Privacy Policy

1000D Technology (Pvt) Ltd ("the Company," "we," "our," or "us") is committed to safeguarding the privacy and protecting the personal data of our clients, users, employees, and partners. This Privacy Policy outlines our comprehensive approach to data governance and compliance, specifically aligning with the Personal Data Protection Act, No. 9 of 2022 (PDPA) of the Democratic Socialist Republic of Sri Lanka, its subsequent amendments, and international data protection standards.

• Personal Data: Any information relating to an identified or identifiable natural person (the "Data Subject").
• Data Controller: 1000D Technology (Pvt) Ltd, which determines the purposes and means of the processing of personal data.
• Data Processor: Any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.

We process all personal data in strict adherence to the following core principles:

• Lawfulness, Fairness, and Transparency: Data is processed lawfully and transparently.
• Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes.
• Data Minimization: Data collection is adequate, relevant, and limited to what is strictly necessary.
• Accuracy: Data is kept accurate and up to date.
• Storage Limitation: Data is retained only for as long as necessary for the defined purposes.
• Integrity and Confidentiality: Data is processed in a manner that ensures appropriate security against unauthorized or unlawful processing, accidental loss, destruction, or damage.

In the course of our software engineering and business operations, we may collect:

• Identity & Contact Data: Names, official identification numbers, email addresses, billing addresses, and telephone numbers.
• Technical & Usage Data: IP addresses, authentication credentials, browser types, operating systems, and interaction metrics with our digital platforms and software solutions.
• Commercial & Project Data: Information related to client projects, source code repositories, software architecture plans, and service agreements.

We process your personal data only when we have a valid legal ground, which includes:

• Consent: You have given clear, explicit consent for a specific purpose.
• Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party (e.g., a Master Service Agreement or Software Development Agreement).
• Legal Obligation: Processing is necessary for compliance with a legal or regulatory obligation under Sri Lankan law.
• Legitimate Interests: Processing is necessary for our legitimate corporate interests, provided your fundamental rights and freedoms do not override those interests.

Under the PDPA of Sri Lanka, you are entitled to exercise the following rights regarding your personal data:

• Right of Access: To request confirmation of whether your data is being processed and to obtain a copy of it.
• Right to Rectification: To request the correction of inaccurate or incomplete data.
• Right to Erasure (Right to be Forgotten): To request the deletion of your data under specific conditions.
• Right to Withdraw Consent: To withdraw previously granted consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Right to Object: To object to processing, including profiling and automated individual decision-making.
• Right to Appeal: To lodge a complaint or appeal with the Data Protection Authority of Sri Lanka if you believe your data privacy rights have been infringed.

We implement state-of-the-art technical and organizational measures to ensure a level of security appropriate to the risk. This includes:

• End-to-end encryption for data in transit and at rest.
• Strict Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) for our internal infrastructure.
• Regular vulnerability assessments, penetration testing, and code audits.
• A comprehensive Data Protection Management Programme (DPMP) overseen by our leadership.

As a modern software engineering firm, we utilize secure, globally distributed cloud infrastructure. Any cross-border data transfers are executed in strict compliance with the PDPA, ensuring that receiving jurisdictions or entities provide adequate data protection safeguards, or through alternative compliant mechanisms such as explicit consent or contractual necessities.

We retain personal data only for the duration strictly necessary to fulfill the purposes for which it was collected, or to comply with applicable legal, tax, or regulatory retention requirements. Upon the expiration of the retention period, data is securely and permanently destroyed or anonymized.

This Privacy Policy is subject to periodic review and updates to ensure continuous compliance with evolving legal frameworks and technological advancements. Substantive changes will be communicated through our official channels, with the "Effective Date" amended accordingly.