Privacy Policy

Website: www.astoundingbi.com
Effective Date: March 3, 2026
Last Updated: March 3, 2026

1. Introduction

Astoun Ding Bi (Pvt) Ltd (hereinafter "AstoundingBI," "we," "us," or "our") is committed to protecting your privacy and personal data in accordance with the laws of the Democratic Socialist Republic of Sri Lanka.

This Privacy Policy explains how we collect, use, store, process, disclose, and protect your personal information when you visit our website www.astoundingbi.com (the "Website"), register for an account, purchase products or services, or otherwise interact with us.

Legal Framework: This Privacy Policy complies with:
  • Electronic Transactions Act, No. 19 of 2006 – governing electronic records and data messages
  • Financial Transactions Reporting Act, No. 6 of 2006 – relating to transaction data collection and confidentiality
  • Computer Crime Act, No. 24 of 2007 – protecting against unauthorized data interception
  • Sri Lanka Telecommunications Act (Consolidated 2024) – governing electronic communications

By using the Website, you consent to the collection, use, and processing of your personal data as described in this Privacy Policy.

2. Definitions

For the purposes of this Privacy Policy:

  • "Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person, including but not limited to name, address, email address, telephone number, payment information, IP address, and browsing data.
  • "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
  • "Data Subject" means you, the individual to whom personal data relates.
  • "Electronic Record" means information, data, or communications generated, stored, received, or sent in electronic form, as defined under the Electronic Transactions Act, No. 19 of 2006.
  • "Data Message" means information generated, sent, received, or stored by electronic, magnetic, optical, or other similar means.
  • "Transaction" includes purchases, orders, registrations, downloads, communications, and any other interaction with our Website or services.
  • "Third Party" means any person or entity other than you or AstoundingBI.

3. Data Controller

Astoun Ding Bi (Pvt) Ltd is the data controller responsible for the processing of your personal data collected through the Website.

Data Controller Contact Information:
Astoun Ding Bi (Pvt) Ltd
Website: www.astoundingbi.com
Contact: Via the Contact Us page on the Website

4. Personal Data We Collect

We collect personal data in the following categories:

4.1 Information You Provide Directly

When you interact with our Website, you may provide the following information:

  • Account Registration: Name, email address, username, password, country, and contact details.
  • Purchase Information: Billing address, shipping address, payment card details (processed securely by third-party payment processors), and order history.
  • Communications: Information you provide when you contact us via email, contact forms, support tickets, or chat, including your name, email, message content, and any attachments.
  • Survey and Feedback: Responses to surveys, reviews, ratings, testimonials, or other feedback you choose to provide.
  • Event Registrations: Information provided when purchasing event tickets, including attendee names, contact details, and special requirements.

4.2 Information Collected Automatically

When you visit our Website, we automatically collect certain technical information:

  • Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language settings.
  • Usage Data: Pages visited, time spent on pages, links clicked, referral URLs, search queries, download activity, and navigation paths.
  • Location Data: General geographic location inferred from IP address (country, city, region).
  • Cookies and Tracking Technologies: Data collected through cookies, web beacons, pixels, and similar technologies (see Section 10).

4.3 Information from Third Parties

We may receive personal data about you from third-party sources, including:

  • Payment Processors: Transaction confirmation, payment status, and fraud detection information.
  • Social Media: If you interact with us on social media platforms or use social login features, we may receive publicly available profile information.
  • Analytics Providers: Aggregated and anonymized usage statistics and demographic information.
  • Business Partners: Information from partners involved in joint events, promotions, or co-branded services.
Customer Identification & Verification: In accordance with the Financial Transactions Reporting Act, No. 6 of 2006, we are required to identify and verify customer identity for certain transactions. We may request official documents or reliable independent source documents to verify your identity where legally required. Failure to provide satisfactory evidence of identity may result in our inability to process your transaction.

