Privacy Policy Summary

• The Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA) and related regulations.
• Applicable data protection and privacy laws in other South Asian jurisdictions.
• The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), where applicable.
• General internationally recognized data protection standards (e.g. principles aligned with the EU GDPR).

• Company referred to as either the Company, We, Us or Our means Vitalfew.
• Service refers to the website, applications, and services provided by Vitalfew.
• Country in this policy can refer to Sri Lanka, Australia, or any other country where Vitalfew operates or from where the Service is accessed.
• Personal Data means any information that relates to an identified or identifiable individual. This includes information defined as personal data under the Sri Lanka PDPA, the GDPR, the Australian Privacy Act, or other applicable privacy laws.
• Processing means any operation performed on Personal Data, such as collection, recording, storage, use, disclosure, transfer, or deletion of that data.
• Data Subject means the individual who is the subject of the personal data (in other words, you).
• Controller means the entity that determines the purposes and means of processing personal data (in this case, Vitalfew when handling your data).
• Processor means any third party that processes personal data on behalf of the controller (for example, a cloud service provider that hosts our data).

With trusted service providers who help us run our business (and only for the purposes described in this policy).

Lawful Basis for Processing

• Your Consent We may process your information if you have given us clear consent to do so for a specific purpose. (You have the right to withdraw your consent at any time.)
• Contractual Necessity We need to process your data to perform a contract with you or to take steps at your request before entering into a contract. For example, if you hire our services, we’ll process your contact and payment details to provide the service.
• Legal Obligation We may process your data to comply with a legal or regulatory obligation to which we are subject. For instance, keeping records for compliance with tax or regulatory laws.
• Legitimate Interests We may process your data for our legitimate business interests, provided that such processing does not override your rights and freedoms. For example, we might use certain data to improve our website’s user experience or to prevent fraud, which are activities that benefit both you and us. We will always consider your rights and ensure they are not outweighed by our legitimate interests.

When processing special categories of personal data (sensitive data) or if required by applicable law, we will ensure we have additional legal grounds as needed.

• Personal Data You Provide This includes identifiers such as your name, email address, telephone number, or other contact details you may provide (for example, when filling out a contact form or signing up for services). If you communicate with us, we will collect any information you choose to share.
• Usage Data We also collect information automatically when you use our website or services. This may include technical information like your IP address, device type, browser type, browser version, the pages of our website that you visit, the time and date of your visit, unique device identifiers, and other diagnostic data. This information helps us understand how our Service is accessed and used.
• Cookies and Tracking Technologies We use cookies and similar tracking technologies to track activity on our Service and store certain information. Cookies help us remember your preferences, enhance your experience (for example, by keeping you logged in or remembering language settings), and analyze how you use our site so we can improve it. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. (For more details, please see our Cookies Policy if available, or the cookies explanation in this document.)

We use your personal data for the following purposes:

• To Provide and Maintain Our Services This includes using data to deliver our services to you, process transactions, authenticate you as a user, and provide customer support.
• To Improve and Develop Our Services We analyze usage data and feedback to understand how our services are used and to make enhancements, develop new features, and improve user experience.
• To Communicate with You We may use your contact information to respond to inquiries you send us, inform you about updates or important information related to the services you use, and notify you about changes to our terms or policies. If you have opted in to receive marketing communications, we will send you newsletters or promotions about our products and services; you can opt out of these at any time.
• For Security and Fraud Prevention We process personal data as necessary to maintain the security of our website, systems, and users. This includes using data to prevent fraud, resolve technical issues, and detect or investigate wrongdoing in connection with our services.
• To Comply with Legal Requirements We may process your data to fulfill obligations under applicable laws, regulations, court orders, or governmental requests (for example, keeping transaction records for financial regulations or responding to lawful requests by public authorities).

