PRIVACY AND DATA PROTECTION POLICY
1. Who are we and the purpose of this policy
- This Privacy and Data Protection Policy sets out the practices that SB Technologies (Pvt) Ltd.
  ("we", "our", "us", "Company") follows with respect to the collection, use, maintenance, and
  disclosure of information collected via SkoolBus Application ("Application").
- We respect and value the privacy of each person ("you" or "your") who visits the Application and
  we commit to maintaining the highest standards required in order to protect any personal
  information you consent to share with us in accordance with Sri Lanka's Personal Data
  Protection Act No 9 of 2022 ("PDPA"). This Privacy Policy applies only to information we collect
  from this Application and does not apply to any other application, website, or business activity
  of the Company.
- Personal Data as defined by the PDPA means any information that can identify a data subject
  directly or indirectly, by reference to an identifier such as a name, financial data, location
  data, or an online identifier or one or more factors specific to the physical, economic,
  cultural or social identity of that individual.
- The purpose of this policy is to provide you with an understanding of how we collect, handle,
  and use your personal data.
- We reserve the right to revise this Privacy Policy at any time, without prior notice, and the
  changes will be effective subsequent to posting the changes to the Application. Please check our
  Application frequently to be updated on the changes. By accessing the content and services made
  available on this Application and by providing your personal data to us, you acknowledge and
  agree that you have fully read and understood this policy, and consent to the collection, use,
  processing, and disclosure of your personal data as described in this policy.
2. What information do we collect and how we collect it
- a. We collect and maintain personal information about you from many sources to understand and
  meet your needs, facilitate your request, and provide our services. The personal data we collect
  may include, but is not limited to:

  If Parent/Guardian:
  - Full name and residential address of the parent/guardian
  - Full name of the child
  - Date of birth of the child
  - Contact number of the parent/guardian
  - Full name of the nominated guardian
  - Contact number of the nominated guardian
  - Child's school details including name, address, grade etc.
  - Child's availability for the journeys
  - Medical information of the child

  If Driver:
  - Full name of the primary driver
  - Contact number of the primary driver
  - Residential address of the primary driver
  - License number of the primary driver
  - Primary driver's vehicle information
  - Primary driver's journey start/end time
  - Primary driver's journey start location
  - Full name of the secondary driver
  - Contact number of the secondary driver
  - License number of the secondary driver
  - Secondary driver's vehicle information
  - Secondary driver's journey start/end time
  - Secondary driver's journey start location
- We collect most of the personal data of the parent/guardian and the primary driver/secondary
  driver to enhance your child's safety and provide the parent/guardian with real-time location
  information of your child during their school journeys.
- To the extent that the personal information we collect constitutes sensitive personal
  information under applicable law, the Application will collect and process this sensitive
  personal information within the limits provided by applicable law, and only after establishing
  reasonable security safeguards for such sensitive personal information. Where required by law,
  the Application will seek your consent before processing sensitive personal information.
- We will not share any data collected with any non-authorized third parties.
3. How We Use Your Information
The Company collects personal data for some or all of the following reasons.
- Provide and maintain the services: To process and fulfill your purchases and subscriptions, send
  you confirmation emails of your purchase and subscription status and allow you to pay for
  subscriptions.
- Improve, personalize, and develop the services: We use the information collected to improve and
  personalize customer experience, perform data analysis and testing, collect feedback to help
  improve our programs, features and/or services, produce certification, and enhance the online
  experience of using the Application.
- Communicate with you: To alert you about product upgrades and revisions, respond to you when you
  contact us, promote new features or products that we feel may be of interest to you, and assist
  in addressing your inquiries and troubleshooting about our products and services. To provide
  you with information that is relevant to your use of the service.
4. How we disclose your information
- We do not sell, trade or otherwise transfer to third parties your personally identifiable
  information. Any information provided to the Application will be protected from loss, misuse,
  unauthorized access or disclosure, alteration or destruction. However, we share your personal
  information with authorized third parties who assist us in operating the Application, conducting
  our business or servicing you including, but not limited to, credit card payments and online
  support, as long as these parties are compliant with applicable data protection laws.
- We use Firebase, a service provided by Google, for data storage and Phone Authentication. Your
  data may be processed and stored by Firebase in accordance with their privacy policy.