5. How We Use Your Personal Data

We process your personal data for the following purposes:

5.1 To Provide Products and Services

  • Processing and fulfilling orders for software, digital products, and event tickets
  • Creating and managing your user account
  • Providing access to purchased digital products and downloads
  • Facilitating event ticket delivery and entry
  • Providing customer support and responding to inquiries

5.2 To Process Payments

  • Securely processing payments through third-party payment processors
  • Verifying payment methods and preventing payment fraud
  • Issuing invoices, receipts, and financial records
  • Managing refunds, chargebacks, and billing disputes

5.3 To Communicate With You

  • Sending order confirmations, delivery notifications, and transaction receipts
  • Providing technical support, updates, and service announcements
  • Responding to your inquiries, feedback, and requests
  • Sending account-related notifications (password resets, security alerts)

5.4 For Marketing and Promotional Purposes (With Consent)

  • Sending promotional emails about new products, features, offers, and events (you may opt out at any time)
  • Conducting market research and surveys to improve our services
  • Personalizing content, recommendations, and advertisements

5.5 To Improve and Optimize the Website

  • Analyzing usage patterns and trends to enhance user experience
  • Testing new features, functionality, and design improvements
  • Troubleshooting technical issues and optimizing Website performance
  • Conducting internal research and analytics

5.6 For Security and Fraud Prevention

  • Detecting, preventing, and investigating fraudulent transactions and unauthorized access
  • Protecting the security and integrity of our systems and data
  • Enforcing our Terms and Conditions and other policies
  • Complying with legal obligations and responding to lawful requests from authorities
Suspicious Transaction Reporting: In accordance with the Financial Transactions Reporting Act, No. 6 of 2006, if we have reasonable grounds to suspect that any transaction may be related to money laundering, terrorism financing, or any unlawful activity, we are legally obligated to report such transaction to the Financial Intelligence Unit of Sri Lanka. We may be prohibited by law from disclosing to you that such a report has been made.

5.7 For Legal Compliance

  • Complying with legal and regulatory obligations under Sri Lankan law
  • Responding to lawful requests from government authorities, courts, and law enforcement agencies
  • Establishing, exercising, or defending legal claims
  • Maintaining records as required by the Financial Transactions Reporting Act, No. 6 of 2006 and other applicable legislation

6. Legal Basis for Processing

We process your personal data on the following legal bases:

Legal Basis Purpose
Contractual Necessity Processing necessary to perform our contract with you (order fulfillment, account management, service delivery)
Consent Marketing communications, optional cookies, and other processing where you have given explicit consent
Legal Obligation Compliance with Sri Lankan laws including the Financial Transactions Reporting Act, Electronic Transactions Act, and tax regulations
Legitimate Interests Fraud prevention, security, improving our services, and conducting analytics (where not overridden by your rights)

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.

7.1 General Retention Periods

  • Account Data: Retained for the duration of your account plus 6 years after account closure (for legal and tax purposes).
  • Transaction Records: Retained for 6 years from the date of transaction as required by the Financial Transactions Reporting Act, No. 6 of 2006.
  • Customer Identity Records: Retained for 6 years from the date of closure of the account or cessation of the business relationship, in compliance with the Financial Transactions Reporting Act.
  • Marketing Consents: Retained until you withdraw consent or for 2 years after last engagement.
  • Support Communications: Retained for 3 years after resolution for quality assurance and dispute resolution.
  • Website Usage Data: Retained for up to 2 years for analytics purposes.
Extended Retention by Authorities: Under the Financial Transactions Reporting Act, No. 6 of 2006, the Financial Intelligence Unit may direct us to retain records or correspondence for a longer period than specified above where necessary for investigative or enforcement purposes.

7.2 Secure Deletion

At the end of the retention period, personal data is securely deleted or anonymized in a manner that prevents reconstruction or identification. Electronic records are permanently erased, and physical records are securely destroyed.

8. Sharing and Disclosure of Personal Data

AstoundingBI will not sell, rent, or trade your personal data to third parties for marketing purposes without your explicit consent.

We may share your personal data with the following categories of recipients:

8.1 Service Providers and Business Partners

We share data with trusted third-party service providers who assist us in operating our business:

  • Payment Processors: To securely process credit card and electronic payments (e.g., Stripe, PayPal).
  • Cloud Hosting Providers: To store data and host our Website infrastructure (e.g., AWS, Google Cloud).
  • Email Service Providers: To send transactional and marketing emails.
  • Analytics Providers: To analyze Website usage and performance (e.g., Google Analytics).
  • Customer Support Tools: To manage support tickets and communications.
  • Event Management Partners: To facilitate ticket sales and event logistics.

All service providers are contractually obligated to use your personal data only for the purposes for which it was disclosed and to implement appropriate security measures.

