Privacy Policy

01Who We Are

Rafirit Station ("we", "us", "our") is a full-service digital agency based in Dhaka, Bangladesh. We provide web development, app development, UI/UX design, graphic design, e-commerce solutions, video editing, content writing, digital marketing, SEO, Google Ads, Meta Ads, social media management, web analytics, CRO, and email marketing services to clients in Bangladesh and internationally.

Our website is https://rafirit.com. This Privacy Policy applies to all information collected through our website, service pages, contact forms, job applications, and any other interactions you have with Rafirit Station.

🏢 Data Controller

Rafirit Station is the data controller responsible for your personal information. We are based in Dhaka, Bangladesh. For privacy enquiries, contact us at privacy@rafirit.com.

02Information We Collect

We collect information in three ways: information you provide directly, information collected automatically when you visit our website, and information from third parties.

2.1 Information You Provide Directly

When you contact us, request a quote, submit a job application, or interact with our forms, we may collect:

Contact information — your full name, email address, phone number, and WhatsApp number
Business information — company name, website URL, industry, and business description
Service enquiry details — the services you're interested in, budget range, project description, and timeline
Job application data — CV/resume, portfolio links, work experience, skills, and cover notes
Communication content — the content of emails, WhatsApp messages, and other communications you send us
Payment information — billing name and address (we do not store card numbers — payment processing is handled by Stripe, PayPal, and bKash)

2.2 Information Collected Automatically

When you visit rafirit.com, we automatically collect certain technical information:

Device and browser data — IP address, browser type and version, operating system, device type
Usage data — pages visited, time spent on pages, links clicked, scroll depth, referring website
Location data — approximate geographic location derived from your IP address (country and city level only)
Cookie data — see Section 6 for full details on cookies we use

2.3 Information from Third Parties

We may receive information about you from:

Google Analytics 4 — aggregated website traffic and behaviour data
Meta Pixel — conversion data from Meta Ads campaigns you may have clicked
Referral partners — name and contact details when a partner refers you to us

✅ What We Do NOT Collect

We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, or financial account numbers. We do not purchase data lists or scrape contact information from third-party sources.

03How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Data Used	Legal Basis
Respond to your enquiry or quote request	Name, email, phone, message	Legitimate interest / Contract
Deliver services you have purchased	Contact, business, project details	Contract performance
Process and manage job applications	CV, portfolio, personal details	Legitimate interest / Consent
Send project updates and deliverables	Name, email, project info	Contract performance
Issue invoices and process payments	Name, address, payment data	Contract / Legal obligation
Improve our website and services	Usage data, analytics	Legitimate interest
Send marketing emails (with consent)	Name, email	Consent
Comply with legal obligations	As required by law	Legal obligation
Prevent fraud and abuse	IP address, usage data	Legitimate interest

📧 Marketing Communications

We only send marketing emails to people who have explicitly opted in. Every marketing email includes an unsubscribe link. You can opt out at any time by clicking unsubscribe or emailing privacy@rafirit.com. We do not send cold marketing emails to purchased lists.

04Legal Basis for Processing

Under applicable data protection law (including GDPR for EU/UK residents), we process your personal data on the following legal bases:

Contract performance — processing necessary to deliver the services you have hired us for, or to take steps at your request before entering a contract
Legitimate interests — processing necessary for our legitimate business interests (such as improving our services, responding to enquiries, and preventing fraud), provided these interests are not overridden by your rights
Consent — where you have given clear, specific, and freely given consent (such as for marketing emails or non-essential cookies)
Legal obligation — processing necessary to comply with applicable laws (such as tax record-keeping requirements)

Where we rely on consent as our legal basis, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

05Data Sharing & Third Parties

We never sell your personal data. We do not sell, rent, or trade your personal information to any third party for commercial purposes — ever. We share data only in the following limited circumstances:

5.1 Service Providers

We share data with trusted service providers who help us operate our business. These providers are contractually bound to protect your data and may only use it for the specified purpose:

Google (Analytics, Ads, Workspace) — website analytics, advertising, and email services
Meta (Facebook/Instagram) — advertising platform and conversion tracking
Stripe — international card payment processing
PayPal — international payment processing
bKash / Nagad — local Bangladesh mobile payment processing
Cloudflare — website security, CDN, and performance
Hotjar / Microsoft Clarity — website heatmaps and session recordings (anonymised)
Email service providers — transactional and marketing email delivery

5.2 Legal Disclosure

We may disclose your personal data to law enforcement, government authorities, or other third parties where required by applicable law, court order, or where we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of Rafirit Station's assets, your personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different Privacy Policy.

✅ Our Commitment

We never sell your data. We never share your data with advertisers for their own use. Every third party we work with is carefully vetted and contractually required to protect your information under standards no less protective than our own.

06Cookies & Tracking Technologies

Our website uses cookies and similar tracking technologies to improve your experience and help us understand how visitors use our site. A cookie is a small text file stored on your device.

6.1 Types of Cookies We Use

6.2 Managing Your Cookie Preferences

You can manage your cookie preferences at any time through:

Our cookie banner — shown on your first visit, allowing you to accept or decline non-essential cookies
Your browser settings — most browsers allow you to block or delete cookies; see your browser's help documentation for instructions
Google Analytics opt-out — install the Google Analytics Opt-out Browser Add-on
Meta Ads opt-out — visit Facebook Ad Preferences
Email us — privacy@rafirit.com and we will update your preferences within 48 hours

Please note: disabling certain cookies may affect the functionality of our website and services.

07Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are:

Data Type	Retention Period	Reason
Client project data and communications	5 years after project completion	Legal obligation & dispute resolution
Invoice and financial records	7 years	Bangladesh tax and accounting law
General enquiries and quotes (not converted)	2 years	Legitimate interest
Job applications (successful)	Duration of employment + 5 years	Legal & HR obligation
Job applications (unsuccessful)	6 months	Future role consideration
Website analytics data	26 months (GA4 default)	Analytics purposes
Marketing email subscriber data	Until unsubscribe + 30 days	Consent-based retention
Security and access logs	12 months	Security monitoring

After the applicable retention period expires, your data is securely deleted or anonymised. You may also request deletion at any time (see Section 8 — Your Rights).

08Your Data Rights

Depending on your location, you have the following rights regarding your personal data. We honour all these rights regardless of whether you are located in Bangladesh, the EU, the UK, or elsewhere.

👁️

Right to Access

Request a copy of all personal data we hold about you. We will provide this within 30 days of your request, free of charge.

✏️

Right to Rectification

Request correction of inaccurate or incomplete personal data. We will update your data within 72 hours of a verified request.

🗑️

Right to Erasure

Request deletion of your personal data ("right to be forgotten") where there is no legal reason for us to continue holding it.

⏸️

Right to Restriction

Request that we restrict processing of your data in certain circumstances — for example while a dispute is being resolved.

📦

Right to Portability

Request a copy of your data in a structured, machine-readable format (JSON or CSV) so you can transfer it to another service.

🚫

Right to Object

Object to processing of your data for direct marketing, profiling, or where we rely on legitimate interests as our legal basis.

🔄

Right to Withdraw Consent

Where processing is based on consent, withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

⚖️

Right to Complain

Lodge a complaint with your local data protection authority if you believe we are not handling your data appropriately.

📧 How to Exercise Your Rights

Email your request to privacy@rafirit.com with the subject line "Data Rights Request". Include your full name and the email address associated with your data. We will respond within 30 days (usually much sooner). We may need to verify your identity before processing the request. There is no charge for exercising your rights.

09Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction.

Technical Measures

SSL/TLS encryption — all data transmitted to and from rafirit.com is encrypted using SSL/TLS (HTTPS)
Encrypted data storage — sensitive data is encrypted at rest using AES-256 encryption
Access controls — strict role-based access controls; only authorised team members can access client data
Secure payment processing — all payments are processed by PCI-DSS compliant providers (Stripe, bKash); we never store card numbers
Regular security updates — all systems and software are kept up to date with the latest security patches
Firewalls and monitoring — Cloudflare WAF and security monitoring for intrusion detection

Organisational Measures

All team members are trained on data protection and security best practices
Access to personal data is restricted on a strict need-to-know basis
We conduct regular security reviews of our systems and processes
Third-party vendors undergo security vetting before we share any data

🚨 Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals within 72 hours of becoming aware, and report to the relevant authority as required by law. We will provide clear information on what happened, what data was affected, and what steps we are taking.

10International Data Transfers

Rafirit Station is based in Bangladesh. We work with clients and use service providers across the world, which means your data may be transferred to, processed in, and stored in countries outside Bangladesh.

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

Using service providers who are certified under international data protection frameworks (e.g. EU-US Data Privacy Framework)
Entering into Standard Contractual Clauses (SCCs) where required for EU personal data
Only transferring to countries with adequate data protection laws, or ensuring equivalent protections are in place contractually

Our primary international processors include Google (USA), Meta (USA), Stripe (USA), Cloudflare (USA), and PayPal (USA) — all of whom maintain internationally recognised data protection certifications and are subject to data processing agreements with us.

11Children's Privacy

Our services are not directed at, and are not intended for, children under the age of 16 (or under 18 in jurisdictions where the age of digital consent is 18). We do not knowingly collect personal data from children.

If you are a parent or guardian and believe that your child has provided us with personal data without your consent, please contact us at privacy@rafirit.com and we will promptly delete such information.

12Third-Party Links & Websites

Our website may contain links to third-party websites, including our client websites, social media platforms, and tool providers. This Privacy Policy applies only to rafirit.com and our own services.

We are not responsible for the privacy practices of third-party websites. We encourage you to review the privacy policies of any website you visit. The inclusion of a link on our site does not imply our endorsement of that site's privacy practices.

Specific third-party services we link to or use include:

Google services — governed by Google Privacy Policy
Meta/Facebook — governed by Meta Privacy Policy
WhatsApp — governed by WhatsApp Privacy Policy
LinkedIn — governed by LinkedIn Privacy Policy

13Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make significant changes, we will:

Update the "Last Updated" date at the top of this page
Post a prominent notice on our website for 30 days
Send an email notification to clients and subscribers (for material changes affecting how we use your data)

We encourage you to review this Privacy Policy periodically. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

For historical versions of this Privacy Policy, or if you have questions about specific changes, please contact us at privacy@rafirit.com.

14Contact Us & Privacy Requests

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact our privacy team. We respond to all privacy enquiries within 48 hours (usually the same business day).

📧 Privacy Enquiries

privacy@rafirit.com

Data access, erasure, correction, and objection requests

📧 General Contact

hello@rafirit.com

General questions about our services

📍 Registered Address

Rafirit Station
Dhaka, Bangladesh

💬 WhatsApp

+880 1X-XXXX-XXXX

Mon–Fri, 9AM–6PM BST

⚖️ Supervisory Authority

If you are located in the European Union or United Kingdom and are not satisfied with our response to a privacy complaint, you have the right to lodge a complaint with your local data protection supervisory authority. For EU residents: visit edpb.europa.eu to find your national authority. For UK residents: Information Commissioner's Office (ICO).

🔍 Quick Summary — What This Policy Covers