Data Protection Policy
1. Introduction
We comply with the Personal Data Protection Act No.9 of 2022 (‘PDPA’). This data protection notice (‘Notice’) sets out what personal data we collect from you and/or generate about you including how we collect or generate, use, store and process them. The notice intends to illustrate how we comply with the legal obligations in relation to protecting of your Personal Data that we collect or generate, use, store and process. Your privacy is important to us and we are committed to safeguarding the privacy of your personal data. It is important that you read this notice carefully and understand how and why we process your personal data on this website. Terms used in this Agreement such as “personal data”, “controller”, “data subject”, “processor”, “processing” shall have the same meaning as the PDPA. Hemas Holdings PLC and consisting of its subsidiaries and affiliates, or hereinafter referred to as “Company”, “we”, “us” or “Hemas” is considered as “controller” under the PDPA and is committed to protecting the Personal Data of the visitors to this website or hereinafter referred to as “you”.
2. What Information is Collected and Why
The following table will indicate what personal data we collect and why
| Type of personal data | Identity data | Contact data | Communication data | Login credentials | User preferences | Payment data | Demographic data | Website usage data | Social media data | |
|---|---|---|---|---|---|---|---|---|---|---|
| Purposes of collection | Respond to your inquiries and requests | √ | ||||||||
| Process your purchases including delivery | ||||||||||
| Identify you for service/ product delivery | √ | |||||||||
| Direct marketing and advertising | ||||||||||
| Provide information about our services/ products | ||||||||||
| Personalisation | √ | √ | √ | √ | ||||||
| Improve and troubleshoot website | ||||||||||
| Process payments | ||||||||||
| Respond to legal obligations | √ | |||||||||
| Fraud prevention | ||||||||||
| Record keeping | ||||||||||
| Source of Collection | User input | User input | User input | User input | User input Automatic | Automatic | User Input Automatic. Third party | |||
| Retention period | ||||||||||
The terms used in the above table is explained further below:
- Identity data: your name, NIC, hospital assigned patient ID number (if any), or any other document to attest your identity.
- Contact data: your postal address, telephone numbers, email addresses.
- Employment data: your profession, job title, organisation employed.
- Communication data: survey inputs, chat bot, email, messaging service or phone communications we may have with you.
- User Preferences: preferences related to your services, service locations, product preferences, purchase history including profiling.
- Demographic data: Includes but not limited to age, gender, marital status, geographic locations.
- Website usage data: your IP address, ISP, browser details, location data, website usage behaviour, cookies.
- Payment data: your transaction history, credit card details.
- Social media data: profile picture, name, location, public feed etc of any social media account details you’ve provided to us.
- User input: information that you provide by entering the data into a data entry form.
- Automatic: information that is automatically generated when you visit and/or use our website.
- Third party: information about you that is obtained from third parties including delivery partners.
3. Legal basis for processing your personal data.
We comply with the ‘PDPA when we process your personal data. Depending on the respective purpose, we may rely on one or more of the following lawful basis:
- Your consent, when we have specifically sought your consent to process your personal data for specific purpose(s). In the case of children under the age of 16, consent may relate to parents or legal guardians.
- Contract performance, when we have an agreement with you to provide our services. This includes processing for any pre-contractual purposes as well.
- Legal obligation, when we are required by law or a court order to process your personal data.
- Public interest, when we are required to perform certain processing activities in the public interest as defined by law.
- Our legitimate interests, when have a lawful and reasonable reasons to process your personal data, provided such interests do not override your rights and interests such as fraud prevention and network security.
When we process special categories of personal data (i.e. information relating to your health, information relating to a child etc. as defined in the PDPA) we may pursue the following legal basis:
- Your consent, when we have specifically sought your consent to process your personal data for specific purpose(s). In the case of children under the age of 16, consent may relate to parents or legal guardians.
- For preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where such data is processed by a health professional licensed or authorised by law in Sri Lanka.
- Public health purposes ensuring public safety, monitoring and public alert systems relating to impending health or other emergencies, the prevention or control of communicable diseases and other serious threats to public health and the management of public healthcare services in so far as it is provided for in any law.
- Processing personal data which is manifestly made public by you.
- For the establishment, exercise or defence of legal claims before a court or tribunal or such similar forum.
- When necessary for to achieve a public interest purpose as laid down by law.
- For archiving purposes in the public interest, scientific research or historical research purposes or statistical purposes in accordance with law in a manner that is proportionate to the aim pursued, and in accordance with the PDPA.
4. Sharing with Third Parties
We do not sell, trade, or otherwise transfer to third parties your personal data. However, we may need to share your personal data with third parties to complete the purposes stated in section 2 above. Broadly, we may share your personal data with the following entities:
- Members of the Hemas Group of Companies: information may be shared with entities within the Hemas Group who provide IT and information security services to us. Information may also be shared within the organisation for product/service improvements, customer profiling, feedback escalations, market research and to conduct advertising.
