Privacy Policy
Last Updated: 31/03/2025
This Privacy Policy / Data Protection Notice explains what personal data we collect, how we collect it, why we use it, how we store and process it, and your rights in relation to that personal data.
Contents: Introduction; What Information is Collected and Why; Legal Basis; Sharing with Third Parties; Automated Decision-Making; Use of Cookies; Your Rights; Data Security; International Transfers; Contact; Changes.
1. Introduction
We comply with the Personal Data Protection Act No. 9 of 2022 (“PDPA”). This data protection notice (“Notice”) sets out what personal data we collect from you and/or generate about you, and how we collect or generate, use, store and process such data. This Notice describes how we comply with our legal obligations in relation to the protection of your personal data.
Your privacy is important to us and we are committed to safeguarding your personal data. It is important that you read this Notice carefully and understand how and why we process your personal data on this website. Terms such as “personal data”, “controller”, “data subject”, “processor”, and “processing” shall have the same meaning as under the PDPA.
Hemas Holdings PLC together with its subsidiaries and affiliates, hereinafter referred to as the “Company”, “we”, “us” or “Hemas”, is considered the “controller” under the PDPA and is committed to protecting the personal data of visitors to this website.
2. What Information is Collected and Why
The personal data we may collect includes the following categories:
| Category | Description / Examples | Typical Source |
|---|---|---|
| Identity data | Your name, NIC, hospital assigned patient ID number (if any), or any other document to attest your identity. | User input |
| Contact data | Your postal address, telephone numbers, and email addresses. | User input |
| Employment data | Your profession, job title, and organisation employed. | User input |
| Communication data | Survey inputs, chatbot submissions, emails, messaging service communications, or phone communications we may have with you. | User input |
| Login credentials | Credentials and related access details used to access services or accounts. | User input |
| User preferences | Preferences related to services, service locations, product preferences, purchase history, and profiling information. | User input |
| Payment data | Your transaction history and credit card details. | User input / third party processor |
| Demographic data | Includes but is not limited to age, gender, marital status, and geographic location. | User input |
| Website usage data | Your IP address, ISP, browser details, location data, website usage behaviour, and cookies. | Automatic |
| Social media data | Profile picture, name, location, public feed, and other social media account details you provide to us. | User input / third party |
We may collect and process personal data for the following purposes:
- Responding to your inquiries and requests
- Processing your purchases, including delivery
- Identifying you for service or product delivery
- Direct marketing and advertising
- Providing information about our services and products
- Personalisation
- Improving and troubleshooting the website
- Processing payments
- Responding to legal obligations
- Fraud prevention
- Record keeping
Source types explained:
- User input: information that you provide by entering data into a form or otherwise submitting it to us.
- Automatic: information that is automatically generated when you visit and/or use our website.
- Third party: information about you obtained from third parties, including delivery partners.
3. Legal Basis for Processing Your Personal Data
We comply with the PDPA when processing your personal data. Depending on the relevant purpose, we may rely on one or more of the following lawful bases:
- Consent: where we have specifically sought your consent to process your personal data for specific purpose(s). In the case of children under the age of 16, consent may be given by a parent or legal guardian.
- Contract performance: where we have an agreement with you to provide services, including pre-contractual processing.
- Legal obligation: where we are required by law or court order to process your personal data.
- Public interest: where we are required to perform certain processing activities in the public interest as defined by law.
- Legitimate interests: where we have lawful and reasonable reasons to process your personal data, such as fraud prevention and network security, provided those interests are not overridden by your rights and interests.
When we process special categories of personal data, including health information or information relating to a child as defined under the PDPA, we may rely on the following additional lawful bases where applicable:
- Your consent
- Preventive or occupational medicine, medical diagnosis, provision of care or treatment, or management of healthcare services by a licensed or authorised health professional in Sri Lanka
- Public health purposes, including public safety, monitoring, public alerts, prevention or control of communicable diseases, and management of public healthcare services where provided for by law
- Processing personal data manifestly made public by you
- Establishment, exercise, or defence of legal claims
- Public interest purposes as laid down by law
- Archiving, scientific research, historical research, or statistical purposes in accordance with the PDPA and applicable law
4. Sharing with Third Parties
We do not sell or trade your personal data to third parties. We may, however, need to share your personal data with others to complete the purposes described above. This may include sharing with:
- Members of the Hemas Group of Companies: including entities that provide IT and information security services, and entities involved in product/service improvements, customer profiling, feedback escalations, market research, and advertising.