8.2 Legal and Regulatory Authorities

We may disclose your personal data to government authorities, regulators, and law enforcement agencies where:

  • Required by law or legal process (court orders, subpoenas, warrants)
  • Necessary to comply with the Financial Transactions Reporting Act, No. 6 of 2006, including reporting suspicious transactions to the Financial Intelligence Unit
  • Required under the Computer Crime Act, No. 24 of 2007 for cybercrime investigations
  • Necessary to protect our legal rights, enforce our policies, or defend against legal claims
  • Required to protect the safety, security, or property of AstoundingBI, our users, or the public
Confidentiality of Suspicious Transaction Reports: Under Section 9 of the Financial Transactions Reporting Act, No. 6 of 2006, we are legally prohibited from disclosing to any person:
  • That a suspicious transaction report has been made to the Financial Intelligence Unit
  • That a suspicion has been formed regarding a transaction
  • Any information from which you could reasonably infer that a report has been or may be made

Violation of this confidentiality obligation would constitute a criminal offence. We are protected from civil or criminal liability for making such reports in good faith.

8.3 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred to the successor entity. You will be notified of any such change via email or prominent notice on the Website.

8.4 With Your Consent

We may share your personal data with third parties for purposes not described in this Privacy Policy where you have given explicit consent to such sharing.

9. International Data Transfers

Your personal data may be transferred to, stored, and processed in countries outside Sri Lanka where our service providers and partners are located. These countries may have data protection laws that differ from Sri Lankan law.

Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses approved for international data transfers
  • Ensuring recipients are subject to adequate data protection laws
  • Implementing technical and organizational security measures

By using our Website and services, you consent to the transfer of your personal data to countries outside Sri Lanka for the purposes described in this Privacy Policy.

10. Cookies and Tracking Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to enhance your browsing experience, analyze usage patterns, and deliver personalized content.

10.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They allow the website to recognize your device and remember your preferences and actions over time.

10.2 Types of Cookies We Use

Cookie Type Purpose Duration
Essential Cookies Necessary for the Website to function properly (login, shopping cart, security) Session or up to 1 year
Performance Cookies Collect anonymous information about how visitors use the Website to improve functionality Up to 2 years
Functional Cookies Remember your preferences and settings (language, region, display preferences) Up to 1 year
Targeting/Advertising Cookies Track your browsing habits to deliver relevant advertisements (requires consent) Up to 1 year

10.3 Third-Party Cookies

We may allow third-party service providers to set cookies on our Website for:

  • Analytics and performance monitoring (e.g., Google Analytics)
  • Social media integration (e.g., Facebook, Twitter, LinkedIn)
  • Advertising and retargeting campaigns

These third parties have their own privacy policies governing their use of cookies. We recommend reviewing their policies.

10.4 Managing Cookies

You can control and manage cookies through your browser settings:

  • Block all cookies
  • Allow only first-party cookies
  • Delete cookies after each browsing session
  • Accept or reject cookies on a case-by-case basis

Note: Blocking or deleting cookies may affect the functionality of the Website, and some features may not work properly.

Browser Cookie Settings:

  • Chrome: Settings > Privacy and security > Cookies and other site data
  • Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Cookies and website data
  • Edge: Settings > Cookies and site permissions

11. Data Security

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

11.1 Security Measures

  • Encryption: Data transmitted between your browser and our servers is encrypted using SSL/TLS technology.
  • Access Controls: Access to personal data is restricted to authorized personnel only, on a need-to-know basis.
  • Secure Storage: Personal data is stored on secure servers with firewalls, intrusion detection, and regular security audits.
  • Payment Security: We do not store full credit card details. Payment processing is handled by PCI-DSS compliant third-party processors.
  • Password Protection: User passwords are hashed and salted using industry-standard cryptographic algorithms.
  • Regular Updates: We regularly update our systems and software to address security vulnerabilities.
  • Employee Training: Our staff are trained on data protection principles and security best practices.
Unauthorized Access is a Criminal Offence: Under the Computer Crime Act, No. 24 of 2007, any person who attempts to gain unauthorized access to our computer systems or data, intercepts electronic communications, or introduces malicious code commits a criminal offence punishable by imprisonment and/or fines up to Rs. 300,000. We actively monitor for and report such activities to law enforcement authorities.

11.2 Your Responsibilities

You are responsible for:

  • Keeping your account credentials (username and password) confidential
  • Using a strong, unique password for your account
  • Logging out after each session on shared or public devices
  • Notifying us immediately of any unauthorized access or security breach
Disclosure of Login Credentials: Under Section 10 of the Computer Crime Act, No. 24 of 2007, unauthorized disclosure of access credentials is a criminal offence. Never share your login information with others.

