Overview & Scope
A.J.S Group ("we", "us", "our") is committed to protecting your personal information. This Privacy Policy covers all three divisions of A.J.S Group: A.J.S Real Estate & Construction, A.J.S Foundation, and A.J.S Hospital & Diagnostic Center.
It applies to website visitors, property buyers, hospital patients, Foundation beneficiaries, employees, and business partners. By using our services you acknowledge this Policy.
This Policy complies with the Bangladesh ICT Act 2006, Digital Security Act 2018, EU GDPR principles, ISO/IEC 27001:2022, and HIPAA-aligned medical data standards. Hospital data is additionally governed by the Bangladesh Medical and Dental Council Act 2010.
Data Controller
Legal Name: A.J.S Group of Companies
Address: City Center, Munshipara Joydebpur, Gazipur-1700, Bangladesh
Data Protection Officer: privacy@ajsgroupltd.com
General Enquiries: info@ajsgroupltd.com | +880 171 776 8398
Each division of A.J.S Group processes data under this central Policy. The Hospital additionally maintains a Patient Privacy Notice for clinical data, consistent with this Policy.
Personal Data We Collect
We collect only data necessary for the specific purpose of collection. Categories vary by division:
| Category | Examples | Division |
|---|---|---|
| Identity | Full name, NID/passport, date of birth, gender | All |
| Contact | Email, phone, address, WhatsApp | All |
| Financial | Bank account, payment card, transactions, TIN | Real Estate |
| Property | Preferences, booking records, land title documents | Real Estate |
| Medical & Health | Medical history, diagnoses, lab results, prescriptions, blood type, allergies | Hospital |
| Welfare | Household income, family composition, vulnerability indicators | Foundation |
| Technical | IP address, browser, cookies, page visits | Website |
| CCTV | Footage and images at Group premises | All premises |
Health data, biometric data, and welfare vulnerability data are treated as special category data. We collect these only with your explicit consent or where legally required for medical care or humanitarian assistance.
Lawful Basis for Processing
We process your data only when we have a valid legal basis under the Digital Security Act 2018 and GDPR principles:
| Basis | When Applied |
|---|---|
| Consent | Marketing emails, newsletters, cookie analytics, medical data, Foundation enrolment |
| Contract | Property sales/leases, employment contracts, service delivery |
| Legal Obligation | Tax reporting to NBR, AML compliance, court orders, medical record-keeping |
| Vital Interests | Emergency medical treatment where consent cannot be obtained |
| Legitimate Interests | Fraud prevention, IT security, internal analytics, business communications |
| Public Interest | Foundation welfare programs, disease notification to health authorities |
Where we rely on consent, you may withdraw it at any time by emailing privacy@ajsgroupltd.com. Withdrawal does not affect the legality of prior processing.
How We Use Your Data
- Service Delivery: Property bookings, construction contracts, hospital treatment, Foundation welfare programs.
- Account Management: Identity verification, payment processing, invoicing.
- Medical Care: Patient records, care coordination, prescriptions, emergency contact.
- Legal & Regulatory Compliance: Reporting to NBR, Bangladesh Bank, BSEC, DGHS, and other authorities as required by law.
- Marketing: Sending updates about properties, health programs, Foundation events — only with explicit consent and with an easy opt-out.
- Security: CCTV monitoring, digital security, identity verification, fraud prevention.
- Improvement: Anonymised analytics to improve services and patient outcomes. No individual-level data is used without consent.
- HR: Recruitment, payroll, performance management, workplace safety.
Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We share data only as follows:
- Within A.J.S Group: Between divisions for integrated services (e.g., Foundation referrals to Hospital), under internal data sharing agreements.
- Government & Regulators: NBR, Bangladesh Bank, BSEC, DGHS, courts, law enforcement — where legally required.
- Service Providers: IT providers, payment processors (bKash, Nagad), cloud services, insurance companies — under written data processing agreements.
- Healthcare Partners: Referring doctors, laboratories, health insurers — only with your consent or where required for your medical care.
- Foundation Partners: NGOs and development organisations — only with your consent and under confidentiality agreements.
Under the Digital Security Act 2018, we may be required to disclose data to the Bangladesh Cyber Security Agency (BCSA) or law enforcement upon lawful request. We will notify you where legally permitted.
Medical & Health Data
A.J.S Hospital handles patient data as Special Category data, requiring the highest level of protection, in compliance with the Bangladesh Medical and Dental Council Act 2010 and HIPAA-aligned principles.
- Access Controls: Patient records accessible only to treating clinicians and authorised staff. All access is logged and audited quarterly.
- Retention: Adult records are kept for a minimum of 10 years after last treatment; minor records are kept until 21 years after majority.
- Consent for Disclosure: We will not share your medical information with employers, family members (except in emergencies), or insurers without your explicit written consent.
- Research: Identifiable medical data will never be used for research without your specific informed written consent. Anonymised aggregate data may support public health research.
Request your complete records at: hospital@ajsgroup.com or in person at the Hospital Patient Relations desk.
