Privacy Policy

This Privacy Policy explains how Council for Policy Review (“Organization,” “we,” “us,” or “our”) collects, uses, stores, shares, protects, and otherwise processes personal data when you visit our website, subscribe to our communications, register for events, apply for opportunities, make submissions, donate, or otherwise interact with us.

This Privacy Policy is intended to support compliance with applicable law in Bangladesh and, where relevant, other applicable data protection requirements that may arise because of the location of users, partners, funders, collaborators, service providers, or activities.

1. Scope of This Policy

This Privacy Policy applies to personal data collected through:

• our website and related digital platforms;
• mailing lists, newsletters, and subscription forms;
• event registrations and attendance;
• fellowship, internship, employment, collaboration, publication, grant, or research opportunity applications;
• donations, fees, and payment-related interactions;
• correspondence by email, telephone, social media, or webform; and
• other online or offline interactions linked to the Organization’s institutional activities.

This Privacy Policy does not necessarily apply where a separate privacy notice, research participant notice, employment notice, donor notice, event notice, or contract-specific data clause is provided. In that case, the separate notice shall apply to the extent of any inconsistency.

2. Data Controller and Contact

The data controller for the purposes of this Privacy Policy is:

Council for Policy Review

contact@cfpreview.org

3. Categories of Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

3.1 Identity and Contact Data

Name, title, gender where voluntarily provided, institutional affiliation, designation, postal address, email address, telephone number, country, and related contact details.

3.2 Account and Access Data

Usernames, passwords, account credentials, subscription status, account settings, and login-related records where account functionality exists.

3.3 Technical and Usage Data

IP address, browser type, operating system, device information, language preferences, access times, pages viewed, links clicked, approximate location inferred from IP, referral source, and related analytics or log information.

3.4 Communication Data

Records of emails, messages, inquiries, meeting requests, feedback, complaints, support requests, event questions, survey responses, and similar communications.

3.5 Application and Professional Data

Information contained in CVs, resumes, cover letters, academic history, writing samples, references, recommendations, biographical details, employer information, statements of interest, and other application or submission materials.

3.6 Event and Participation Data

Registration details, attendance records, participant lists, accessibility requirements you choose to disclose, dietary preferences you choose to disclose, and records associated with public or restricted events, including recordings, transcripts, photographs, or chat logs where applicable.

3.7 Payment and Donation Data

Billing name, billing address, transaction details, donation history, payment confirmations, and limited payment metadata. Full card or banking information should ordinarily be processed directly by our payment service providers rather than stored by us, except where necessary and lawful.

3.8 Preference and Outreach Data

Subscription preferences, topic interests, communication choices, consent records, and opt-out records.

3.9 Research and Survey Data

Information you choose to provide in surveys, consultations, interviews, questionnaires, or research participation forms. Where data is collected for specific research activity, additional notices, ethical approvals, or consent forms may apply.

4. How We Collect Personal Data

We collect personal data:

• directly from you when you complete forms, subscribe, register, donate, apply, correspond with us, or otherwise provide information;
• automatically through cookies, analytics technologies, server logs, and similar tools when you use the website; and
• from third parties where lawful, such as co-hosts, references, funders, event partners, mailing platforms, recruitment sources, payment providers, or publicly available sources.

5. Purposes of Processing

We may process personal data for the following purposes:

• to operate, maintain, administer, and improve the website and our systems;
• to provide publications, newsletters, alerts, briefings, and other requested communications;
• to register and manage participation in events, workshops, webinars, and public programs;
• to assess and process applications, proposals, submissions, and inquiries;
• to administer research collaborations, institutional partnerships, and contributor arrangements;
• to manage donations, grants, subscriptions, fees, invoicing, accounting, and financial reporting;
• to respond to questions, requests, complaints, and support needs;
• to conduct analytics, impact measurement, internal reporting, and performance review;
• to preserve institutional records and archives;
• to detect, prevent, and investigate fraud, misuse, cyber threats, or unlawful conduct;
• to comply with legal, regulatory, tax, audit, governance, and safeguarding obligations; and
• to establish, exercise, or defend legal claims.

6. Legal Bases for Processing

Where applicable law requires a lawful basis, we may process personal data on one or more of the following grounds:

• your consent;
• performance of a contract or taking steps at your request before entering into a contract;
• compliance with a legal obligation;
• our legitimate interests in operating, funding, administering, securing, and developing the Organization and its activities, provided those interests are not overridden by your rights; and
• lawful research, archival, public-interest, institutional, or publication-related purposes where permitted.

7. Cookies and Similar Technologies

We may use cookies, pixels, tags, local storage, and similar technologies to:

• ensure the website functions properly;
• remember preferences and settings;
• analyze traffic and usage patterns;
• improve content, performance, and security; and
• measure the effectiveness of outreach or communications, where used.

You can manage cookies through your browser settings and, where available, through our cookie management tool. Blocking certain cookies may affect functionality.

8. Marketing and Communications

Where lawful, we may send newsletters, event invitations, publication alerts, donation appeals, or institutional updates. You may opt out of marketing communications at any time by using the unsubscribe link provided or by contacting us.

We may still send essential non-marketing communications concerning applications, transactions, event logistics, legal notices, or administrative matters.

9. Sharing and Disclosure of Personal Data

We do not sell personal data.

