Privacy Policy

How DotMarq collects, uses, and protects personal data.

Effective date: [June, 1, 2026] Last updated: [May, 20, 2026]

At a glance

We’re DotMarq, a creative production studio in Dhaka. We make desktop publishing, content, websites, design, video, social media, data analysis, and dashboards for tech startups and enterprise teams from Germany to California. Privacy matters to that work, and it matters to us, so here, in plain language, is what we collect, why, and what you can do about it.

The short version: we collect what we need to talk to you, do the work you’ve hired us to do, get paid, send the occasional email if you’ve asked for one, and keep our website and accounts secure. We don’t sell your personal data. We don’t share it for cross-context behavioural advertising. We don’t profile you, and we don’t make consequential decisions about you with algorithms. When our clients give us files containing other people’s data, we treat that data as theirs, not ours, and we handle it under a separate Data Processing Agreement.

If you want to skip to a specific section, the contents below are anchored. If you want to talk to a human, write to privacy@dotmarq.com at any time.

Who we are

DotMarq (referred to in this policy as “DotMarq,” “we,” “our,” or “us”) is a creative production agency operating under the laws of the People’s Republic of Bangladesh, with its principal place of business at [Jurain, Dhaka, Bangladesh] and registered under business identification number [Registration / TIN]. Our website is dotmarq.com.

We are the data fiduciary under Bangladesh’s Personal Data Protection Ordinance, 2025, the data controller under the EU General Data Protection Regulation and the UK GDPR, and (where applicable) the business under the California Consumer Privacy Act as amended by the California Privacy Rights Act.

The two roles we play

When you visit dotmarq.com, send us a project enquiry, hire us, work with us, apply for a job, or subscribe to our newsletter, we decide why and how your personal data is used. In that case, we are the controller (or, in Bangladesh, the data fiduciary) of your personal data, and this Privacy Policy explains what we do.

When our clients send us files, accounts, or datasets to work on (for example, social-media audience exports for campaigns we manage on their behalf, CRM lists they want a newsletter built around, customer photography for a brand book, end-user analytics feeding a dashboard we’re designing, or any source files containing personal data of third parties), we act as a processor on the client’s behalf. The client remains the controller of that data. Our handling of it is governed by the Data Processing Agreement (DPA) or Master Services Agreement we sign with that client, not by this Privacy Policy. The DPA incorporates the obligations of Article 28 GDPR, the equivalent obligations of UK GDPR, the service-provider terms required by the CCPA, and sections 21–24 of Bangladesh’s PDPO 2025. A copy of our standard DPA is available on request at legal@dotmarq.com. If you are an end customer of one of our clients and want to exercise your privacy rights over data we hold on their behalf, please contact that client first; we will support them in responding promptly.

If anything in a signed DPA conflicts with this Privacy Policy for the data covered by it, the DPA prevails.

The personal data we collect

We collect only what we need. Depending on how you interact with us, the personal data we hold may include:

Identity and contact data: your name, the name of your company, your job title, your business email address, your phone number, and the postal address you give us for invoicing or shipping.

Project data: the content of your enquiries and messages, briefs, scope discussions, feedback on drafts, and files you choose to send us. Where those files contain personal data of other people (your customers, employees, talent, or subjects), see Section 2 above.

Transaction and billing data: the billing contact, billing address, payment method, currency, and transaction reference associated with our engagement. We do not store full payment-card numbers on our own systems. Card and bank data flow directly through our payment partners (Stripe, Wise, Payoneer, and the equivalent providers our clients use), each of which acts as an independent controller of the payment data they process.

Technical and usage data: your IP address, approximate location derived from it, browser type and version, operating system, device identifiers, the pages of dotmarq.com you visit, the order in which you visit them, the URL that referred you, and the timestamps of your visits. We collect this through cookies, server logs, and analytics tools described in Section 8.

Marketing data: your subscription status, the topics you’ve told us you’re interested in, the campaigns or emails you’ve opened or clicked, and any preferences you’ve set.

Applicant data: if you apply to join DotMarq or pitch as a freelancer, your CV or portfolio, work history, references, samples, and the contents of your application.

