HimoSoft

Last updated: 20 May 2026

Privacy Policy

This Privacy Policy describes how HimoSoft ("HimoSoft", "we", "us", "our") collects, uses, discloses, and protects personal data when you visit our websites (including himosoft.com.bd and related subdomains), use our payment portals, contact us, or engage our software development, integration, maintenance, and deployment services. We are committed to the EU General Data Protection Regulation (GDPR), UK GDPR, Bangladesh data protection developments, and applicable US state privacy laws. This notice applies where HimoSoft acts as the data controller. Client projects may have separate notices where the client is controller.

1. Data controller and contact

Controller: HimoSoft, software development and IT solutions provider, Bangladesh (serving clients globally).

Privacy contact: hello@himosoft.com.bd — use subject line "Privacy request" and include your name, relationship to us (visitor, client, partner), and request type.

We will appoint or designate a privacy lead for GDPR inquiries. If EU/UK representative or Data Protection Officer details are required for your jurisdiction, contact us for current registration information.

2. Scope of this policy

This policy covers personal data processed through our corporate website, marketing communications, pre-sales inquiries, billing (including pay.himosoft.com.bd), recruitment where applicable, and delivery of professional services under contract.

It does not govern third-party websites, client applications we build (where the client is typically controller), or payment processors' own privacy practices — see their policies when you interact directly with Stripe, bKash, Easy Payment Gateway, NOWPayments, banks, or marketplaces such as apps.himosoft.com.bd when operated under separate terms.

Related documents: Cookie Policy (/cookies), Terms of Service (/terms).

3. Categories of personal data we process

Depending on your interaction, we may process:

  • Identity and contact data: name, email, phone, company, job title, billing address
  • Account and project data: usernames, credentials you choose to share, SOW references, support tickets
  • Technical data: IP address, browser type, device identifiers, time zone, language preference, cookie consent status
  • Usage data: pages viewed, referral source, approximate location derived from IP (where analytics accepted)
  • Communication content: emails, meeting notes, chat transcripts, files you upload for projects
  • Financial data: invoice records, transaction references, partial payment metadata from gateways (we do not store full card PANs unless explicitly scoped under PCI-compliant design)
  • Recruitment data: CV and interview notes if you apply for roles
  • Compliance data: sanctions screening results, export control declarations where required

4. Sources of data

We collect data directly from you (forms, email, contracts, calls), automatically through cookies and logs (see Cookie Policy), from payment partners (confirmation of payment status), from publicly available business sources (company websites, LinkedIn for B2B context), and from your employer or colleagues when they introduce a project.

We may receive data from clients when we act as processor on their instructions — processing then follows their privacy notice and our data processing agreement.

5. Purposes of processing

We process personal data to:

  • Operate and secure our website and infrastructure
  • Respond to inquiries and provide proposals, statements of work, and contracts
  • Deliver custom software, integrations, deployments, maintenance, and support
  • Process invoices and payments through approved gateways
  • Manage client relationships, account management, and service quality
  • Comply with legal, tax, audit, and regulatory obligations
  • Protect against fraud, abuse, and security incidents
  • Improve our services through aggregated analytics where you have consented to optional cookies
  • Send relevant B2B updates where permitted by law or with consent
  • Establish, exercise, or defend legal claims

7. Recipients and subprocessors

We share personal data only as needed with:

  • Hosting and cloud infrastructure providers
  • Email, ticketing, and collaboration tools
  • Payment processors (Stripe, bKash, Easy Payment Gateway, NOWPayments, banks)
  • Professional advisers (lawyers, accountants) under confidentiality
  • Subcontractors and specialists bound by contract (design, QA, specialized dev) for client projects
  • Authorities when required by law

We require subprocessors to provide comparable protection by contract. An enterprise subprocessor list is available on request for active clients.

8. International transfers

HimoSoft is based in Bangladesh. Data may be processed in Bangladesh, the EEA, the United States, and other countries where our providers operate.

When we transfer personal data from the EEA/UK to countries without an adequacy decision, we implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, UK International Data Transfer Agreement addendum where relevant, and supplementary measures where required by transfer impact assessments.

