Privacy Policy
Last Updated: 2025-10-07
Welcome to CeylonOsu (“we,” “us,” “our”). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (https://ceylonosu.com/) and use our services, including purchases via the PayHere gateway.
By using our site or making a purchase, you consent to the data practices described herein.
1. Legal Basis & Sri Lanka’s PDPA Context
- Sri Lanka’s Personal Data Protection Act, No. 9 of 2022 (PDPA) is the primary law for personal data protection in Sri Lanka.
- The PDPA imposes obligations on “data controllers” and “data processors” when processing personal data.
- As a data controller (you decide how and why personal data is processed), you must process data lawfully, fairly, transparently, and only for specified purposes.
- Data subjects (users) have certain rights under the PDPA (e.g. access, correction, erasure, object) which you must facilitate.
- In the event of a personal data breach, you may have obligations to notify the Data Protection Authority and impacted data subjects.
- Some portions of the PDPA are being phased into effect; check the latest Gazette notifications and compliance rules via the Data Protection Authority of Sri Lanka.
2. What Information We Collect
2.1 Personal Information
We collect personal data you directly provide, such as:
- Name
- Email address
- Phone number
- Billing and shipping address
- Transaction / order history
- Payment information (via PayHere)
- Any other information you submit (e.g. in contact form, feedback)
2.2 Non-Personal / Technical Information
We may also collect:
- IP address
- Device and browser type
- Operating system
- Pages visited, time spent, referring website
- Cookies and similar tracking data
3. How We Use Your Information
We use collected data for the following purposes:
- To process your orders and payments
- To communicate with you (shipping updates, support, order status)
- To send promotional materials or newsletters (if you consent)
- To improve and optimize our website and services
- To detect, prevent, and manage fraud or security issues
- To comply with legal obligations and enforce our terms
We will only use your personal data for the purposes for which it was collected, unless we reasonably determine another compatible purpose.
4. Payment & PayHere Integration
- We use PayHere as our payment gateway for handling payments securely.
- We may share necessary payment data (e.g. transaction reference, billing name) with PayHere to complete the payment process.
- We do not store full credit card numbers or CVV codes on our servers.
- PayHere maintains their own data protection and security standards; you are subject to their policy for payment data.
5. Cookies, Tracking & Analytics
- We use cookies, web beacons, and similar technologies to collect non-personal browsing information (for analytics, site performance, remembering preferences).
- You may set your browser to refuse cookies, or alert you when cookies are being used. But note: some site features may not work properly without cookies.
- We may also use third-party analytics tools (e.g. Google Analytics). These tools may collect data independently.
6. Sharing & Disclosure of Your Information
We do not sell or rent your personal data. We may share information:
- With third-party service providers (e.g. hosting, shipping, payment processors) who assist in our operations
- To comply with legal obligations, court orders, or governmental requests
- In connection with business transfers (merger, acquisition, reorganization)
- In aggregated or anonymized form (which cannot identify you)
We require that third parties to whom we disclose data treat your information securely and only use it in accordance with our instructions.
7. Data Security & Integrity
- We implement reasonable technical and organizational safeguards (encryption, access control, secure servers) to protect your data.
- While we strive to protect your personal data, no method of transmission over the internet or storage is completely secure.
- In case of a data breach, we will take prompt steps to contain damage, notify affected users if required, and notify the Data Protection Authority under PDPA rules.
8. Data Retention
We retain your personal data only for as long as needed to fulfill the purposes for which it was collected, enforce our rights, or as required by law.
After that, your information will be anonymized or securely deleted.
9. Your Rights Under PDPA & How to Exercise Them
Under the PDPA, you have the following rights (subject to lawful limitations):
- Right of Access: Request a copy of your personal data
- Right of Correction: Correct inaccurate or incomplete data
- Right of Erasure (Right to be Forgotten): Under certain conditions, ask us to delete your data
- Right to Object / Restrict Processing: You may object or request limiting certain uses
- Right to Withdraw Consent: If processing is based on consent, you can withdraw it
- Right to Data Portability: To receive your data in a commonly used machine-readable format
- Right to Lodge a Complaint: You may complain to the Data Protection Authority of Sri Lanka
To exercise any of these rights, contact us using the details in Section 13. We may ask for proof of identity before fulfilling certain requests.
10. Cross-Border Data Transfers
If your data needs to be transferred outside Sri Lanka, we will ensure that:
- The destination country provides an adequate level of data protection (as determined by the Data Protection Authority), or
- We use binding contracts or safeguards to protect your data, or
- You have provided explicit consent for the transfer
We will only transfer your data abroad in compliance with applicable law and your rights.
11. Children’s Data & Age Restrictions
- Our website is intended for adults (parents/guardians) purchasing for children.
- We do not knowingly collect personal data from children under 16 without verifiable parental consent.
- If we become aware of data collected from children without consent, we will delete it promptly.
12. Solicited Messages / Marketing Communications
- Under PDPA, sending marketing messages (calls, email, SMS) requires your explicit consent.
- Whenever we send marketing communications, we will provide an “opt-out” or unsubscribe method.
- If you withdraw consent, we will cease sending you promotional messages, unless another lawful basis exists.
13. Contact Information & Data Protection Officer (DPO)
If you have questions, requests, or complaints about your data or this policy, please contact:
CeylonOsu
Email: ceylonosu@gmail.com
Phone: +94 77 833 3264
We may appoint a Data Protection Officer (DPO) as required by PDPA. If so, we will publish their contact details above and register them with the Data Protection Authority.
14. Changes to This Privacy Policy
We may update this policy periodically to reflect changes in legal requirements, business practices, or technical improvements. We will post the revised version on our site with a new “Last Updated” date.
If changes are material, we may notify you (e.g. via email or notice on the site).
Acknowledgement & Consent
By using our site and providing personal information, you acknowledge that you have read and understood this Privacy Policy, and you consent to the collection, use, and processing of your data as described here.