Sensitive personal data: we generally avoid collecting categories of data that Bangladeshi or European law treats as sensitive (biometric data, health data, racial or ethnic origin, religious beliefs, sexual orientation, financial-account credentials, precise geolocation, contents of private communications, genetic data, and similar). The narrow exceptions are: (i) image, voice, and likeness data inside production materials we handle as a processor under a separate client release; and (ii) bank-account or routing details you give us to receive payment, which we treat as sensitive and protect accordingly.

We do not knowingly collect personal data in the California categories §1798.140(v)(1)(C) (protected classifications), (E) (biometric information for identification), (H) (sensory data outside production assets you’ve licensed to us), or (J) (non-public education records).

How we collect it

Most of what we hold comes directly from you through dotmarq.com’s contact and project-intake forms, email, calls and video meetings, signed agreements, and the files you upload to our shared workspaces. Some of it is generated automatically when you use our website: cookies, analytics, and server logs do this in the background, and Section 8 explains what runs and when. Occasionally, we receive personal data from third parties: introducers and referral partners who put us in touch, public business directories and LinkedIn for prospect research, our payment partners (transaction confirmations), background-check or right-to-work verification services where the role requires it (with your consent), and our clients when they send us files for work.

Why we use it, and the legal basis for each use

European and UK law require us to tell you not only why we process your data, but also the legal basis we rely on for each purpose. Bangladesh’s PDPO 2025 requires the same, with consent and contract as the primary grounds. The table below maps the three together.

| What we do & why | Legal basis (EU/UK GDPR) | Legal basis (PDPO 2025) |
| --- | --- | --- |
| Reply to enquiries from dotmarq.com to answer your questions and scope possible work | Article 6(1)(b) pre-contractual steps; Article 6(1)(f) legitimate interest in responding | Contractual necessity; consent |
| Deliver projects you've hired us for to do the work and submit deliverables | Article 6(1)(b) performance of contract | Contractual necessity |
| Issue invoices, take payment, and keep accounting records | Article 6(1)(b); Article 6(1)(c) legal obligation | Contractual necessity; legal obligation |
| Send our newsletter and occasional updates | Article 6(1)(a) consent, with one-click unsubscribe in every email | Explicit consent |
| Limited B2B outreach to corporate prospects who might want our services | Article 6(1)(f) legitimate interest in commercial development, with documented balancing test | Pre-contractual steps; otherwise, explicit consent |
| Keep the website and accounts secure, prevent fraud, and debug | Article 6(1)(f) legitimate interest in security | Legal obligation; security exemption |
| Comply with court orders, regulators, and statutory record-keeping | Article 6(1)(c) | Legal obligation |
| Recruit, hire, and pay our team and freelancers | Article 6(1)(b), (c), (a) where consent is appropriate | Contractual necessity; legal obligation; explicit consent |
| Establish, exercise, or defend legal claims | Article 6(1)(f); Article 9(2)(f) for special category data | Legal claims exemption |

Where we rely on your consent, you can withdraw it at any time, as easily as you gave it, by emailing privacy@dotmarq.com or clicking unsubscribe in any marketing message. Withdrawal does not affect the lawfulness of processing before you withdrew it.

Who we share it with

We share personal data only with people and providers who need it to support the work, and only under written contracts requiring confidentiality and equivalent data-protection standards. The recipients we use fall into the following categories.

Our team and trusted freelancers working on your project, on a need-to-know basis.

Sub-processors and service providers that make DotMarq run. The current list includes Google (Google Workspace for email, documents, and storage; Google Analytics 4 with IP anonymisation and Consent Mode v2 for website measurement; we self-host fonts rather than load Google Fonts from Google’s CDN), Cloudflare (DNS, content delivery, and security for dotmarq.com), Microsoft (where clients require Microsoft 365 collaboration), Slack and Notion (internal collaboration), Figma and Adobe Creative Cloud (design files), Dropbox and WeTransfer (file transfer with clients), GitHub (code for web-development engagements), Vercel and Netlify (front-end hosting), AWS or DigitalOcean (back-end hosting where applicable), Calendly (meetings), Zoom and Google Meet (calls), Loom (recorded async updates), our newsletter platform (currently [Mailchimp / Brevo / ConvertKit]), and our payment partners Stripe, Wise, and Payoneer. Where engagements require generative-AI assistance, we may use enterprise-tier OpenAI, Anthropic, or Google Gemini APIs under contracts that prohibit our inputs from being used to train their foundation models. Our live, up-to-date sub-processor list is published at dotmarq.com/legal/subprocessors, and you can subscribe to change notifications there.

