Privacy Policy
Last updated: May 7, 2026 | Version 2.0
This policy applies to all users globally. Jurisdiction-specific rights are listed in Section 10.
SECTION 1 — ABOUT US & SCOPE
Company: SDF Clothing Ltd
Business type: International garment manufacturer and exporter
Registered address: House 125, Road 01, Baridhara DOHS, Dhaka-1212, Bangladesh
Website: https://sdfltd.com
Contact: via Contact Form only
This policy applies to all visitors and users of sdfltd.com regardless of their country of residence. SDF Clothing Ltd acts as the Data Controller for all personal information collected through this website.
SECTION 2 — INTERNATIONAL PRIVACY FRAMEWORKS WE COMPLY WITH
SDF Clothing Ltd is committed to complying with the world's leading data protection regulations. Our privacy practices are designed to meet the requirements of multiple international privacy frameworks, ensuring that your personal data is protected regardless of where you are located.
| Regulation | Jurisdiction | Who It Protects |
|---|---|---|
| GDPR (General Data Protection Regulation) | European Union | EU/EEA residents |
| UK GDPR + Data Protection Act 2018 | United Kingdom | UK residents |
| CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act) | USA — California | California residents |
| US State Privacy Laws (Virginia CDPA, Colorado CPA, Connecticut DPA, Texas DPSA) | USA — Multiple States | Residents of applicable states |
| PIPEDA (Personal Information Protection and Electronic Documents Act) | Canada | Canadian residents |
| Quebec Law 25 (Law 25 / Bill 64) | Canada — Quebec | Quebec residents |
| Australian Privacy Act 1988 + APPs (Australian Privacy Principles) | Australia | Australian residents |
| PDPA (Personal Data Protection Act) considerations | Bangladesh | Bangladeshi residents |
| POPIA (Protection of Personal Information Act) | South Africa | South African residents |
We apply the most stringent applicable standard across all jurisdictions. If you are located in a region with specific privacy rights, your rights are detailed in Section 10.
SECTION 3 — DATA CONTROLLER INFORMATION
Data Controller: SDF Clothing Ltd
Registered in: Bangladesh
Address: House 125, Road 01, Baridhara DOHS, Dhaka-1212, Bangladesh
Website: https://sdfltd.com
Data Protection enquiries: via our Contact Form at /contact
Response time: within 30 days (within 72 hours for breach notifications)
Note: SDF Clothing Ltd does not currently have a formal Data Protection Officer (DPO) requirement under GDPR Article 37, as we do not engage in large-scale systematic monitoring or process special category data as a core activity. However, all privacy enquiries are handled with the same rigour expected of a DPO-level review.
SECTION 4 — WHAT PERSONAL DATA WE COLLECT
4.1 Data You Provide Directly
- Contact form: name, email address, phone number, company name, country, message
- Sample request form: name, email, phone, company, shipping address, product specifications
- Newsletter signup: email address, name (optional)
4.2 Data Collected Automatically
- IP address and approximate geographic location (country/city level)
- Browser type and version
- Operating system
- Device type (desktop/mobile/tablet)
- Pages visited, time on page, referral source
- Date and time of visit
4.3 Cookies and Tracking Technologies
We use cookies as detailed in our full Cookie Policy at /cookies. Types include strictly necessary, analytics, and preference cookies.
4.4 Data We Do NOT Collect
- We do not collect payment card information
- We do not collect government-issued ID numbers
- We do not collect biometric data
- We do not collect sensitive personal data as defined under GDPR Article 9 (health, religion, race, political opinion, etc.)
- We do not knowingly collect data from individuals under the age of 16
SECTION 5 — LEGAL BASIS FOR PROCESSING (GDPR ARTICLE 6)
For EU/UK residents, we process personal data only on the basis of one or more of the lawful grounds specified in GDPR Article 6. Each processing activity is documented with its specific legal basis.
5.1 Legitimate Interests (Article 6(1)(f))
Used for: Website analytics, security monitoring, fraud prevention, improving our services. We conduct a Legitimate Interests Assessment (LIA) to ensure our interests do not override your fundamental rights.
5.2 Consent (Article 6(1)(a))
Used for: Non-essential cookies (analytics cookies), marketing communications. You may withdraw consent at any time via our cookie banner or by contacting us through our Contact Form.
5.3 Contractual Necessity (Article 6(1)(b))
Used for: Processing sample requests and business inquiries where a pre-contractual relationship exists.
5.4 Legal Obligation (Article 6(1)(c))
Used for: Compliance with applicable laws, responding to lawful requests from regulatory authorities, tax and record-keeping obligations.
Note for non-EU users: While GDPR Article 6 applies specifically to EU/UK users, we apply the same legal basis principles globally as best practice.
