RenovaLabs
Privacy Policy

Plain-language privacy for serious engineering work.

This policy explains what information RenovaLabs collects, why we collect it, how we use it, and the rights you hold over it.

Effective 13 May 2026
01

Who We Are

RenovaLabs ("we", "us", "our") is a cloud-native modernization and enterprise architecture firm incorporated and headquartered at Level 5, House 18, Road 1/A, Block J, Baridhara, Dhaka 1212, Bangladesh, with an operational presence in Singapore.

RenovaLabs is the data controller for personal information collected through our website (renovalabs.com), our inquiry and contact forms, and our professional engagement processes. Questions regarding this policy may be directed to us at the address in Section 10.

02

Data We Collect

We collect only what is necessary for the stated purpose. The categories are:

Category | Examples | Source
Identity & Contact | Full name, job title, company name, email address, phone number | Provided directly via contact form or session booking
Engagement Context | Technology challenges described, system descriptions, preferred contact method | Provided directly via contact form or discovery sessions
Technical Access Data | System architecture documents, codebases, infrastructure configurations shared during paid discovery or delivery engagements | Provided directly by client organisations under a signed SOW
Usage & Analytics | Pages visited, referral source, browser type, session duration, IP address (anonymised) | Automatically collected via cookies and analytics tools
Communications | Email threads, meeting notes, session recordings where consent is given | Generated through ongoing client correspondence

We do not collect sensitive categories of personal data, including health, biometric, financial account credentials, or government identification numbers, through our website or standard engagement processes.

03

How We Use Your Data

Every data point we hold serves a defined purpose. We do not sell personal data. We do not use it for advertising. The purposes are:

  • To respond to enquiries submitted via our contact form or calendar booking, and to schedule the requested 30-minute technical session.
  • To scope, deliver, and manage modernization engagements under signed Statements of Work (SOW).
  • To perform free 2-day security assessments, including penetration testing and gap analysis, on systems explicitly made available to us by the client organisation.
  • To send you project updates, milestone reports, and sprint review summaries relevant to your active engagement.
  • To fulfil our legal obligations, including compliance with Bangladesh PDPO 2025 requirements, applicable tax regulations, and contractual obligations.
  • To improve our website and service delivery through anonymised analytics data.
  • To contact you about new services or capabilities only where you have provided explicit consent or where a legitimate interest applies, and always with an opt-out mechanism.

05

Data Sharing

We do not sell, rent, or trade personal data. We share data only in the following circumstances:

  • Service Providers. We engage third-party tools for project management, analytics, cloud hosting, and communication. These processors access data only as necessary to perform their functions and are bound by data processing agreements.
  • Professional Advisors. Lawyers, accountants, and auditors acting under duties of confidentiality, where required by regulatory or legal process.
  • Legal Requirements. Where we are required to disclose information by applicable law, court order, or regulatory authority, we will comply and, where legally permitted, notify the affected party.
  • Business Transfers. In the event of a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction. Affected parties will be notified in advance.

Client technical data, including codebases, architecture documents, and infrastructure configurations shared under an SOW, is never disclosed to any third party outside the delivery team assigned to that engagement, except where required by law.

06

International Data Transfers

RenovaLabs operates from Bangladesh with a presence in Singapore. If you are located in another jurisdiction, your personal data may be transferred to and processed in Bangladesh and/or Singapore.

Where such transfers involve personal data originating in regions with transfer restrictions, for example data governed by GDPR, we rely on appropriate safeguards including Standard Contractual Clauses or equivalent mechanisms to ensure an adequate level of protection is maintained.

We do not transfer client technical data outside the engagement team without explicit written authorisation from the client.

07

Retention

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law.

Data Type | Retention Period
Enquiry and contact form submissions (non-client) | 12 months from last contact, then deleted
Engagement records (SOW, deliverables, communications) | 7 years from engagement close (legal / audit obligation)
Client technical data (codebases, architecture docs) | Returned or destroyed within 30 days of engagement close, per SOW terms
Security assessment findings (penetration test reports) | Held for the duration of the engagement only, then returned or destroyed
Website analytics data | 26 months (anonymised); not linked to individuals
Financial records | 7 years (Bangladesh fiscal compliance)

After the applicable retention period, data is securely deleted or anonymised so that it can no longer be linked to an individual.

08

Your Rights

Depending on your jurisdiction and applicable law, including the Bangladesh Personal Data Protection Ordinance 2025, GDPR, PDPA Singapore, or equivalent, you may hold some or all of the following rights in relation to your personal data:

  • Access. The right to request a copy of the personal data we hold about you.
  • Rectification. The right to have inaccurate or incomplete data corrected.
  • Erasure. The right to request deletion of your personal data, subject to legal retention obligations.
  • Restriction. The right to request that we limit processing of your data in certain circumstances.
  • Portability. The right to receive your data in a structured, machine-readable format where technically feasible.
  • Objection. The right to object to processing based on legitimate interests, including direct marketing. Marketing opt-outs are honoured immediately.
  • Withdraw Consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Lodge a Complaint. You have the right to lodge a complaint with your national or regional data protection authority if you believe your rights have been violated.

To exercise any of these rights, contact us at the details in Section 10. We will respond within 30 days. We do not charge a fee for exercising your rights and will only request information necessary to verify your identity.

09

Security

Security is our core business. We apply the same rigour we bring to client engagements to the protection of data we hold internally. Our technical and organisational measures include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest across all systems holding personal or client data.
  • Access controls and least-privilege principles. Only authorised team members assigned to a specific engagement access client technical data.
  • Multi-factor authentication on all internal systems and third-party platforms used in delivery.
  • Secure code repositories with audit logging and access reviews.
  • Regular internal security reviews, including the same penetration testing and SAST/DAST methodologies we apply to client systems.
  • Incident response procedures. In the event of a data breach affecting personal data, we will notify affected individuals and relevant authorities within the timeframes required by applicable law.

No data transmission over the internet is completely secure. However, we apply industry best practices to minimise risk and respond swiftly to incidents.

10

Contact Us

For any questions about this policy, to exercise your rights, or to raise a concern about how your data is handled, contact us through any of the following:

Office Address
Level 5, House 18, Road 1/A, Block J
Baridhara, Dhaka 1212, Bangladesh
Phone
Bangladesh Operations: +880 1711-080215
Singapore APAC Enquiries: +65 8411 6484

This policy was last reviewed and updated on 13 May 2026. We may update it from time to time to reflect changes in our practices or legal obligations. Substantive changes will be communicated to active clients directly. The current version is always published on our website.