We may share personal data with:

• service providers that host, secure, maintain, or support our website, databases, cloud storage, communications, analytics, CRM, or IT systems;
• payment processors, banks, or financial service providers involved in donations, fees, or transactions;
• event venues, webinar providers, co-hosts, speakers, or administrative partners where reasonably necessary to run events or programs;
• reviewers, editors, evaluators, referees, interview panels, committees, or assessors where needed for applications, publications, grants, or selections;
• professional advisers such as lawyers, auditors, accountants, insurers, and consultants;
• funders, donors, or reporting partners where disclosure is lawful, proportionate, and reasonably necessary;
• regulators, courts, tribunals, law enforcement agencies, governmental authorities, or competent bodies where disclosure is required or reasonably necessary under law; and
• successor entities, restructuring counterparties, or transferees in connection with a merger, reorganization, transfer, or institutional restructuring.

Where we use service providers, we expect them to process personal data only for authorized purposes and with appropriate confidentiality and security safeguards. The conduct of independent third party service providers shall not make Council for Policy Review liable in any way.

10. International Transfers

Because our work may involve international collaboration, publishing, funding, cloud services, and participation, personal data may be processed, stored, or accessed outside Bangladesh.

Where cross-border transfers occur, we will take reasonable steps to ensure that personal data is handled with an appropriate level of protection consistent with applicable legal requirements and the nature of the data.

11. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including for operational, institutional, archival, financial, legal, audit, security, dispute-resolution, and compliance reasons.

Retention periods may vary by category, including but not limited to:

• newsletter data may be retained until you unsubscribe and for a limited period thereafter to maintain suppression records;
• event records may be retained for administration, reporting, audits, and institutional history;
• application materials may be retained for a reasonable period after the relevant process closes, including for follow-up and defense of claims;
• accounting and transaction records may be retained as required by law and good governance practice; and
• technical logs may be retained as reasonably needed for security, troubleshooting, and compliance.

When data is no longer required, we may delete, anonymize, aggregate, or securely archive it.

12. Data Security

We take reasonable technical, administrative, and organizational measures to protect personal data against unauthorized access, alteration, disclosure, destruction, accidental loss, or misuse.

These measures may include role-based access, strong passwords, access controls, vendor due diligence, secure hosting, encrypted transmission where appropriate, record management measures, and staff or contractor confidentiality obligations.

No method of transmission over the internet or method of storage is completely secure. Accordingly, we cannot guarantee absolute security.

13. Personal Data Breaches

Where we become aware of a personal data breach affecting data under our control, we will assess the nature and scope of the incident and take steps reasonably necessary to contain, investigate, mitigate, document, and respond to it.

Where notification is required by applicable law, regulation, contractual obligation, or material risk considerations, we may notify affected individuals, counterparties, or competent authorities as appropriate.

14. Public Events, Recordings, and Publications

If you attend a public event, webinar, launch, conference, or media-facing program organized by us, your name, affiliation, image, voice, submitted question, or chat content may be visible to speakers, attendees, partners, or the public and may be recorded, streamed, summarized, quoted, photographed, or archived by us, unless the event is specifically designated otherwise.

For confidential, off-the-record, or restricted events, the applicable event-specific notice or participation rules shall govern.

15. Research-Specific Data Collection

Where personal data is collected as part of a research study, interview series, fieldwork exercise, survey project, policy consultation, or similar research activity, we may issue a separate participant information sheet, consent form, confidentiality notice, or ethics statement.

In case of conflict between this website policy and a project-specific research notice, the project-specific notice shall prevail for that activity.

16. Sensitive or Special Data

You should not submit sensitive personal data through general website forms unless specifically requested and reasonably necessary.

Where our work requires the collection of sensitive or higher-risk data, we will apply additional controls appropriate to the context, sensitivity, purpose, and applicable law.

17. Your Rights and Choices

Subject to applicable law, you may have rights to:

• request access to personal data we hold about you;
• request correction of inaccurate or incomplete data;
• request deletion of data in appropriate circumstances;
• object to or request restriction of certain processing;
• withdraw consent where processing relies on consent;
• request a copy of certain data you have provided to us, where applicable; and
• opt out of direct marketing communications.

These rights are not absolute and may be limited by law, privilege, freedom of expression considerations, archival obligations, research exemptions, security needs, contractual requirements, or overriding legitimate grounds.

To make a request, contact us at contact@crpreview.org.

18. Children

Our website and general services are not directed primarily to children. We do not knowingly collect personal data from children through the website in a manner inconsistent with applicable law.

If you believe a child has provided personal data to us inappropriately, please contact us so that we can review the matter.

19. Third-Party Websites

Our website may contain links to third-party websites or services. We are not responsible for the privacy, content, security, or data handling practices of any third party. You should review the privacy policies of those third parties separately.

20. Changes to This Privacy Policy

We may revise this Privacy Policy from time to time. The updated version will be posted on this page with a revised effective date. Where appropriate, we may provide additional notice of material changes.

21. Contact and Complaints

If you have questions, concerns, or requests relating to this Privacy Policy or our handling of personal data, contact:

Council for Policy Review

contact@cfpreview.org

If applicable law gives you the right to lodge a complaint with a regulator or competent authority, you may do so.