Terra Cinzenta

Privacy Notice to Personal Data Processing

1.1 Purpose and scope

Terra Cinzenta (PVT) LTD (the 'Company' or 'we'), a legally registered entity in the Democratic Socialist Republic of Sri Lanka, operates in full compliance with the local regulatory requirements.

We are committed to safeguarding the rights and freedoms of individuals whose data we process. The adherence to data protection principles is essential to our data processing activities, ensuring that we achieve our business objectives in a responsible and compliant manner.

The Notice describes the processing of PD collected on the website terracinzenta.com.

All processes for processing PD in the Company are described in the Privacy Policy.

The Privacy Notice (hereinafter referred to as "Notice") refers to the provisions of the applicable local legislation, including:

Please read this Notice carefully to understand how the Company collects and uses your personal information.

If you have any questions about this Notice or need clarification regarding the processing of your PD, please contact the personal data protection officer at privacy@terracinzenta.com.

If there are any updates to the Notice, the revised version will be posted on our website at terracinzenta.com/privacy-notice.

1.2 Principles of personal data protection

We adhere to the fundamental principles of PD processing by implementing the following measures to ensure the security of PD:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Integrity and Confidentiality
  • Storage limitation
  • Accountability

2.1 Third parties with whom your personal data may be shared

We may share your PD with third parties when it is necessary to fulfill the purposes of the PD processing.

Information about third parties Country of establishment Purpose of transfer Categories of personal data subjects Role of the service provider Legal basis
Web-site Administrator Services Provider USA Site analytics
Site administration
Processing information from the forms on the site 		Site visitors
Site visitors
Representatives of prospective counterparties 		Processor Contract

2.2 Cross-border transfer of personal data

Our decision-making processes do not depend entirely on automated processing of PD to make decisions that could have legal consequences or affect the rights and legitimate interests of the data subject.

We may transfer PD to third parties in jurisdictions with specific data protection legislation. Where such legislation is absent, we conclude contracts requiring compliance with Law No. 9 PDPA ensuring that only the necessary and proportionate amount of PD is processed.

When transferring PD, we include provisions for its protection in our contracts and monitor third parties to ensure compliance with data processing principles and security measures.

2.3 How safe is my personal data with third parties?

We consistently ensure that third parties uphold an adequate level of PD protection by entering contracts that define their responsibilities regarding the processing and safeguarding of PD. When sharing your PD with any third party with whom we have a contractual relationship, we require confirmation of the security measures these entities implement to protect the PD we disclose.

We do not share PD with public authorities or other third parties without a lawful request. Access to PD by third parties is granted through specific procedures monitored by the Company.

3. How we shall use your data

3.1 Personal data retention

We retain your PD only for the period necessary to fulfil the purposes that justify its processing. In determining the retention period, we consider factors such as the quantity, nature, and sensitivity of the PD being processed.

3.2 Categories of data subjects and purposes of processing

We do not process sensitive PD related to ideological, political, or trade union views or activities; intimate or racial origin; or administrative or criminal proceedings and sanctions.

We process PD of the indicated categories of data subjects for predefined purposes:

Data Subjects Purposes of PD processing List of processed PD Storage Period Legal basis
Representatives of prospective counterparties Communication with representatives of potential counterparties (presales) Full name, company's name, job position, work email, phone number, messenger user number/ name 2 years after the last contact Consent
Site visitors Site analytics for terracinzenta.com Cookies 1 month after the end of session Consent

4. Your rights regarding the data processing

We guarantee the fulfilment of your following rights as a data subject.

You can withdraw your consent to the processing of your PD at any time. Once we receive your withdrawal, we will stop processing your data, unless there is a legal obligation that requires us to continue processing it.

We hereby provide the following details regarding the processing of your personal data (PD):

Right to Access:

Data subjects have the right to access their personal data.

Right to Rectification:

Data subjects can request the correction of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten):

Data subjects have the right to request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected, or if they withdraw consent (where processing is based on consent) or object to processing in certain cases. To exercise these rights, you need to contact the data protection officer at: privacy@terracinzenta.com. We process and respond to requests from the data subjects within a reasonable period, typically within one month. This time frame may be extended by up to two additional months. In this case we will notify the data subject about the reasons for the delay within one month.

Right to Restriction of Processing:

Data subjects can request the restriction of processing of their personal data in certain situations.

Right to Data Portability:

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.

Right to Object:

Data subjects have the right to object to the processing of their personal data in certain situations, such as when data is being processed for direct marketing purposes or based on legitimate interests or public interest tasks.

Right to Withdraw Consent:

Where processing is based on the consent of the data subject, Data subjects have the right to withdraw their consent at any time.

Right to Be Informed:

Data subjects must be informed about the collection and processing of their personal data.

Right to Lodge a Complaint:

Data subjects have the right to file complaints with the relevant regulatory authority (such as the Data Protection Authority) if they believe their rights under the PDPA have been violated or their personal data has been misused.

Right to Request a Review of a Decision:

Data subjects have the right to request a review of any decision made solely through automated processing, if that decision has, or is likely to have, a significant and lasting impact on the data subject's rights and freedoms under any applicable law.

5. Measures to ensure the security of personal data processed

We take the security of the PD under our control very seriously and have implemented a comprehensive set of organizational and technical measures to protect PD, comply with applicable laws, and ensure that data is processed securely and responsibly. These measures include:

Appointing a responsible person for overseeing PD processing activities
Establishing data protection policies that align with Law No. 9 PDPA, which includes defining internal responsibilities, conducting training, and implementing internal policies to ensure compliance
Implementing access controls to restrict unauthorized access to PD
Using encryption to safeguard data from unauthorized interception
Applying antivirus protection to prevent malicious software from compromising PD
Maintaining records of all PD processing activities for accountability and transparency
Managing data subject requests by having a defined process to receive and handle such requests appropriately
Conducting data protection impact assessments for processing activities that may involve high-risk processing, including automated profiling that could have legal or significant effects on the data subject, or processing large volumes of sensitive data
Ensuring privacy by design and by default in all our data processing activities
Securing PD shared with third parties and ensuring these parties implement appropriate data protection measures
Monitoring transfers of PD outside Sri Lanka to ensure compliance with data protection regulations
Documenting and investigating PD breaches, notifying affected parties immediately, and taking corrective actions to mitigate any negative effects
Conducting regular audits of PD processing activities, both scheduled and unscheduled, to ensure ongoing compliance and effectiveness
Managing cookies and web analytics in a way that respects user privacy and complies with relevant regulations

We use cookies to enhance the performance characteristics of our website, make it more user-friendly, collect information about visits and take measures to improve the website. Most cookies do not collect information that identifies you, but collect general information (entry method, use of our website) instead.

More information on Cookies is provided in our Cookie Policy.

6. Contact details of the data protection officer

Any doubts regarding this Notice shall be escalated to the data protection officer.

Email: privacy@terracinzenta.com