Your Privacy,
Our Responsibility

We collect only what's necessary to operate our e-commerce marketplace and provide you with a great shopping and selling experience. Here's a full breakdown by category:

Seller-Specific Data: If you register as a seller on Bizhub.lk, we additionally collect your NIC or passport number for identity verification, your business registration details (if applicable), bank account information for payouts, and all product listings and inventory data you upload.

Voluntary Data: Some information — such as your profile bio, social media links, or store banner image — is entirely optional. Skipping this data will not affect your ability to buy or sell on the platform.

We process your personal data only for specific, legitimate purposes. We will never use your data in ways you wouldn't reasonably expect as a shopper or seller on Bizhub.lk. Here's a complete breakdown:

Where we rely on consent as our legal basis, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal. Where we rely on legitimate interests, you have the right to object — contact us at privacy@bizhub.lk.

We do not sell, rent, or trade your personal information. We share data only when it is strictly necessary to operate our marketplace — such as processing your payment or delivering your order. All third-party processors are bound by data protection agreements.

We use cookies and similar technologies to keep the platform running, remember your preferences, and understand how shoppers use Bizhub.lk. Below is a full list of every type of cookie we use — and one type we deliberately never use:

You can manage your cookie preferences at any time through your Account Settings → Privacy. You can also use your browser settings to block or delete cookies, though this may affect your ability to stay logged in or complete purchases.

We retain your data only as long as necessary to fulfil the purpose it was collected for, or as required by Sri Lankan law (including the Companies Act, VAT Act, and anti-money-laundering regulations). Here's our full retention schedule:

Security is not an afterthought at Bizhub.lk — it is built into every layer of our platform. Here are the specific measures we implement to protect your personal information:

• ›Encryption in Transit: All data transmitted between your browser or app and our servers is encrypted using TLS 1.3. We enforce HTTPS sitewide and reject plain HTTP connections.
• ›Encryption at Rest: All stored personal data — including order history, addresses, and seller identity records — is encrypted using AES-256, the same standard used by major banks.
• ›Password Security: Passwords are never stored in plain text. We use bcrypt hashing with a high work factor, making brute-force attacks computationally impractical even in a breach scenario.
• ›Two-Factor Authentication (2FA): We offer optional 2FA via SMS or authenticator app for all users. 2FA is mandatory for seller accounts processing high-value payouts.
• ›Payment Security: We are PCI-DSS compliant through our payment partners PayHere and Stripe. Full card numbers never touch our servers — only tokenised references are stored.
• ›Access Controls: Internal access to user data is restricted on a strict need-to-know basis. All employee access is logged, monitored, and reviewed monthly.
• ›Fraud & Bot Detection: We use Cloudflare Turnstile for bot detection and monitor transaction patterns in real time to detect and block fraudulent activity on the platform.
• ›Incident Response: In the unlikely event of a data breach affecting your personal information, we will notify affected users within 72 hours of discovery and provide clear guidance on steps to protect yourself.

Bizhub.lk is an e-commerce platform intended for adults and is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age.

During registration, we collect date of birth for age verification purposes. If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that information from our systems and cancel the associated account.

If you are a parent or guardian and believe your child has created an account on Bizhub.lk without your consent, please contact us at privacy@bizhub.lk and we will resolve it promptly — typically within 24 hours.

Individuals aged 16–17 may use the platform only with documented parental or guardian consent. The consenting adult assumes full responsibility for that minor's purchases and activity on Bizhub.lk.

Bizhub.lk is headquartered in Sri Lanka and our primary data infrastructure is hosted on AWS servers in Singapore. This means some of your data is processed and stored outside Sri Lanka, specifically in Singapore.

Additionally, our payment processors (PayHere and Stripe), email delivery service (SendGrid), and CDN provider (Cloudflare) may process certain limited data in other countries. When this occurs, we ensure appropriate safeguards are in place:

• ›Contractual data processing agreements that bind all processors to equivalent data protection standards
• ›Data transfer impact assessments for cross-border flows involving sensitive personal data such as identity documents
• ›Hosting our primary infrastructure in Singapore (AWS ap-southeast-1) — a jurisdiction with strong data protection frameworks
• ›Contractual obligations for all international processors to notify us within 48 hours of any security incident

You have meaningful, practical control over your personal data. Here's exactly how to exercise each right:

• ›Right to Access: Request a full export of all personal data we hold about you. Available instantly via Account Settings → Privacy → Download My Data.
• ›Right to Correct: Update inaccurate information directly in your Account Settings. For data you cannot edit yourself (e.g. verified identity documents), email us and we will correct it within 14 days.
• ›Right to Erasure: Request deletion of your account and personal data. We will process this within 30 days, subject to legal retention obligations (e.g. 7-year transaction records).
• ›Right to Object: Object to data processing based on legitimate interests — such as product recommendations or analytics. Email privacy@bizhub.lk and we will stop that processing.
• ›Right to Portability: Receive your data in a machine-readable format (JSON or CSV) to transfer to another service. Request via your Account Settings or by emailing us.
• ›Right to Restrict Processing: Ask us to pause processing of your data while a dispute or correction is pending. We will restrict processing within 48 hours of your request.
• ›Right to Withdraw Consent: Where we process data based on your consent (e.g. marketing emails), you can withdraw that consent at any time via the unsubscribe link in emails or Account Settings.

We may update this Privacy Policy from time to time to reflect changes in our services, technology, or applicable Sri Lankan law. Here is how we handle updates transparently:

• ›We update the "Last Updated" date at the top of this page whenever any change is made.
• ›For material changes — those that significantly affect your rights or how your data is used — we will send an email notification to all registered users at least 14 days before the changes take effect.
• ›For minor updates such as typographical corrections, formatting improvements, or added clarity, we will update the policy without a separate email notification.
• ›Your continued use of Bizhub.lk after the effective date of any change constitutes your acceptance of the updated policy.
• ›If you disagree with a material change, you have the right to close your account before it takes effect. We will process your deletion request promptly and honour it fully.

Previous versions of this policy are archived and available upon request — simply email privacy@bizhub.lkwith the subject line "Previous Policy Version" and we will send the relevant archived version within 5 business days.

If you have any questions, concerns, or requests related to this Privacy Policy or how we handle your data, our Privacy Team is ready to help. We believe in human responses — not automated replies.

We aim to acknowledge all privacy enquiries within 48 hours and resolve them within 30 calendar days. If you are dissatisfied with our response, you have the right to escalate your complaint to the Information and Communication Technology Agency of Sri Lanka (ICTA) or the relevant regulatory authority in your country.