Vitalfew operates in multiple jurisdictions, currently including Sri Lanka and Australia, and we serve individuals around the world. This means your Personal Data may be transferred to, and stored on, servers or databases located outside of your home country or region. For example, if you are located in the European Union or another country, your data might be processed in Sri Lanka, Australia, or any other country where we or our service providers maintain facilities. When we transfer personal data across borders, we take steps to ensure your data is afforded a high level of protection:

• Adequate Safeguards We will only transfer your data to jurisdictions that have strong data protection laws or where we can ensure adequate safeguards. For instance, we may use standard contractual clauses approved by regulators, or rely on an adequacy decision or certification, to ensure your data remains protected according to international standards.
• Sri Lanka PDPA Compliance If your data originates from Sri Lanka or is processed in Sri Lanka, we comply with the cross-border transfer restrictions of the Sri Lanka PDPA. This means we will not transfer personal data out of Sri Lanka unless the receiving country or entity ensures an adequate level of data protection or other conditions of the PDPA are met (such as obtaining your explicit consent after informing you of possible risks).
• Australian Privacy Principles For data originating from Australia or handled by our Australian operations, we adhere to the Australian Privacy Principles regarding overseas transfers. We will take reasonable steps to ensure that any overseas recipient of personal information does not breach the APPs in relation to that information.
• Other Regions Likewise, for users in other regions (for example, the European Economic Area), we will abide by applicable data transfer rules under those jurisdictions (such as GDPR transfer requirements) to ensure lawfulness of international data flows.

By using our Service or submitting your information to us, you understand that your personal data may be transferred to and processed in countries outside your own. Regardless of where processing takes place, we will protect your data as described in this Privacy Policy.

We respect your rights to control your personal information. Depending on the laws that apply to your situation (for example, the Sri Lankan PDPA, the Australian Privacy Act, the EU GDPR, or other applicable laws), you may have some or all of the following rights:

• Right to Access You have the right to request a copy of the personal data we hold about you and to obtain information about how we process it.
• Right to Rectification You have the right to ask us to correct or update any inaccurate or incomplete personal data we have about you.
• Right to Erasure You have the right to request that we delete your personal data when it is no longer needed for the purposes for which it was collected, or if you withdraw consent (in cases where consent was the basis for processing), or when we have no lawful basis for holding it. This is also known as the right to be forgotten. Please note that we may not be able to delete information that we are required to keep by law or which is necessary to resolve disputes or enforce our agreements.
• Right to Restrict Processing You have the right to ask us to limit the processing of your personal data in certain circumstances – for example, if you contest the accuracy of the data or if you want to prevent us from erasing data but still need it to establish, exercise, or defend legal claims.
• Right to Data Portability If applicable, you have the right to obtain a copy of the personal data you have provided to us in a structured, commonly used, and machine-readable format, and you can request that we transmit that data to another controller (for example, another service provider) where technically feasible. This right typically applies when the processing is based on your consent or a contract with you, and the processing is carried out by automated means.
• Right to Object You have the right to object to our processing of your personal data in certain situations. For instance, you can object to processing done for direct marketing purposes, and we will stop processing your data for that purpose. You may also object if the processing is based on our legitimate interests or for a task in the public interest, unless we have compelling legal grounds to continue the processing.
• Right to Withdraw Consent If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, and it will not affect processing of your personal data under other lawful bases (for example, keeping records of a transaction made with us).
• Right not to be subject to Automated Decisions (If applicable in your jurisdiction) You have the right to not be subject to a decision based solely on automated processing, including profiling, if that decision produces legal effects or similarly significantly affects you. Vitalfew does not typically make solely automated decisions about you, but if we do in the future (for example, automated fraud screening), we will inform you and ensure you have the right to request human intervention or to contest any such decision.

Exercising Your Rights: You can exercise the above rights by contacting us using the contact information provided in this Privacy Policy. We will respond to your request within the timeframe required by law (in Sri Lanka, Australia, the EU, or other applicable jurisdictions). Please note that for security, we may need to verify your identity before fulfilling certain requests, especially for access, deletion, or portability of data. There may be situations where we cannot fully comply with your request, for example, if it would interfere with our legal obligations, or affect other individuals’ privacy, but we will always address your request in good faith and explain our decision to you. There is normally no fee for exercising your rights, but if a request is unfounded or excessive (for example, repetitive), we may charge a reasonable fee as allowed by law or decline to comply.

