Privacy & Data Protection Policy

1. Introduction & Our Commitment

ECIC (English Club & Immigration Center) is a premier education and immigration consultancy based in Dhaka, Bangladesh. We are deeply committed to protecting your privacy and handling your personal data with the highest standards of confidentiality, transparency, and legal compliance. This Privacy Policy outlines how we collect, use, store, share, and protect your information when you interact with our website, enroll in our English courses, seek visa or immigration assistance, or use any of our banking/study abroad services.

2. Key Definitions (Under Bangladesh Laws)

• "ECIC", "We", "Us", "Our" – English Club & Immigration Center, a registered consultancy firm with RJSC, Bangladesh.
• "You", "User", "Data Subject" – Any individual accessing our services, including students, guardians, or visa applicants.
• "Personal Information" – Any data that identifies an individual: name, NID, passport, academic records, financial details, biometrics, as defined under Section 2(ha) of the ICT Act 2006.
• "Sensitive Personal Data" – Financial statements, criminal records, biometric information, and immigration history.
• "Data Processor" – Third parties like payment gateways (SSLCommerz, bKash), university portals, or embassy systems processing data on our behalf.
• "Data Controller" – ECIC determines the purposes and means of processing your data.

3. Scope & Applicability

This Privacy Policy applies to all individuals who:

• Visit our website (https://theecic.com) or any affiliated landing pages
• Enroll in IELTS, Duolingo, Spoken English, or other language courses
• Seek study abroad counseling, university admission assistance, or visa processing
• Apply for education loans, forex services, or banking solutions through our partner network
• Attend our events, webinars, or career counseling sessions

This policy does not apply to third-party websites (embassies, universities, banks) even if accessed via links on our platform.

4. Categories of Personal Information We Collect

A. Information You Provide Directly

• Full legal name, date of birth, father's/mother's name (as per NID or Passport)
• National ID (NID) or Birth Registration Number (for Bangladesh citizens)
• Passport details, travel history, and previous visa refusals (if any)
• Academic transcripts, certificates, IELTS/PTE/Duolingo/TOEFL scores
• Bank statements, solvency certificates, education loan documents, sponsorship letters
• Contact information: phone number, email address, current and permanent address
• Employment history and professional references (for work visa or migration)

B. Automatically Collected Information (via Cookies & Logs)

• IP address, device ID, browser type and version, operating system
• Geolocation data (city-level, only with your consent)
• Pages visited, time spent on each page, referral source, clickstream data
• Interaction with forms, chatbot conversations, and email engagement

C. Information from Third Parties

• Visa application status from embassies or high commissions
• University offer letters, conditional admissions, or scholarship awards
• Loan sanction letters and credit reports from partner banks
• Verification data from testing bodies (IELTS, Duolingo, etc.)

5. Legal Basis for Processing Under Bangladesh Law

We process your personal data based on one or more of the following legal grounds:

• Explicit Consent: You have given clear consent for specific purposes (e.g., marketing communications).
• Contractual Necessity: Processing is required to fulfill our service agreement (visa processing, course enrollment, admission assistance).
• Legal Obligation: Compliance with laws such as the Money Laundering Prevention Act, Income Tax Ordinance, or court orders.
• Legitimate Interests: Improving our services, fraud prevention, and network security, provided your rights do not override our interests.

6. How We Use Your Information (Purpose Specification)

• Visa & Immigration Services: Prepare and submit visa applications, schedule interviews, and communicate with embassies.
• University Admissions: Apply to partner universities, submit transcripts, and track application status.
• Course Delivery: Enroll you in IELTS, Duolingo, or spoken English classes, share learning materials, and issue certificates.
• Banking & Loan Facilitation: Share necessary documents with partner banks for education loans or forex services.
• Communication: Send service updates, promotional offers, newsletters, and policy changes (with opt-out options).
• Analytics & Improvement: Analyze website usage, track campaign effectiveness, and enhance user experience.
• Legal Compliance & Fraud Prevention: Detect and prevent fraudulent activities, comply with court orders, and assist law enforcement agencies.

7. Cookies, Web Beacons & Tracking

We use cookies and similar tracking technologies to enhance your browsing experience. Under the ICT Act 2006 (Section 54), we provide clear notice and obtain your consent for non-essential cookies.

Types of Cookies We Use:

• Essential Cookies: Required for website functionality (login, forms, security).
• Performance Cookies: Google Analytics to track traffic and user behavior (anonymized).
• Functional Cookies: Remember your preferences (language, region).
• Marketing Cookies: Used for retargeting and personalized ads (only with explicit consent).

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect website functionality. To opt out of Google Analytics, visit https://tools.google.com/dlpage/gaoptout.

8. Who We Share Your Data With

We never sell your personal information to third parties. However, we may share your data in the following circumstances:

• Embassies & High Commissions: For visa processing (Canada, USA, UK, Australia, Germany, etc.) as required by immigration authorities.
• Partner Universities & Colleges: To process applications, verify documents, and facilitate admissions.
• Banks & Financial Institutions: For education loan processing, subject to banking secrecy laws (Banking Companies Act 1991).
• Service Providers: Payment gateways (SSLCommerz, bKash, Nagad), cloud hosting, CRM platforms (all bound by data protection agreements).
• Government Agencies: If required by law, court order, or by Bangladesh Police/CID under the Digital Security Act 2018.
• With Your Explicit Consent: Any other third party you authorize us to share data with.