- Our Suppliers/Service Providers: we may need to engage with a host of external suppliers or service providers to carry out various operational work to support our relationship with you. These suppliers/service providers will be subject to a contractual and legal framework that will stipulate various conditions including but not limited to ensuring the confidentiality and privacy of your personal data. The access they may have will be limited to a need-to-know basis and in so far as strictly necessary for them to provide their services to us. Accordingly, these suppliers/service providers will provide services in relation to (including without limitation) IT infrastructure and support, delivery services, communication services, finance and accounting, audit, market research, legal, data analytics, processing payments, web indexing and search results, scoring, assessing and managing credit risk, customer relationship management, content transmission.
- To government, regulatory or law enforcement authorities: we may share your personal data if we are of the opinion that the applicable laws require disclosure your personal data with the government including but not limited to tax and other regulatory bodies, the police or law enforcement authorities.
- Prospective buyers or sellers including their advisers: we may be required to share your information in the context of an acquisition, merger, joint-venture, or any other form of change in control or any other form of strategic alliance.
5. Use of Automated Decisions Making Systems
We may adopt automated decision-making systems on this website. Automated decision-making means making decisions or profiling your Personal Data purely through automated means without any human intervention. These systems are generally used to support human decision-making processes by analysing your data subject to certain criteria set by us. We may use these systems for evaluation purposes of your preferences and make recommendations or offer personalised services, products or content.
6. Use of cookies
We use cookies on our website, please refer to our Cookie Notice for more information.
7. Your Rights
Under the PDPA, you’d be entitled to the following rights subject to any exceptions permitted under the PDPA:
Access: you may access your personal data or get a confirmation whether we process any of your personal data. You may also request further information pertaining to how, where and why we process your personal data.
Withdraw consent: if we have sought your consent to process your information for any of the purposes listed in Section 2 above, then you may be in a position to withdraw your consent for those particular purpose(s). When you withdraw your consent, we will not be able to process your personal data thereafter. However, your withdrawal will not invalidate any processing which we’ve done prior to such withdrawal.
Object to processing: if we are processing your personal data pursuant to a legitimate interest of ours or due to public interest, then you may request us to refrain from processing your personal data for said purposes. However, your objection will not invalidate any processing which we’ve done prior to such objection.
Rectification & update: you have the right to request rectification of any inaccurate data or completion of incomplete personal data which we process.
Erasure: if you think that we are processing your personal data in contravention to the PDPA, or you have withdrawn your consent regarding any processing that was founded upon your consent, then you may request us to erase your personal data. Any request for deletion will be evaluated against our legal obligations to retain the said data.
Review of automated decisions: if any decision that affects your rights are taken by us based on purely automated means without human intervention, in certain circumstances you may have the right to request us to review the said decision.
However, please note that the exercise of the above rights is subject to certain conditions stipulated under the PDPA.
You also have the right to make a complaint to the Data Protection Authority of Sri Lanka established under the Personal Data Protection Act No.9 of 2022 regarding our use of your personal data.
8. Data Security
We are committed to securing your personal data and safeguarding the confidentiality, integrity and availability of your personal data by using appropriate organisational and technical measures.
Some of these measures include, using secure information systems and networks when we transmit and store your personal data, implementing access restrictions and allow access on need-to-know basis to our staff and our external service providers and suppliers, regular training and guidance to our staff on privacy and data protection, use of anonymisation and encryption as appropriate, implementing internal procedures to duly detect and respond to data breaches.
In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
All transactions are processed through a payment gateway provider and are not stored or processed on our servers.
9. International Transfers
Your personal data may be transferred and processed outside of Sri Lanka in one or more countries in certain circumstances. Such circumstances may typically arise when your personal data may be stored/hosted on cloud platforms. Whist we strive to process personal data in countries where the Sri Lankan Data Protection Authority has given adequacy decisions, for operational reasons, this may not always be possible. Therefore, we have adopted appropriate safeguards to ensure the security and privacy of your Personal Data through comprehensive contractual and legal means.
10. Contact
If you need any clarifications regarding this data protection notice, you may contact us at info@hairbuddycare.com
To exercise any of your rights under this data protection notice, please complete the following form and
sent it to info@hairbuddycare.com
| Name | |
| Mobile No. | |
| Request Type: | [Access | Withdrawal of Consent | Object to Processing | Rectification | Update | Erasure | Review of Automated Decision | Further Information] |
| Additional Information on the Request |
11. Changes to Data Protection Notice
We may update this data protection notice from time to time to reflect the changes in our services, data protection practices or legal obligations. Any significant changes will be notified by posting the updated notice on our website, or by contacting you directly through registered channels.
Last update: 15/08/2024