Last updated: November 01, 2025

By using and accessing any of the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree, please do not use or access the Services.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or for other operational, legal, or regulatory reasons. When we make changes, we will post the revised Privacy Policy on the Site, update the “Last updated” date, and, where required by applicable law, provide additional notice (e.g., banner or email) and seek consent where necessary.

Data Controller and Contact

KazirHat Gallery (“KazirHat”, “we”, “us”, “our”) is the data controller for personal data processed in connection with the Services.

  • Legal entity: KazirHat Gallery (registered in Bangladesh)
  • Address: Mirpur‑1, Dhaka, 1216, Bangladesh
  • Email: info@kazirhat.com
  • Data Protection Officer (DPO) or Privacy Contact: privacy@kazirhat.com
  • EU Representative (GDPR Article 27): [Name], [Company], [Street, City, Country], [email] (applicable if offering goods/services to the EU)
  • UK Representative (UK GDPR Article 27): [Name], [Company], [Street, City, Country], [email] (applicable if offering goods/services to the UK)

How We Collect and Use Your Personal Information

We collect personal information from a variety of sources to provide and improve the Services, comply with legal obligations, enforce our terms, and protect the Services, our rights, and those of our users.

What Personal Information We Collect

Personal information means information that identifies, relates to, describes, or can be associated with you. The types we collect depend on how you interact with the Site and Services.

Information We Collect Directly from You

We may collect:

  • Contact details (name, address, phone number, email).
  • Order information (name, billing address, shipping address, payment confirmation, email, phone number).
  • Account information (username, security questions).
  • Customer support information (information you include in communications with us).

Some features may require you to provide certain information. If you do not provide it, you may be unable to use those features.

Information We Collect about Your Usage

We automatically collect certain information about your interaction with the Services (“Usage Data”) using cookies, pixels, and similar technologies (“Cookies”). Usage Data may include device and browser information, network details, IP address, geolocation derived from IP, and information regarding your interaction with the Services (pages viewed, actions taken, timestamps).

Information We Obtain from Third Parties

We may obtain information from vendors and service providers, such as:

  • Hosting providers, security tools, analytics platforms, and WordPress plugins.
  • Payment processors who collect payment information (e.g., card details, billing address) to process your payment and fulfill orders. We do not store full payment card numbers; processing is performed by PCI DSS–compliant providers.
  • Third parties that collect information using tracking technologies (pixels, web beacons, SDKs, third‑party libraries, cookies) when you visit our Site, open our emails, or interact with our Services or ads.

Any information we obtain from third parties is treated in accordance with this Privacy Policy. See “Third Party Websites and Links” below.

How We Use Your Personal Information (Business Purpose and GDPR Legal Grounds)

  • Providing Products and Services. Purpose: process payments, fulfill orders, manage accounts, arrange shipping, handle returns/exchanges, and provide related features. Legal grounds: performance of a contract (Article 6(1)(b)); compliance with legal obligations (Article 6(1)(c)) for invoicing, tax, and consumer protection; legitimate interests (Article 6(1)(f)) to operate and improve the Services.
  • Communicating with You and Service Improvement. Purpose: customer support, service updates, troubleshooting, and improvement. Legal grounds: legitimate interests (Article 6(1)(f)) to provide effective services and maintain our relationship; performance of a contract (Article 6(1)(b)) where communications are necessary to deliver services.
  • Marketing and Advertising. Purpose: send marketing communications; tailor content and ads on the Site and other websites; limited profiling to personalize experiences. Legal grounds: consent (Article 6(1)(a)) for email/SMS marketing and non‑essential cookies where required; legitimate interests (Article 6(1)(f)) for direct marketing and personalization where permitted. You may withdraw consent or object at any time (see “Your Rights”).
  • Security and Fraud Prevention. Purpose: detect, investigate, and act on fraudulent, illegal, or malicious activity; protect accounts and systems. Legal grounds: legitimate interests (Article 6(1)(f)) to ensure the security of the Services; compliance with legal obligations (Article 6(1)(c)) where applicable.
  • Analytics and Service Optimization. Purpose: understand usage, measure performance, and improve functionality. Legal grounds: legitimate interests (Article 6(1)(f)); consent (Article 6(1)(a)) where required for non‑essential cookies.
  • Legal Compliance and Claims. Purpose: comply with laws, respond to lawful requests, enforce terms, and manage legal claims. Legal grounds: compliance with legal obligations (Article 6(1)(c)); legitimate interests (Article 6(1)(f)) in establishing, exercising, or defending legal claims.

