Your Privacy, Our Responsibility
We believe privacy is a right, not a privilege. This page explains exactly what data Bizhub.lk collects, why we need it, and how we protect it — in plain, honest language.
This Privacy Policy explains how Bizhub.lk (Pvt) Ltd ("we," "our," "us") collects, uses, stores, shares, and protects your personal information when you use our e-commerce platform. We've written this in plain language — not legalese — because we believe you deserve to understand exactly how your data is handled.
This policy applies to all users of Bizhub.lk, including buyers, sellers, visitors, and anyone who interacts with our website, mobile app, or services. It covers all transactions made through our platform including purchases, payments via PayHere, Stripe, bank transfer, card payments, and cash on delivery.
If you have any questions after reading this, please reach out to our Privacy Team at privacy@bizhub.lk — we're always happy to help.
What We Collect
We collect only what's necessary to operate our e-commerce marketplace and provide you with a great shopping and selling experience. Here's a full breakdown by category:
- Full name and display name
- Email address and phone number
- Date of birth (age verification)
- Profile photo (optional)
- Encrypted account password
- Billing address
- Shipping / delivery address
- District and province
- GPS location (optional, with consent)
- Tokenized card reference (last 4 digits only)
- PayHere transaction IDs
- Stripe payment intent IDs
- Bank transfer reference numbers
- Order and refund history
- Browsing and product view history
- Wishlist and saved items
- Cart contents and abandoned carts
- Order history and status
- Product reviews and ratings
- NIC or passport number (verification)
- Business registration number (if applicable)
- Bank account details for payouts
- Store name, logo and description
- Product listings and inventory data
- IP address and approximate location
- Browser type and operating system
- Pages visited and time on site
- Referral source and UTM parameters
- Device identifiers and session tokens
Seller-Specific Data: If you register as a seller on Bizhub.lk, we additionally collect your NIC or passport number for identity verification, your business registration details (if applicable), bank account information for payouts, and all product listings and inventory data you upload.
Voluntary Data: Some information — such as your profile bio, social media links, or store banner image — is entirely optional. Skipping this data will not affect your ability to buy or sell on the platform.
How We Use Your Data
We process your personal data only for specific, legitimate purposes. We will never use your data in ways you wouldn't reasonably expect as a shopper or seller on Bizhub.lk. Here's a complete breakdown:
| Purpose | Data Used | Legal Basis | Opt-Out? |
|---|---|---|---|
| Order fulfillment & delivery | Name, address, order details, contact info | Contract performance | No |
| Payment processing | Payment tokens, order amounts, billing address | Contract performance | No |
| Account management | Email, password hash, profile data | Contract performance | No |
| Seller verification & payouts | NIC/passport, bank details, business registration | Legal obligation | No |
| Customer support | Order history, contact info, chat logs | Legitimate interests | No |
| Fraud prevention & security | IP address, device data, transaction patterns | Legitimate interests | No |
| Platform improvement & analytics | Anonymised usage data, page views, click events | Legitimate interests | Limited |
| Product recommendations | Browse history, purchase history, wishlist | Legitimate interests | Limited |
| Promotional emails & offers | Email address, purchase history | Consent | Yes |
| SMS order notifications | Phone number, order status | Consent | Yes |
| Legal & compliance obligations | Transaction records, identity data | Legal obligation | No |
Where we rely on consent as our legal basis, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interests, you have the right to object — contact us at privacy@bizhub.lk.
Who We Share Data With
We do not sell, rent, or trade your personal information. We share data only when it is strictly necessary to operate our marketplace — such as processing your payment or delivering your order. All third-party processors are bound by data protection agreements.
| Category | Examples | Purpose | Shared? |
|---|---|---|---|
| Payment Processors | PayHere, Stripe, Visa/Mastercard networks | Securely process card and online payments | Shared |
| Logistics & Delivery | PickMe Flash, DHL, local courier partners | Ship and deliver orders to customers | Shared |
| Cloud Infrastructure | AWS (Singapore region), Cloudflare | Host platform, store data, deliver content | Shared |
| Email & SMS Services | SendGrid (email), Dialog / Mobitel (SMS) | Send order confirmations and notifications | Shared |
| Analytics (Anonymised) | Google Analytics 4 (IP anonymised) | Understand platform usage in aggregate | If Required |
| Government & Regulators | ICTA, Sri Lanka Customs, Police | Comply with lawful legal orders only | If Required |
| Advertisers & Ad Networks | Facebook, Google Ads, TikTok, etc. | N/A — Bizhub.lk is an ad-free platform | Never |
| Data Brokers / Third Parties | Any commercial data buyers | N/A — we never sell customer data | Never |
Cookies & Tracking
We use cookies and similar technologies to keep the platform running, remember your preferences, and understand how shoppers use Bizhub.lk. Below is a full list of every type of cookie we use — and one type we deliberately never use:
| Cookie Type | Purpose | Required? | Duration |
|---|---|---|---|
| Essential / Session | Keep you logged in, maintain your cart, secure your session. These are required for the platform to work. | Required | Session / 30 days |
| Preference | Remember your language, currency (LKR/USD), display preferences, and recently viewed filters. | Required | 1 year |
| Analytics | Anonymised page view and click data via Google Analytics 4 to help us understand how buyers use the platform. | Optional | 2 years |
| Security | CSRF tokens, bot-detection signals (Cloudflare Turnstile), and fraud-prevention fingerprints. | Required | Session |
| Payment | Tokenisation cookies set by PayHere and Stripe to validate payment sessions — never used for tracking. | Required | Session |
| Advertising / Retargeting | Not used. Bizhub.lk does not run ad campaigns or retarget users on external platforms. | Never Used | N/A |
You can manage your cookie preferences at any time through your Account Settings → Privacy. You can also use your browser settings to block or delete cookies, though this may affect your ability to stay logged in or complete purchases.
