Rangpur Old Cadets' Association (ROCA)

Privacy Policy

Effective: 1 May 2025
Last updated: April 2026
Applies to: https://roca.org.bd
Legal basis: This policy is prepared in compliance with the Personal Data Protection Ordinance 2025, the Cyber Security Ordinance 2025, and Article 43 of the Constitution of Bangladesh (right to privacy).
1. Who We Are

Rangpur Old Cadets' Association (ROCA) is the alumni organisation of Cadet College Rangpur, Bangladesh. ROCA Connect is the official members-only digital platform operated by ROCA for membership management, events, communications, and organisational governance.

ROCA is the data controller for all personal data collected through this platform, as defined under the Personal Data Protection Ordinance 2025 of Bangladesh. The platform is administered by the ROCA Executive Committee under the elected President and General Secretary.

2. What Data We Collect
Identity & Membership
Data | Notes
Legal full name | Official records; shown alongside Cadet Name in profile and directory
Cadet name | Default display name across the platform
Cadet number & batch | Unique identifier; forms Member ID ROCA-{batch}-{cadet_no}
House | Omar Faruque / Titumir / Birshrestho Jahangir — visual identity only
National ID (NID) | For compliance with Ministry of Social Welfare; encrypted storage
Date of birth, gender | Age verification, birthday feature, statistical records
Marital status & family info | Event registration for accompanying family members; optional
Profile photograph | Avatar display and Life Member ID card; stored on ROCA servers
Contact Data
Data | Notes
Mobile number | OTP login, account recovery, SMS notifications
Email address | Account authentication, transactional emails
Residential address | Optional; shown in directory only if member enables it
Country of residence | Dashboard map and regional statistics
Professional & Social (Optional)
Data | Notes
Designation & organisation | Optional; directory display if opted in
LinkedIn / Facebook URLs | Optional; shown on your profile page only
Financial & Technical
Data | Notes
Transaction references | Membership dues and event payments via Payment Gateway; no card details stored
IP address, session data | Security, rate limiting, audit logs; not shared externally
Browser & device type | Error logs and compatibility improvement only
What we do not collect: ROCA Connect does not collect religious beliefs, political opinions, biometric data, health records, or criminal history. We do not use targeted advertising or user profiling for commercial purposes.
3. How We Collect Your Data
Direct Registration

When you register, you provide your name, cadet number, batch, mobile, and email. Registration requires OTP verification of both your mobile and email to confirm identity.

Profile Completion

After registration you may voluntarily add address, professional details, social links, and a profile photograph. None of these are mandatory.

Event Registration

When registering for events we collect attendee preferences, ticket type, transport and accommodation choices, and — where applicable — accompanying family member names. This is used solely for event management.

Payment Processing

Payments are processed through Payment Gateway. ROCA Connect receives only transaction confirmation references and payment status. No card number or bank account details are transmitted to or stored by ROCA Connect.

Automatic Technical Collection

Our servers automatically log your IP address, session token, and access timestamps for security purposes. This data is not shared externally.

4. Why We Use Your Data
Core Membership

Account creation and authentication (OTP, password reset, magic link); Member ID and Life Member ID card issuance; membership dues tracking; Life Membership upgrades.

Event Management

Registration, ticket generation, QR check-in at reception, payment processing, and attendance records.

Communications

Transactional SMS (OTP, event reminders, attendance confirmation) and transactional email (receipts, confirmations, account recovery). ROCA does not send marketing messages without your separate consent.

Member Directory

Your Cadet Name, batch, and house are shown in the members-only directory. Additional details are shown only if you have opted to make them visible.

Governance

Election nominations, committee assignments, batch representative records, and scholarship/welfare programme administration.

Platform Improvement

Aggregated, anonymised statistics (members by country, age distribution, batch data) used internally by the EC. This cannot identify any individual.

Legal & Security

Fraud prevention, account recovery, and compliance with lawful requests from Bangladesh regulatory or law enforcement authorities under the Cyber Security Ordinance 2025.

5. Legal Basis & Consent
Under the Personal Data Protection Ordinance 2025 of Bangladesh, ROCA processes your personal data on the basis of your freely given, specific, informed, and unambiguous consent provided at registration. You may withdraw this consent at any time.

By registering on ROCA Connect and accepting this Privacy Policy, you expressly consent to the collection and processing of your personal data as described herein, consistent with the Personal Data Protection Ordinance 2025.

In limited circumstances ROCA may process data without consent where required by Bangladesh law, court order, or lawful direction from a competent authority. We will inform you where legally permitted to do so.

Withdrawing Consent

You may withdraw your consent at any time by contacting us or submitting a Data Deletion Request through your profile settings. Upon withdrawal, ROCA will cease processing your data except as required by law. Note that withdrawal may limit or terminate your access to ROCA Connect.

