BidDrive
Legal Document

Privacy Policy

We take your privacy seriously. This policy explains exactly how BidDrive collects, uses, and protects your personal data.

Effective: January 1, 2026 · PDPA Sri Lanka Compliant · 11 sections
🔒 AES-256 Encrypted
🚫 Never Sold
PDPA Compliant
👤 You Control Your Data

Your data is encrypted, never sold, and you retain full control. If anything is unclear, contact us.

Overview

GIT Lanka (Pvt) Ltd ("BidDrive", "we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our platform at biddrive.lk.

This policy is compliant with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka ("PDPA") and applicable international standards. By using BidDrive, you consent to the data practices described in this policy.

Our Data Protection Officer can be contacted at: dpo@biddrive.lk

Data We Collect

We collect the following categories of personal data:

Identity Data:
• Full name, date of birth, gender.
• National Identity Card (NIC) number or passport number.
• Photographs (NIC images and selfies for KYC verification).

Contact Data:
• Email address, mobile phone number, postal address.

Transaction Data:
• Bid history, purchase records, payment details.
• Escrow transaction records and settlement history.

Technical Data:
• IP address, browser type, device identifiers.
• Session data, login timestamps, platform activity logs.

Communication Data:
• Messages exchanged with other users on the Platform.
• Support tickets and communications with our team.

We do not collect sensitive personal data beyond what is required for identity verification.

How We Use Your Data

We use your personal data for the following purposes:

Service Delivery:
• To create and manage your account.
• To facilitate auction participation, bidding, and vehicle transactions.
• To process payments and manage escrow.
• To conduct KYC identity verification.

Legal & Compliance:
• To comply with Sri Lankan financial regulations, including AML/CFT obligations.
• To report suspicious activity to the Financial Intelligence Unit (FIU).
• To respond to court orders and lawful law enforcement requests.

Platform Improvement:
• To analyze usage patterns and improve our platform.
• To detect, prevent, and investigate fraud and abuse.
• To send service notifications (bid updates, outbid alerts, transaction confirmations).

Marketing (with consent):
• To send newsletters, market reports, and platform updates.
• You can opt out at any time via account settings or the unsubscribe link in emails.

Data Sharing

We do not sell your personal data. We share your data only in the following circumstances:

Transaction Partners:
• When you complete a transaction, we share necessary contact details with the counterparty (buyer or seller) to facilitate vehicle handover.

Service Providers:
• Payment processors and banking partners for escrow services.
• Cloud infrastructure providers (servers located in Singapore and Sri Lanka).
• Email and SMS service providers for notifications.
• KYC verification technology partners.

All service providers are bound by data processing agreements that restrict use of your data to the purposes we specify.

Legal Authorities:
• In response to a valid court order, summons, or lawful request from Sri Lankan authorities.
• To prevent imminent harm or protect the safety of users or the public.

Business Transfers:
• In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you with 30 days' notice before any such transfer.

Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this policy, subject to legal obligations:

• Account data: Retained for the duration of your account plus 7 years after closure (for financial record-keeping).
• KYC documents: Retained for 7 years as required under Sri Lanka's Anti-Money Laundering Act.
• Transaction records: Retained for 7 years from the date of transaction.
• Support communications: Retained for 3 years.
• Technical logs: Retained for 90 days.

After retention periods expire, your data is securely deleted or anonymized. You can request early deletion subject to our legal obligations — see "Your Rights" below.

Data Security

We implement robust technical and organizational measures to protect your data:

Technical Measures:
• AES-256 encryption for data at rest.
• TLS 1.3 encryption for all data in transit.
• Bcrypt hashing for passwords (never stored in plain text).
• Multi-factor authentication available for all accounts.
• Regular penetration testing by independent security firms.

Organizational Measures:
• Access to personal data restricted to staff with a legitimate business need.
• All staff undergo mandatory data protection training.
• Incident response plan in place for data breaches.

Breach Notification:
• In the event of a data breach affecting your rights and freedoms, we will notify you and the relevant Sri Lankan Data Protection Authority within 72 hours of becoming aware of the breach.

Cookies & Tracking

We use cookies and similar tracking technologies to enhance your experience:

Essential Cookies (required):
• Session management and authentication.
• Security tokens and CSRF protection.

Analytics Cookies (opt-out available):
• Platform usage analytics (aggregated, anonymized).
• Performance monitoring.

We do not use third-party advertising cookies or behavioral tracking for advertising purposes.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

Your Rights

Under the PDPA Sri Lanka and applicable law, you have the following rights:

Right to Access:
• Request a copy of all personal data we hold about you.

Right to Rectification:
• Request correction of inaccurate or incomplete data.

Right to Erasure:
• Request deletion of your data, subject to our legal retention obligations.

Right to Object:
• Object to processing for marketing purposes at any time.

Right to Portability:
• Request your data in a structured, machine-readable format.

Right to Withdraw Consent:
• Withdraw consent for optional data processing at any time.

To exercise any of these rights, contact us at: privacy@biddrive.lk

We will respond to all verified requests within 30 days. We may need to verify your identity before processing a request.

Children's Privacy

BidDrive is not intended for persons under the age of 18. We do not knowingly collect personal data from children under 18.

If you believe we have inadvertently collected personal data from a person under 18, please contact us immediately at privacy@biddrive.lk and we will delete the data promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by:
• Sending an email notification to your registered address.
• Displaying a prominent notice on the Platform.
• Updating the "Last Updated" date at the top of this policy.

Changes take effect 30 days after notification. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

Last Updated: January 1, 2026

Previous versions are available upon request.

Contact Our DPO

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

Data Protection Officer
GIT Lanka (Pvt) Ltd
42 Galle Road, Colombo 3
Sri Lanka 00300

Email: dpo@biddrive.lk
Phone: +94 11 200 4800 (ext. 205)
Response time: Within 5 business days

You also have the right to lodge a complaint with the relevant Sri Lankan data protection supervisory authority if you believe your rights have been violated.