Effective Date: 19 August 2025.
BNS Hardware is a division of BNS Holdings (Pvt) Ltd (Reg. No. PV 94688). Head Office: No. 56/35, Borella Road, Depanama, Pannipitiya, Sri Lanka. Contact: info@bnsholdings.com, +94 720 900 252.
This Policy explains how we collect, use, disclose, and protect personal data through our website (bnshardware.lk) and related channels (online forms, email, phone, in-store interactions, social media). It is designed to comply with Sri Lanka’s Personal Data Protection Act No. 9 of 2022 (PDPA) and Electronic Transactions Act No. 19 of 2006 (ETA), as well as relevant international regulations (e.g. the EU GDPR). The PDPA has been fully in force since 18 March 2025, and we adopt its principles (lawfulness, purpose limitation, data minimization, security and accountability). We also honour GDPR-style rights and obligations for overseas customers.
1. Personal Data We Collect
We collect information about you in the following categories:
- Identity & Contact Details: Your name, email address, mobile/phone number, company name, job title or role. For B2B customers we may also collect corporate registration numbers or business IDs.
- Account & Profile Data: If you register for an account, we collect your username/login and hashed password, and any profile preferences you provide.
- Delivery & Billing Data: Your delivery/shipping address, billing address, and (if required) identification numbers (e.g. NIC/passport) for order verification or legal compliance.
- Order & Purchase Data: Details of the products or services you order (order history), purchase dates, quantities, prices, and warranty information.
- Payment Information: Payment details you provide (e.g. credit/debit card number, bank account, CVV) when checking out. We transmit this information securely to our payment gateway (Sampath Bank IPG) and do not store your full card numbers on our systems. We only retain minimal billing info (e.g. last 4 digits of card, transaction ID) as needed for our records and support.
- Communications Data: Records of any correspondence you send us (emails, chat, call notes), and your marketing preferences.
- Technical & Usage Data: Automatically collected data when you use our website, including your IP address, browser type/version, device type, operating system, pages viewed, date/time of visit, and referring site. We use cookies and similar technologies to collect this information. This helps us understand site usage and improve our services.
For example, we collect personal data you provide directly (such as name, contact and payment details for processing your purchase). We also collect information automatically via cookies or analytics (such as IP address, device and page visits). We do not knowingly collect sensitive personal data (like health or special category data) unless you voluntarily provide it (e.g. for specific authorizations) with explicit consent.
2. How We Obtain Data
- Directly from You: You may provide data when creating an account, placing an order, subscribing to newsletters, completing surveys, visiting our store, or contacting us by phone/email. Forms on our site (checkout, contact, account signup) collect the data you enter. We also gather information from any discussions or communications you initiate.
- Automatically: When you visit bnshardware.lk, we automatically obtain technical data as described above (see “Technical & Usage Data”). We use standard web analytics tools (e.g. Google Analytics) to track site performance and usage patterns. Cookies (see §9) also collect browsing behavior data.
- From Third Parties: Where permitted, we may supplement or verify your information from public or commercial sources. For example, we might use publicly available business registries or social media (e.g. LinkedIn) to confirm a company address or job role for a corporate account. We only do this in compliance with data protection laws.
3. Purposes of Processing & Lawful Basis
We process your personal data for the following purposes, relying on appropriate legal bases under the PDPA (and GDPR for overseas customers):
- Order Fulfilment & Contract Performance: To process your orders, deliver products, issue invoices, provide customer service and support, and manage returns or warranties. Processing for these purposes is necessary for the performance of our contract with you (or with your employer/organization, as applicable).
- Payment Processing: To process payments securely (with Sampath Bank’s gateway) and prevent fraud. This is necessary to fulfill your purchase order (contract) and comply with financial regulations.
- Customer Relationship Management: To communicate with you about your orders, answer inquiries, and manage your account. This is covered by contract or our legitimate interests in serving customers.
