Privacy Notice

EYEPAX IT Consulting (Pvt) Ltd, along with its subsidiaries and affiliated entities, collectively referred to as “EYEPAX,” is committed to respecting and protecting your privacy. This Privacy Notice outlines our privacy practices regarding the collection, use, and management of your personal data, in compliance with the Personal Data Protection Act (PDPA) of Sri Lanka and the ISO 27701 privacy standard.

Collection of Personal Data

We collect basic personal information, which is stored in our database and/or logbook. The types of personal data we gather may vary based on our relationship with you.

  • Basic information includes, but is not limited to, the following:
    • Personal Identification: Full name, date of birth, national ID/passport numbers.
    • Contact Information: Address, phone number, email address.
  • For Employees/Former Employees: In addition to the basic information, we collect:
    • Employment Details: Employment history, job title, department, salary information, performance reviews, disciplinary records.
    • Financial Information: Bank account details, tax information, benefits information.
    • Health Information: Medical records, health insurance details, disability status, leave records.
    • Legal Documentation: Employment contracts, non-disclosure agreements (NDAs), legal claims, visa/work permit information.
  • For Candidates/Former Candidates: In addition to the basic information, we collect:
    • Professional Information: Resume/CV, job application, cover letter, references, educational qualifications, certifications.
    • Employment History: Previous job titles, employers, durations of employment, salary expectations.
    • Background Checks: Criminal record check, credit check, professional license verification.
  • For Visitors (Office Premises): In addition to the basic information, we collect:
    • Visit Details: Date and time of visit, purpose of visit, person being visited, vehicle registration number.
    • Security Information: CCTV footage, visitor badge records, access logs.
  • For Third-Party Staff (Vendors, B2B Contacts, Third-Party Agency Staff, Trainers, Temps, Contractors): In addition to the basic information, we collect:
    • Professional Information: Job title, employer, contract details, certifications, work history.
    • Financial Information: Payment details, invoice information, tax information.
    • Security Information: Access credentials, security clearances, CCTV footage.
  • For Customers: In addition to the basic information, we collect:
    • Professional Information: Job title, company name, industry, areas of interest.
    • Marketing Information: Communication preferences, sales interaction history, survey responses, subscription details.
    • Behavioral Information: Website usage data, interaction with marketing campaigns, purchase intent data.
  • Prospective Customers: In addition to the basic information, we collect:
    • Contact Information: Name, email address, phone number.
    • Professional Information: Job title, company name, industry, areas of interest.
    • Marketing Information: Communication preferences, interactions with marketing campaigns, survey responses.
    • Behavioral Information: Website usage data, product interest, interaction history.
  • Customers: In addition to the basic information, we collect:
    • Contact Information: Name, email address, phone number, and physical address.
    • Professional Information: Job title, company name, and industry.
    • Contractual Information: Contract details, service agreements, and terms of service.
    • Financial Information: Billing details, payment history, and financial transactions.
    • Usage Data: Data related to the use of your products or services, including support interactions and user feedback.

Purpose of Processing Personal Data

The collection, use, and disclosure of personal data are conducted to ensure the security of individuals and assets and to protect confidential information. These measures are in place to prevent losses, fraud, theft, injuries, acts of terrorism, and similar incidents. Additionally, personal data may be processed for the following purposes:

  • To comply with legal obligations.
  • To sign a contract with you.
  • To protect your vital interests or those of another person.
  • To perform a task carried out in the public interest or in the exercise of official authority.
  • For legitimate interests pursued by EYEPAX, except where such interests are overridden by your interests or fundamental rights and freedoms.

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Consent: We will process your personal data if you have given us explicit consent for a specific purpose. For example, if you register for an account, participate in user feedback, or agree to receive updates about our products and services, we process your data based on your consent.
  • Contractual Necessity: We process personal data when necessary to fulfill our contractual obligations or to take steps prior to entering into a contract. For instance, when you use our software or mobile applications, we process your data to provide and maintain those services, including troubleshooting and customer support.
  • Legal Obligations: We may process personal data to comply with legal requirements relevant to our business. For example, we process data for billing purposes, to comply with software licensing agreements, or to meet regulatory requirements related to data protection and cybersecurity.
  • Legitimate Interests: We process personal data based on our legitimate interests, provided these interests are not overridden by your rights and freedoms. For example, we use personal data to enhance user experience, conduct software performance analytics, improve our applications, or address security threats. We ensure that such processing is balanced with your privacy rights.

Security

EYEPAX has implemented various technical, physical, contractual, and organizational measures to secure personal data. These include, but are not limited to, encryption, access controls, firewalls, and secure data storage. These measures are designed to prevent loss, damage, unauthorized use, disclosure, alteration, or access, taking into account the nature of the data and potential vulnerabilities.

Transfer and Disclosure of Personal Data

As part of an international consortium, we may transfer and disclose your personal data beyond your country of residence, including outside Sri Lanka. Your data, while outside your home country, will be subject to the jurisdiction and legal requirements of the host country, including disclosure to authorities, judicial entities, or law enforcement and regulatory agencies as per local laws. We ensure that appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules, are in place to protect your data during such transfers.

Retention of Personal Data

Your personal data will be retained for a period necessary to fulfill the purposes for which it was collected, address inquiries, resolve issues, or comply with legal obligations. Following this period, all records of your personal data will be deleted from EYEPAX systems. When we delete your personal information, we utilize industry-standard methods to ensure that any recovery or retrieval of your information is not possible.

Your Rights

Under the PDPA, you have the following rights regarding your personal data:

  • Right to Access: You have the right to request access to your personal data.
  • Right to Rectification: You have the right to request correction of any inaccurate personal data.
  • Right to Erasure: You have the right to request deletion of your personal data under certain conditions.
  • Right to Restriction of Processing: You have the right to request restriction of processing of your personal data under certain conditions.
  • Right to Data Portability: You have the right to request the transfer of your personal data to another organization or directly to you, under certain conditions.
  • Right to Object: You have the right to object to the processing of your personal data under certain conditions.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a relevant supervisory authority if you believe your data protection rights have been violated.

For Further Information

For more details about your rights regarding personal data, data transfers, retention, and our security measures, please contact [email protected]. Should you have any concerns or complaints about your personal data’s processing, reach out to EYEPAX’s Data Protection Officer at [email protected].

Data Protection Officer

EYEPAX IT Consulting (Pvt) Ltd

189 Galle Rd, Colombo, Sri Lanka

Privacy Notice Updates

We reserve the right to amend this Privacy Notice at our discretion, updating it as necessary. The latest version supersedes any previous ones. Please check this Privacy Notice periodically for updates. Your continued use of our services implies agreement to abide by its terms, including any changes.

Handling of Children’s Data

If applicable, EYEPAX does not knowingly collect or process personal data from children under the age of 16 without obtaining verifiable parental consent. If we become aware that personal data from a child under 16 has been collected without parental consent, we will delete such data promptly.

Version: 1.1

Updated On: 30.08.2024

Version History

Version 1.0: 17.07.2024 – Initial release.

Version 1.1: 30.08.2024 – Updated to include examples for each legal basis and additional information on data protection measures.