ANUSHKA DAHANAYAKE (PVT) LTD

Data Protection & Governance Policy

This policy describes how we govern, store, secure, and retain personal and business data in compliance with Sri Lankan and international standards.

Last updated: 24 May 2026

Registered entity: ANUSHKA DAHANAYAKE (PVT) LTD (PV 00303673) is a Private Company With Limited Liability incorporated on 24 June 2024 in Colombo, Sri Lanka under the Companies Act No. 7 of 2007.

Company number: PV 00303673

All software, source code, designs, user interfaces, content, branding, documentation, and related materials on this platform are the exclusive intellectual property of ANUSHKA DAHANAYAKE (PVT) LTD, unless expressly stated otherwise.

Protected under the Intellectual Property Act No. 36 of 2003 of the Democratic Socialist Republic of Sri Lanka, as amended by subsequent legislation including Acts No. 7 of 2018, No. 8 of 2021, and No. 8 of 2022, and other applicable intellectual property laws.

Personal data is processed in accordance with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka and, where applicable, recognised international data protection standards including the EU General Data Protection Regulation (GDPR) for visitors from the European Economic Area.

1. Purpose & Scope

This policy applies to all personal and business data processed by ANUSHKA DAHANAYAKE (PVT) LTD through its website, platform, dashboards, databases, email systems, payment integrations, and client service delivery.

2. Regulatory Compliance

  • Personal Data Protection Act No. 9 of 2022 — primary data protection law in Sri Lanka
  • Electronic Transactions Act No. 19 of 2006 — electronic records and transactions
  • Companies Act No. 7 of 2007 — corporate governance obligations
  • GDPR — applied to EEA data subjects where relevant
  • Industry best practices for cloud security and privacy by design

3. Data Governance Structure

  • Data Controller: ANUSHKA DAHANAYAKE (PVT) LTD
  • Responsible person: Anushka Dahanayake (Founder / Managing Director)
  • Privacy contact: [email protected]
  • Legal contact: [email protected]

We maintain internal practices for data classification, access control, incident response, and processor management appropriate to our size and operations.

4. Data Storage & Location

Personal and business data may be stored in:

  • MySQL/MariaDB databases (Hostinger Cloud Professional)
  • Application logs and server infrastructure
  • Third-party processor systems (payments, email, analytics)
  • Secure backups for disaster recovery

Primary hosting is on the infrastructure named above, selected for reliability and security. Where data leaves Sri Lanka (for example to a third-party processor hosted abroad), the transfer is made under the safeguards described in our Privacy Policy.

5. Data Categories & Retention

  • Lead & contact inquiries: retained while active and up to 3 years thereafter unless longer required by law
  • Client account data: retained for duration of relationship plus statutory limitation periods
  • Invoices & payment records: retained for a minimum of 6–7 years for tax and audit compliance
  • Analytics data: aggregated/retained per provider settings, typically 14–26 months
  • Email logs: retained up to 2 years for operational and legal purposes
  • Authentication logs: retained up to 12 months for security monitoring

Data is deleted or anonymised when no longer required, subject to legal hold obligations.

6. Security Measures

  • TLS (HTTPS) encryption for all data in transit between browsers and the platform
  • Role-based access control with two roles (ADMIN / CLIENT); clients can only reach their own data
  • Passwords stored only as salted hashes, never in plaintext; session management via NextAuth
  • Secrets and database credentials held in environment variables, not in source code or the repository
  • Cloudflare DDoS protection and WAF where configured
  • Regular dependency updates and security monitoring
  • Least-privilege access to production systems

7. Data Subject Rights (PDPA & International)

We honour data subject rights under the Personal Data Protection Act No. 9 of 2022, including access, correction, erasure, restriction, and objection where applicable. EEA users may additionally exercise GDPR rights including portability and complaint to a supervisory authority.

Requests: [email protected]. Identity verification may be required before fulfilling requests.

8. Data Breach Response

In the event of a personal data breach likely to result in a risk to your rights, we will investigate promptly, contain and mitigate the harm, and notify affected individuals and the relevant authorities within the timeframes required by the Personal Data Protection Act No. 9 of 2022 and applicable international law.

9. Third-Party Processors

We assess processors for security and privacy before engagement. Current categories include hosting, CDN, payments, email, and analytics. A list of processor categories is available on request.

10. Employee & Contractor Access

Access to personal data is limited to authorised personnel and contractors under confidentiality obligations and only for legitimate business purposes.

11. Privacy by Design

We integrate data minimisation, purpose limitation, and security considerations into platform architecture — collecting only data necessary for stated purposes and protecting it throughout its lifecycle.

12. Policy Review

This policy is reviewed at least annually or when significant legal, technical, or operational changes occur.

Important notice: These policies are provided for transparency and operational compliance. They do not constitute legal advice. For formal legal guidance, consult a qualified attorney in Sri Lanka or your jurisdiction.