- Security & Fraud Prevention: To monitor transactions, detect and prevent fraud or abuse on the site (e.g. verifying identity for large orders). This is our legitimate interest and may also fulfill legal obligations.
- Marketing & Promotions: With your consent, we may send promotional emails or texts about new products, offers, or updates. You can withdraw consent or opt-out of marketing at any time.
- Analytics & Service Improvement: To analyze how the site is used and to improve our products and services (e.g. website performance, inventory planning). This is done on the basis of our legitimate interests.
- Legal Compliance: To comply with applicable laws and regulations (tax, accounting, consumer protection, etc.). For instance, keeping sales records for auditing or providing information to courts or regulators if lawfully required. These activities are necessary to meet legal obligations.
In all cases, we process data only as needed and relevant to these purposes. We follow data minimization principles – collecting only what is necessary. As one GDPR example notes, an online shop should “not be allowed to collect a phone number if it is not needed” for delivery, and should “store credit card information only for as long as necessary”. Likewise, we limit data collection to what is required for the transaction or service you request.
4. Data Sharing and Disclosures
We will not sell your personal data to marketers. We share personal data only as described below, and under appropriate safeguards:
- Service Providers: We engage third-party vendors to help deliver our services. This includes payment processors (Sampath Bank), shipping and logistics companies, website hosting and IT support, analytics and email providers, and marketing platforms. These providers are bound by confidentiality and must use your data only to perform their services. For example, our payment gateway processes your payment data, and Google Analytics processes site usage data under strict data protection settings.
- Affiliates and Partners: We may share data with other BNS Holdings group companies or joint venture partners as needed to fulfill your order (e.g. if a partner ships an item) or to provide a service you requested. All affiliates are required to protect your data in accordance with this Policy.
- Legal Authorities: When required by law or necessary to protect rights, we may disclose your information to government authorities, courts or regulators. For example, we will comply with valid subpoenas, court orders or requests from law enforcement.
- Business Transfers: In the event BNS Hardware (or its parent company) is involved in a merger, acquisition, or sale of assets, we may transfer your data to the new owner under confidentiality obligations. We will notify you of such changes as required by law.
We implement contractual and technical safeguards whenever data is shared. For example, processors must implement security measures and only process data per our instructions. This ensures accountability in processing as mandated by the PDPA.
5. International Data Transfers
Our systems may transmit or store personal data outside Sri Lanka (e.g. cloud hosting or third-party services located abroad). Under the PDPA, transfers of personal data outside Sri Lanka generally require adequate safeguards. We will only transfer data internationally if: (a) the destination country has data protection laws deemed adequate, (b) appropriate contracts or binding rules are in place, or (c) you have given your explicit consent. For example, our payment gateway or analytics service may be hosted overseas, but we will ensure contractual safeguards and encryption in transit to protect your data. Where necessary, we may obtain your consent for transfers or rely on standard contractual clauses consistent with PDPA/GDPR rules. All cross-border transfers will be carried out in compliance with Sri Lanka’s PDPA (and the EU GDPR as applicable).
6. Data Retention
We retain personal data only as long as needed for the purposes outlined above and to meet legal or business requirements. Typical retention periods include:
- Order and Transaction Records: kept for up to 7 years after completion or cancellation, for warranty, accounting and legal purposes.
- Customer/Account Data: retained while your account is active, and for up to 7 years after your last activity, unless a longer period is required by law.
- Marketing Consents and Preferences: kept until you unsubscribe or for up to 24 months of inactivity.
- Web Analytics and Logs: user and system logs are typically retained for up to 12–24 months, after which they are anonymized or deleted. We periodically review and securely delete or anonymize data that is no longer needed.
7. Data Security
We employ industry-standard technical and organizational measures to protect your data. These include encryption, access controls, and monitoring. For example:
- Encryption: All data transmitted between your browser and our site is protected in transit using TLS encryption (HTTPS). We also use encrypted connections when transmitting data to payment processors and other service providers.
- Secure Storage: Personal data is stored on secure servers with restricted access. Backup systems are also encrypted.
