Privacy Policy — How tibaj Protects Your Personal Data
At tibaj, protecting the personal information of every player across Bangladesh is a fundamental obligation — not a formality. This Privacy Policy explains exactly what data we collect, why we collect it, how it is stored, who it may be shared with, and the rights you hold over your own information.
Six Privacy Principles We Live By
End-to-End Encryption
All data transmitted between your device and tibaj's servers is protected by 256-bit SSL/TLS encryption. This applies to registration, login, deposits, withdrawals, and all account management actions.
No Data Sales
tibaj will never sell, rent, or trade your personal information to third-party marketers, data brokers, or advertising networks. Your data is used solely to operate and improve the tibaj platform and to meet legal obligations.
Purpose Limitation
Every piece of data tibaj collects has a specific, documented purpose. We do not collect information speculatively. If the purpose for which data was originally collected no longer applies, it is deleted or anonymised in line with our retention schedule.
Minimal Data Collection
tibaj applies data minimisation principles across all collection touchpoints. We ask only for the information that is genuinely necessary for account operation, payment processing, identity verification, and regulatory compliance.
Your Right to Erasure
Registered tibaj players may request the deletion of their personal data at any time, subject to our legal retention obligations. Erasure requests are processed within 30 days of receipt and confirmed to you in writing via your registered email address.
Marketing Opt-Out
Receiving promotional communications from tibaj is always opt-in. You may withdraw consent for marketing emails and SMS notifications at any time through your account preferences or by contacting support. Transactional and security messages are exempt from opt-out as they are essential to account operation.
Information We Collect
tibaj collects personal information at various stages of your interaction with the platform. The nature of the data collected depends on the action you are taking — browsing the site as a visitor, registering a new account, making a financial transaction, or contacting customer support. Below is a comprehensive overview of the categories of personal data we collect and the circumstances in which each category arises.
1.1 Registration and Account Data
When you create a tibaj account, you are required to provide the following information:
- Full legal name — as it appears on your government-issued identification document.
- Date of birth — used to verify that you meet the minimum age requirement of 18 years.
- Email address — used for account correspondence, security alerts, and (with your consent) promotional communications.
- Bangladesh mobile number — used for SMS OTP verification and two-factor authentication.
- Residential address — including division, district, and postal code, as required for identity verification and AML compliance.
- Username and encrypted password — used to authenticate your sessions. Passwords are stored as one-way cryptographic hashes; tibaj staff cannot access your plain-text password.
1.2 Identity Verification (KYC) Documents
Prior to processing withdrawal requests, tibaj conducts Know Your Customer (KYC) verification. This requires you to upload copies of:
- A valid government-issued photo identification document, such as a Bangladesh National Identity Card (NID), passport, or driving licence.
- A recent proof of address document, such as a utility bill, bank statement, or official correspondence issued within the last three months.
- Where applicable, proof of ownership of the payment method used to deposit funds (e.g., a screenshot of your bKash or Nagad registered number matching your account details).
KYC documents are stored securely and accessed only by authorised compliance staff. They are not used for any purpose other than identity verification and fraud prevention.
1.3 Financial Transaction Data
When you make deposits or request withdrawals via bKash, Nagad, Rocket, Upay, or bank transfer, tibaj records transaction identifiers, timestamps, amounts in BDT, and the payment channel used. tibaj does not store full mobile banking PINs, bank account passwords, or card numbers. Financial data is retained in line with anti-money laundering record-keeping requirements.
1.4 Technical and Device Data
When you access the tibaj platform through any browser or device, our servers automatically collect certain technical information, including:
- IP address and approximate geographic location (used for fraud detection and access control).
- Browser type, version, and operating system.
- Device type and screen resolution.
- Pages visited, session duration, and navigation paths within the tibaj platform.
- Referring URL (the address of the page from which you arrived at tibaj).
1.5 Customer Support Communications
When you contact tibaj support by email at [email protected] or through the on-site chat facility, we retain a record of the conversation. This includes your message content, the date and time of contact, and any attachments you provide. Support records are used solely to resolve your query and to improve service quality through periodic internal review.