- We may choose to retain your personal information to the full extent of any period provided by
  law and statute. We may also choose to delete your personal information from our databases after
  a required number of years and/or if the intended purposes for which we have collected your
  information are completed or are no longer relevant. We may release your information when we are
  required to comply with the law, enforce our policies, or protect the Company's and other
  third-party rights, property or safety. However, non-personally identifiable information may be
  provided by the Company to third parties for marketing, advertising, or other uses.
5. Storage and Retention
We may keep information and content in our systems, backup files, and archives
as follows:
- Encryption is utilized for data at rest and in transit.
- Strong hashing for sensitive information in the database tables.
- Server-side encryption by default in the database.
- Regular backups of the Application data are obtained, and the backup and recovery
  procedures are tested.
- Access (only metadata), network traffic, and system activities are monitored and logged for
  detection of security incidents, with monitoring via the Security Operation Centre.
- Data is classified based on sensitivity, and appropriate security controls are applied over
  the Risk Based Authentication.
Your personal data will be retained as long as necessary to provide you with the services requested.
When we no longer need to use your personal data to comply with business requirements, we will
remove it from our systems and records and/or take steps to properly anonymize it so that you can no
longer be identified from it, unless we need to keep your personal data, including if we need to
keep your personal data to comply with legal or regulatory obligations to which we are subject.
6. Threat Assessment and Protection
We have standardized enterprise-wide analysis of software-related threats within
the organization and have prioritized proactive improvement of threat coverage throughout the
organization to ensure that there are no leaks of the data we collect.
We are committed to ensuring that your information is secure. In order to
prevent unauthorized access or disclosure we have put in place the following suitable physical,
electronic, and managerial procedures to secure the information.
- Implement strong access controls including input validation and multifactor authentication.
- Use secure protocols (SSL/TLS version 1.2 and higher) for data transmission and avoid
  transmitting sensitive data over unsecured networks.
- Establish clear data retention policies and securely dispose of data that is no longer needed.
- Keep systems and software up to date with the latest security patches.
- Conduct regular security audits, GDPR compliances and assessments to identify vulnerabilities
  and implement necessary measures.
- Encrypt the offline data stored on the device using strong encryption algorithms. Android
  provides cryptographic APIs and libraries (AES).
- Establish secure key management techniques to store and handle encryption keys (API keys).
- Data protection by design and default.
- Monitoring and reporting in a file any unauthorized or illegal access attempts.
- Monitoring specific activities such as who accesses personal data and with whom the data
  are being shared.
- Keeping a record of how long the data are to be stored while being stored.
- The data are encrypted, pseudonymized, and anonymized whenever possible, to protect them
  from any unauthorized access.
- The components follow the industry standard GDPR and are acquiring a security
  certification.
7. Your Rights
- Right of access: You may have the right to obtain from us confirmation as to whether
  personal data concerning you is processed, and, where that is the case, to request access to the
  personal data.
- Right to rectification: You may have the right to obtain from us the rectification of
  inaccurate personal data concerning you. Depending on the purposes of the processing, you may
  have the right to have incomplete personal data completed, including by means of providing a
  supplementary statement.
- Right to object: If the processing of your personal data is based on legitimate
  interests, you may have the right to object, on grounds relating to your particular situation,
  at any time to the processing of your personal data by us and we can be required to no longer
  process your personal data. Moreover, if your personal data is processed for direct marketing
  purposes, you have the right to object at any time to the processing of personal data concerning
  you for such marketing, which includes profiling to the extent that it is related to such direct
  marketing. In this case, your personal data will no longer be processed for such purposes by us.
- Right to fair treatment: We will not discriminate against you for exercising any of your
  privacy rights. Irrespective of your standing on your privacy preferences, we will provide the
  services.
- To restrict the use of your information: You can request to restrict the use of your
  information.
- To complain to a supervisory authority: If you have any complaints regarding the data
  collected and usage of it, you have the right to lodge a complaint with a supervisory authority.
8. How to Contact Us
If you have any questions or concerns regarding the Privacy Policy, please feel free to contact us
at the following email or telephone number:
Email: [email protected]
Phone: (+94) 77 547 4343