You may request information about safeguards by contacting hello@himosoft.com.bd.

9. Retention periods

We retain personal data only as long as necessary for the purposes above:

  • Marketing inquiries: typically up to 24 months without conversion
  • Contracts and project files: duration of engagement plus 6–10 years for legal, tax, and warranty purposes unless longer required
  • Invoices and payment records: per Bangladesh tax and accounting law and client jurisdiction requirements
  • Cookie consent logs: up to 12 months
  • Security logs: typically 90–365 days unless needed for incident investigation
  • Recruitment: up to 12 months after process ends unless you consent to longer talent pool retention

When retention ends, we delete or anonymize data unless law requires archival storage.

10. Security measures

We implement appropriate technical and organizational measures including access controls, encryption in transit (TLS), least-privilege credentials, secure development practices, backups, and vendor review for material subprocessors.

No system is perfectly secure. We maintain incident response procedures and will notify controllers, regulators, or individuals of personal data breaches where required by GDPR Articles 33–34 and applicable law.

You are responsible for securing credentials on your side and configuring production environments per agreed runbooks.

11. Your rights under GDPR and similar laws

Where GDPR applies, you have the right to:

  • Access — obtain confirmation and a copy of your personal data (Art. 15)
  • Rectification — correct inaccurate data (Art. 16)
  • Erasure — request deletion in certain circumstances (Art. 17)
  • Restriction — limit processing in certain cases (Art. 18)
  • Data portability — receive data you provided in a structured, machine-readable format where processing is based on consent or contract and is carried out by automated means (Art. 20)
  • Object — object to processing based on legitimate interests or direct marketing (Art. 21)
  • Withdraw consent — at any time for consent-based processing
  • Lodge a complaint — with your supervisory authority in the EU/EEA member state of residence, workplace, or alleged infringement

We respond to verified requests within one month, extendable by two further months where requests are complex. We may request identity verification. US state residents may have additional rights (access, delete, correct, opt-out of certain sharing) — contact us to exercise them.

Bangladesh residents may exercise rights available under applicable national law as it develops; we handle requests in good faith consistent with international best practice.

12. Automated decision-making

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals without human involvement, except routine fraud signals from payment processors under their policies.

If this changes, we will update this policy and provide required GDPR information.

13. Children

Our B2B services and corporate website are not directed at children under 16. We do not knowingly collect children's personal data without appropriate authority. Contact us to request deletion if you believe we received such data.

14. When we act as processor

When developing or operating systems for clients, we often act as a data processor, processing personal data on the client's instructions. The client's privacy notice and our Data Processing Agreement (DPA) govern that processing, including subprocessors, security, breach notification, deletion, and assistance with data subject requests.

Enterprise clients may request our subprocessor list and SCC module details during onboarding.

15. Payment and financial data

Payment pages may collect billing contact details and route card or wallet data directly to certified processors. HimoSoft minimizes retention of sensitive payment identifiers and follows PCI-DSS scope boundaries agreed in project design.

For cryptocurrency payments, blockchain addresses and transaction hashes may be visible on public ledgers — you acknowledge this technical property when choosing crypto settlement.

16. Marketing communications

We may send B2B emails about services, events, or content to business contacts on the basis of legitimate interest or consent, and we include opt-out links in each message. You may unsubscribe anytime.

We do not sell personal data for money. We do not share contact lists with unrelated third parties for their marketing without consent.

17. Changes to this policy

We may update this Privacy Policy to reflect legal, technical, or business changes. The "Last updated" date will change. Material changes may be communicated via the website or direct notice where appropriate.

Continued use after publication constitutes acknowledgment where permitted; active contracts may require notice per SOW.

18. Contact and supervisory authorities

Privacy requests: hello@himosoft.com.bd

EU/EEA complainants may contact their local supervisory authority. Example references: Ireland (DPC), Germany (state authorities), France (CNIL) — use the authority for your country of residence.

UK complainants: Information Commissioner's Office (ICO).

We encourage you to contact us first so we can address concerns promptly.