How We Use Your Data
tibaj processes personal data only for purposes that are lawful, specified, and proportionate. The table below sets out the primary processing activities, the data categories involved, and the legal basis for each activity.
| Processing Purpose | Data Categories Used | Legal Basis |
|---|---|---|
| Account creation and authentication | Name, email, mobile number, password hash | Contractual necessity |
| Age and identity verification (KYC) | Date of birth, NID / passport, proof of address | Legal obligation / Contractual necessity |
| Processing deposits and withdrawals | Transaction data, payment method identifiers | Contractual necessity |
| Fraud detection and AML compliance | IP address, device data, transaction history | Legal obligation / Legitimate interest |
| Customer support and complaint handling | Account data, support communications | Contractual necessity / Legitimate interest |
| Sending promotional offers and news | Email address, mobile number, play history | Consent (opt-in only) |
| Platform performance and analytics | Technical data, navigation data | Legitimate interest |
| Responsible gaming monitoring | Play history, session data, deposit patterns | Legal obligation / Player welfare |
Where tibaj relies on your consent as the legal basis for processing (most notably for marketing communications), you have the right to withdraw that consent at any time without affecting the lawfulness of processing that occurred prior to withdrawal. Withdrawing marketing consent does not affect your ability to use the tibaj platform.
Where tibaj relies on legitimate interest as the legal basis for processing, we have determined that our legitimate interest is not overridden by your fundamental rights and freedoms, taking into account the nature of the data processed, the reasonable expectations of players, and the safeguards we have in place.
Data Sharing & Disclosure
tibaj does not sell or rent personal data to any third party. However, in order to operate the platform and meet legal obligations, tibaj may share certain personal data with the following categories of trusted third parties, each of whom is contractually bound to handle your data securely and to use it only for the specified purpose.
3.1 Payment Service Providers
To process deposits and withdrawals, tibaj shares relevant transaction data with payment partners including bKash, Nagad, Rocket (Dutch-Bangla Bank), Upay, and participating Bangladeshi banks such as City Bank, BRAC Bank, Islami Bank, and Sonali Bank. Only the minimum data necessary to complete a transaction is shared with each payment provider.
3.2 Game Content Providers
tibaj integrates game content from licensed studios including Pragmatic Play, Evolution Gaming, Microgaming, NetEnt, Spribe, and Ezugi. These providers may receive a pseudonymous player identifier and session token to deliver game content and record game results. They do not receive your name, contact details, or financial information.
3.3 Identity Verification and AML Services
tibaj may use third-party KYC and AML screening services to verify the identity documents you submit and to screen your account against sanctions lists and politically exposed persons (PEP) databases. These services process your data under strict confidentiality agreements and are not permitted to use it for any other purpose.
3.4 Legal and Regulatory Disclosure
tibaj may be required to disclose personal data to competent regulatory authorities, law enforcement agencies, financial intelligence units, or courts of law where required to do so by applicable legal process. In such cases, tibaj will disclose only the minimum data required by law and will, where legally permitted, notify the affected player of any such disclosure.
3.5 Business Transfers
In the event that tibaj undergoes a merger, acquisition, or sale of all or part of its business assets, personal data held about registered players may be transferred to the acquiring entity as part of that transaction. In such circumstances, tibaj will provide advance notice and ensure that the acquiring entity is bound by privacy obligations no less protective than those set out in this Privacy Policy.
Data Security Measures
tibaj employs a layered security architecture to protect personal data against unauthorised access, disclosure, alteration, and destruction. Our technical and organisational security measures include, but are not limited to, the following:
- Transport Layer Security (TLS 1.3): All data in transit between your browser and the tibaj platform is encrypted using TLS 1.3, providing state-of-the-art protection against interception and man-in-the-middle attacks.
- Password hashing: Account passwords are never stored in plain text. tibaj uses industry-standard bcrypt hashing with individual salt values, ensuring that even in the unlikely event of a data breach, passwords cannot be recovered from stored data.
- Access controls: Access to production systems and personal data is restricted to authorised personnel on a strict need-to-know basis. All administrative access is logged, reviewed, and subject to multi-factor authentication.
- Intrusion detection: tibaj maintains active monitoring systems that detect and alert on anomalous access patterns, brute-force login attempts, and suspicious data queries in real time.
- Regular security audits: The tibaj platform undergoes periodic security assessments, including vulnerability scanning and penetration testing, to identify and remediate weaknesses before they can be exploited.
- Incident response: In the event of a data security incident that affects your personal data, tibaj will notify affected players without undue delay and will take immediate steps to contain, investigate, and remediate the incident.
