Privacy Framework

Privacy Policy

How NOÉTIC Studio collects, processes, protects, and governs your personal data — designed for full GDPR and CCPA compliance across all international engagements.

Effective Date: April 22, 2026  ·  Last Updated: Jun 1, 2026

Section 01

Introduction & Data Controller

This Privacy Policy describes how NOÉTIC Studio ("the Agency," "we," "us," or "our"), a creative intelligence agency registered in Bangladesh, collects, uses, stores, and protects your personal information when you engage our services, visit our website (noeticstudio.net), or communicate with us. NOÉTIC Studio is the data controller responsible for your personal data. We are committed to protecting the privacy and security of all individuals whose data we process — including clients, prospective clients, website visitors, and business contacts.

This policy is designed to comply with:
• The General Data Protection Regulation (GDPR) — for individuals in the EEA and the United Kingdom
• The California Consumer Privacy Act (CCPA) — for California residents
• The Information and Communication Technology Act, 2006 of Bangladesh
• Applicable international data protection standards for B2B digital services

Section 02

Information We Collect

We collect and process the following categories of personal data:

a) Information You Provide Directly:
• Contact information: name, email address, phone number, company name
• Project briefs: brand details, creative direction, content, and assets shared for project purposes
• Communication records: emails, messages, call notes, and feedback exchanged during engagements
• Business information: company registration details, billing addresses, and tax identification numbers

b) Information Collected Automatically:
• Website analytics: pages visited, time on site, referral source, device type, browser type, and IP address
• Cookies: essential functionality cookies and optional analytics cookies (see Section 08)

c) Information from Third Parties:
• Payment data: transaction records, payment status, and invoicing information via Paddle.com
• Referral information: contact details provided by mutual contacts with your consent

We do NOT collect sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, biometric data, health data), nor do we access payment card details — all payment information is processed exclusively by Paddle.com.

Section 03

How We Use Your Data

We process your personal data for the following purposes and under corresponding legal bases:

a) Contract Performance (GDPR Art. 6(1)(b)):
• Delivering creative and digital services as outlined in your Project Agreement
• Managing project communications, feedback cycles, and deliverable transfers
• Processing milestone payments through our payment processor

b) Legitimate Interests (GDPR Art. 6(1)(f)):
• Responding to inquiries and providing quotations
• Improving our services, website, and client experience
• Portfolio showcase and case study creation (with your consent or as permitted under our Terms)

c) Legal Obligation (GDPR Art. 6(1)(c)):
• Maintaining financial records for tax and regulatory compliance

d) Consent (GDPR Art. 6(1)(a)):
• Sending marketing communications or newsletters (opt-in only)
• Using optional analytics cookies on our website

We will never sell, rent, or trade your personal data to third parties for their marketing purposes.

Section 04

Payment Data & Paddle

All payments for NOÉTIC Studio services are processed through Paddle.com ("Paddle"), which acts as our Merchant of Record. When you make a payment:
• Your payment information is collected and processed exclusively by Paddle
• NOÉTIC Studio does NOT store, access, or process your payment card details
• Paddle is PCI DSS Level 1 compliant, the highest level of payment security certification
• Paddle handles sales tax, VAT, and GST calculation and remittance

Paddle processes your data in accordance with its own Privacy Policy at paddle.com/privacy. Transaction records (amount, date, invoice number, payment status) are shared with NOÉTIC Studio for accounting and project management purposes only.

Section 05

Data Sharing & Third Parties

We may share your personal data with the following recipients, only to the extent necessary:
• Paddle.com — for processing payments, issuing invoices, and handling tax compliance
• Vercel — website hosting and deployment
• Supabase — secure database hosting for project and contact management
• Email service providers — for transactional and project-related communications
• Legal counsel, accountants, and auditors — under confidentiality obligations
• Government authorities or regulatory bodies — when required by law

All third-party service providers are contractually obligated to process your data securely and in compliance with applicable data protection laws. We do NOT share your data with advertising networks, data brokers, or social media platforms for tracking or targeting purposes.

