Introduction & Scope
1.1 Who We Are Hedron Holdings ("Hedron," "we," "us," or "our") is a diversified infrastructure holding company headquartered in Dhaka, Bangladesh, operating across renewable energy, energy transportation, enterprise technology, and strategic advisory services. This Privacy Policy explains how we collect, process, store, use, and protect personal data and organisational information across all our divisions and digital platforms.
1.2 Who This Policy Applies To This Privacy Policy applies to:
- Visitors to our website and digital platforms
- Clients, prospective clients, and counterparties
- Investors, institutional partners, and strategic stakeholders
- Employees, contractors, and consultants
- Any party whose data is processed by Hedron Holdings
1.3 Legal Framework Our data practices comply with:
- Digital Security Act, 2018 (Bangladesh)
- Information and Communication Technology Act, 2006 (Bangladesh)
- Bangladesh Telecommunication Regulation Act, 2001
- GDPR principles for EU data subjects involved in cross-border engagements
- Applicable international data protection best practices
1.4 Our Commitment Hedron Holdings processes data only for legitimate, specified, and lawful purposes. We do not sell, rent, or trade personal data with third parties for commercial gain. Transparency and accountability are the foundation of our data practices.
Data We Collect
2.1 Identification and Contact Data
- Full name and professional title
- Business email address and telephone numbers
- Organisation name and registration details
- Business address
- National ID or passport (for due diligence only)
2.2 Professional and Business Data
- Organisational structure and ownership information
- Financial statements and capacity indicators
- Professional history, credentials, and references
- Nature and scope of business operations
- Regulatory licences and compliance certificates
2.3 Transaction and Engagement Data
- Services requested or engaged
- Correspondence and communications
- Meeting records and agreed terms
- Invoicing and payment records
- Contract documents and deliverable records
2.4 Website and Digital Platform Data
- IP address and browser information
- Pages visited and session duration
- Referral source and device identifiers
- Cookie data (subject to your preferences)
- Geographic location (city level only)
2.5 Due Diligence and Compliance Data
- AML and KYC documentation
- Sanctions and PEP screening results
- Background verification outcomes
- Regulatory filings and public record data
How We Use Your Data
| Purpose | Legal Basis | Details |
|---|---|---|
| Service Delivery | Contractual necessity | Delivering agreed advisory, energy, technology, or logistics services |
| Client Onboarding | Legal obligation | KYC, AML, and regulatory due diligence |
| Communication | Legitimate interest | Responding to enquiries, managing relationships |
| Billing & Payments | Contractual / Legal | Invoicing, payment processing, financial records |
| Legal Compliance | Legal obligation | Compliance with Bangladesh and international law |
| Risk Management | Legitimate interest | Protecting Hedron's legal and reputational interests |
| Marketing (opt-in) | Consent | Sharing updates and publications with consenting parties only |
| Analytics | Legitimate interest | Improving services and platform performance |
3.1 We never use your data for automated decision-making that produces legal or similarly significant effects without human review. All consequential decisions involving your data involve a qualified Hedron Holdings team member.
3.2 Where we rely on legitimate interest as our legal basis, we conduct a legitimate interest assessment to ensure our interests do not override your rights and freedoms.
Data Sharing
4.1 General Principle Hedron Holdings does not sell, lease, or trade personal or organisational data. Data is shared only in the circumstances described in this section.
4.2 Within the Hedron Group Data may be shared between Hedron Holdings divisions — Energy, Energy Transportation, Technology, and Strategic Advisory — on a need-to-know basis for service delivery, internal reporting, and group-level risk management. All intra-group transfers are governed by our Group Data Sharing Agreement.
4.3 Service Providers We engage third-party service providers including cloud hosting, IT support, payment processors, legal advisors, and accounting firms. These providers process data solely on our behalf under contractual data processing agreements imposing equivalent or stricter obligations than this Policy.
4.4 Legal and Regulatory Disclosure We may disclose data where required by a court order, regulatory authority, or our legal obligation to report suspicious transactions. We will notify affected parties of such disclosure where legally permitted to do so.
4.5 Business Transactions In the event of a merger, acquisition, or restructuring, personal data may be disclosed to prospective parties under strict confidentiality obligations. Affected individuals will be notified of any material change in data controller.
