
Privacy Policy

Last updated: 15 April 2026

1. Who We Are

Nilmani Ceylon Tours is a private tour operator based in Seeduwa, Sri Lanka, operated by Roshan Jayasuriya. We provide personalised private tours and driver-guide services throughout Sri Lanka. Contact: nilmaniceylontours@gmail.com

2. Data We Collect

When you use our website or services, we may collect:

  • Contact details: name, email address, phone number
  • Booking details: travel dates, group size, special requirements, nationality
  • Account details: email and password (if you create an account)
  • Communication data: messages sent through our contact form or chat
  • Technical data: IP address, browser type, pages visited (via analytics)

Sensitive data (phone numbers, passport details where applicable) is encrypted at rest using AES-256-GCM.

3. How We Use Your Data

  • To process and manage your tour booking
  • To communicate about your booking and enquiries
  • To send transactional emails (booking confirmations, status updates)
  • To improve our website and services
  • To comply with legal obligations

We do not use your data for marketing without explicit consent, and we never sell your data to third parties.

4. Legal Basis (GDPR)

For users in the European Economic Area (EEA) and UK, we process your data under the following legal bases:

  • Contract performance — to fulfil your booking
  • Legitimate interests — to run our business securely and improve our service
  • Consent — for analytics cookies (which you can withdraw at any time)

5. Data Sharing

We share your data only with:

  • Resend (email delivery) — Data Processing Agreement in place
  • Cloudinary (image hosting, if applicable) — Data Processing Agreement in place
  • Sentry (error monitoring) — anonymised error reports only, PII scrubbed

No other third parties receive your personal data.

6. Data Retention

  • Active bookings: retained for 6 months after tour completion
  • Enquiries with no booking: anonymised after 6 months of inactivity
  • All booking records: anonymised after 2 years
  • Account data: retained until you request deletion

7. Your Rights

Under GDPR you have the right to:

  • Access — request a copy of all data we hold about you
  • Rectification — correct inaccurate data
  • Erasure (Article 17) — request deletion of your account and data
  • Portability (Article 20) — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — at any time for consent-based processing

To exercise these rights, sign in to your account and visit your dashboard, or email us at nilmaniceylontours@gmail.com.

8. Cookies

We use essential cookies for authentication (session management). We may also use analytics cookies with your consent to understand how our website is used. You can withdraw consent at any time using the cookie banner or your browser settings.

9. Security

We use industry-standard security measures including HTTPS, AES-256-GCM encryption for sensitive fields, secure HTTP-only cookies, rate limiting, and regular backups. Our servers are hosted on a VPS with firewall protection and automated security patches.

10. Contact & Complaints

For any privacy concerns, contact us at nilmaniceylontours@gmail.com. If you are in the EU/UK and believe we have not handled your data appropriately, you have the right to lodge a complaint with your local data protection authority.