Recipients of Personal Data (GDPR Article 13(1)(e))

We disclose personal information to the following recipients or categories of recipients for the purposes described above:

  • Vendors and Service Providers: hosting and cloud providers, IT and security providers, payment processors, analytics providers, customer support tools, fulfillment and shipping partners. Key categories include: web hosting/CDN, email delivery, analytics (privacy‑focused where possible), payment processing (PCI DSS–compliant), customer support ticketing, and anti‑fraud services.
  • Business and Marketing Partners: advertising networks, remarketing platforms, email marketing providers, affiliate partners (only after consent where required).
  • Social Media Platforms and Widgets: when you choose to use these features (e.g., login integrations, share buttons). Depending on the integration, the platform may act as an independent controller or a joint controller; refer to the platform’s privacy notices.
  • Affiliates: entities within our corporate group for internal administration and service delivery.
  • Public Authorities and Legal Counsel: where required to comply with laws, enforce our terms, or protect rights and safety.
  • Transaction Parties: in the context of a merger, acquisition, asset sale, or bankruptcy, subject to applicable law.

Categories of personal information disclosed may include: identifiers (contact details, order and account information), commercial information (purchase records, support interactions), internet or similar activity (Usage Data), and geolocation data (derived from IP address).

Cookie Policy and Consent

KazirHat uses cookies and similar technologies on kazirhat.com to operate the site, remember preferences, perform analytics, and deliver marketing/advertising. We only set non‑essential cookies (analytics/marketing) after you provide consent via our cookie banner.

  • Categories of cookies:
    • Essential (Strictly Necessary): required for core site functions (security, authentication, load balancing, cart/checkout where applicable). Legal ground: legitimate interests (Article 6(1)(f)) and/or performance of a contract (Article 6(1)(b)). Consent: not required.
    • Preferences: remember choices (language, region). Legal ground: legitimate interests (Article 6(1)(f)); consent may be required depending on local law.
    • Analytics: measure and improve performance. Legal ground: consent (Article 6(1)(a)) where required; otherwise legitimate interests (Article 6(1)(f)) where permitted.
    • Marketing/Advertising: personalize content/ads and track across sites. Legal ground: consent (Article 6(1)(a)).
  • Consent workflow:
    • On first visit, our cookie banner presents “Accept All,” “Reject Non‑Essential,” and “Customize,” with equal prominence for acceptance and rejection choices.
    • Until consent, non‑essential cookies do not run; analytics/marketing scripts are blocked or run in consent mode.
    • You can change or withdraw consent at any time via the “Cookie Settings” link in the footer/banner. Withdrawal does not affect prior lawful processing.
    • Consent logs are retained for audit for 24 months, unless a longer period is required by law.
  • Managing cookies:
    • Browser controls allow removal/rejection; blocking may impact functionality.
    • Site controls via “Cookie Settings” let you enable/disable non‑essential categories.
  • Detailed cookie list:
    A detailed cookie list (name, provider, purpose, duration, category) is maintained and updated in the Cookie Settings panel. We review this list at least quarterly and upon any vendor/script change.

Secure Email Practices

We take steps to safeguard communications sent to info@kazirhat.com:

  • Use of strong authentication and SPF/DKIM/DMARC to help prevent email spoofing and phishing.
  • TLS (encryption in transit) for supported email providers; avoid sending sensitive data over insecure channels.
  • Role‑based access controls and data minimization for support inboxes; periodic review and deletion of unnecessary messages and attachments.
  • If you need to share highly sensitive information, contact us first to arrange a secure channel. Do not include payment card details or passwords in email.

Security Measures and Plugins (WordPress)

We apply technical and organizational measures to protect personal data:

  • Core measures: HTTPS, regular updates, principle of least privilege, backups, vulnerability monitoring, secure key management, and periodic access reviews.
  • WordPress plugins/tools (examples): reputable security/firewall plugins (e.g., Wordfence), activity logging, malware scanning, and hardening tools; privacy‑focused analytics options; email security configurations.
  • Third‑party processors are vetted for security controls and data protection commitments.
  • Incident response: we maintain procedures for detection, containment, forensic analysis, and remediation.

No security measures are perfect, and we cannot guarantee “perfect security.”

Breach Notification

In the event of a personal data breach, we will assess risk and, where required:

  • Notify the competent data protection authority within 72 hours of becoming aware of the breach (GDPR/UK GDPR).
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to rights and freedoms.
  • Document facts, effects, and remedial actions taken.

Privacy Compliance and Consent Management

To support user rights and cookie consent:

  • We use consent management technology that provides a banner and preference center (“Cookie Settings”) to capture, record, and honor your choices.
  • Non‑essential tracking is disabled until consent; consent logs are retained for audit purposes for 24 months (or as required by law).
  • If you withdraw consent, we stop non‑essential processing and adjust tags/scripts accordingly.
  • We honor Global Privacy Control (GPC) signals for US visitors covered by CPRA; we do not respond to legacy Do Not Track signals.

Data Retention

We retain personal information only as long as necessary for the purposes described above and to comply with legal obligations. Retention periods are applied as follows (or the minimum required by applicable law):

  • Account data: retained while the account remains active and for up to 24 months after closure (unless legal retention requires longer).
  • Order records and invoices: retained for 7 years for tax/accounting compliance.
  • Customer support tickets: retained for 24 months from case closure.
  • Consent logs: retained for 24 months (or longer if legally required).
  • Security logs: retained for 12 months (unless an incident requires longer retention).
  • Marketing preferences: retained until you withdraw consent or object; suppression lists retained to honor opt‑outs.

