Effective date: [DD Month YYYY]
Last updated: [DD Month YYYY]

1. Introduction

Golden Coconut Holiday(“we”, “us”, “our”) is committed to protecting the privacy and security of the personal information of our guests, website visitors, suppliers and business contacts. This Privacy Policy explains what personal information we collect, how we use it, when we share it, how we protect it and the choices you have regarding your personal information when you use our services or visit our website.

This policy applies to all services we provide as an inbound travel agency in Sri Lanka, including bookings, tour arrangements, transfers, hotel reservations, special services, and enquiries made through our website, email, telephone or in person.

2. Why this matters (legal basis)

We process personal data to provide travel services, manage bookings, communicate with you, meet regulatory and safety obligations, and for legitimate business purposes (such as service improvement and fraud prevention). Where applicable, we will rely on consent, contract performance, compliance with legal obligations, or our legitimate business interests as lawful bases for processing.

We recognise Sri Lanka’s Personal Data Protection Act (PDPA), No. 9 of 2022, and the role of the Data Protection Authority; this policy is written with those obligations in mind. parliament.lk+1

3. Scope — whose data we collect

We collect and process personal data about:

• Guests and travellers who book through us (including names, contact details, identification details required for travel, special needs, meal preferences, passport and visa details where required).

• Website visitors (e.g., cookies and technical identifiers).

• Prospective clients, corporate clients and business contacts.

• Suppliers and service providers (e.g., driver details, hotel contacts).

• Job applicants and contractors.

4. Types of personal information we collect

Examples of personal data we collect include:

• Identity data: full name, date of birth, nationality, passport number (when required for bookings/visas).

• Contact data: postal address, email address, telephone number.

• Booking data: travel dates, flight numbers, accommodation, special requests, dietary or medical needs.

• Financial/payment data: card details or payment confirmations (collected via our payment processor; we do not store full card numbers unless explicitly required and only in secure systems).

• Communications: emails, messages, notes of calls for customer service and support.

• Technical data: IP address, device identifiers, cookies and browsing behaviour on our site.

• Other data reasonably required for health and safety (e.g., mobility assistance requirements).

(We only collect the data necessary for the purpose described and will ask for consent when required by law.)

5. How we collect personal data

We collect personal data when you:

• Make a booking or enquiry via our website, email, phone or in person.

• Provide details to arrange visas, transfers, hotels or other services.

• Register for newsletters or marketing communications.

• Use our website — cookies and analytics may collect technical and usage data.

• Provide information as a supplier, partner or job applicant.

This is standard practice in Sri Lankan travel industry privacy notices. jetwingtravels.com+1

6. How we use personal data (purposes)

We use personal data to:

• Provide and manage travel bookings, confirmations, check-ins and fulfilment of services.

• Arrange visas, permits and immigration information when requested.

• Communicate important trip information, itinerary updates and safety notices.

• Process payments and prevent fraud.

• Comply with legal, regulatory and safety obligations (including government requests where required).

• Improve our services and operate our business (analytics, quality control, customer feedback).

• Send marketing communications where you have consented or where permitted by law (you may opt out at any time).

• Manage supplier relationships and vendor payments.

7. Cookies and similar technologies

We use cookies and similar tracking technologies to operate our website, remember preferences, analyse traffic, and serve basic personalised content. You can control cookies through your browser settings. Our website will provide a cookie banner with options for consent where required.

8. Sharing your personal data — third parties and service providers

To deliver travel services we share data with third parties, for example:

• Hotels, transport providers, tour guides and activity operators to fulfil bookings.

• Payment processors and banks for payment handling.

• Government and immigration authorities for visa and entry requirements (when necessary).

• IT and cloud service providers who host our systems (these providers may be located outside Sri Lanka).

• Professional advisors, auditors and insurers.

We carefully select service providers and require appropriate contractual safeguards and security measures. It is common in the Sri Lankan travel sector to use third-party suppliers and to share information strictly to enable travel fulfilment. aitkenspencetravels.com+1

9. International transfers

Travel services commonly require transferring data outside Sri Lanka (for example, to global payment processors, airline reservation systems or partner suppliers). Where personal data is transferred abroad we will ensure appropriate safeguards are in place (such as contracts, standard contractual clauses or other measures allowed under applicable law) to protect your data.

10. Retention — how long we keep data

We retain personal data only as long as necessary to fulfil the purpose for which it was collected, to comply with legal obligations (e.g., tax, accounting, regulatory or safety records), to resolve disputes, or as otherwise permitted by law. Retention periods vary by data type (booking records, financial records, marketing consents) — typical retention periods range from 1 year to 7 years depending on the applicable legal or business need.

11. How we protect your information

We maintain administrative, technical and physical safeguards to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures include role-based access controls, encrypted communications (HTTPS), secure hosting and vendor security assessments.

Note: No internet transmission or electronic storage is completely secure; we therefore continuously review our security measures in line with industry practice. Sri Lankan travel companies also emphasise secure handling of payment and personal data for fraud prevention and safety. jetwingtravels.com+1

12. Your rights (data subject rights)

Under applicable law (including the PDPA) you may have rights such as:

• The right to access personal data we hold about you.

• The right to request correction or completion of inaccurate or incomplete personal data.

• The right to request that we delete or restrict processing of your personal data (subject to legal exceptions).

• The right to object to certain processing activities, including direct marketing.

• The right to data portability where applicable.

• The right to withdraw consent where processing is based on consent.

To exercise these rights, contact us (details below). We will respond within the timeframes required by law and after verifying your identity. More information about the PDPA and the Data Protection Authority of Sri Lanka can be found via the Data Protection Authority. dpa.gov.lk+1

13. Data Breach

If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify the Data Protection Authority and affected individuals as required by applicable law and the PDPA.

14. Children

Our services are not intended for children under 16 without parental consent. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child inappropriately, please contact us and we will take steps to delete the information.

15. Marketing communications & how to opt out

If you consent to receiving marketing materials, we will use your contact details to send relevant offers and news. You can opt out at any time by clicking the unsubscribe link in our emails or contacting us directly.

16. Links to other websites

Our website may contain links to other sites. We are not responsible for the privacy practices of linked sites. Please read the privacy notices on those websites.

17. Complaints and supervisory authority

If you have concerns about our handling of personal data, please contact us first so we can investigate and respond. If you remain dissatisfied, you have the right to lodge a complaint with the Data Protection Authority of Sri Lanka (or other relevant supervisory authority). dpa.gov.lk

18. Contact details

Data Protection Officer / Privacy Contact:
Golden Coconut Holiday
[Address line 1]
[City], [Postal Code], Sri Lanka
Email: [email@example.com]
Phone: [+94 XXXXXXXXX]

(Replace the above with the correct contact details for your DPO or privacy contact person.)

19. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, legal obligations or service offerings. We will publish changes on this page and update the “Last updated” date. For material changes, we may provide prominent notice (e.g., email notice to customers).