6. Data Storage & Security
Where Your Data Is Stored

All personal data is stored on servers. Profile photographs, event images, and media files are stored on the ROCA Connect web server's storage. No personal data is transferred outside the ROCA web server except as listed below.

Third-Party Services
Service | Data Involved | Purpose
SSLCommerz | Payment amount, reference | Payment processing (Bangladesh)
ZeptoMail / SMTP | Email address, name | Transactional email delivery
SMS Gateway | Mobile number, OTP text | OTP and SMS notifications
Google Fonts / Icons | IP address (standard CDN) | Font and icon delivery
Security Measures

Passwords are stored using bcrypt hashing (cost factor 12) and never in plain text. All sensitive operations require OTP verification. Sessions are encrypted and rotated on login. NID data is stored encrypted. HTTPS is enforced for all connections. Admin access to member data is restricted by role-based access control and is fully audit-logged.

Data Breach Notification

In the event of a breach affecting your personal data, ROCA will notify affected members and, where required by law, relevant Bangladesh authorities within the timeframes prescribed by the Personal Data Protection Ordinance 2025.

7. Data Sharing & Disclosure
ROCA does not sell, rent, or trade your personal data to any third party for commercial purposes, under any circumstances.
Within the Association

Authorised ROCA officials (Executive Committee members with admin roles) can access member records for membership management, event administration, and governance. All access is logged in the platform's audit system.

With Service Providers

Minimal data is shared with payment processors, email and SMS providers solely to deliver the services described in this policy. These providers act as data processors under contractual obligations not to use your data for any other purpose.

Legal Requirements

ROCA may disclose your data if required by court order, lawful direction from Bangladesh government authorities, or where necessary to prevent a threat to life, health, or safety.

Member Directory

The directory is accessible only to verified, logged-in ROCA Connect members. It is not publicly accessible. Fields shown are limited to those you have chosen to make visible.

8. Data Retention

ROCA retains data only as long as necessary for its stated purpose or as required by law.

Data Category | Retention Period
Member profile data | Duration of membership + 7 years after deletion
Event registration records | 7 years from event date
Payment transaction records | 7 years (Bangladesh financial regulations)
Audit logs | 90 days rolling
OTP / session tokens | Deleted immediately on use or expiry
Profile photographs | Deleted within 30 days of account deletion request
NID data | Retained for life membership verification; deleted on account deletion
Email / SMS logs | 30 days

When retention is no longer necessary, data is deleted or anonymised so that it can no longer be associated with any individual.

9. Your Rights

Under the Personal Data Protection Ordinance 2025 of Bangladesh, you have the following rights:

Right of Access

Request a copy of all personal data ROCA holds about you.

Right to Rectification

Correct any inaccurate data in your profile at any time via profile settings.

Right to Erasure

Request deletion of your account and personal data, subject to legal retention requirements.

Right to Withdraw Consent

Withdraw your consent at any time. This may affect your access to the platform.

Right to Restrict Processing

Ask ROCA to limit how your data is used while a complaint is being resolved.

Right to Object

Object to your data being used for any purpose beyond core membership administration.

Right to Data Portability

Request a machine-readable export of your personal data held by ROCA.

Right to Complain

Lodge a complaint with the relevant Bangladesh data protection authority.

Contact us using the details below or via your profile settings. We respond within 30 days. We may request proof of identity before processing your request.

10. Cookies & Tracking
Cookie | Purpose | Duration
roca-connect-session | Keeps you authenticated while browsing | Cleared on logout
XSRF-TOKEN | Cross-site request forgery security (Laravel) | Session duration

ROCA Connect does not use analytics cookies, advertising cookies, Google Analytics, tracking pixels, or any third-party behavioural tracking. The only cookies set are strictly necessary for authentication and security. Disabling them will prevent login.

11. Children's Data

ROCA Connect is intended exclusively for alumni of Cadet College Rangpur who have completed their cadet training. All registered members are adults (18 and over). ROCA Connect does not knowingly collect personal data from children under 18. If you believe a minor has registered, contact us immediately and we will remove the account.

Family member names collected during event registration are used solely for seating and gift allocation and are not retained beyond the event record retention period.

12. Changes to This Policy

ROCA may update this Privacy Policy to reflect changes in our practices, technology, or Bangladesh law. For material changes, registered members will be notified by email and in-app notification at least 14 days before the changes take effect.

Continued use of ROCA Connect after the effective date constitutes acceptance. If you disagree, you may request account deletion before the effective date. Previous versions are available on request from the ROCA Secretariat.

Contact & Privacy Requests

For data access, correction, deletion, or privacy concerns:

Organisation: Rangpur Old Cadets' Association (ROCA)
Address: House 281/B (Ground Floor), Road 19/C, Mohakhali DOHS, Dhaka 1206, Bangladesh

Response time: within 30 days of receipt. For urgent matters please use subject line "Privacy Request — Urgent".