Privacy Policy

ShiftX Global – Privacy Policy 20122023


1. Introduction

We comply with the Personal Data Protection Act No.9 of 2022 (‘PDPA’). This data protection notice (‘Notice’) sets out what personal data we collect from you and/or generate about you including how we collect or generate, use, store, and process them. The notice intends to illustrate how we comply with the legal obligations in relation to protecting your Personal Data that we collect or generate, use, store, and process. Your privacy is important to us and we are committed to safeguarding the privacy of your personal data. It is important that you read this notice carefully and understand how and why we process your personal data on this website. Terms used in this Agreement such as “personal data”, “controller”, “data subject”, “processor”, “processing” shall have the same meaning as the PDPA.

Hemas Holdings PLC, together with its subsidiaries and affiliates, including ShiftX Global Pvt. Ltd. (hereinafter referred to as “Company”, “we”, “us” or “Hemas”), is considered a “controller” under the PDPA and is committed to protecting the Personal Data of the visitors to this website (hereinafter referred to as “you”).

2. What Information is Collected and Why

The following table will indicate what personal data we collect and why.

Type of personal data: Identity data | Contact data | Communication data | Login credentials | User preferences | Payment data | Demographic data | Website usage data | Social media data
Purposes of collection:
Respond to your inquiries and requests  √  √     √   
Process your purchases including delivery  √  √  √    √  √  
Identify you for service/product delivery  √   √   √  √  √  √  √
Direct marketing and advertising 
Provide information about our services/products  √  √  √   √   √  √  √
Improve and troubleshoot website    
Process payments    
Respond to legal obligations     
Fraud prevention     
Record keeping
Source of Collection: User input | User input | User input | User input | User input | User input, Automatic | User input | Automatic | User input, Automatic, Third party
Retention period: As Per Data Retention Policy

The terms used in the above table are explained further below:

  • Identity data: your name, NIC, program assigned Member ID number (if any), or any other document to attest your identity.
  • Contact data: your postal address, telephone numbers, email addresses.
  • Employment data: your profession, job title, organisation employed.
  • Communication data: survey inputs, Details of Children, online transactional data, chat bot, email, messaging service or phone communications we may have with you.
  • User Preferences: preferences related to your services, service locations, product preferences, and purchase history including profiling.
  • Demographic data: Includes but not limited to age, gender, marital status, geographic locations.
  • Website usage data: your IP address, ISP, browser details, location data, website usage behaviour, and cookies.
  • Payment data: your transaction history, credit or debit card details.
  • Social media data: profile picture, name, location, public feed, etc of any social media account details you’ve provided to us.
  • User input: information that you provide by entering the data into a data entry form.
  • Automatic: information that is automatically generated when you visit and/or use our website.
  • Third party: information about you that is obtained from third parties including delivery partners.

3. Legal basis for processing your personal data.

We comply with the PDPA when we process your personal data. Depending on the respective purpose, we may rely on one or more of the following lawful bases:

  • Your consent, when we have specifically sought your consent to process your personal data for specific purpose(s). In the case of children under the age of 16, consent may relate to parents or legal guardians.
  • Contract performance, when we have an agreement with you to provide our services. This includes processing for any pre-contractual purposes as well.
  • Legal obligation, when we are required by law or a court order to process your personal data.
  • Public interest, when we are required to perform certain processing activities in the public interest as defined by law.
  • Our legitimate interests, when we have a lawful and reasonable reason to process your personal data (such as fraud prevention and network security), provided such interests do not override your rights and interests.