SECTION 6 — HOW WE USE YOUR DATA
- Respond to business and manufacturing enquiries → Legitimate interests / Contractual necessity
- Process sample requests and manage client relationships → Contractual necessity
- Improve website performance and user experience → Legitimate interests
- Website security, DDoS protection (via Cloudflare) → Legitimate interests
- Analytics and traffic analysis (via Google Analytics) → Consent
- Legal compliance and record-keeping → Legal obligation
- Fraud detection and prevention → Legitimate interests
We do NOT use your data for:
- Selling or renting to third parties
- Automated decision-making that produces legal effects
- Profiling for advertising purposes
- Any purpose incompatible with the original collection purpose
SECTION 7 — DATA RETENTION POLICY
| Data Type | Retention Period | Reason |
|---|---|---|
| Contact form submissions | 2 years from last contact | Business records and follow-up |
| Sample request data | 3 years | Commercial transaction records |
| Google Analytics data | 26 months | Google Analytics default retention |
| Cookie consent records | 1 year | Proof of consent (GDPR requirement) |
| Security logs (Cloudflare) | 30 days | Security incident investigation |
| Email correspondence | 3 years | Business records |
| Newsletter subscriptions | Until unsubscribed + 30 days | Consent-based |
After the retention period, data is either securely deleted or anonymized so it can no longer be linked to an individual.
SECTION 8 — DATA SHARING AND THIRD PARTIES
We do not sell, trade, or rent your personal data to any third party. We share data only in the following limited circumstances:
8.1 Service Providers (Data Processors)
| Provider | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Cloudflare Inc. (USA) | Website hosting, CDN, DDoS protection, security | IP address, request metadata | https://www.cloudflare.com/privacypolicy/ |
| Google LLC (USA) | Website analytics via Google Analytics | Anonymized usage data | https://policies.google.com/privacy |
| Web3Forms / EmailJS | Contact form processing | Name, email, message | Their respective privacy policies |
| Cloudflare Pages | Static site hosting | Server request logs | https://www.cloudflare.com/privacypolicy/ |
8.2 Legal Disclosure
We may disclose your data when required by law, court order, or lawful request from government authorities. We will notify you of such disclosures where legally permitted to do so.
8.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
SECTION 9 — INTERNATIONAL DATA TRANSFERS
Since we use Cloudflare (US-based) and Google Analytics (US-based), data may be transferred outside your country of residence.
For EU/UK users: These transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring GDPR-equivalent protection.
For Canadian users: Transfers comply with PIPEDA Schedule 1 Principle 7 (Safeguards) requirements.
For Australian users: Transfers comply with Australian Privacy Principle 8 (Cross-border disclosure of personal information).
Cloudflare and Google maintain Data Processing Agreements (DPAs) that include appropriate transfer mechanisms.
SECTION 10 — YOUR PRIVACY RIGHTS BY JURISDICTION
Your rights depend on your country of residence. All rights can be exercised by submitting a request through our Contact Form. We will respond within 30 days.
10.1 EU Residents — GDPR Rights
Under the General Data Protection Regulation (GDPR), you have the right to:
- Access: Obtain a copy of your personal data (Article 15)
- Rectification: Correct inaccurate data (Article 16)
- Erasure: Request deletion of your data — "Right to be Forgotten" (Article 17)
- Restrict Processing: Limit how we use your data (Article 18)
- Data Portability: Receive your data in a machine-readable format (Article 20)
- Object: Object to processing based on legitimate interests (Article 21)
- Not be subject to automated decision-making (Article 22)
- Lodge a complaint with your national Data Protection Authority (DPA). Find your DPA at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
10.2 UK Residents — UK GDPR + Data Protection Act 2018
You have the same rights as EU residents under UK GDPR. You may also lodge a complaint with:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Helpline: 0303 123 1113
10.3 California Residents — CCPA / CPRA Rights
Under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: What personal information we collect, use, share, or sell
- Right to Delete: Request deletion of your personal information
- Right to Correct: Correct inaccurate personal information
- Right to Opt-Out: We do not sell or share personal information for cross-context behavioral advertising
- Right to Limit Use of Sensitive Personal Information: We do not collect sensitive personal information as defined by CPRA
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
- Authorized Agent: You may designate an authorized agent to make requests on your behalf
We do not sell personal information as defined by CCPA. We do not share personal information for cross-context behavioral advertising.
To exercise CCPA rights, submit a request via our Contact Form. We will respond within 45 days (extendable by a further 45 days where necessary).