Professional advisers: auditors, lawyers, accountants, insurers, and banks are bound by professional confidentiality.

Regulators, courts, and law-enforcement agencies: where we are legally required to disclose, or where disclosure is necessary to establish, exercise, or defend legal claims. We push back on overbroad requests and only disclose what the law actually requires.

A successor entity: if DotMarq is involved in a reorganisation, merger, acquisition, or sale of assets, we will tell you before your data moves, and the successor will be bound by terms at least as protective as this policy.

We do not sell your personal data. We do not share your personal data for cross-context behavioural advertising (as that term is defined in Cal. Civ. Code §1798.140). We have not sold or shared personal data in the preceding twelve months, and we have no actual knowledge of selling or sharing the personal information of consumers under sixteen.

International data transfers

DotMarq is based in Bangladesh, which the European Commission and the UK Government have not (as of this policy’s effective date) recognised as providing an adequate level of data protection. Our team, clients, sub-processors, and cloud services sit in Bangladesh, the European Union, the United Kingdom, the United States, and elsewhere. When personal data crosses a border, we rely on the following safeguards.

EU/EEA to Bangladesh and onward. We use the European Commission’s Standard Contractual Clauses adopted on 4 June 2021 (Implementing Decision (EU) 2021/914), in Module Two (controller-to-processor) or Module Three (processor-to-processor) as appropriate, supplemented by technical measures including encryption in transit and at rest, role-based access control, pseudonymisation where feasible, and contractual measures restricting onward disclosure to public authorities. We document each transfer in a Transfer Impact Assessment that takes account of Bangladeshi law, including the Cyber Security Ordinance 2025, the surveillance provisions of the Bangladesh Telecommunication Regulation Act 2001, and the rights granted to data subjects under the PDPO 2025.

UK to Bangladesh and onward. We use the UK International Data Transfer Agreement, or the EU SCCs, together with the ICO’s UK Addendum, with a documented Transfer Risk Assessment that applies the ‘standard of protection not materially lower’ test introduced by the Data (Use and Access) Act 2025.

US to Bangladesh. We rely on contractual safeguards reflecting the service-provider requirements of the CCPA/CPRA and any client-imposed additional terms.

From Bangladesh outward. When we transfer personal data outside Bangladesh, for example, to a client’s EU-hosted CRM, to a US-incorporated SaaS, or to our own cloud storage, we comply with sections 29–30 of the PDPO 2025. Where data qualifies as ‘restricted’ under section 29(1)(d), or relates to Critical Information Infrastructure designated under the Cyber Security Ordinance 2025, we maintain at least one synchronised real-time copy within Bangladesh. Where law requires, we notify or seek the approval of the National Data Governance Authority before bulk transfers of sensitive identifiers.

A copy of any safeguard we rely on for a particular transfer is available on request to privacy@dotmarq.com.

Cookies and similar technologies

When you visit dotmarq.com, we use a small number of cookies, pixels, and similar storage mechanisms. We sort them into four categories, and we ask for your permission before using anything beyond the first.

Strictly necessary cookies keep the site working; they remember your cookie choices, keep session state, and protect against fraud and bot traffic (through Cloudflare). They run by default; the site cannot function without them, and the law does not require us to ask permission, but we tell you about them anyway. Functional cookies remember preferences like theme or language and dismissed banners. Analytics cookies (Google Analytics 4 with IP anonymisation and, where used, privacy-respecting performance tools like Plausible or Microsoft Clarity) help us count visitors and understand which work resonates. Marketing cookies (Meta Pixel and LinkedIn Insight, when active) help us measure whether DotMarq’s advertising actually reaches the people it should.

