Privacy Policy

HEART Global (operating under the full name HEART Global — Health, Exploration, Academic, Research & Training) is a youth-led research and educational support organisation headquartered in Dhaka, Bangladesh. HEART Global operates the website located at www.heart-global.org and all associated sub-pages, portals, and communication channels.

▸ Legal Name: HEART Global ▸ Operating Jurisdiction: Bangladesh ▸ Primary Website: www.heart-global.org ▸ Nature of Entity: Youth-led academic support & public health organisation ▸ Primary Service Area: South Asia & international online clients ▸ Data Controller: HEART Global — Executive Management ▸ Contact for Data Matters: See Section 20

This Policy applies to all personal data processed by HEART Global, including but not limited to data collected through:

▸ The HEART Global website (www.heart-global.org) including all service pages, contact forms, and embedded tools ▸ Direct client communications via email, WhatsApp Business, or any other messaging platform ▸ Service agreements, payment records, and NDA documentation ▸ Voluntary submissions for academic writing services (thesis, dissertation, research proposals, assignments, internship reports, presentations) ▸ Research activities, newsletters, or any other organisational communication

This Policy applies regardless of where you are located in the world. Clients in the European Economic Area (EEA) or United Kingdom benefit from GDPR-equivalent protections as voluntarily adopted by HEART Global.

3.1 — Identity & Contact Data ▸ Full name, email address, phone number (including WhatsApp contact number), academic institution name, student status (undergraduate/postgraduate), and city/country of residence.

3.2 — Service & Academic Data ▸ Academic documents, drafts, or materials submitted for reference or support; course/program details, thesis topics, assignment briefs, research themes, deadline dates, and communication history.

3.3 — Financial & Payment Data ▸ Mobile banking transaction reference numbers (bKash, Nagad, Rocket, or equivalent), bank transfer confirmation details, and agreed instalment schedules. *Note: HEART Global does NOT store full bank account numbers, credit/debit card numbers, or PINs at any stage.*

3.4 — Technical & Usage Data ▸ IP address, browser type, pages visited, session duration, device operating system, and referral source.

3.5 — Contractual & Legal Data ▸ Signed Client Service Agreements, NDA records, consent confirmations, and any dispute-related correspondence.

HEART Global processes personal data only where a valid legal basis exists. In alignment with internationally recognised data protection principles (including the EU General Data Protection Regulation and Bangladesh's Cyber Security Act 2023 and ICT Act 2006), our legal bases are as follows:

▸ Contractual Necessity: Processing required to perform a service you have engaged (e.g., delivering academic writing support, honouring agreements). ▸ Legitimate Interests: Analysing website usage, improving service quality, preventing fraud, and internal record-keeping. ▸ Consent: Email newsletters, promotional communications, or any non-essential processing — you may withdraw consent at any time. ▸ Legal Obligation: Retaining financial records where required by Bangladesh tax, financial, or regulatory law. ▸ Vital Interests: Emergency scenarios where processing is necessary to protect life.

Your data is used exclusively for the following clearly defined purposes:

▸ Service Delivery: Providing the academic support services you have commissioned, including research, writing, and revision support. ▸ Client Communication: Responding to inquiries, confirming orders, sending deliverables, and ongoing project coordination. ▸ Payment Processing: Verifying advance payments, processing instalments, and issuing receipts. ▸ Contract Management: Generating, executing, and storing Client Service Agreements and NDAs. ▸ Legal Compliance: Maintaining records as required under applicable Bangladesh law. ▸ Website Improvement: Analysing traffic patterns to improve user experience. ▸ Marketing (with consent only): Sending updates about new services or offers — always with opt-out capability.

HEART Global does not sell, rent, broker, or commercially exploit your personal data to any third party under any circumstances.

HEART Global retains personal data only for as long as necessary to fulfil the purposes outlined in this Policy, subject to the following retention schedule:

▸ Client Service Agreement & NDA: 5 Years (post-agreement) | Purpose: NDA confidentiality period; legal record ▸ Academic project files & drafts: 5 Years (post-delivery) | Purpose: Aligned with NDA period ▸ Payment records & transaction refs: 7 Years | Purpose: Bangladesh financial law compliance ▸ Communication records (email/WhatsApp): 3 Years (post-project) | Purpose: Dispute resolution ▸ Website analytics & cookies: 12 Months | Purpose: Operational improvement ▸ Marketing consent records: Until withdrawn + 1 Year | Purpose: Audit of consent

Upon expiry of the applicable retention period, data will be securely and permanently deleted or anonymised such that it can no longer be associated with any identifiable individual.