10.4 Canadian Residents — PIPEDA Rights
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25:
- Right to know why your information is collected, used, or disclosed
- Right to access your personal information
- Right to challenge the accuracy and completeness of your information
- Right to withdraw consent (with reasonable notice)
- Right to complain to the Office of the Privacy Commissioner of Canada
To exercise your rights or lodge a complaint:
Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca
Phone: 1-800-282-1376
Quebec residents have additional rights under Law 25 (Bill 64), including the right to data portability and the right to be de-indexed.
10.5 Australian Residents — Australian Privacy Act 1988
Under the Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs):
- Right to know what personal information we hold about you
- Right to access your personal information (APP 12)
- Right to correct your personal information (APP 13)
- Right to make a complaint about a breach of the APPs
If you believe we have breached the Australian Privacy Principles, you may complain to:
Office of the Australian Information Commissioner (OAIC)
Website: https://www.oaic.gov.au
Phone: 1300 363 992
10.6 Bangladesh Residents
While Bangladesh is developing its formal data protection framework, SDF Clothing Ltd — as a Bangladesh-registered company — is committed to applying international best practice standards to the handling of all personal data, regardless of the nationality of the individual concerned.
10.7 Other International Users
We apply GDPR-level protections as a baseline standard for all users globally, regardless of jurisdiction. If your country has specific data protection rights not listed above, please contact us via our Contact Form and we will honour applicable legal requirements.
SECTION 11 — CHILDREN'S PRIVACY
Our website and services are directed exclusively at business professionals in the garment and textile industry. We do not knowingly collect, process, or retain personal data from individuals under the age of 16.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately via our Contact Form and we will delete such data promptly.
This applies in compliance with:
- GDPR Article 8 (EU)
- UK GDPR Article 8 (UK)
- COPPA — Children's Online Privacy Protection Act (USA)
- PIPEDA (Canada)
- Australian Privacy Act (Australia)
SECTION 12 — SECURITY MEASURES
We implement appropriate technical and organisational measures to protect your personal data:
- SSL/TLS encryption on all data in transit (enforced HTTPS)
- Cloudflare security infrastructure including DDoS protection, Web Application Firewall (WAF), and bot management
- Access controls limiting data access to authorised personnel only
- Regular review of third-party data processors' security practices
- Secure deletion of data at end of retention period
- No storage of payment card data on our systems
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify relevant supervisory authorities within 72 hours and affected individuals without undue delay, in compliance with GDPR Article 33 and applicable law.
SECTION 13 — ENVIRONMENTAL COMMITMENT
SDF Clothing Ltd is committed to sustainable and responsible business practices:
- We engage in active tree plantation initiatives as part of our corporate environmental responsibility
- Our website is hosted exclusively on Cloudflare Pages, which is officially certified as a green host by the Green Web Foundation — running on 100% renewable energy
- Cloudflare has committed to 100% renewable energy and removing all historical carbon emissions from their network
- Every interaction with our website has a minimal carbon footprint
We believe responsible data stewardship and environmental responsibility go hand in hand — both reflect our commitment to a better future.
SECTION 14 — COOKIES
We use cookies and similar tracking technologies on our website. For a complete breakdown of every cookie we use, their purpose, and how to manage your preferences, please see our full:
You can manage your cookie preferences at any time via our cookie consent banner.
SECTION 15 — POLICY UPDATES
We may update this Privacy Policy periodically to reflect:
- Changes in applicable law or regulatory guidance
- Changes in our data processing activities
- Improvements to our privacy practices
The "Last updated" date at the top of this page indicates when the policy was last revised. For significant changes, we will place a prominent notice on our website.
We encourage you to review this policy periodically. Your continued use of our website after any changes constitutes acceptance of the updated policy.
Previous versions of this policy are available upon request via our Contact Form.
SECTION 16 — HOW TO EXERCISE YOUR RIGHTS & COMPLAINTS
16.1 Submit a Privacy Request
To exercise any of your rights listed in Section 10, or to ask any question about this policy:
→ Use our Contact Form
We will respond within 30 days. For complex requests, we may extend this by a further 30 days with notification.
We may ask you to verify your identity before processing your request to protect against unauthorised access to your data.
16.2 Supervisory Authority Complaints
You have the right to lodge a complaint directly with your relevant supervisory authority:
- EU: Your national Data Protection Authority — https://edpb.europa.eu/about-edpb/about-edpb/members_en
- UK: Information Commissioner's Office (ICO) — https://ico.org.uk
- USA (California): California Privacy Protection Agency (CPPA) — https://cppa.ca.gov
- Canada: Office of the Privacy Commissioner — https://www.priv.gc.ca
- Australia: OAIC — https://www.oaic.gov.au
We ask that you contact us first so we have the opportunity to address your concern before escalating to a supervisory authority.