Data Retention
We retain your data only as long as necessary to fulfil the purpose it was collected for, or as required by Sri Lankan law (including the Companies Act, VAT Act, and anti-money-laundering regulations). Here's our full retention schedule:
Security Measures
Security is not an afterthought at Bizhub.lk — it is built into every layer of our platform. Here are the specific measures we implement to protect your personal information:
- Encryption in Transit: All data transmitted between your browser or app and our servers is encrypted using TLS 1.3. We enforce HTTPS sitewide and reject plain HTTP connections.
- Encryption at Rest: All stored personal data — including order history, addresses, and seller identity records — is encrypted using AES-256, the same standard used by major banks.
- Password Security: Passwords are never stored in plain text. We use bcrypt hashing with a high work factor, making brute-force attacks computationally impractical even in a breach scenario.
- Two-Factor Authentication (2FA): We offer optional 2FA via SMS or authenticator app for all users. 2FA is mandatory for seller accounts processing high-value payouts.
- Payment Security: We are PCI-DSS compliant through our payment partners PayHere and Stripe. Full card numbers never touch our servers — only tokenised references are stored.
- Access Controls: Internal access to user data is restricted on a strict need-to-know basis. All employee access is logged, monitored, and reviewed monthly.
- Fraud & Bot Detection: We use Cloudflare Turnstile for bot detection and monitor transaction patterns in real time to detect and block fraudulent activity on the platform.
- Incident Response: In the unlikely event of a data breach affecting your personal information, we will notify affected users within 72 hours of discovery and provide clear guidance on steps to protect yourself.
Children's Privacy
Bizhub.lk is an e-commerce platform intended for adults and is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age.
During registration, we collect date of birth for age verification purposes. If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that information from our systems and cancel the associated account.
If you are a parent or guardian and believe your child has created an account on Bizhub.lk without your consent, please contact us at privacy@bizhub.lk and we will resolve it promptly — typically within 24 hours.
Individuals aged 16–17 may use the platform only with documented parental or guardian consent. The consenting adult assumes full responsibility for that minor's purchases and activity on Bizhub.lk.
International Data Transfers
Bizhub.lk is headquartered in Sri Lanka and our primary data infrastructure is hosted on AWS servers in Singapore. This means some of your data is processed and stored outside Sri Lanka, specifically in Singapore.
Additionally, our payment processors (PayHere and Stripe), email delivery service (SendGrid), and CDN provider (Cloudflare) may process certain limited data in other countries. When this occurs, we ensure appropriate safeguards are in place:
- Contractual data processing agreements that bind all processors to equivalent data protection standards
- Data transfer impact assessments for cross-border flows involving sensitive personal data such as identity documents
- Hosting our primary infrastructure in Singapore (AWS ap-southeast-1) — a jurisdiction with strong data protection frameworks
- Contractual obligations for all international processors to notify us within 48 hours of any security incident
Your Rights & Choices
You have meaningful, practical control over your personal data. Here's exactly how to exercise each right:
- Right to Access: Request a full export of all personal data we hold about you. Available instantly via Account Settings → Privacy → Download My Data.
- Right to Correct: Update inaccurate information directly in your Account Settings. For data you cannot edit yourself (e.g. verified identity documents), email us and we will correct it within 14 days.
- Right to Erasure: Request deletion of your account and personal data. We will process this within 30 days, subject to legal retention obligations (e.g. 7-year transaction records).
- Right to Object: Object to data processing based on legitimate interests — such as product recommendations or analytics. Email privacy@bizhub.lk and we will stop that processing.
- Right to Portability: Receive your data in a machine-readable format (JSON or CSV) to transfer to another service. Request via your Account Settings or by emailing us.
- Right to Restrict Processing: Ask us to pause processing of your data while a dispute or correction is pending. We will restrict processing within 48 hours of your request.
- Right to Withdraw Consent: Where we process data based on your consent (e.g. marketing emails), you can withdraw that consent at any time via the unsubscribe link in emails or Account Settings.
Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our services, technology, or applicable Sri Lankan law. Here is how we handle updates transparently:
- We update the "Last Updated" date at the top of this page whenever any change is made.
- For material changes — those that significantly affect your rights or how your data is used — we will send an email notification to all registered users at least 14 days before the changes take effect.
- For minor updates such as typographical corrections, formatting improvements, or added clarity, we will update the policy without a separate email notification.
- Your continued use of Bizhub.lk after the effective date of any change constitutes your acceptance of the updated policy.
- If you disagree with a material change, you have the right to close your account before it takes effect. We will process your deletion request promptly and honour it fully.
Previous versions of this policy are archived and available upon request — simply email privacy@bizhub.lk with the subject line "Previous Policy Version" and we will send the relevant archived version within 5 business days.
Contact Our Privacy Team
If you have any questions, concerns, or requests related to this Privacy Policy or how we handle your data, our Privacy Team is ready to help. We believe in human responses — not automated replies.
We aim to acknowledge all privacy enquiries within 48 hours and resolve them within 30 calendar days. If you are dissatisfied with our response, you have the right to escalate your complaint to the Information and Communication Technology Agency of Sri Lanka (ICTA) or the relevant regulatory authority in your country.
Questions About Your Data?
Our Privacy Team is happy to answer any questions. We believe transparency builds trust — and trust builds a better marketplace.
Policy v1.0 · Effective 1 January 2025