- Suppliers / Service Providers: including providers supporting IT infrastructure, delivery services, communication services, finance and accounting, audit, market research, legal, data analytics, payment processing, web indexing and search results, credit risk scoring and assessment, customer relationship management, and content transmission.
- Government, regulatory, or law enforcement authorities: where applicable law requires disclosure.
- Prospective buyers or sellers and their advisers: in connection with acquisitions, mergers, joint ventures, strategic alliances, or changes in control.
5. Use of Automated Decision-Making Systems
We may adopt automated decision-making systems on this website. Automated decision-making means making decisions about you, or profiling you, based on your personal data purely through automated means without human intervention. These systems are generally used to support human decision-making by analysing your data according to criteria set by us. We may use them to evaluate your preferences and make recommendations or offer personalised services, products, or content.
6. Use of Cookies
We use cookies on our website. Please refer to our Cookie Notice / Cookie Policy for more information.
7. Your Rights
Under the PDPA, and subject to any exceptions permitted under the PDPA, you may be entitled to the following rights:
- Access: you may access your personal data or obtain confirmation as to whether we process your personal data. You may also request further information on how, where, and why we process it.
- Withdraw consent: where processing is based on your consent, you may withdraw that consent. Withdrawal will not invalidate processing carried out before the withdrawal.
- Object to processing: where processing is based on legitimate interests or public interest, you may object to such processing. Your objection will not invalidate processing already carried out.
- Rectification and update: you may request correction of inaccurate data or completion of incomplete data.
- Erasure: where appropriate under the PDPA, you may request deletion of your personal data, subject to any legal obligations requiring retention.
- Review of automated decisions: where decisions affecting your rights are made solely by automated means without human intervention, you may request a review in certain circumstances.
You also have the right to lodge a complaint with the Data Protection Authority of Sri Lanka established under the Personal Data Protection Act No. 9 of 2022 regarding our use of your personal data.
8. Data Security
We are committed to safeguarding the confidentiality, integrity, and availability of your personal data using appropriate organisational and technical measures, including:
- Use of secure information systems and networks when transmitting and storing personal data
- Access restrictions on a need-to-know basis for staff and external service providers
- Regular privacy and data protection training and guidance for staff
- Use of anonymisation and encryption where appropriate
- Internal procedures to detect and respond to data breaches
All sensitive and payment card information supplied through the website is encrypted in transit using Transport Layer Security (TLS, the successor to the older Secure Socket Layer, SSL). Card transactions are handled by a third-party payment gateway provider; card details are not stored or processed on our servers.
9. International Transfers
Your personal data may be transferred to and processed outside Sri Lanka in certain circumstances, including where your data is stored or hosted on cloud platforms. While we strive to process personal data in countries for which the Data Protection Authority of Sri Lanka has issued adequacy decisions, this may not always be operationally possible. Where it is not, appropriate contractual and legal safeguards are adopted to ensure the security and privacy of your personal data.
10. Contact
If you need any clarification regarding this Privacy Policy / Data Protection Notice, or if you wish to exercise any of your rights, please contact:
| Contact | Details |
|---|---|
| Name | Sarita Dunuwille |
| Email | sarita.legal@hemas.com |
| Mobile No. | 0777314234 |
You may submit a request under one of the following request types:
- Access
- Withdrawal of Consent
- Object to Processing
- Rectification
- Update
- Erasure
- Review of Automated Decision
- Further Information
When submitting a request, please provide sufficient details to identify the request and the personal data concerned.
11. Changes to This Data Protection Notice
We may update this data protection notice from time to time to reflect changes in our services, data protection practices, or legal obligations. Any significant changes will be notified by posting the updated notice on our website or by contacting you directly through registered channels.