HEART Global implements technical and organisational security measures appropriate to the nature of the data processed and the risks involved. These include:

9.1 — Technical Safeguards ▸ SSL/TLS encryption for all data transmitted through www.heart-global.org. ▸ Password-protected document storage and file transfer systems. ▸ Restricted internal access to client data on a strict need-to-know basis. ▸ Regular review and update of access credentials and permissions.

9.2 — Organisational Safeguards ▸ All staff, contractors, and writers engaged by HEART Global are bound by confidentiality obligations. ▸ Internal data handling protocols reviewed annually. ▸ Incident response procedures for data breach scenarios (see Section 9.3).

9.3 — Data Breach Response In the event of a data breach that is likely to result in risk to your rights and freedoms, HEART Global commits to: ▸ Assessing and containing the breach within 24 hours of discovery. ▸ Notifying affected clients without undue delay and no later than 72 hours after becoming aware of the breach. ▸ Providing clear information on the nature of the breach, data affected, likely consequences, and remediation steps taken.

HEART Global does not sell, trade, or rent your personal data. We may share data only in the following strictly limited circumstances:

▸ Service Contractors: Writers, researchers, editors, or designers engaged on a project basis — all bound by NDA and this Policy. ▸ IT & Hosting Providers: Platform or cloud service providers who host our website or communication tools — bound by data processing agreements. ▸ Payment Processors: We do not use third-party payment gateways. Payments are made directly via mobile banking (bKash/Nagad) or bank transfer, and HEART Global handles all related records internally. ▸ Legal Compulsion: As described in Section 6.1 — only under valid legal order. ▸ Business Transfer: In the event of a merger, acquisition, or asset transfer, data may be transferred subject to equivalent protections — you will be notified in advance.

Any third-party service providers who handle personal data on our behalf are contractually obligated to comply with data protection standards equivalent to those in this Policy.

HEART Global serves clients internationally. If you are located in the European Economic Area (EEA), United Kingdom, or any other jurisdiction with data transfer restrictions, please note the following:

▸ HEART Global is based in Bangladesh, which is not currently designated as an 'adequate' jurisdiction under GDPR. ▸ By engaging HEART Global's services, EEA/UK clients provide explicit consent to the transfer of their personal data to Bangladesh, subject to the protections set out in this Policy. ▸ HEART Global voluntarily implements GDPR-equivalent safeguards as described throughout this Policy. ▸ Where requested, HEART Global can provide Standard Contractual Clauses (SCCs) or equivalent contractual protections for data transfers.

If you are an EEA or UK-based client and have concerns about international data transfers, please contact us before engaging services.

12.1 — Types of Cookies Used ▸ Essential Cookies: Site functionality & navigation | Duration: Session ▸ Analytics Cookies: Understanding usage patterns | Duration: 12 Months ▸ Preference Cookies: Remembering user settings | Duration: 12 Months ▸ Marketing Cookies: Relevant content delivery (with consent only) | Duration: 12 Months

You may control or disable cookies through your browser settings. Disabling essential cookies may affect website functionality. Marketing cookies require your explicit consent via our cookie consent mechanism.

Subject to applicable law, you have the following rights regarding your personal data: ▸ Right of Access: Obtain a copy of all personal data held about you. ▸ Right to Rectification: Correct inaccurate or incomplete data. ▸ Right to Erasure: Request deletion of your data (subject to retention obligations). ▸ Right to Restriction: Limit how we use your data in certain circumstances. ▸ Right to Portability: Receive your data in a structured, machine-readable format. ▸ Right to Object: Object to processing based on legitimate interests or for direct marketing. ▸ Right to Withdraw Consent: Withdraw consent for marketing or non-essential processing at any time. ▸ Right against Automated Decisions: Not be subject to solely automated decision-making with legal effect.

To exercise any of these rights, submit a written request to the contact details in Section 20. HEART Global will respond within 30 days. Requests are processed free of charge unless manifestly unfounded or excessive.

HEART Global's services are designed for university students — adults typically aged 18 and above. We do not knowingly collect or process personal data from individuals under the age of 18.

If you are under 18, you must obtain verifiable parental or guardian consent before using our services. If HEART Global discovers that it has inadvertently collected data from a person under 18 without appropriate consent, such data will be deleted immediately upon discovery.