11.3 Data Breach Notification

In the event of a data breach that compromises your personal data, we will notify you and relevant authorities as required by law, without undue delay. Notification will include:

  • The nature of the breach
  • The categories of data affected
  • The likely consequences
  • Measures taken to mitigate harm
  • Recommended actions you should take

12. Your Rights and Choices

You have the following rights with respect to your personal data:

12.1 Right to Access

You have the right to request access to the personal data we hold about you. We will provide you with a copy of your data in a commonly used electronic format.

12.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. You can update your account information directly through your account settings or by contacting us.

12.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data where:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed

Important: We may be unable to delete your data if retention is required by law (e.g., the Financial Transactions Reporting Act, No. 6 of 2006 requires us to retain transaction records for 6 years) or necessary for legal claims, compliance, or other legitimate purposes.

12.4 Right to Restriction of Processing

You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.

12.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller where technically feasible.

12.6 Right to Object

You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.

12.7 Right to Withdraw Consent

Where we process your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

12.8 Right to Opt-Out of Marketing

You may opt out of receiving marketing communications from us at any time by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your communication preferences in your account settings
  • Contacting us via the Contact Us page

Note: Even if you opt out of marketing communications, we will still send you transactional emails related to your account and orders.

12.9 How to Exercise Your Rights

To exercise any of the above rights, please contact us through the Contact Us page on our Website or using the contact details provided at the end of this Privacy Policy. We will respond to your request within 30 days.

We may require verification of your identity before processing your request to ensure the security of your personal data.

13. Children's Privacy

Our Website and services are not intended for children under the age of 13 years. We do not knowingly collect personal data from children under 13.

If you are between 13 and 17 years of age, you may use the Website only with the consent and supervision of a parent or legal guardian.

If we become aware that we have inadvertently collected personal data from a child under 13 without parental consent, we will take steps to delete that information as soon as possible.

Parents or guardians who believe that we may have collected information from a child under 13 should contact us immediately.

14. Third-Party Websites and Services

Our Website may contain links to third-party websites, services, or resources that are not owned or controlled by AstoundingBI. This Privacy Policy applies only to our Website and services.

We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.

When you use third-party payment processors or service providers through our Website, your interactions with those services are governed by their own privacy policies and terms of service.

15. Electronic Communications and Record Validity

In accordance with the Electronic Transactions Act, No. 19 of 2006:

  • Legal Recognition: All data messages, electronic documents, and electronic records exchanged between you and AstoundingBI have full legal recognition, effect, validity, and enforceability.
  • Electronic Signatures: Where required, electronic signatures applied to electronic communications shall be legally valid and binding.
  • Deemed Receipt: Electronic communications (including emails) shall be deemed received at the time they enter your designated information system (email inbox).
  • Record Retention: Electronic records retained by AstoundingBI are maintained in a reliable manner capable of subsequent reference and have the same legal standing as paper records.

It is your responsibility to ensure that the email address registered with your account is accurate and current, and that you regularly check your email for important communications from us.

16. Confidentiality Obligations

AstoundingBI and its employees, agents, and service providers are subject to strict confidentiality obligations regarding your personal data.

Under the Financial Transactions Reporting Act, No. 6 of 2006, we are required to treat all information furnished to us in compliance with legal requirements as confidential.

Unauthorized disclosure of confidential information by our employees or agents constitutes a breach of their employment or service agreements and may result in disciplinary action and legal liability.

17. Changes to This Privacy Policy

We reserve the right to update, modify, or replace this Privacy Policy at any time at our sole discretion to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

When we make material changes to this Privacy Policy, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify registered users by email (where we have your email address)
  • Display a prominent notice on the Website

Your continued use of the Website after changes are posted constitutes your acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.

18. Governing Law and Dispute Resolution

This Privacy Policy is governed by and construed in accordance with the laws of the Democratic Socialist Republic of Sri Lanka, without regard to conflict of law principles.

Any disputes arising out of or related to this Privacy Policy or our processing of your personal data shall be resolved in accordance with the dispute resolution procedures set forth in our Terms and Conditions.

You agree that any legal action must be brought exclusively in the courts located in Colombo, Sri Lanka, and you consent to the personal jurisdiction of such courts.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our processing of your personal data, please contact us:

AstoundingBI — Astoun Ding Bi (Pvt) Ltd
Data Protection Contact
Website: www.astoundingbi.com
Contact: Via the Contact Us page on the Website

Response Time: We will respond to your inquiry within 30 days.

SIGN UP & STAY UPDATED

Be the first to hear about new arrivals, special promotions, and exclusive discounts.

Please fill the required field.