PrivacyPolicy.

Sri Lankan TripTip ("we," "our," or "us") is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy explains how we collect, use, disclose, and protect data when you access our website, engage with our services, or book a journey through us.

By using our platform or services, you acknowledge you have read and understood this policy. If you do not agree, please refrain from using our services.

We operate under the laws of Sri Lanka, including the Personal Data Protection Act (PDPA), and align with international best practices including the GDPR where applicable to our European guests.

We collect information in the following categories to deliver a seamless, personalised travel experience:

We process your data only for lawful, specified purposes. Our primary uses include:

• Processing and managing tour bookings, taxi transfers, and custom travel itineraries
• Confirming reservations, issuing vouchers, and providing pre-travel documentation
• Processing payments and issuing invoices and receipts
• Communicating itinerary updates, travel advisories, and operational notifications
• Personalising your experience and recommending destinations aligned with your preferences
• Sending promotional newsletters and special offers — only with your explicit consent
• Conducting satisfaction surveys and gathering feedback to improve our services
• Complying with Sri Lankan immigration, tourism, and tax regulations
• Detecting, investigating, and preventing fraudulent or unlawful activity
• Improving our website through aggregated, anonymised analytics

We do not sell, rent, or trade your personal information. We share data only under strictly defined circumstances:

Our website uses cookies and similar technologies to enhance functionality, analyse traffic, and improve user experience. We use the following categories:

You may manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect your ability to make bookings but may limit personalised features.

Sri Lankan TripTip is headquartered in Matara, Sri Lanka. If you are accessing our services from outside Sri Lanka — including the European Economic Area, United Kingdom, or Australia — your data may be transferred to and processed in Sri Lanka.

We apply appropriate safeguards for international transfers, including standard contractual clauses and data processing agreements with all third-party processors. Where required by the GDPR, we rely on adequacy decisions or other approved transfer mechanisms.

By engaging with our services, you acknowledge and consent to such transfers, which are necessary to fulfil your booking and deliver the services you have requested.

We retain your personal data for only as long as necessary to fulfil the purposes for which it was collected, or as required by law:

Upon expiry, data is securely deleted or anonymised in accordance with our internal data destruction policy.

Subject to applicable law, you hold the following rights regarding your personal data. We will respond to all verifiable requests within 30 days:

To exercise any of these rights, contact us at info@srilankantriptip.com.

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure:

• TLS 1.3 encryption for all data in transit between your browser and our servers
• AES-256 encryption for sensitive data stored at rest
• Regular penetration testing and vulnerability assessments by independent auditors
• Strict role-based access controls — staff access only the data necessary for their function
• Multi-factor authentication required for all internal system access
• Automated monitoring and alerting for suspicious activity
• Formal incident response plan with guest notification within 72 hours of confirmed breach

While we apply robust safeguards, no system is entirely immune from risk. We encourage you to use strong, unique passwords and to contact us immediately if you suspect any unauthorised access to your account.

Our website may contain links to third-party websites including hotel partners, activity providers, and review platforms such as TripAdvisor. This Privacy Policy does not apply to those external sites.

We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies before sharing any personal information. Our partnerships with these services are purely to enhance your travel experience.

We integrate with the following third-party services that may independently collect data: Google Analytics (website analytics), Google Maps (location and directions), Supabase (secure data storage), and Resend (transactional email delivery). Each operates under their own privacy framework.

Our services are designed for adults and are not directed at children under the age of 16. We do not knowingly collect personal data from minors without verifiable parental or guardian consent.

When a booking includes children as travellers, we collect their travel documentation details (name, date of birth, passport number) solely for the purpose of fulfilling the tour and complying with Sri Lankan entry requirements. This data is treated with the same — or greater — level of protection as adult data.

If you believe we have inadvertently collected data from a child without proper consent, please contact us immediately and we will delete the information promptly.

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. The "Last Updated" date at the top of this page will always reflect the most recent revision.

For material changes that significantly affect how we use your data, we will notify you by email (if we hold your email address) or by placing a prominent notice on our website at least 30 days prior to the changes taking effect.

Your continued use of our services after the effective date of any changes constitutes your acceptance of the revised policy.

Sri Lankan TripTip acts as the Data Controller for all personal information collected through our platform. For privacy-related enquiries, data subject requests, or to raise a concern:

We aim to respond to all privacy requests within 5 business days and resolve them within 30 days. For unresolved concerns, you retain the right to escalate to your national data protection authority.