it collects and manages within its QRID tenancy.

2. What we collect

We collect only what is necessary to operate the platform. Categories include:

  • Identity data — name, email address, and a unique identifier issued by Wenme (our identity provider). For club members: membership number, category, and date of admission as recorded by the club.
  • Contact data — email address, phone number (optional), and mailing address, where provided.
  • Transaction data — charges posted to a member's house account across all club departments (F&B, events, spa, golf, etc.). This is the core operational record of the platform.
  • Usage data — log entries recording which features were used, from which device, and at what time. We do not build advertising profiles from this data.
  • Device and browser data — IP address, user-agent string, and session tokens, used for authentication and abuse prevention.
  • Communication data — messages sent between club staff and members through the platform's internal channels.
  • Enquiry data — name, email, club name, and any note submitted through the contact form on this website.

We do not collect sensitive personal data (health, biometric, racial or ethnic origin, political opinion, religious belief) unless a specific club module expressly requires it and the club has obtained appropriate consent from its members.

3. How we use it

Data collected through the platform is used exclusively to:

  • Provide and maintain the QRID platform for licensed clubs.
  • Process charges, generate statements, and settle accounts between reciprocal clubs.
  • Authenticate users and enforce role-based access controls.
  • Send transactional communications (booking confirmations, statements, event reminders) via BitsPath, our communications service.
  • Diagnose technical issues and improve platform reliability.
  • Respond to support requests and enquiries.
  • Comply with applicable laws and regulations in Bangladesh.

We do not sell personal data. We do not use personal data for advertising. We do not share personal data with third-party marketing platforms.

4. Identity and authentication

Authentication on the QRID platform is handled by Wenme (wenme.net), a KaritKarma identity service that implements OAuth 2.1 with PKCE. When you sign in, you authenticate with Wenme. QRID receives a signed JWT containing your user identifier and email address. QRID does not store your password; passwords are managed entirely by Wenme.

Role-based access control (what you can see and do within a club's tenancy) is managed by Darwan, another KaritKarma service. Your role assignments within a club are held in Darwan and enforced by the QRID API on every request.

Both Wenme and Darwan operate under the same data-protection obligations as the rest of the KaritKarma stack.

5. Sharing and disclosure

We share personal data only in the following circumstances:

  • Within the KaritKarma group — Wenme (identity), Darwan (authorisation), BitsPath (email, SMS, push notifications). Each service receives only the data needed to perform its function.
  • With the club tenant — each club's staff can access data belonging to that club's members, within the permissions their roles allow. No club can access another club's member data.
  • Reciprocal network settlements — when a member visits a partner club under a reciprocal agreement, the host club receives confirmation that the member holds a valid letter of introduction, the charges incurred, and (optionally) the member's name for house-account purposes. The member's full profile, contact details, and home-club data are not transmitted.
  • Legal requirement — if required by applicable law, court order, or government authority in Bangladesh, we will comply and, where permitted, notify you.
  • Business transfer — if KaritKarma Limited is acquired or merges with another entity, personal data held will transfer as part of that transaction. We will notify affected users before data is subject to a materially different privacy policy.

We do not sell, rent, or broker personal data to any third party.

6. Retention

We retain personal data for as long as a club's subscription is active, plus a post-termination period of 90 days during which the club may request an export. After that, production data is deleted. Daily encrypted backups are retained for 30 days beyond the deletion date, after which they are purged.

Transaction records (charges, statements, invoices) may be retained for up to 7 years to satisfy Bangladesh tax and accounting regulations, even if the underlying membership has ended.

Enquiry data submitted through this website is retained for 12 months from submission.

7. Your rights

Under applicable Bangladesh data protection law, and consistent with international good practice, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data, subject to legal retention obligations.
  • Object to processing where our legitimate interest is the legal basis.
  • Request a portable export of your data in a machine-readable format.

To exercise any of these rights, contact us at privacy@karitkarma.com. We respond within 30 days. For data held within a club's tenancy, the club's data protection officer or general manager may need to be involved; we will coordinate on your behalf.

8. Security

QRID data is stored in PostgreSQL 18.3 on KaritKarma-operated infrastructure, served behind Traefik v3 with TLS 1.3. Access to production databases is limited to a small number of engineers, gated by SSH key and internal VPN. We perform daily encrypted backups and weekly restore drills.

No security measure is infallible. In the event of a breach affecting your personal data, we will notify affected clubs within 72 hours of becoming aware, and assist them in notifying affected members as required.

9. Children

QRID is a B2B club management platform. It is not directed at children under 18. If a club admits junior members, the club is responsible for obtaining appropriate parental consent before entering that member's data into the platform. KaritKarma does not knowingly collect personal data from children directly.

10. Changes to this policy

We may update this policy when the platform changes materially or when legal requirements change. The effective date at the top of this page will be updated. For significant changes, we will notify active club tenants by email at least 30 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance.

11. Contact

Questions, requests, or concerns about this policy or about your personal data:

We aim to respond to all privacy enquiries within 30 calendar days.

Terms of Service © 2026 KaritKarma Limited