Cookies in the second, third, and fourth categories run only after you opt in through the cookie banner that appears on your first visit. The banner offers ‘Accept all,’ ‘Reject all,’ and granular per-category toggles with equal prominence. You can change or withdraw your choices at any time by clicking Cookie Preferences in the site footer. We record your choice, the time you made it, and the banner version you saw, and we keep that record for five years to evidence consent. We honour the Global Privacy Control (GPC) signal as a valid opt-out from ‘sale’ and ‘sharing’ under the CCPA. Because no industry standard exists for browser Do Not Track signals, we do not currently respond to DNT.

For a full list of cookies, their providers, purposes, durations, and the countries data flows to, see our standalone Cookie Policy at dotmarq.com/legal/cookies.

How long we keep your data

We don’t keep personal data longer than we need to. Our standard schedule is:

| Category of data | Retention period |
| --- | --- |
| Server logs | 30–90 days |
| Cookie-consent records | 5 years from collection |
| Google Analytics 4 identifiers | 14 months |
| Inbound enquiries that did not lead to engagement | 24 months from last contact, then deleted or anonymised |
| Newsletter subscribers | Until you unsubscribe, plus a permanent suppression-list entry of your email to honour your opt-out |
| Active client correspondence and project files | Duration of the engagement, plus 7 years for tax, contractual, and limitation-period purposes |
| Invoices, contracts, and payment records | 7 years |
| Unsuccessful job applications | 12 months, or 24 months with your consent for future roles |
| Employee and freelancer records | Duration of engagement, plus 6 years |
| Backups containing the above | Rotated on a 30-day cycle; live deletions applied immediately, backups overwritten on rotation |

Where the law requires us to keep something longer, tax records being the usual example, we will, and we’ll restrict access to it during that period.

How we protect your data

No system is perfectly secure, but we take security seriously and follow industry-standard practices. All traffic to dotmarq.com, our email systems, and our client portals is encrypted using TLS 1.2 or higher. Files and databases on our cloud providers are encrypted at rest using each provider’s default encryption. Access to client data is limited to the team members assigned to the project on a need-to-know basis, with unique credentials, strong passwords, and two-factor authentication. Sub-processors are subject to documented onboarding diligence and a written DPA. Team devices are protected by automatic OS updates, full-disk encryption, and anti-malware software. Every employee and freelancer signs a confidentiality agreement covering personal data. We have a written incident-response procedure and a documented breach-notification workflow.

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it, in line with Article 33 GDPR and UK GDPR. Where the breach is likely to result in a high risk, we will tell you directly, without undue delay, in plain language. We will also notify Bangladesh’s National Data Governance Authority where significant harm is likely, under section 24 of the PDPO 2025, and any other regulator the law obliges us to inform.

Your rights — Europe (EU/EEA)

If you are in the EU or EEA, the GDPR gives you the right to:
  • access the personal data we hold about you and receive a copy of it;
  • rectify inaccurate or incomplete personal data;
  • erase personal data (“right to be forgotten”), subject to legal exceptions;
  • restrict processing while we resolve a dispute about it;
  • port personal data you’ve given us to another service, in a structured, commonly used, machine-readable format, where processing is based on consent or contract and is carried out by automated means;
  • object to processing based on legitimate interests, and to object absolutely to direct marketing;
  • withdraw consent at any time, where consent is the basis we rely on;
  • not be subject to solely automated decisions producing legal or similarly significant effects; and
  • complain to a supervisory authority (see Section 20).

We respond to rights requests within one month of receipt. For complex or numerous requests, we may extend by up to two further months, and we’ll tell you within the first month if we need to.

Your rights — United Kingdom

UK GDPR rights mirror the EU rights above. In addition, from 19 June 2026, under the Data (Use and Access) Act 2025, you have a statutory right to complain directly to us about how we handle your personal data. We will acknowledge any complaint within 30 days, investigate it, and respond without undue delay. If you remain unhappy, you can escalate to the Information Commissioner’s Office (see Section 20).

Your rights — California and other US states

If you are a California resident, the CCPA (as amended by the CPRA) gives you the right to:

  • know what personal information we collect, the categories of sources, the purposes, the categories of third parties we share it with, and the specific pieces of personal information we hold about you;
  • delete personal information we have collected from you, subject to enumerated exceptions;
  • correct inaccurate personal information;
  • opt out of the sale or sharing of your personal information for cross-context behavioural advertising;
  • limit the use and disclosure of sensitive personal information for purposes beyond those permitted by Cal. Civ. Code §1798.121(a) and 11 CCR §7027(m);
  • non-discrimination for exercising your rights;
  • data portability in a readily usable format; and
  • designate an authorised agent to make a request on your behalf. We may ask the agent for proof of your written permission and may ask you to verify your identity directly with us, unless the agent has been given power of attorney under California Probate Code §§4000–4465.

