This Privacy Policy describes how Central Desk Limited ("Central Desk", "we", "us", "our") collects, uses, stores, and protects information when you use our omnichannel customer engagement platform.
What we collect
Account information
- Your name, email address, phone number
- Workspace name, business type, country
- Payment information (processed by SSLCommerz / bKash / Nagad — we do not store full card numbers)
Workspace data
- Conversations, messages, attachments you exchange with your customers
- Contact records you create or import
- Orders, products, invoices you create
- Team members you invite, their roles and activity
- Channel credentials (encrypted at rest)
Usage data
- IP address, browser type, device type
- Pages you visit, features you use, time spent
- Login times and locations
How we use your data
- To provide and improve the Central Desk service
- To send important account and product notifications
- To process payments and generate invoices
- To answer your support questions
- To detect and prevent fraud, spam, and abuse
- To comply with legal obligations (NBR, BTRC, etc.)
We do not sell your data to third parties. We do not use your conversations to train our AI models. Each workspace's data is strictly isolated from every other workspace.
Third-party services we use
- Meta (Facebook, WhatsApp, Instagram) — channel APIs
- OpenAI / Anthropic — AI auto-reply (token-level, opt-in)
- SSLCommerz / bKash / Nagad / Rocket — payment processing
- Pathao / Steadfast / RedX / Paperfly / eCourier / SA Paribahan — courier integrations
- Cloudflare — DDoS protection and CDN
- Google Analytics — marketing site usage (not the app)
Each of these has its own privacy policy. We have signed data processing agreements with all third-party processors.
Your rights
- Access: Export all your data anytime from Settings → Data Export
- Correction: Edit account information from Settings
- Deletion: Delete your workspace from Settings → Danger Zone. Data is permanently removed after 30 days
- Portability: Export contacts, conversations, orders to CSV
- Object: Email privacy@centraldesk.io if you object to any processing
How we protect your data
- HTTPS/TLS 1.3 in transit, AES-256 at rest
- Channel credentials individually encrypted
- bcrypt password hashing (12 rounds)
- Role-based access control inside your workspace
- Workspace-level isolation — staff cannot see your conversations without permission
- Daily encrypted backups, 30-day retention
- SOC2 Type II audit underway (target Q3 2026)
Data retention
- Active workspaces — data retained as long as your account is active
- Cancelled workspaces — 30-day grace period, then permanent deletion
- Backups — 30 days rolling
- Activity logs — 12 months
- Anonymous analytics — indefinite
Children
Central Desk is not for individuals under 18. We do not knowingly collect data from minors.
International transfers
Your data is primarily stored in Singapore and Mumbai data centres. Enterprise customers can opt for Bangladesh data residency.
Changes to this policy
If we make significant changes, we'll notify you 30 days in advance via email and in-app banner. For minor edits, we'll update the "Last updated" date above.
Contact us
Questions about this policy? Email privacy@centraldesk.io or write to:
Central Desk Limited
Banani, Road 11
Dhaka 1213, Bangladesh