Ceylon Villas LogoThe Ceylon Villas & Co.
The Ceylon Villas & Co. Logo

Privacy Policy

By accessing or using our Platform, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your information in accordance with it.

1. Introduction

This Privacy Policy describes how The Ceylon Villas & Co. (“we”, “us”, or “our”) collects, uses, processes, and protects your personal information when you access or use our website, booking systems, or any related services (collectively, the “Platform”).

By accessing or using our Platform, you acknowledge that you have read and understood this Privacy Policy and agree to the collection and use of your information in accordance with it. If you do not agree with this policy, you should not use our services.

This policy is designed to ensure transparency while also protecting our legitimate business interests and complying with applicable data protection laws.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set out below. A “Guest” refers to any individual who makes a booking or stays at one of our properties. A “Client” includes any individual or entity using our services, including corporate customers. A “Supplier” refers to third-party service providers such as villa owners, drivers, tour operators, or other partners involved in delivering services. “Accommodation” refers to villas, apartments, or other properties offered through our Platform. “Services” include bookings, concierge assistance, transport arrangements, and related offerings. “Payment Services” refers to any third-party or integrated systems used to process financial transactions.

These definitions are intended to clarify roles and responsibilities within our Platform and avoid ambiguity in interpretation.

3. Information We Collect

3.1 Information You Provide to Us

We collect personal information that you voluntarily provide when using our Platform. This includes information such as your name, email address, telephone number, residential address, and identification details where required by law or operational necessity (such as passport details for guest registration). In addition, we collect booking-related information, including travel dates, number of guests, and preferences.

Where applicable, we may also collect payment-related information through secure third-party payment processors. We may further collect additional details such as dietary preferences, emergency contact information, or special requests to enhance your stay experience.

Any communication you have with us—whether by email, phone, or through our Platform—may also be recorded and stored.

This information is necessary to fulfill contractual obligations and provide you with the services you request.

3.2 Information Automatically Collected

When you access or use our Platform, certain information is automatically collected. This includes technical data such as your IP address, browser type, device information, operating system, and access times. We also collect information about how you interact with our Platform, including pages visited, links clicked, and booking behavior.

We may also collect approximate location data based on your IP address to enhance service delivery and personalise your experience.

Additionally, we use cookies and similar tracking technologies to gather data about user behaviour and preferences. These technologies help us improve functionality, security, and performance.

3.3 Information from Third Parties

We may receive information about you from third-party sources where necessary. This includes payment processors, booking partners, travel agents, identity verification providers, fraud prevention services, and social media platforms if you choose to connect your account.

We may also receive information from Suppliers or partners involved in delivering your services. While we take reasonable steps to ensure data accuracy, we do not control how third parties collect or process your information, and their practices are governed by their own policies.

3.4 Information Collected via Integrated Services

Our Platform uses the following third-party services that may collect or process your data:

  • Supabase: We use Supabase for authentication, database storage, and two-factor authentication. This includes account credentials, session tokens, and security verification codes.
  • Google Analytics: We use Google Analytics to collect usage data such as page views, session duration, and device type to improve our Platform. This data is anonymised and aggregated.
  • Resend: We use Resend as our email delivery service to send booking confirmations, account notifications, and transactional emails. Your email address and name are shared with Resend solely for this purpose.

4. Legal Basis for Processing

We process your personal information based on several lawful grounds. Primarily, processing is necessary for the performance of a contract, such as when you make a booking or request services. We also process information based on our legitimate business interests, including improving our Platform, preventing fraud, and ensuring operational efficiency.

In certain cases, we process data to comply with legal obligations, such as local regulations requiring guest registration. Where required, we rely on your consent, particularly for marketing communications or optional data collection.

5. How We Use Your Information

We use your information to provide, operate, and improve our services. This includes managing bookings, facilitating communication between Guests and Suppliers, processing payments, and delivering customer support.

We also use your information to personalise your experience, such as recommending suitable accommodations or services based on your preferences and past interactions.

Additionally, your information may be used to maintain security, detect fraudulent activity, conduct investigations, and enforce our policies and agreements.

We may also use your information for marketing purposes, including sending promotional offers and updates. However, you retain the right to opt out of such communications at any time.

6. Sharing and Disclosure of Information

We may share your information with third parties where necessary to provide our services. This includes sharing relevant details with Suppliers to facilitate bookings, as well as with service providers such as payment processors, IT support, and analytics providers.

We may also disclose information where required by law, regulation, or legal process, including responding to lawful requests from authorities or enforcing our legal rights.

In the event of a business transaction such as a merger, acquisition, or sale, your information may be transferred as part of the business assets.

We may also share aggregated or anonymised data that does not identify individuals for analytical or business purposes.

7. International Data Transfers

Your information may be stored and processed in countries outside of Sri Lanka, including jurisdictions where data protection laws may differ. By using our Platform, you acknowledge and consent to such transfers, provided that we take reasonable steps to ensure appropriate safeguards are in place.

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. This includes retaining data for the duration of your account activity, service delivery, and compliance with legal obligations.

Even after account deletion, certain information may be retained for legal, regulatory, or fraud prevention purposes, or as part of backup systems for a limited period.

Retention periods vary based on the type of data:

  • Account Information: Retained while your account is active and for 2 years after account closure.
  • Booking Information: Retained for 7 years for accounting and legal compliance purposes.
  • Consent Records: Stored in your browser’s localStorage until you clear your cookies or withdraw consent.
  • Analytics Data: Retained by Google Analytics according to their retention policies (typically 26 months).

