PRIVACY POLICY

Last updated: 6th December 2025

StandWithLK ("StandWithLK", "we", "our", or "us") respects your privacy. This Privacy Policy explains how we collect, use, disclose, transfer, and protect your personal data when you use our website and Services.

We process your personal data in accordance with the Personal Data Protection Act, No. 9 of 2022 (PDPA) of Sri Lanka and its associated regulations, and we adhere to globally recognized principles of data protection.

1. Who We Are

StandWithLK is a platform that enables individuals and communities affected by disasters in Sri Lanka to publish reports about damage, upload photos, share locations, and connect with donors, volunteers, and NGOs.

2. Data We Collect

2.1. Information You Provide to Us

  • Account & Profile Data: Name or username, email address, phone number, password.
  • Report Data: Type and description of damage, contact information, district/location details, coordinates, images/videos.
  • Communications: Content of comments you post and messages you send. Note: For safety investigations, administrators may review the last 10 messages of a reported conversation.

2.2. Data Collected Automatically

We may automatically collect technical data such as your IP address, browser type, device type, operating system, pages visited, and time spent.

2.3. Sensitive Information and Special Category Data

Special Category Data: Under the PDPA, "Special Category Personal Data" includes data revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

Our Policy on Special Category Data

  • No Active Collection: Our Platform does not actively solicit, require, or have dedicated form fields for the collection of any Special Category Personal Data for the purpose of providing our core Services.
  • Voluntary Disclosure Risk: However, such data may be voluntarily disclosed by you within free-text descriptions, uploaded images/videos, or comments (e.g., a report mentioning a health condition arising from a disaster, or a photo revealing religious symbols). You are solely responsible for any such voluntary disclosure.
  • User Responsibility: You must exercise extreme caution and avoid including any Special Category Personal Data in your public submissions unless you fully understand and accept that this information will become publicly visible.
  • Platform Liability: StandWithLK is not liable for the consequences of your voluntary disclosure of Special Category Personal Data. We cannot control how such publicly visible information is used by other Platform visitors or third parties.

2.4. General Sensitive Information Notice

Important Notice:

The platform does not request sensitive personal data (e.g., National Identity Card numbers, bank account details, full private addresses) in public report forms. You are fully responsible for any personal or sensitive information you voluntarily include in public descriptions or uploaded images. Such information becomes publicly visible and StandWithLK is not liable for its disclosure. Please avoid including any details you do not wish to be public.

3. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Your Consent: When you opt in to create reports, subscribe to communications, or use certain features.
  • Performance of a Contract: To provide and maintain the Services you request.
  • Legitimate Interests: For improving our Platform, ensuring security, and facilitating disaster-relief coordination.
  • Compliance with Legal Obligations: To meet our legal and regulatory requirements.
  • Vital Interests or Substantial Public Interest: In the rare event we process Special Category Data inadvertently disclosed in a disaster report, we may rely on grounds related to the protection of vital interests or reasons of substantial public interest for disaster response, as permitted under the PDPA.

4. Consent Management

Where we rely on your consent to process personal data (e.g., for marketing communications), we will obtain it through a clear, affirmative action. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To withdraw consent, please send a clear email request to our designated Compliance Officer, Mr. Anuradha Ranaweera, at privacy@standwithlanka.lk. We will process your withdrawal request promptly.

5. How We Use Your Data

We use your personal data to:

  • Operate the Platform and provide Services.
  • Facilitate connections between affected communities and aid providers.
  • Secure, monitor, and improve the Platform.
  • Communicate service-related information.
  • Comply with applicable laws and regulations.

6. Sharing and Cross-Border Transfer of Data

We do not sell your personal data.

We may share your data with:

  • Trusted Service Providers: Such as Supabase (database hosting), Cloudinary (media storage), and other IT infrastructure providers. These partners may process data on our behalf under strict contractual agreements.
  • Other Users: Information you include in public reports is visible to other Platform visitors.
  • Legal & Regulatory Authorities: Where required by Sri Lankan law or a valid legal request.

International Transfers: Some of our service providers are located outside Sri Lanka. When we transfer your personal data internationally, we ensure an adequate level of protection is in place. We rely on Standard Contractual Clauses or other PDPA-approved mechanisms to safeguard data transferred to countries without an adequacy decision. By using our Services, you acknowledge this necessary transfer of data.

7. Data Retention

We retain personal data only as long as necessary to fulfill the purposes in this policy, maintain historical disaster records for public interest, and comply with legal obligations (such as tax or regulatory holds). We have defined data retention schedules to periodically review and delete data that is no longer needed.

8. Your Data Subject Rights

Under the PDPA, you have the following rights regarding your personal data:

  • Right of Access: To confirm if we process your data and request a copy.
  • Right of Rectification: To correct inaccurate or incomplete data.
  • Right to Erasure: To request deletion under certain conditions.
  • Right to Restriction of Processing: To limit how we use your data in specific scenarios.
  • Right to Data Portability: To receive your data in a structured, commonly used format.
  • Right to Object: To object to processing based on legitimate interests.
  • Rights related to Automated Decision Making: To obtain human intervention and challenge decisions.
  • Right to Withdraw Consent

To exercise any of these rights, please contact our Compliance Officer at privacy@standwithlanka.lk. We may need to verify your identity before responding and will do so within the timelines stipulated by the PDPA.

9. Children's Privacy

Our Platform is not directed at children under 18. We do not knowingly collect personal data from children under 18 for independent accounts. If we become aware of such collection, we will take steps to delete the information. Parents or guardians can contact us to request deletion of data submitted by a child.

10. Security & Legitimacy

We implement reasonable technical and organizational measures (including HTTPS encryption, access controls, and secure cloud configurations) to protect your data. While we take steps to verify user legitimacy, no internet transmission is 100% secure. You are responsible for keeping your account credentials confidential.

11. Cookies

Our Platform uses cookies to manage login sessions and analyze usage. You can control cookies through your browser settings.

12. Changes to This Privacy Policy

We may update this policy. Material changes will be signaled by updating the "Last updated" date and notifying you via the Platform or email.

13. Contact Us & Data Protection Officer

For privacy-specific questions, to exercise your rights, or to withdraw consent, please contact our designated Compliance Officer:

Mr. Anuradha Ranaweera

Compliance Officer

Email: privacy@standwithlanka.lk