Privacy Policy

1.3 We process your personal data only where a valid legal basis exists under applicable law, including contractual necessity, legal obligation, legitimate interest, vital interest, or valid consent, in accordance with Section 4 of this Privacy Policy and the Personal Data Protection Act No. 9 of 2022.

Where processing is based on consent, such consent shall be freely given, specific, informed, and unambiguous, and shall be obtained through an explicit opt-in mechanism prior to processing. This includes, but is not limited to, marketing communications, precise geolocation data, AI-based processing, and non-essential cookies.

Consent shall not be implied through mere use of the Platform. Users may withdraw consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

1.5 Data Controller Information

For the purposes of applicable data protection laws, including the Personal Data Protection Act No. 9 of 2022, Dynamic Labs (Private) Limited acts as the primary Data Controller for personal data collected through the Platform.

The Data Controller determines the purposes and means of processing personal data. Where third-party service providers are engaged, such parties shall act either as data processors processing data on behalf of the Company or as independent data controllers, depending on the nature and purpose of processing.

The Company shall remain responsible for ensuring that all processing activities are supported by appropriate legal bases and contractual safeguards. All data protection-related inquiries may be directed to the contact details set out in Section 15.

2.1 Information You Provide Directly

2.2 Information Collected Automatically

2.3 Information from Third Parties

2.4 AI Powered Services Data Collection

Our AI powered booking assistants and automated systems collect and process:

• •Voice recordings and transcripts from phone interactions
• •Text conversations from messaging platforms
• •Conversation context and history
• •Language preferences (Sinhala, Tamil, English)
• •Booking preferences and patterns
• •Natural language queries and commands
• •Response accuracy and user satisfaction metrics
• •Training data for improving AI model performance

AI systems may process your data to understand intent, provide recommendations, and automate booking related interactions. This may involve analysis of conversation patterns, preferences, and behavioural data. Data used for AI training purposes is handled separately from data used in real time service delivery.

Where personal data is processed using AI powered systems, the Company shall ensure transparency regarding the nature and purpose of such processing. Where AI systems are used for profiling, recommendation, or decision support functions involving personal data, explicit consent shall be obtained where required by law.

Data subjects shall have the right to opt out of AI related processing used for training or profiling purposes, subject to operational and legal limitations set out in this Policy.

3.1 Service Provision and Fulfillment

• •Processing and managing bookings
• •Communicating booking confirmations, updates, and reminders
• •Facilitating communication between you and Service Providers
• •Providing customer support and responding to inquiries
• •Processing payments and refunds
• •Delivering receipts and transaction records

3.2 Personalization and Improvement

• •Personalizing your experience on the Platform
• •Recommending services based on your preferences and history
• •Remembering your preferences and settings
• •Improving our AI powered assistants and automated systems
• •Training and optimizing machine learning models
• •Analyzing usage patterns to enhance Platform functionality
• •Conducting research and development for new features

AI processing may involve automated analysis of your data to provide personalised recommendations and improve service efficiency.

Automated or AI based processing shall not be used to produce decisions that have legal effects or similarly significant impacts on data subjects without appropriate safeguards. Such safeguards shall include, where applicable, human intervention, meaningful review, transparency regarding the logic of processing, and the ability for data subjects to contest such decisions.

3.3 Communication and Marketing

• •Sending service related notifications and updates
• •Providing customer service communications
• •Sending promotional offers, discounts, and marketing materials (with your consent)
• •Conducting surveys and requesting feedback
• •Sending newsletters and travel-related information
• •Notifying you about changes to our services or policies

Note: You can opt out of marketing communications at any time.