We respond within 45 days, extendable once by a further 45 days where reasonably necessary, and we confirm receipt within 10 business days. Opt-out requests are processed within 15 business days and require no verification.

Because we do not sell or share personal information and do not use sensitive personal information for purposes outside §1798.121(a) and §7027(m), no ‘Do Not Sell or Share My Personal Information’ or ‘Limit the Use of My Sensitive Personal Information’ link is required. We nevertheless honour Global Privacy Control signals from California browsers as valid opt-out requests, and we display confirmation when GPC has been processed.

We do not offer financial incentives in exchange for personal information.

Equivalent rights apply if you reside in any other US state with a comprehensive privacy law in force (currently including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Indiana, Iowa, Tennessee, Kentucky, Rhode Island, and Nebraska). To exercise any of those rights, use the contact methods in Section 15 and tell us which state you reside in.

Your rights — Bangladesh

Under the Personal Data Protection Ordinance, 2025, you have the right to access your personal data, correct or complete it, withdraw consent, receive your data in a structured machine-readable format, ask for deletion, challenge solely automated decisions that affect you, and complain to the National Data Governance Authority. We will acknowledge your request and substantively respond within thirty days. Article 43 of the Constitution of the People’s Republic of Bangladesh protects the privacy of your correspondence and other communications, and we respect that right in everything we do.

How to exercise your rights

Email privacy@dotmarq.com with a short description of what you want, and the email address or other identifier that will let us find the right records. You can also write to us at the postal address in Section 21. We won’t charge a fee for a reasonable request. We may ask for enough information to confirm we’re talking to the right person, but we won’t ask for more verification than the law requires (we don’t need a copy of your passport to honour an opt-out). If we can’t action your request, for example because the law requires us to keep something, we’ll tell you why.

Children's privacy

DotMarq’s services and website are intended for businesses and the adults who run them. We do not knowingly collect personal data from anyone under sixteen, or under thirteen where US federal COPPA applies, or under eighteen where Bangladesh’s PDPO 2025 applies, without the verifiable consent of a parent or guardian. If you believe a child has provided us with personal data, write to privacy@dotmarq.com, and we will delete it promptly.

Automated decisions and profiling

We do not make decisions about you using solely automated means that would produce legal effects on you or similarly significant effects. If that ever changes, we will update this policy first, obtain a lawful basis, and tell you about your rights to human intervention, to express your view, and to contest the decision.

Third-party links

dotmarq.com sometimes links to client work, case studies, or partner sites. We don’t control those sites, and we’re not responsible for their privacy practices; their own privacy policies apply.

Changes to this policy

We review this policy at least once a year and whenever our practices change materially. When we make a change that affects how your personal data is used, we’ll update the version number and effective date at the top, post a notice on the homepage, and, for material changes, email subscribers and active clients at least thirty days before the change takes effect. Previous versions of this policy are available on request at legal@dotmarq.com.

Complaints to supervisory authorities

You have the right to complain to a regulator at any time. Talking to us first usually resolves things faster, but it isn’t required.
  • Bangladesh: National Data Governance Authority (NDGA). Appeals lie to the Appellate Tribunal under the Information and Communication Technology Act, 2006.
  • United Kingdom: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF (ico.org.uk).
  • Germany: Your competent federal or state data protection authority (BfDI or the relevant Landesdatenschutzbeauftragte). A list is maintained at bfdi.bund.de.
  • Elsewhere in the EU/EEA: Your local supervisory authority. The European Data Protection Board maintains a list at edpb.europa.eu.
  • California: The California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General (oag.ca.gov/privacy).
  • Other US states: Your state Attorney General’s office.

How to contact us

For any privacy question, request, or concern: We aim to acknowledge every privacy email within three working days and to give you a substantive response well within the statutory deadlines.