We will retain your Personal Data only for as long as necessary to fulfill the purposes we collected it for, as outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. For example, we might need to retain certain information for accounting, auditing, or legal compliance purposes. When we have no ongoing legitimate business need or legal requirement to process your personal data, we will either delete it or anonymize it so that it can no longer be associated with you. If deletion or anonymization is not immediately possible (for example, because the data is stored in backup archives), we will securely store the data and isolate it from further use until deletion is feasible. We comply with any specific data retention obligations in the laws applicable to us. In particular, under Sri Lanka’s PDPA, we will not keep personal data for longer than is necessary for the purpose it was collected. Similarly, we adhere to the Australian Privacy Principles which require that personal information is destroyed or de-identified when no longer needed for a permitted purpose.

We treat your personal information with care and confidentiality. However, we may disclose (share or release) your Personal Data in a few scenarios, as described below:

• Service Providers We may share your information with third-party companies and individuals that perform services on our behalf (such as cloud hosting providers, email service platforms, analytics providers, or other support services). These service providers are only given access to the information necessary to perform their functions, and they are contractually obligated to keep your information confidential and to use it only for providing services to us (and not for their own purposes).
• Business Transfers If Vitalfew is involved in a merger, acquisition, sale of assets, or other corporate transaction, your personal data might be transferred to the new owner or successor entity as part of that deal. If such a transfer happens, we will ensure the new owner is bound to respect the terms of this Privacy Policy regarding your personal data, and if required by law, we will notify you or give you an opportunity to opt out.
• Legal Obligations and Security We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court, regulatory agency, or law enforcement). Additionally, we may disclose data if we believe in good faith that it is necessary to:
  • Comply with a legal obligation or court order.
  • Protect and defend the rights, property, or safety of Vitalfew, our customers, or others.
  • Prevent or investigate possible wrongdoing in connection with our services (such as fraud or security incidents).
  • Protect against legal liability.
  We will not disclose your personal data to third parties for their own marketing or business purposes without your consent.

We take the security of your personal data seriously. Vitalfew implements a variety of technical and organizational security measures to protect your information from unauthorized access, use, alteration, or destruction. These measures include encryption of data where appropriate, access controls to data centers and databases, regular security audits, and staff training on data protection. While we strive to use commercially acceptable means to protect your Personal Data, please be aware that no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee absolute security. In the event of a data breach that affects your personal data, we will notify you and the relevant authorities as required by law.

Our services are not directed to individuals under the age of 13. We do not knowingly collect personally identifiable information from children under 13 years of age (or a higher age threshold if your local law provides for a different age of digital consent). If you are a parent or guardian and you believe that your child under 13 has provided us with personal data, please contact us immediately. If we become aware that we have inadvertently collected personal data from a child without proper consent, we will take steps to delete that information promptly from our servers.

Our website or services may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site. We strongly advise you to review the Privacy Policy of every external site you visit, as their privacy practices may be different from ours. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. This Privacy Policy applies solely to personal data processed by Vitalfew.

We may update our Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we update this Privacy Policy, we will revise the Last updated date at the top of this document. If the changes are significant, we may also provide a more prominent notice (such as by posting a notice on our website or informing you via the email address we have on file, if applicable). Where required by applicable law, we will obtain your consent for material changes to how we use your personal data. We encourage you to review this Privacy Policy periodically for any updates. Your continued use of our services after any changes to this Privacy Policy are posted will be deemed acceptance of those changes, to the extent permitted by law.

If you have any questions, concerns, or requests regarding this Privacy Policy or how Vitalfew handles your personal data, please contact us using the information below. We will be happy to assist you.