3.4 Safety, Security, and Fraud Prevention

• •Verifying your identity and preventing fraud
• •Detecting and preventing security threats
• •Monitoring for suspicious or illegal activity
• •Enforcing our Terms of Service
• •Protecting our rights and property
• •Complying with legal obligations
• •Resolving disputes and investigating complaints

3.5 Analytics and Business Operations

• •Analyzing Platform performance and user behavior
• •Generating statistical and analytical reports
• •Understanding market trends and user preferences
• •Improving business operations and strategies
• •Planning future services and features
• •Measuring marketing campaign effectiveness

3.6 Legal Compliance and Obligations

• •Complying with applicable laws and regulations
• •Responding to legal requests and court orders
• •Cooperating with law enforcement and regulatory authorities
• •Protecting legal rights and interests
• •Establishing, exercising, or defending legal claims

4.1 Contractual Necessity:

Processing is necessary to perform our contract with you (i.e., providing booking services).

4.2 Legitimate Interests:

Processing is necessary for our legitimate business interests, such as:

• •Improving our services
• •Fraud prevention and security
• •Network and information security
• •Business analytics and operations
• •Marketing and business development

4.3 Consent:

You have given explicit consent for specific processing activities, such as:

• •Marketing communications
• •Location tracking (precise)
• •Non-essential cookies
• •AI conversation recording and analysis

4.4 Legal Obligation:

Processing is necessary to comply with legal or regulatory requirements.

4.5 Vital Interests:

Processing is necessary to protect someone’s life or physical safety.

5.1 Service Providers

Bus operators, travel agencies, tour operators, and other Service Providers necessary to fulfill your bookings. Information shared includes: passenger names, contact details, booking details, pickup/drop-off locations, and special requirements

5.2 Technology Service Providers

• •Cloud hosting and data storage providers
• •Payment processors and payment gateway providers
• •AI and machine learning service providers
• •Customer relationship management (CRM) platforms
• •Email and SMS service providers
• •Analytics and data intelligence providers
• •Customer support platforms
• •Security and fraud prevention services

5.3 Business Partners

• •Tourism boards and destination marketing organizations
• •Hotel and accommodation providers
• •Tour and activity operators
• •Marketing and advertising partners (with anonymized or aggregated data)
• •Affiliate and referral partners

5.4 Professional Advisors

• •Legal counsel
• •Accountants and auditors
• •Business consultants
• •Insurance providers

5.5 Legal and Regulatory Authorities

• •Law enforcement agencies
• •Government authorities and regulators
• •Courts and tribunals
• •When required by law or to protect rights and safety

5.6 Corporate Transactions

• •In connection with mergers, acquisitions, asset sales, or other corporate transactions
• •Potential buyers or investors (with appropriate confidentiality protections)

5.7 With Your Consent

• •Any other third parties with your explicit consent
• •Social media platforms when you choose to share

5.8 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for business, research, or marketing purposes.

Important: We do not sell your personal information to third parties for their marketing purposes.

5.9 Third-Party Data Processing Safeguards

Where personal data is disclosed to third parties, such third parties shall act either as data processors or independent data controllers, depending on the nature of processing.

Where third parties act as data processors, they shall be subject to written agreements imposing obligations regarding confidentiality, security, purpose limitation, sub-processing restrictions, and compliance with applicable data protection laws.

The Company shall take reasonable steps to ensure that such third parties provide sufficient guarantees regarding the security and lawful processing of personal data.

6.1 We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods are determined based on statutory obligations, contractual necessity, regulatory requirements, dispute resolution needs, and legitimate business interests. Personal data shall not be retained longer than is necessary for the purposes for which it is collected, unless required by law.

6.2 Retention Periods:

• •Account Information: Retained while your account is active and for 3 years after account closure
• •Booking Records: Retained for 7 years for accounting and legal compliance purposes
• •Payment Transaction Records: Retained for 7 years as required by financial regulations
• •Customer Support Communications: Retained for 3 years
• •Marketing Consent Records: Retained until you withdraw consent, plus 3 years for compliance
• •AI Conversation Data: Retained for up to 2 years for training and improvement purposes
• •Analytics Data: Aggregated data may be retained indefinitely

6.3 After the retention period expires, we will securely delete or anonymize your personal information in accordance with applicable laws and regulations.