Data Retention
We retain data only as long as necessary to fulfil the purpose of collection and meet legal obligations.
| Data Type | Retention Period |
|---|---|
| Property transaction records | 12 years (Bangladesh Contract Act 1872) |
| Financial & payment records | 7 years (Income Tax Ordinance 1984) |
| Medical records — adults | 10 years after last treatment (BMDC) |
| Medical records — minors | 21 years from date of majority (BMDC) |
| Foundation beneficiary records | 5 years after last assistance (NGO Bureau) |
| Website analytics data | 26 months (rolling) |
| CCTV footage | 30 days unless flagged |
| Employee records | 7 years after employment (Labour Act 2006) |
| Enquiry / contact form data | 3 years |
At the end of the retention period, data is securely deleted or anonymised using ISO/IEC 27001 disposal standards.
Data Security
- Encryption: Data at rest encrypted with AES-256; all transmissions use TLS 1.3.
- Access Control: Role-based access controls (RBAC). All access is logged and monitored.
- Firewalls & IDS: Enterprise-grade firewalls and intrusion detection with regular third-party penetration testing.
- Backups: Encrypted daily backups with geographically separated storage, tested monthly.
- Staff Training: Mandatory annual data protection training; quarterly refreshers for HR and hospital staff.
- Breach Notification: In the event of a breach posing risk to your rights, we will notify affected individuals and relevant authorities within 72 hours, in line with GDPR Article 33 and the Digital Security Act 2018.
Contact our DPO immediately: privacy@ajsgroupltd.com or call +880 171 776 8398.
Cookies
Our website uses three categories of cookies:
- Essential Cookies: Required for the website to function — session management, security tokens. Cannot be disabled.
- Analytics Cookies (Opt-in): Help us understand how visitors use our site. Data is anonymised and aggregated.
- Marketing Cookies (Opt-in): Used to show relevant ads on third-party platforms. Only active with your explicit consent.
Manage preferences via your browser settings or our cookie consent banner. For the full list of cookies, email privacy@ajsgroupltd.com.
Your Data Protection Rights
You have the following rights under the Digital Security Act 2018 and GDPR principles. Submit requests to privacy@ajsgroupltd.com with proof of identity. We respond within 30 calendar days.
Access
Request a copy of all personal data we hold about you.
Rectification
Request correction of inaccurate or incomplete data. Updates within 14 working days.
Erasure
Request deletion where there is no compelling reason for continued processing.
Restriction
Request restriction of processing while a complaint or dispute is resolved.
Portability
Receive your data in a machine-readable format (JSON/CSV) for transfer.
Object
Object to direct marketing processing. We will cease immediately.
Automated Decisions
You will not be subject to solely automated decisions that significantly affect you without human review.
Withdraw Consent
Withdraw consent at any time. Does not affect prior lawful processing.
International Data Transfers
A.J.S Group primarily processes data within Bangladesh. Where international service providers are engaged (cloud infrastructure, diagnostic software), data may be transferred outside Bangladesh only where:
- The recipient country provides adequate data protection;
- Standard Contractual Clauses (SCCs) or equivalent safeguards are in place;
- You have given explicit informed consent; or
- The transfer is necessary to perform a contract with you.
We maintain records of all international transfers. For details, contact privacy@ajsgroup.com.
Children's Privacy
A child is defined as any person under 18 years per the Bangladesh Children Act 2013.
- Website: Our digital services are not directed at children under 13. We do not knowingly collect data from children under 13 without verifiable parental consent.
- Paediatric Care: Health data from minor patients requires parental/guardian consent, except in emergencies.
- Foundation Programs: Where programs serve minors, data is collected with full parental consent and stored with additional access restrictions.
- Underage Data Discovery: If we discover we have collected data from a child under 13 without proper consent, we will delete it promptly and notify the parent or guardian.
Third-Party Links & Services
Our website may link to third-party sites (payment gateways such as bKash and Nagad, social media, mapping services). This Policy applies only to A.J.S Group's own properties. We are not responsible for the privacy practices of third-party services and encourage you to review their own policies.
Changes to This Policy
We review and update this Policy periodically. For significant changes, we will notify registered users and patients by email at least 30 days before the change takes effect, and display a prominent notice on our website. Continued use of our services after the effective date constitutes acceptance.
Version History
Complaints
If you are dissatisfied with how we have handled your data, please first contact our DPO (details in Section 17). We acknowledge complaints within 5 working days and aim to resolve them within 30 calendar days.
If unsatisfied after our internal process, you may escalate to:
- Bangladesh: Bangladesh Cyber Security Agency (BCSA) — www.cirt.gov.bd | Bangladesh Telecommunication Regulatory Commission (BTRC) — www.btrc.gov.bd
- Medical data complaints: Bangladesh Medical and Dental Council (BMDC) — www.bmdc.org.bd
- EU residents: Your local EU Data Protection Authority at edpb.europa.eu
Contact Our Data Protection Officer
For any questions, data requests, or concerns relating to this Policy or the processing of your personal data:
Postal Address
Data Protection Officer
A.J.S Group, AJS Tower
45 Gulshan Avenue, Dhaka-1212
To protect your privacy, data subject requests require a copy of your NID, passport, or birth certificate for verification. Identity documents are used solely for this purpose and deleted immediately after.
This Policy is effective from 01 January 2025 and supersedes all previous versions. It was reviewed by our Legal & Compliance Committee and external data protection counsel.