- Access Controls: Only authorized staff have access to your personal data, under least-privilege principles. All personnel are trained on confidentiality and data security.
- Monitoring and Auditing: We log access to systems containing personal data and regularly audit for unusual activity. Despite these measures, no system is 100% secure. Therefore, we cannot guarantee absolute security. If a breach occurs that puts your data at risk, we will follow regulatory requirements to notify you and the authorities promptly.
8. Your Rights
Under the PDPA (and GDPR, where applicable), you have the following rights regarding your personal data:
- Access: You can request confirmation of whether we hold your personal data and request a copy of it.
- Rectification: You can request correction of inaccurate or incomplete data we hold about you.
- Erasure: You can request deletion of your personal data in certain circumstances (e.g. if it is no longer needed or you withdraw consent).
- Portability: You can request a copy of your data in a structured, machine-readable format.
- Objection/Restriction: You may object to certain processing (e.g. for direct marketing) or ask us to restrict processing while a complaint is resolved.
- Withdraw Consent: Where we rely on consent (e.g. marketing), you can withdraw it at any time.
These rights are similar to those in the GDPR and are intended to give you control over your data. To exercise any right, please email us at info@bnsholdings.com with “Data Request” in the subject line, indicating which right you wish to exercise and any relevant details to identify you. We will respond within the timeframes required by law. If you are not satisfied with our response, you may contact Sri Lanka’s Data Protection Authority (DPA) using the contact details provided on their website.
9. Cookies & Tracking Technologies
We use cookies and similar tools to improve the functionality and performance of our site. Cookies are small text files stored on your device that help us remember your preferences and understand how you use our site. We categorize cookies as follows:
- Strictly Necessary Cookies: Required for core site functions (e.g. enabling secure login, maintaining your shopping cart). These are essential and cannot be disabled.
- Performance/Analytical Cookies: Collect pseudonymous, aggregated data about site usage (pages visited, time on site) to help us improve our site’s performance. These may be stored for up to 24 months and require your consent.
- Functionality Cookies: Remember your preferences (e.g. language, region) to provide a more personalized experience. These require your consent.
- Marketing/Advertising Cookies: We do not use marketing or advertising cookies at this time. (If we do in the future, we will update this policy and our cookie banner accordingly.)
We obtain your informed consent for any non-essential cookies via a cookie banner, as recommended by GDPR guidance. You can manage or disable cookies through your browser settings; however, disabling some cookies may limit features of our site. For more details, see our Cookie Notice (if any) or the cookie settings on your browser.
10. Children’s Data
Our services are intended for adults and business customers. We do not knowingly collect personal data from children (under 18). If we learn that a child’s data has been submitted without parental consent, we will promptly delete it.
11. Third-Party Links and Services
Our website may contain links to third-party websites or services (for example, social media or affiliated retailers). This privacy policy does not apply to those third parties. We encourage you to review the privacy notices of any external sites you visit.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. The “Effective Date” at the top will indicate when the latest version takes effect. We recommend you review this policy regularly. Continued use of our services constitutes acceptance of the updated terms.
13. Contact and Data Protection Officer
For questions or concerns about this Policy or our data practices, contact us at:
BNS Hardware (BNS Holdings Pvt Ltd)
No. 56/35, Borella Road, Depanama, Pannipitiya, Sri Lanka
Email: info@bnsholdings.com (ask for “Privacy”)
Phone: +94 720 900 252
If you need to exercise your data rights (access, deletion, etc.), please email the address above with “Data Request” in the subject line. We will verify your identity before acting on a request. You may also contact the Sri Lanka Data Protection Authority (DPA) at info@dpa.gov.lk or via dpa.gov.lk with any complaints or inquiries about your personal data rights.
Sources: This policy is aligned with Sri Lanka’s PDPA (in force since March 2025), the Sri Lanka ETA (which recognises electronic signatures and records), and international guidelines such as the EU GDPR. Our cookie practices and security measures follow standard industry guidance.