You can request deletion of your data at any time by contacting us.

9. Your Rights

Depending on applicable laws, you may have rights regarding your personal information. These may include the right to access, correct, update, or request deletion of your data. You may also have the right to withdraw consent, restrict processing, or object to certain uses of your information.

We may require verification of your identity before processing such requests to ensure data security.

GDPR Rights (EU Residents):

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time

CCPA Rights (California Residents):

  • Right to know what personal information is collected
  • Right to know whether personal information is sold or disclosed
  • Right to delete personal information collected from you
  • Right to opt-out of the sale or sharing of personal information
  • Right to non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us at ayubowan@theceylonvillas.com.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance user experience, analyse performance, and support marketing efforts. These technologies allow us to recognise your device, store preferences, and understand how you interact with our Platform.

Types of cookies we use:

  • Necessary Cookies: Required for authentication, security, and core functionality.
  • Analytics Cookies: Help us understand how you use our site (Google Analytics).
  • Preference Cookies: Remember your settings and preferences.

You may control cookie usage through your browser settings. However, disabling cookies may affect the functionality of certain features. For detailed information about all cookies we use, please visit our Cookie Policy.

10A. Do Not Sell My Personal Information

Under the California Consumer Privacy Act (CCPA) and similar state privacy laws, you have the right to opt out of the sale or sharing of your personal information.

We do not sell your personal information to third parties. We only share information with service providers who assist us in operating our website and conducting our business, subject to strict confidentiality agreements.

If you have questions about your privacy rights or wish to exercise your rights under applicable privacy laws, please contact us at ayubowan@theceylonvillas.com.

11. Third-Party Login (Google & Facebook Authentication)

The Ceylon Villas & Co. provides users with the option to register and log in to our platform using third-party authentication services such as Google Sign-In and Facebook Login. This feature is designed to simplify account creation and provide a secure authentication method.

When you choose to sign in using a third-party provider, you authorize that provider to share certain information from your account with The Ceylon Villas & Co.

The information we receive depends on the permissions granted by the user and the privacy settings configured within the respective platform.

Information Collected from Facebook

If you log in using Facebook, we may collect the following information from your Facebook account:

Public Profile Information

  • Full name
  • Profile picture
  • Facebook user ID
  • Other public profile information made available by Facebook

Email Address

Your primary Facebook email address used for account identification and communication.

Age Range

If permitted, your age range as provided by Facebook.

Birthday

If permission is granted, your date of birth.

Gender

If permission is granted, your gender information.

This information is used solely for account creation, identity verification, and improving the user experience on our platform.

Information Collected from Google

If you log in using Google Sign-In, we may collect the following information:

Email Address

Your primary Google Account email address.

Basic Profile Information

  • Your name
  • Profile photo
  • Public profile information available through Google

OpenID Identifier

A unique identifier used to securely authenticate your account.

This information allows us to create your account and provide secure access to our services.

How We Use Social Login Information

Information obtained through Google or Facebook authentication may be used for the following purposes:

  • Creating and managing user accounts
  • Secure login authentication
  • Personalizing your user experience
  • Processing villa reservations or inquiries
  • Sending booking confirmations and important account notifications
  • Preventing fraudulent or unauthorized access

The Ceylon Villas & Co. does not sell, rent, or trade personal data obtained through social login providers.

Data Retention

Information collected through social login providers is retained only for as long as necessary to provide our services or maintain your account.

If you delete your account with The Ceylon Villas & Co., associated personal data obtained through Google or Facebook authentication will also be deleted from our systems, unless we are required to retain certain information for legal or regulatory purposes.

Revoking Access

Users may revoke The Ceylon Villas & Co.’s access to their Google or Facebook account at any time through their respective account settings:

  • Google Account Permissions
  • Facebook App Settings

Revoking access may prevent users from logging into our platform using those services.

Third-Party Privacy Policies

Google and Facebook operate independently from The Ceylon Villas & Co. Your use of their authentication services is subject to their respective privacy policies.

Users are encouraged to review the following:

The Ceylon Villas & Co. is not responsible for the privacy practices of these third-party services.

User Data Deletion Request

Users who have signed up using Google or Facebook may request deletion of their account and associated personal data.

To request data deletion, users may:

Upon receiving a valid request, The Ceylon Villas & Co. will delete the user’s personal data from our systems within a reasonable timeframe, except where retention is required by law.

12. Third-Party Services

Our Platform may contain links or integrations with third-party services. These services operate independently and have their own privacy policies. We do not control and are not responsible for their data practices.

Users are encouraged to review the privacy policies of any third-party services they interact with.

13. Data Security

We implement appropriate administrative, technical, and physical safeguards to protect your personal information against unauthorised access, loss, or misuse. However, no system can guarantee absolute security, and you acknowledge that use of the Platform is at your own risk.

14. Limitation of Liability

To the fullest extent permitted by law, The Ceylon Villas & Co. shall not be liable for any indirect, incidental, or consequential damages arising from the use of our Platform or the processing of your personal information. We are also not responsible for actions of third parties, including Suppliers or external service providers.

15. Children’s Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that such data has been collected, we will take steps to delete it.

16. Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Updated versions will be published on our Platform with a revised effective date. Continued use of the Platform after changes constitutes acceptance of the updated policy.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, you may contact us at:

The Ceylon Villas & Co.

ayubowan@theceylonvillas.com

+94717100111

Last Updated: 6 March 2026

© The Ceylon Villas & Co. All rights reserved.