9. International Data Transfers

As part of our services (e.g., applying to universities abroad or visa processing), your personal data may be transferred to countries outside Bangladesh, including Canada, the USA, the UK, Australia, and European nations. We ensure that such transfers are protected by appropriate safeguards:

• Contractual clauses that enforce Bangladesh-equivalent data protection standards
• Data processing agreements with universities and embassies
• Transfer only when necessary for the performance of our services or with your explicit consent

You acknowledge that data protection laws in some recipient countries may differ from Bangladesh. We take reasonable steps to ensure your data remains secure.

10. Security Safeguards & Breach Protocol

• Encryption: 256-bit SSL/TLS encryption for all data transmitted between your browser and our servers.
• Access Controls: Role-based access, multi-factor authentication for staff, and regular security audits.
• Secure Storage: Data stored on servers with firewall protection, intrusion detection systems, and regular backups.
• Staff Training: All ECIC employees undergo mandatory training on the Digital Security Act 2018 and data privacy best practices.

However, no online transmission is 100% secure. You share your data at your own risk, and we encourage you to use strong passwords and secure networks.

11. Data Retention Period

• Student/Visa Records: 7 years after the last interaction (to comply with Income Tax Ordinance 1984 and Money Laundering Prevention Act).
• Course Enrollment Data: 5 years after course completion for certification verification purposes.
• Marketing Communications: Until you withdraw consent or unsubscribe.
• Website Analytics: Anonymized data retained for 26 months (Google Analytics).

After the retention period expires, your data will be securely deleted or anonymized. You may request early deletion, but we may retain certain records if required by ongoing legal proceedings or government investigations.

12. Your Rights Under Bangladesh Constitution & ICT Act

• Right to Access: Obtain confirmation whether we process your data and request a copy of your personal information.
• Right to Rectification: Correct inaccurate or incomplete data within 15 business days.
• Right to Erasure (Right to be Forgotten): Request deletion of your data, subject to legal or contractual retention requirements.
• Right to Withdraw Consent: Opt out of marketing communications at any time via unsubscribe link or email request.
• Right to Data Portability: Receive your data in a structured, commonly used format (CSV/PDF).
• Right to Lodge a Complaint: File a complaint with the Bangladesh Telecommunication Regulatory Commission (BTRC) or the Cyber Tribunal under the Digital Security Act 2018.

To exercise any of these rights, contact our Data Protection Officer (DPO) at dpo@theecic.com. We will respond within 30 days. Identity verification may be required.

13. Minors & Student Data Protection

Our services are primarily intended for individuals aged 16 years and above. For students under 18, we require explicit parental or legal guardian consent before collecting any personal information. We do not knowingly collect data from children under 13. If such data is inadvertently collected, it will be deleted immediately upon discovery. Parents or guardians may request access to or deletion of their child's data by contacting our DPO.

14. External Websites & Third-Party Platforms

Our website may contain links to external sites, including embassy portals, university websites, government platforms (immigration.gov.bd), or partner banks. ECIC is not responsible for the privacy practices, content, or security of these third-party sites. We encourage you to review their respective privacy policies before submitting any personal information.

15. Grievance Redressal & Complaint Process

1. Internal Complaint: Contact our Data Protection Officer at dpo@theecic.com or call +880 1766 123 456 (Ext: 109). We will acknowledge your complaint within 3 business days and aim to resolve it within 21 days.
2. Escalation to Regulatory Authority: If unsatisfied with our response, you may escalate to the Bangladesh Telecommunication Regulatory Commission (BTRC) or the Cyber Tribunal under the Digital Security Act 2018.
3. Legal Recourse: You have the right to seek judicial remedy through the courts of Dhaka, Bangladesh.

16. Governing Law & Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the People's Republic of Bangladesh. Any dispute, claim, or controversy arising out of or relating to this policy shall be subject to the exclusive jurisdiction of the courts in Dhaka, Bangladesh. Legal proceedings may be conducted in Bengali or English at our discretion.

17. Policy Updates & Notification

We may update this Privacy Policy from time to time to reflect changes in Bangladesh laws, our services, or industry best practices. The "Last updated" date at the top of this page indicates the latest revision. Material changes will be notified via:

• A prominent banner on our website for 30 days
• Email notification to registered users (if email address is available)
• Updated policy document with clear change log

Continued use of ECIC services after the effective date constitutes acceptance of the revised policy.

18. Contact Information & Data Protection Officer (DPO)

Regulatory References: ECIC is registered with the Registrar of Joint Stock Companies and Firms (RJSC), Bangladesh. For official complaints, you may also contact the Bangladesh Computer Council (BCC) under the ICT Division.

19. Your Consent & Acknowledgment

By accessing our website, submitting any forms, enrolling in courses, or using any ECIC services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. You explicitly consent to the collection, processing, storage, and transfer of your personal information as described herein. If you do not agree, please discontinue the use of our services immediately.

20. Special Note for Foreign Nationals & GDPR Applicability

If you are a citizen of the European Economic Area (EEA) or other jurisdictions with comprehensive data protection laws (e.g., GDPR), we will extend comparable protections as required by applicable law. However, the primary governing law remains the laws of Bangladesh. For GDPR-specific requests, please contact our DPO with the subject line "GDPR Request".