6.4 Some information may need to be retained longer for legal, tax, audit, or dispute resolution purposes.

6.5 You may request deletion of your personal information at any time, subject to legal and legitimate business requirements. See Section 8 for details on exercising this right.

6.6 We apply the principle of data minimisation and only retain personal data for as long as necessary to fulfil the purposes for which it was collected.

7.1 We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.

7.2 Security Measures Include:

• •Encryption of data in transit using SSL/TLS protocols
• •Encryption of sensitive data at rest
• •Secure authentication and access controls
• •Regular security assessments and vulnerability testing
• •Firewalls and intrusion detection systems
• •Secure data centers with physical security controls
• •Employee training on data protection and security
• •Incident response and breach notification procedures
• •Regular backups and disaster recovery plans

7.3 Payment Security

• •We use PCI-DSS compliant payment processors
• •We do not store complete credit/debit card numbers
• •Payment transactions are encrypted and tokenized

7.4 Account Security

• •Passwords are encrypted using industry-standard hashing algorithms
• •You are responsible for maintaining the confidentiality of your account credentials
• •We recommend using strong, unique passwords and enabling two-factor authentication where available

7.5 Third-Party Security

• •We require third-party service providers to implement appropriate security measures
• •We conduct due diligence on third-party security practices

7.6 Limitations

• •While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure
• •We cannot guarantee absolute security of your information
• •You transmit information to us at your own risk

7.7 Data Breach Response

• •In the event of a personal data breach, the Company shall implement appropriate technical and organisational measures to contain, assess, and mitigate the breach.
• •Where a breach is likely to result in a risk to the rights and freedoms of data subjects, the Company shall notify affected individuals and relevant regulatory authorities without undue delay and within any timeframes prescribed by applicable law.
• •The Company shall also maintain internal records of all personal data breaches, including facts, effects, and remedial actions taken.

7.8 We regularly review and update our security practices to ensure ongoing compliance with applicable data protection laws.

The rights set out in this Section are provided in accordance with applicable data protection laws, including the Personal Data Protection Act No. 9 of 2022. These rights may be subject to statutory limitations, exemptions, and conditions under applicable law.

8.1 Access and Portability

• •Right to access your personal information and obtain a copy
• •Right to receive your data in a structured, machine-readable format
• •Request by contacting [email protected] or through your account settings

8.2 Correction and Updates

• •Right to correct inaccurate or incomplete information
• •Update your information through your account settings or by contacting us

8.3 Deletion (Right to be Forgotten)

• •Right to request deletion of your personal information
• •Subject to legal and legitimate business requirements (e.g., transaction records, legal compliance)
• •Request deletion by contacting [email protected]

8.4 Restriction of Processing

• •Right to request that we limit how we use your information in certain circumstances
• •May affect our ability to provide services to you

8.5 Objection to Processing

• •Right to object to processing based on legitimate interests or for marketing purposes
• •Marketing opt-out options available in all marketing communications
• •Email opt-out: Click “unsubscribe” in marketing emails or contact [email protected]
• •SMS opt-out: Reply “STOP” to SMS messages or contact us

8.6 Withdrawal of Consent

• •Right to withdraw consent for processing activities that require consent
• •Does not affect the lawfulness of processing before withdrawal
• •May affect our ability to provide certain services

8.7 Lodge a Complaint

• •Right to lodge a complaint with a data protection authority if you believe your rights have been violated
• •Contact us first to resolve the issue: [email protected]

8.8 Location Permissions

• •Control location sharing through your device settings
• •Disable precise location while still using approximate location

8.9 Cookie Preferences

• •Manage cookie preferences through your browser settings
• •See our Cookie Policy for more details

8.10 AI Data Preferences

• •Request that your conversations not be used for AI training purposes
• •Opt out of automated decision-making where applicable
• •Request human review of AI-assisted decisions