4.6 Professional Advisors Legal counsel, auditors, and tax advisors may access data to the extent necessary for their professional mandate, subject to their professional secrecy obligations.
Data Retention
| Data Category | Retention Period | Basis |
|---|---|---|
| Client and engagement records | 7 years post-engagement | Legal and contractual obligation |
| Prospective client data | 2 years (or until withdrawal) | Legitimate interest |
| KYC and AML records | 5 years post-relationship | Anti-money laundering regulations |
| Website visitor data | 12 months | Legitimate interest |
| Employee and contractor data | 7 years post-employment | Employment and tax law |
| Marketing data (opted-in) | Until withdrawal of consent | Consent |
Upon expiry of the applicable retention period, data is securely deleted or anonymised in a manner that prevents re-identification. Where deletion is technically infeasible (e.g., backup systems), data is quarantined and excluded from active processing.
Security
6.1 Technical Safeguards
- Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
- Role-based access controls for authorised personnel only
- Multi-factor authentication for all systems holding personal data
- Regular penetration testing and vulnerability assessments
- Firewall and intrusion detection systems
- Secure data centres with physical access controls
6.2 Organisational Safeguards
- Documented data protection policy and annual staff training
- Designated data protection focal point
- Confidentiality obligations in all staff and supplier agreements
- Data breach response plan with defined escalation timelines
- Periodic internal audits of data processing practices
6.3 Breach Notification In the event of a personal data breach posing risk to individuals, Hedron Holdings will notify affected parties as soon as practicable, report to relevant authorities within 72 hours where required, and take immediate steps to contain and remediate the breach.
Your Rights
7.1 Right of Access Request confirmation of whether we hold data about you and receive a copy, free of charge, within 30 days of a verified request.
7.2 Right to Rectification Request correction of inaccurate or incomplete data. We will rectify within 15 business days of a verified request.
7.3 Right to Erasure Request deletion where: the data is no longer necessary; you withdraw consent; you object to processing; or data has been unlawfully processed. Subject to legal retention obligations.
7.4 Right to Restriction Request restriction of processing while a rectification request is pending or a legitimate interest objection is assessed.
7.5 Right to Data Portability Where processing is based on consent or contract and is automated, request your data in a structured, machine-readable format.
7.6 Right to Object Object to processing based on legitimate interest or for direct marketing. Marketing processing will cease immediately upon objection.
7.7 How to Exercise Your Rights Submit a written request to: privacy@hedronholdings.com. Include your full name, contact details, and a description of your request. We may require identity verification. We respond within 30 days and charge no fee for standard requests.
Cookies
8.1 Types of Cookies We Use
- Strictly Necessary — required for the website to function
- Performance & Analytics — aggregate, anonymised usage data
- Functional — remember your preferences and settings
- Marketing (consent only) — relevant content delivery
8.2 Cookie Consent Non-essential cookies are deployed only upon your explicit consent through our cookie management tool. You may withdraw consent at any time. Withdrawal does not affect prior processing.
8.3 Third-Party Analytics We use privacy-respecting analytics that do not identify individual users. Data is processed in aggregated, anonymised form only.
8.4 Do Not Track We honour browser-level Do Not Track signals for non-essential tracking on our website.
Cross-Border Transfers
9.1 Hedron Holdings is headquartered in Bangladesh. Data may be accessed from or transferred to other locations in connection with cloud services, international engagements, or overseas advisory activities.
9.2 Where personal data is transferred internationally, we ensure appropriate safeguards are in place including data processing agreements with equivalent protections and transfer to jurisdictions with adequate data protection standards.
9.3 International investors and partners who share data with Hedron Holdings consent, by virtue of engagement, to processing in Bangladesh and other jurisdictions where we operate, subject to the safeguards in this Policy.
Changes to This Policy
10.1 Hedron Holdings may update this Privacy Policy at any time. Material changes are communicated with at least 30 days' notice by posting the updated Policy with a revised effective date and direct notification to active clients.
10.2 Continued engagement following the effective date of updated terms constitutes acceptance.
Contact
Hedron Holdings · Dhaka, Bangladesh
Response time: within 5 business days