Privacy Policy

What we collect, why we collect it, how long we keep it and the rights you have over it. Drafted to be PDPA-compliant and GDPR-aligned.

Last updated 3 May 2026

1. Who we are

This Privacy Policy explains how Packlink Lanka (Private) Limited (“Packlink”, “we”, “us”) processes personal data of users of the Packlink website, mobile apps and related services (the “Service”).

We are the data controller of the personal data described below. Packlink Lanka (Pvt) Ltd is registered in Sri Lanka, with its registered office in Colombo, and complies with the Personal Data Protection Act, No. 9 of 2022 (“PDPA”).

For data-protection enquiries, our Data Protection Officer is reachable at dpo@packlink.lk.

2. Data we collect

Account & identity

  • Name, nickname, profile photo, city & country.
  • Email address, phone number, hashed password (we never store it in plain text).
  • For KYC: NIC / passport / driving licence (front and back), a selfie liveness frame, proof of address.

Marketplace activity

  • Trips, requests, listings, offers, orders, ratings and reviews you create.
  • Chat messages exchanged with other members on the platform.
  • Receipts, hand-off photos and any attachments you upload to fulfil an order.

Payments

  • Wallet balance, payout bank account (last 4 digits and bank name), transaction history.
  • We do not store card numbers — payment cards are tokenised by our PCI-DSS certified payment processor (PayHere) and we only see the token plus the last 4 digits and brand.

Device & usage

  • IP address, device model, OS, browser, language, time-zone.
  • App / page interactions, search queries, error logs.
  • Approximate location (city-level) derived from IP. We never collect GPS without explicit consent at the OS level.

3. Why we collect it (lawful basis)

Under the PDPA we process your data on these lawful bases:

  • Performance of contract — to operate the marketplace, hold escrow, settle payouts and provide support.
  • Legal obligation — KYC and AML record-keeping, tax reporting, customs documentation, responding to court / regulator requests.
  • Legitimate interests — fraud detection, abuse prevention, product analytics (in anonymised / aggregated form), and platform security.
  • Consent — marketing email, push notifications, optional precise location, non-essential cookies. You can withdraw consent at any time.

4. Who we share data with

We share only what is necessary, and only with:

  • Other Packlink members you transact with — your nickname, avatar, rating and city are public; phone number unlocks only after an order is funded; your delivery address is revealed only to the matched traveller after status moves to in_transit.
  • Service providers bound by data-processing agreements: PayHere (card processing), Cloudflare R2 (encrypted document storage), DigitalOcean (hosting), Plunk (transactional email), Twilio (SMS OTP), Sentry (error monitoring).
  • Authorities when required by Sri Lankan law, a valid court order, or to investigate suspected fraud, money laundering, customs violations or threats to life.
  • A successor in the event of a merger, acquisition or asset sale — with prior notice and equivalent privacy commitments.

We do not sell personal data. We do not run third-party ad networks on Packlink, so there is no behavioural-ad tracking.

5. How long we keep it

  • Active account data — for as long as your account is open.
  • KYC documents — 7 years after your last transaction, in line with LK financial-services record-keeping rules.
  • Order & ledger records — 7 years after the order closes (legal requirement).
  • Chat messages — 24 months from the last message in the thread, then anonymised.
  • Server logs — 90 days, then aggregated.

When the retention window expires we delete or irreversibly anonymise the data, except where a legal hold applies (e.g. an open dispute, audit or investigation).

6. How we protect it

  • TLS 1.3 in transit; AES-256 at rest for documents and database backups.
  • KYC documents are stored encrypted in object storage (Cloudflare R2). Only the trust & safety team can decrypt them, with audit-logged access.
  • Production database access is limited, key-rotated and logged.
  • We run automated bot / abuse detection; we maintain a public bug-bounty inbox at security@packlink.lk.

No system is 100% secure. If we ever experience a breach affecting your data, we will notify the Data Protection Authority within 72 hours (PDPA s.23) and the affected users without undue delay.

7. International transfers

Some of our processors (Cloudflare, DigitalOcean) operate data centres outside Sri Lanka. Where we transfer personal data abroad we rely on Standard Contractual Clauses and review the recipient country's privacy regime annually. KYC documents are stored in the closest R2 region (Singapore) for latency, never in jurisdictions without adequate protection.

8. Your rights under the PDPA

You have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct any inaccurate or incomplete data.
  • Erasure — close your account and have personal data deleted, subject to legal-retention exceptions above.
  • Restriction — pause processing while a complaint is investigated.
  • Portability — receive your data in a machine-readable format.
  • Objection — opt out of any processing based on legitimate interests or direct marketing.
  • Withdraw consent — for any consent-based processing, at any time.
  • Lodge a complaint — with the Data Protection Authority of Sri Lanka.

You can exercise most of these self-service from Profile → Privacy & data, or by emailing privacy@packlink.lk. We respond within 30 days.

9. Cookies

We use a small set of strictly necessary cookies for sign-in and security, plus optional analytics cookies you can decline. Full details are in our Cookie Policy.

10. Children's privacy

Packlink is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a child has registered an account, email privacy@packlink.lk and we will delete it.

11. Changes to this policy

We will update this page when our practices change. Material changes are notified by email and an in-app banner at least 14 days before they take effect. The “Last updated” date at the top always shows the most recent revision.

Still have a question?

Reach our LK-based support team — Sinhala, Tamil and English. Median first reply under four hours.