8.11 Marketing Preferences

• •Manage communication preferences in your account settings
• •Opt out of promotional emails, SMS, push notifications, and other marketing channels

8.12 Responding to Your Requests

• •We will respond to your requests within 30 days
• •We may require verification of your identity before processing requests
• •Some requests may be subject to legal limitations or exceptions
• •We will provide reasons if we cannot fulfill your request

9.1 Our Platform is not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18 without parental consent.

9.2 If you are under 18 years of age, you may only use the Platform with the involvement and consent of a parent or legal guardian.

9.3 If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete such information

9.4 If you believe we have collected information from a child under 18, please contact us immediately at [email protected].

10.1 Your information may be transferred to, stored, and processed in countries other than Sri Lanka, including countries that may have different data protection laws.

10.2 When we transfer personal information internationally, we ensure appropriate safeguards are in place, such as:

• •Standard contractual clauses
• •Data processing agreements with service providers
• •Ensuring recipients are in jurisdictions with adequate data protection laws
• •Other legally recognized transfer mechanisms

10.3 We ensure that such transfers are carried out in compliance with applicable data protection laws, including ensuring that adequate safeguards are implemented to protect your personal data, such as contractual protections, data transfer agreements, or transfers to jurisdictions recognised as providing adequate levels of data protection. Where required by law, we will obtain your consent prior to transferring your personal data outside Sri Lanka.

10.4 Where personal data is transferred outside Sri Lanka, such transfers shall only occur where appropriate safeguards are in place to ensure an adequate level of protection. Such safeguards may include standard contractual clauses, binding contractual obligations, or transfers to jurisdictions recognised as providing adequate data protection standards. The Company shall remain responsible for ensuring that international transfers comply with applicable legal requirements. Where required by law, explicit consent shall be obtained prior to such transfers

11.1 Our Platform may contain links to third party websites, applications, or services that are not operated by us.

11.2 We are not responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access.

11.3 Third party services include:

• •Payment gateway providers
• •Social media platforms
• •Service Provider websites
• •Mapping and navigation services
• •Analytics providers
• •Advertising networks

11.4 Your interactions with third parties are governed by their respective privacy policies, not this Privacy Policy.

12.1 We may use automated decision making and profiling to:

• •Personalize your experience
• •Recommend relevant services
• •Detect fraud and prevent security threats
• •Optimize pricing and availability
• •Improve AI powered booking assistants

12.2 Automated decisions that significantly affect you are subject to human review upon request.

12.3 You have the right to

• •Object to automated decision-making
• •Request human intervention
• •Express your point of view
• •Contest the decision

12.4 Our AI systems are continuously monitored and improved to ensure fairness and accuracy.

12.5 We ensure that automated processing does not result in decisions that produce legal or similarly significant effects without appropriate safeguards, including the availability of human intervention. We are committed to ensuring transparency, fairness, and accountability in the use of AI-powered systems.

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA):

To exercise these rights, contact us at [email protected] with “California Privacy Request” in the subject line.

14.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons.

14.2 When we make material changes, we will notify you by:

• •Posting a prominent notice on the Platform
• •Updating the “Last Updated” date at the top of this policy
• •Sending an email to the address associated with your account
• •In-app notifications

14.3 We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

14.4 Your continued use of the Platform after changes are posted constitutes your acceptance of the updated Privacy Policy.

14.5 If you do not agree with the updated Privacy Policy, you should discontinue use of the Platform.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

All data protection and privacy-related inquiries may be directed to:

Email: [email protected]

The Company shall designate a responsible officer to oversee data protection compliance in accordance with applicable legal requirements.

Where processing of personal data is based on consent, such consent shall be obtained through a clear, specific, and affirmative opt-in mechanism.

Data subjects may withdraw consent at any time, without affecting the lawfulness of processing carried out prior to such withdrawal.