When we process special categories of personal data (i.e. information relating to a child etc. as defined in the PDPA) we may pursue the following legal basis:

  • Your consent, when we have specifically sought your consent to process your personal data for specific purpose(s). In the case of children under the age of 16, consent may relate to parents or legal guardians.
  • For education-related alignment of best practices to specific topical segments or the management of educational services, and where such data is processed by professionals licensed or authorized by law in Sri Lanka.
  • Public education purposes ensuring public benefit at large, or other educational service provisioning, and the management of public educational services in so far as it is provided for in any law.
  • Processing personal data which is manifestly made public by you.
  • For the establishment, exercise or defence of legal claims before a court or tribunal or such similar forum.
  • When necessary, to achieve a public interest purpose as laid down by law.
  • For archiving purposes in the public interest, scientific research or historical research purposes or statistical purposes, in accordance with law in a manner that is proportionate to the aim pursued, and in accordance with the PDPA.

4. Sharing with Third Parties

We do not sell, trade, or otherwise transfer to third parties your personal data. However, we may need to share your personal data with third parties to complete the purposes stated in section 2 above. Broadly, we may share your personal data with the following entities:

  • Members of the Hemas Group of Companies: information may be shared with entities within the Hemas Group who provide IT and information security services to us. Information may also be shared within the organisation for product/service improvements, customer profiling, feedback escalations, market research and to conduct advertising.
  • Our Suppliers/Service Providers: we may need to engage with a host of external suppliers or service providers to carry out various operational work to support our relationship with you. These suppliers/service providers will be subject to a contractual and legal framework that will stipulate various conditions including but not limited to ensuring the confidentiality and privacy of your personal data. The access they may have will be limited to a need-to-know basis and in so far as strictly necessary for them to provide their services to us. Accordingly, these suppliers/service providers will provide services in relation to (including without limitation) IT infrastructure and support, delivery services, communication services, finance and accounting, audit, market research, legal, data analytics, processing payments, web indexing, and search results, scoring, assessing and managing credit risk, customer relationship management, content transmission.
  • To government, regulatory or law enforcement authorities: we may share your personal data if we are of the opinion that the applicable laws require disclosure of your personal data to the government including but not limited to tax and other regulatory bodies, the police or law enforcement authorities.
  • Prospective buyers or sellers including their advisers: we may be required to share your information in the context of an acquisition, merger, joint-venture, or any other form of change in control or any other form of strategic alliance.

5. Use of Automated Decision-Making Systems

We may adopt automated decision-making systems on this website. Automated decision-making means making decisions or profiling your Personal Data purely through automated means without any human intervention. These systems are generally used to support human decision-making processes by analyzing your data subject to certain criteria set by us. We may use these systems for evaluation purposes of your preferences and make recommendations or offer personalized services, products, or content.

6. Use of cookies

We use cookies on our website. Hemas Holdings PLC (‘we’, ‘us’ or ‘Hemas’ hereafter) is committed to providing you with the best user experience on our website(s) through cookies whilst ensuring your Personal Data is handled responsibly and in compliance with the PDPA. This Cookie Notice explains what cookies are, how and why we use them and what choices you have regarding the same. This Cookie Notice is in addition to our Data Protection Notice found here.

  1. What are cookies?

Unlike the edible ones, cookies are small data files or text files that are stored on your computer, tablet or other mobile device when you visit our websites. Cookies can be either first party or third party. First party cookies are set by our own websites when you visit them and only our website can access or read them. We may also use third-party cookies, which are stored by external partners.

Cookies help us to remember certain information about you and accommodate your use of the websites, improve web performance and your overall experience.

In general, first party and third-party cookies allow us to track your usage, browsing and recommend better user experience by saving your preferences when you return to the website.

  2. What are the cookies we use on our site?

Essential cookies: these are absolutely necessary for the website to function correctly and cannot be removed. These cookies do not store personal data and are usually used to respond to any queries you make on the website. You may set your browser setting to either inform you about cookies or refuse them altogether. However, this may cause parts of the website not to function properly and therefore you may not have an optimum user experience.

Performance cookies: these help us to keep track of website traffic which helps us to improve the performance of our site. These cookies do not collect individually identifiable information and instead collect aggregated data. They help us to know which pages are mostly visited or least visited and how users browse through our site.

Functional cookies: these are aimed at providing enhanced functional and personalised experience to you when you visit our website. These may be first party or third party. If you refuse these cookies, then we may not be able to curate the content or your experience to you properly.

