Privacy Policy

Definitions

• Affiliate: Means a legal entity that controls, is controlled by, or is under common control with another legal entity, but only while that control relationship exists.
• Controller: Means any person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
• Data Subject: Means the services made available to you through our Site.
• DPL: Means the Data Protection Law Personal Data Protection Act, No. 9 of 2022 (the "Act" or "PDPA") Law of Sri Lanka.
• Personal Data: Means any information referring to an identified or identifiable natural person, i.e., a Data Subject.
• Processor: Means the entity/any person that processes Personal Data on behalf of a Controller.
• Products: Means the financial products made available to you by H2BIS and/or its Affiliates.
• Services: Means the services made available to you through our Site.

Collection of Personal Data

We collect your Personal Data through our Site when you fill in and send the information request only. Personal Data we collect may include information required to communicate with you and would generally consist of the following information:

• Your name
• Telephone number
• E-mail address

Purpose of Collecting Personal Data

We may use the information collected from you for the following purposes:

• To personalize and continually improve the Services.
• To customize your browsing experience and inform you about additional Products, Services, or promotions that may be of interest to you.

We may also email you several times after your inquiry to follow up on your interest and ensure that we have answered it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale.

How Long We Keep Your Personal Data

We keep your Personal Data only so long as we need it to provide services to you and fulfill the purposes described in this policy. This is also the case for anyone with whom we share your information and who carries out services on our behalf.

We may also retain your Personal Data after the information request is fulfilled, declined, or abandoned for as long as we require in order to comply with legal and regulatory requirements and for our legitimate business purposes. We will ordinarily retain your information for six (6) months or as otherwise required by the Personal Data Protection Act, No. 9 of 2022, Law, Rules, and Regulations.

Disclosure of Personal Data

We may share your Personal Data with our Affiliates and third parties for the purposes of providing you with Products and Services. For example, we may share your Personal Data with our Affiliates, agents, partner companies, bankers, custodians, and sub-contractors as necessary in order to provide the Services to you.

We may be obliged to disclose your Personal Data in certain circumstances for legal or regulatory reasons, including but not limited to instances where we are required to disclose the information in accordance with the laws and regulations of Sri Lanka and any other applicable regulations.

Data Security and Safety of Personal Data

We have taken appropriate steps to ensure the security of any Personal Data that we collect and hold by us, including limiting the number of people who have access to our database servers.

Your Personal Data is protected during transmission by using Secure Sockets Layer (SSL) software, which encrypts Personal Data transmitted to us. Furthermore, a 128-bit key, the most secure form of commercially available encryption, is used to ensure the security of your transactions.

Data Subject Rights Under DPL

As a Data Subject, you will have the following rights under DPL:

• The right to request access to personal data or restriction of processing or to object to processing and rectification.
• The right to erasure (i.e., the right to be forgotten).
• The right to data portability.

Processing, Storage, and Transfer of Personal Data

We will take all steps reasonably necessary to ensure your Personal Data is processed in accordance with the Data Protection Act, other applicable laws, and this Policy. By submitting your Personal Data, you agree to such transfer, storing, or processing in accordance with this Privacy Policy.

Rights Under General Data Protection Regulations (GDPR)

If you are a Data Subject in a European Union country, we are committed to fulfilling our obligations concerning the exercise of your rights under GDPR as a Data Controller or sometimes as a Data Processor as applicable.

Contact Point for Data Protection Inquiries

If you have any queries about this Privacy Policy or Data Protection provisions or need to change and modify any information previously provided to us, please contact the DPO via email or phone:

Notification of Personal Data Breaches

We will notify you as soon as practicable in the circumstances when a Personal Data Breach is likely to result in a high risk to the security of your rights.

Governing Law and Jurisdiction

The governing law of this Policy or other agreements entered with H2BIS is the Data Protection Act No. 9 of 2022, Sri Lanka.