While tibaj takes all reasonable and proportionate steps to secure your personal data, no digital system can guarantee absolute security. You are responsible for keeping your own account credentials confidential and for logging out of the tibaj platform on shared or public devices.
Data Retention & Deletion
tibaj retains personal data only for as long as is necessary to fulfil the purpose for which it was collected, or as required by applicable legal or regulatory obligations. The following general retention periods apply to the main categories of personal data held by tibaj:
| Data Category | Retention Period | Basis for Retention |
|---|---|---|
| Account registration data | Duration of account + 5 years post-closure | AML / legal compliance |
| KYC identity documents | 5 years from submission date | Regulatory obligation |
| Financial transaction records | 7 years from transaction date | AML / tax record-keeping |
| Customer support records | 3 years from last interaction | Dispute resolution / quality review |
| Marketing preference records | Until consent withdrawn + 1 year | Proof of consent |
| Technical / server log data | 90 days rolling | Security monitoring |
Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Anonymised data (from which no individual can reasonably be identified) may be retained indefinitely for aggregate statistical analysis and platform improvement purposes.
If you request deletion of your tibaj account, your personal data will be placed into a restricted state immediately, preventing any further processing beyond legal compliance purposes. Full deletion in line with the schedule above will follow automatically once the relevant retention period elapses.
Your Privacy Rights
As a tibaj player, you hold a number of rights in relation to your personal data. tibaj is committed to honouring these rights promptly and transparently. To exercise any of the rights described below, please contact our data team at [email protected] with the subject line "Privacy Rights Request" and your registered account email address. We will respond within 30 days of receiving your request.
- Right of Access: You have the right to request a copy of all personal data tibaj holds about you, along with information about how it is processed and the legal basis for that processing.
- Right to Rectification: If any of the personal data we hold about you is inaccurate or incomplete, you have the right to request that it be corrected. Minor corrections can be made directly through account settings; significant changes require supporting documentation.
- Right to Erasure: You may request that tibaj delete your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where you object to processing based on legitimate interest. This right is subject to tibaj's legal retention obligations.
- Right to Restrict Processing: You may ask tibaj to suspend the processing of your personal data in certain circumstances — for example, while a dispute about the accuracy of the data is being resolved.
- Right to Data Portability: Where processing is carried out by automated means on the basis of consent or contract, you may request a structured, machine-readable copy of the personal data you have provided to tibaj.
- Right to Object: You have the right to object at any time to the processing of your personal data where tibaj relies on legitimate interest as the legal basis. You also have an unconditional right to object to the use of your data for direct marketing purposes.
- Right to Withdraw Consent: Where tibaj processes your data based on your consent (e.g., marketing communications), you may withdraw that consent at any time without penalty. Withdrawal does not affect the lawfulness of processing that took place before withdrawal.
Policy Updates & Contact
tibaj reserves the right to update this Privacy Policy at any time to reflect changes in applicable law, regulatory guidance, business practices, or the way in which the tibaj platform operates. When material changes are made to this Policy, tibaj will notify registered players by email to the address on file and will publish the updated Policy on this page with a revised "Last Reviewed" date.
Minor clarifications and non-material updates may be made without individual notification, but the updated Policy will always be accessible on this page. It is your responsibility to review this Privacy Policy periodically. Continued use of the tibaj platform following publication of an updated Policy constitutes your acceptance of the revised terms.
How to Contact tibaj About Privacy
If you have any questions about this Privacy Policy, wish to exercise a privacy right, or want to report a potential data security concern, please contact the tibaj data team using the following details:
- Email: [email protected] — please use the subject line "Privacy Enquiry" for the fastest response.
- Response time: tibaj aims to acknowledge all privacy-related enquiries within 48 hours (Bangladesh Standard Time, UTC+6) and to provide a full response within 30 calendar days.
If you believe tibaj has failed to handle your personal data in accordance with this Privacy Policy and have not received a satisfactory response to your complaint, you may escalate the matter to the relevant data protection authority in your jurisdiction.
18+ tibaj is an adult gaming platform. All data collection and processing activities described in this Privacy Policy relate exclusively to registered users aged 18 years and above. If you believe a minor has submitted personal data to tibaj, please contact [email protected] immediately so that we can take appropriate action.
Your Privacy Is Safe With tibaj
Still have questions about how tibaj handles your data? Our support team is ready to help. You can also explore our full game library, check the FAQ, or review our Responsible Gaming guidelines. 18+ only. Play responsibly.