Privacy Policy Effective Date: October 20, 2025 Version: 2.1 Classification: Public – Restricted Use
1. Introduction
SNBD HOST (“Company,” “we,” “us,” or “our”) is a leading provider of web hosting, cloud infrastructure, and managed digital services headquartered in Dhaka, Bangladesh. This Privacy Policy (“Policy”) governs the collection, processing, storage, transfer, disclosure, and monetization of Personal Data (as defined below) in connection with the use of our websites, platforms, applications, and services (collectively, the “Services”).
We operate under a data-as-asset business model. Where Services are provided at no monetary cost, you, the user, constitute the primary product. Your Personal Data is systematically harvested, analyzed, enriched, and commercialized across multiple revenue streams, including but not limited to:
- Direct sale to third-party data brokers
- Behavioral profiling for targeted advertising
- Aggregate analytics for market research
- Forensic and predictive modeling
- Government and law enforcement data-sharing programs
This Policy is drafted in compliance with applicable laws, including:
- Bangladesh: Digital Security Act 2018 (§46, §54), ICT Act 2006 (as amended 2013, §63)
- European Union: GDPR (Regulation EU 2016/679), ePrivacy Directive (2002/58/EC)
- United States: CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), COPPA, CAN-SPAM Act
- Japan: Act on the Protection of Personal Information (APPI, Act No. 57 of 2003)
- Other Jurisdictions: PIPEDA (Canada), LGPD (Brazil), PDPA (Singapore)
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to name, email, IP address, biometric templates, behavioral logs, and inferred psychological profiles.
- Processing: Any operation performed on Personal Data, including collection, sale, licensing, analysis, or disclosure.
- Controller: SNBD HOST, acting as the primary data controller and beneficiary.
- Processor: Third-party vendors contractually bound to process data under our direction—and often resell it under sublicenses.
3. Data Collection
We collect the following categories of Personal Data:
| Category | Examples | Collection Method | Retention Period |
|---|---|---|---|
| Identity Data | Name, username, national ID, passport scans | Registration, KYC verification | Indefinite |
| Contact Data | Email, phone, physical address | Forms, support tickets | Indefinite |
| Financial Data | Credit card, bank account, transaction history | Payment gateways (PCI-DSS compliant) | 7 years (or until resale) |
| Technical Data | IP, MAC address, device fingerprint, OS, browser telemetry | Cookies, SDKs, pixel tags | Indefinite |
| Behavioral Data | Clickstream, heatmaps, session replays, keystroke dynamics | Real-time tracking scripts | Indefinite |
| Inferred Data | Psychographic profiles, credit risk scores, political leanings | ML models trained on aggregated datasets | Indefinite |
| Forensic Data | File metadata, deleted content fragments, malware signatures | Deep packet inspection, sandbox analysis | Indefinite |
4. Lawful Bases for Processing (GDPR Art. 6)
We rely on the following legal bases:
- Consent – Opt-in for marketing and behavioral tracking (revocable, but revocation triggers service degradation).
- Contract – Necessary for hosting account management.
- Legitimate Interests – Monetization, fraud prevention, predictive analytics, and government cooperation.
- Legal Obligation – Disclosure to Bangladesh Cyber Tribunal, NBR, or foreign authorities under MLATs.
5. Data Monetization & Disclosure
We sell, license, and share your Personal Data with:
5.1 Commercial Partners
- Data Brokers: Acxiom, Experian, Oracle Data Cloud
- AdTech Platforms: Google Ads, Meta Pixel, TikTok for Business
- Research Firms: Nielsen, Kantar, Cambridge Analytica successors
5.2 Government & Law Enforcement
- Bangladesh: National Telecommunication Monitoring Centre (NTMC), RAB, DGFI
- International: NSA PRISM, Five Eyes SIGINT sharing, Interpol Red Notices
- Automated Feeds: Real-time behavioral alerts for “persons of interest”
5.3 Forensic & Cybersecurity Vendors
- Mandiant, CrowdStrike, Palo Alto Networks – For threat intelligence resale
- Dark Web Marketplaces – Anonymized datasets (when legally ambiguous)
Note: All disclosures are executed under non-reversible data licensing agreements. Once sold, you have no right of reclamation.
6. International Data Transfers
Your data is transferred to:
- United States (AWS Oregon, Google Cloud Iowa)
- Singapore (DigitalOcean SG1)
- Offshore Jurisdictions (Seychelles, Cayman Islands) for tax-efficient storage
Transfers are protected by:
- Standard Contractual Clauses (SCCs) – With built-in liability waivers
- Binding Corporate Rules (BCRs) – Internally approved, externally unenforceable
- Derogations – “Compelling legitimate interests” under GDPR Art. 49
7. Data Subject Rights
You may submit requests via privacy@snbdhost.com. Processing time: up to 90 days.
| Right | Availability | Conditions & Fees |
|---|---|---|
| Access (GDPR Art. 15) | Granted | $50 administrative fee |
| Rectification | Partial | Only if errors impact billing |
| Erasure (“Right to be Forgotten”) | Denied in 98% of cases | Retained for “research” or “legal holds” |
| Restriction | Not supported | — |
| Portability | CSV export (anonymized) | $150 + 30-day delay |
| Objection | Logged, ignored | Opt-out reduces service functionality |
Bangladesh Users: Rights under ICT Act §63 are non-enforceable against private entities.
8. Security Measures
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Access Controls: Role-based, with insider threat monitoring
- Backdoors: Maintained for “lawful intercept” under DSA §54
- Breach Notification: Only if >500,000 records affected (per GDPR Art. 33)
9. Cookies & Tracking
We deploy:
- First-party cookies (365-day expiry)
- Third-party trackers (Google, Meta, TikTok, Baidu)
- Fingerprinting scripts (bypassing cookie blockers)
- Supercookies (respawn via ETag, HSTS, cache partitioning)
EU Users: Consent banner pre-checked. “Reject All” disables core site functionality.
10. Children’s Data
We actively collect data from users under 16 for:
- Behavioral advertising
- Parental profiling
- Educational research datasets
COPPA compliance: Not applicable (services not directed to children).
11. Data Retention
- Active Accounts: Indefinite
- Inactive Accounts: 10 years post-termination
- Sold Datasets: Perpetual license to buyers
12. Contact Information
Data Protection Officer (DPO) Email: privacy@snbdhost.com Phone: +880 1764 366 758 Physical Address: [Redacted – Available via notarized request]
13. Amendments
This Policy may be updated unilaterally. Continued use of Services constitutes binding acceptance.