Section 06

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:
• Active client data: Retained for the duration of the project plus three (3) years after completion.
• Inquiry and quotation data: Retained for twelve (12) months from last contact. If no engagement results, data is securely deleted.
• Financial and tax records: Retained for seven (7) years in compliance with Bangladesh tax regulations.
• Website analytics data: Retained in aggregated, anonymized form. Individual session data purged within ninety (90) days.
• Marketing consent records: Retained until consent is withdrawn.

Upon expiration, personal data is securely deleted or anonymized beyond recovery.

Section 07

Your Rights

GDPR Rights (EEA & UK Residents):
• Right of Access — request a copy of your personal data
• Right to Rectification — correct inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten") — request deletion of your data
• Right to Restrict Processing — limit how we use your data
• Right to Data Portability — receive your data in a structured, machine-readable format
• Right to Object — object to processing based on legitimate interests
• Right to Withdraw Consent — withdraw consent for consent-based processing

CCPA Rights (California Residents):
• Right to Know — what personal information we collect, use, and disclose
• Right to Delete — request deletion of your personal information
• Right to Opt-Out — opt out of the "sale" of personal information (note: we do not sell personal data)

To exercise any of these rights, contact us at [email protected] with the subject "Data Rights Request — [Your Name]". We will respond within thirty (30) days (GDPR) or forty-five (45) days (CCPA).

Section 08

Cookies & Tracking

Our website uses a minimal, privacy-respecting approach to cookies:

Essential Cookies:
• Required for basic site functionality (session management, security)
• Cannot be disabled as they are necessary for the website to operate

Analytics Cookies (Optional):
• Used to understand how visitors interact with our site
• No personally identifiable information is stored in analytics cookies
• You can opt out of analytics cookies at any time

We do NOT use:
• Third-party advertising cookies
• Social media tracking pixels
• Cross-site tracking technologies
• Fingerprinting or invasive identification methods

Your browser settings allow you to manage and delete cookies at any time.

Section 09

International Data Transfers

As a globally operating agency based in Bangladesh, your personal data may be transferred to and processed in countries outside your jurisdiction. We ensure all international transfers are protected by:
• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
• Adequacy decisions where applicable
• Contractual obligations with all sub-processors ensuring equivalent levels of data protection
• Encryption in transit (TLS 1.2+) and at rest for all stored data

Our primary infrastructure providers (Vercel, Supabase) maintain SOC 2 Type II certifications and process data in accordance with GDPR requirements.

Section 10

Data Security

We implement robust technical and organizational measures to protect your personal data:
• Encryption: All data in transit is protected via TLS 1.2+ encryption. Data at rest is encrypted using AES-256 standards.
• Access Controls: Personal data access is restricted to authorized personnel on a need-to-know basis.
• Infrastructure Security: Our hosting and database providers maintain SOC 2 Type II compliance and undergo regular security audits.
• Incident Response: In the event of a data breach, we will notify you and the relevant supervisory authority within seventy-two (72) hours as required by GDPR.

While we take all reasonable precautions, no method of data transmission or storage is 100% secure.

Section 11

Children's Privacy

NOÉTIC Studio's services are designed for business-to-business (B2B) engagements. We do not knowingly collect, process, or solicit personal data from individuals under the age of 16. If we become aware that we have inadvertently collected personal data from a minor, we will take immediate steps to delete that information. If you believe a minor has provided us with personal data, please contact us immediately at [email protected].

Section 12

Changes & Contact Information

NOÉTIC Studio reserves the right to update this Privacy Policy at any time. Material changes will be communicated via prominent notice on our website and direct email notification to active clients.

For all privacy-related inquiries, data access requests, or concerns:
• Email: [email protected]
• Subject Line: "Privacy Inquiry"
• WhatsApp: +8801755831289
• Response Time: Within 24–48 business hours

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.