Targeted cookies: these can help build a profile based on your browsing behaviour and then target advertisements on the website of the advertising partners who may set them on our site. Refusing these cookies will cut down on the targeted advertisements you may experience.

We store essential cookies by default when you visit our site. You will have the option to opt out of performance, functional or targeted cookies, when you visit our site.

We may also allow you to enhance your engagement through social media platforms such as Instagram, Facebook, TikTok, LinkedIn, Twitter etc. When you choose to do so, the third-party content that may get added to our website may result in third-party providers storing their own additional cookies on your devices. We have no control over these additional cookies.

7. Your Rights

Under the PDPA, you’d be entitled to the following rights subject to any exceptions permitted under the PDPA:

Access: you may access your personal data or get a confirmation whether we process any of your personal data. You may also request further information pertaining to how, where and why we process your personal data.

Withdraw consent: if we have sought your consent to process your information for any of the purposes listed in Section 2 above, then you may be in a position to withdraw your consent for those particular purpose(s). When you withdraw your consent, we will not be able to process your personal data thereafter. However, your withdrawal will not invalidate any processing which we’ve done prior to such withdrawal.

Object to processing: if we are processing your personal data pursuant to a legitimate interest of ours or due to public interest, then you may request us to refrain from processing your personal data for said purposes. However, your objection will not invalidate any processing which we’ve done prior to such objection.

Rectification & update: you have the right to request rectification of any inaccurate data or completion of incomplete personal data which we process.

Erasure: if you think that we are processing your personal data in contravention to the PDPA, or you have withdrawn your consent regarding any processing that was founded upon your consent, then you may request us to erase your personal data. Any request for deletion will be evaluated against our legal obligations to retain the said data.

Review of automated decisions: if any decision that affects your rights is taken by us based on purely automated means without human intervention, in certain circumstances you may have the right to request us to review the said decision.

However, please note that the exercise of the above rights is subject to certain conditions stipulated under the PDPA.

You also have the right to make a complaint to the Data Protection Authority of Sri Lanka established under the Personal Data Protection Act No.9 of 2022 regarding our use of your personal data.

8. Data Security

We are committed to securing your personal data and safeguarding the confidentiality, integrity and availability of your personal data by using appropriate organisational and technical measures.

Some of these measures include using secure information systems and networks when we transmit and store your personal data, implementing access restrictions and allowing access on a need-to-know basis to our staff and our external service providers and suppliers, regular training and guidance to our staff on privacy and data protection, use of anonymisation and encryption as appropriate, and implementing internal procedures to duly detect and respond to data breaches.

In addition, all sensitive/credit information you supply is encrypted via Secure Sockets Layer (SSL) technology.

All transactions are processed through a payment gateway provider and are not stored or processed on our servers.

9. International Transfers

Your personal data may be transferred and processed outside of Sri Lanka in one or more countries in certain circumstances. Such circumstances may typically arise when your personal data may be stored/hosted on cloud platforms. Whilst we strive to process personal data in countries where the Sri Lankan Data Protection Authority has given adequacy decisions, for operational reasons, this may not always be possible. Therefore, we have adopted appropriate safeguards to ensure the security and privacy of your Personal Data through comprehensive contractual and legal means.

10. Contact

If you need any clarifications regarding this data protection notice, you may contact us at {email}

To exercise any of your rights under this data protection notice, please complete the following form and send it to {email}

Name: ShiftX Global Pvt Ltd
Email: [email protected]
Mobile No.: 076 870 8701
Request Type: [Access | Withdrawal of Consent | Object to Processing | Rectification | Update | Erasure | Review of Automated Decision | Further Information] 
Additional Information on the Request 

11. Changes to Data Protection Notice

We may update this data protection notice from time to time to reflect the changes in our services, data protection practices, or legal obligations. Any significant changes will be notified by posting the updated notice on our website, or by contacting you directly through registered channels.

Last update: 27th January 2024.