Parents or guardians who believe their child's data may have been collected should contact us immediately at the details provided in Section 20.

HEART Global processes payments through direct mobile banking (bKash, Nagad) and bank transfer. In connection with financial transactions:

▸ HEART Global retains only the minimum financial information necessary to confirm payment receipt (e.g., transaction reference numbers and amounts). ▸ Full account numbers, PINs, and card data are never collected, stored, or processed by HEART Global. ▸ A 35% to 40% advance payment (40% for internship report writing) is required to secure a service slot. This is processed directly through agreed channels and confirmed via written receipt. ▸ Instalment schedules are documented in the Client Service Agreement and stored in accordance with Section 8. ▸ Financial records are retained for 7 years in compliance with Bangladesh financial regulatory requirements.

HEART Global will NEVER request payment through unverified third-party platforms, cryptocurrency, or any channel not specified in the Client Service Agreement. If you receive unusual payment requests claiming to be from HEART Global, treat them as fraudulent and contact us immediately.

HEART Global communicates with clients primarily through: ▸ Official email addresses associated with www.heart-global.org. ▸ WhatsApp Business — used for project coordination, file transfer, and client support. ▸ Website contact forms.

By contacting HEART Global through these channels, you consent to receiving communications relating to your service engagement. Please be aware:

▸ WhatsApp messages are transmitted via Meta's infrastructure and subject to WhatsApp's own privacy policy. HEART Global advises clients who require maximum confidentiality to use encrypted email communication instead. ▸ HEART Global will never initiate contact from unofficial or unverified numbers or email addresses. ▸ Communication records may be retained for dispute resolution as per Section 8.

To the maximum extent permitted by applicable law, HEART Global's total liability in connection with this Policy, any data breach, or any claim related to data processing shall be limited to the total fees paid by the relevant client for the specific service engagement to which the claim relates.

HEART Global shall not be liable for: ▸ Indirect, consequential, or incidental damages arising from the use of our website or services. ▸ Academic consequences resulting from a client's choice of how to use delivered materials. ▸ Data loss or security incidents caused by factors outside HEART Global's reasonable control, including cyberattacks, force majeure events, or failures of third-party infrastructure. ▸ Any claim arising from a client's breach of the Client Service Agreement or this Policy.

Nothing in this Policy excludes or limits liability that cannot be lawfully excluded, including liability for death or personal injury caused by negligence, or liability for fraudulent misrepresentation.

18.1 — Governing Law This Policy is governed by and construed in accordance with the laws of Bangladesh, including but not limited to the Cyber Security Act 2023 (CSA 2023), the Information and Communication Technology (ICT) Act 2006, and applicable contract law.

18.2 — Dispute Resolution — Three-Stage Process ▸ Stage 1 — Negotiation: Client submits a written complaint. Parties attempt resolution in good faith within 14 days. ▸ Stage 2 — Mediation: If unresolved, parties engage a neutral mediator in Dhaka. Mediation costs shared equally, resolved within 30 days. ▸ Stage 3 — Arbitration/Courts: Binding arbitration under Bangladesh Arbitration Act 2001 in Dhaka, or submission to competent courts of Dhaka, Bangladesh.

For clients in the EEA/UK, HEART Global acknowledges the right to lodge a complaint with the relevant supervisory authority in your country of residence.

HEART Global reserves the right to update or modify this Policy at any time. The 'Effective Date' at the top of this document will reflect the date of the most recent revision.

Material changes — defined as changes that meaningfully alter client rights, data handling practices, or confidentiality commitments — will be communicated to active clients via email or WhatsApp at least 14 days prior to taking effect.

Your continued use of www.heart-global.org or any HEART Global service following the effective date of an updated Policy constitutes your acceptance of the revised terms. If you do not agree with any amendment, you must discontinue use and notify HEART Global in writing.

For any questions, concerns, or requests relating to this Privacy Policy, your personal data, or HEART Global's data practices, please contact:

▸ Organisation: HEART Global ▸ Website: www.heart-global.org ▸ Location: Dhaka, Bangladesh ▸ Data Queries: Submit via the Contact form on www.heart-global.org ▸ Response Time: Within 30 days of receipt of a written request

By using www.heart-global.org or engaging any service offered by HEART Global, you confirm that you have read, understood, and agree to be bound by this Privacy & Data Protection Policy in its entirety. This Policy was prepared with legal advisory input and reflects HEART Global's genuine commitment to responsible, transparent, and lawful data stewardship.