When retention periods expire, we will delete or anonymize data, unless continued retention is necessary for legal claims or compliance.

Your Rights (GDPR and other applicable laws) — Rights Notice (GDPR Article 13(2)(b))

Depending on your location, and subject to conditions and exceptions, you may have the following rights:

  • Right to Access / Know: obtain confirmation and a copy of your personal data, plus details of its use and disclosure.
  • Right to Rectification: correct inaccurate or incomplete personal data.
  • Right to Erasure: request deletion of personal data (e.g., where no longer necessary, or consent withdrawn).
  • Right to Restrict Processing: request restriction (e.g., while accuracy is verified or in certain legal claims).
  • Right to Object: object to processing based on legitimate interests, including direct marketing and related profiling; we will stop processing unless we demonstrate compelling legitimate grounds.
  • Right to Data Portability: receive personal data you provided in a structured, commonly used, machine‑readable format and transmit it to another controller where technically feasible.
  • Right to Withdraw Consent: where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Right to Lodge a Complaint: with your local data protection authority.

We aim to respond to rights requests within 1 month of receipt; where requests are complex or numerous, we may extend by 2 additional months and will inform you of the reasons for delay. To exercise your rights, use the tools available on our Site, “Cookie Settings,” or contact us at info@kazirhat.com. We may need to verify your identity before responding. You may designate an authorized agent with proof of authorization; we may also require direct verification and a signed declaration.

US Privacy (California CPRA)

For California residents, the following disclosures apply:

  • Notice of Collection: we collect identifiers (contact details, order/account information), commercial information (purchase records, support interactions), internet activity (Usage Data), geolocation (derived from IP), and in limited cases inferences used for personalization.
  • Sensitive personal information: we do not use or disclose sensitive personal information for purposes other than those permitted by CPRA (e.g., security, service delivery).
  • “Selling” or “Sharing” personal information: we do not sell personal information for monetary consideration. We may “share” personal information for cross‑context behavioral advertising with your consent via marketing cookies. You can opt‑out via “Cookie Settings” or GPC signals.
  • Rights: right to know, delete, correct, opt‑out of sale/share, limit use of sensitive information, and non‑discrimination.
  • Requests: submit via info@kazirhat.com or “Cookie Settings”; we will verify identity and respond within 45 days (may extend an additional 45 days with notice).

Children’s Data

The Services are not intended for children. We do not knowingly collect personal information from children.

  • EU/UK: we do not knowingly process data of children under 16 without parental consent.
  • US (COPPA): we do not knowingly collect data from children under 13.

Parents or guardians may contact us to request deletion of a child’s personal information. As of the Effective Date, we do not have actual knowledge that we “share” or “sell” personal information of individuals under 16 years of age.

How We Disclose Personal Information (Purpose and GDPR Legal Grounds)

We may disclose personal information for the purposes below:

  • Vendors and Service Providers (IT, hosting, payment processing, analytics, customer support, cloud storage, fulfillment, shipping). Legal grounds: performance of a contract (Article 6(1)(b)); legitimate interests (Article 6(1)(f)); compliance with legal obligations (Article 6(1)(c)).
  • Business and Marketing Partners (to provide services and advertise to you). Legal grounds: consent (Article 6(1)(a)) for targeted advertising and marketing where required; legitimate interests (Article 6(1)(f)) where permitted.
  • Social Media Widgets/Login Integrations (where you direct us to do so). Legal grounds: consent (Article 6(1)(a)); performance of a contract (Article 6(1)(b)) where applicable. Platform roles may vary (independent controller/joint controller).
  • Affiliates and Corporate Group (internal administration). Legal grounds: legitimate interests (Article 6(1)(f)).
  • Business Transactions and Legal Requests (merger, acquisition, bankruptcy; subpoenas, warrants; enforcement of terms; protection of rights). Legal grounds: legitimate interests (Article 6(1)(f)); compliance with legal obligations (Article 6(1)(c)).

Third Party Websites and Links

Our Site may link to third‑party platforms. Review their privacy and security policies. We are not responsible for their practices or the accuracy, completeness, or reliability of their information. Information you provide on public or semi‑public venues, including social networks, may be viewable by other users of the Services and/or by those third‑party platforms.

International Users and Data Transfers

We may transfer, store, and process your personal information outside your country. If we transfer personal information out of Europe or the UK, we rely on recognized transfer mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement/Addendum (IDTA), or adequacy decisions. We perform transfer impact assessments and apply appropriate safeguards (e.g., encryption in transit and at rest, access controls).

Profiling and Automated Decision‑Making

We do not engage in automated decision‑making that produces legal or similarly significant effects. We may use limited profiling to personalize content or offers; you can object at any time via “Cookie Settings” or by contacting us.

Contact

If you have questions about our privacy practices or this Privacy Policy, or wish to exercise your rights, email us at info@kazirhat.com or contact us at Mirpur‑1, Dhaka, 1216, Bangladesh.