Privacy Policy

Tiffany & Sienna (Private) Limited (hereafter: “Tiffany & Sienna” or “Data Controller”), in accordance with the PDPA, is committed to protecting your personal data and ensuring transparency in all processing activities. Before communicating any personal data to the Controller, we invite you to carefully read this Privacy Policy, which contains important information on how your data will be handled. This notice:

  • Applies to the website and all services offered by Tiffany & Sienna.
  • Constitutes an integral part of the website and the services we provide.
  • Is issued in compliance with the information-notice obligations under the PDPA.

Data processing will be carried out under the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, integrity and confidentiality, and accountability, in line with PDPA requirements.

“Processing of personal data” refers to any operation or set of operations, with or without automated means, performed on personal data, including collection, recording, organisation, storage, use, disclosure, erasure or destruction, among others.

Contents

  1. Data Controller and Data Processors
  2. Personal Data Subject to Processing
    a. Navigation Data
    b. Cookies and Similar Technologies
    c. Data Voluntarily Provided by Users
  3. Purposes of Processing
  4. Legal Basis and Nature of Processing
  5. Recipients of Personal Data
  6. Data Transfers Outside Sri Lanka
  7. Data Retention and Storage
  8. Rights of the Data Subject
  9. Security, Governance and Data Protection Officer
  10. Amendments to this Notice
  11. Contact Information

1. Data Controller and Data Processors

  • Data Controller: Tiffany & Sienna (Private) Limited.
  • Contact for privacy-related requests: contact@tiffanyandsienna.com

Tiffany & Sienna determines the purposes and means of processing personal data. External processors (e.g. IT service providers, payment gateways, logistics partners) may be engaged, always under written agreements to ensure compliance with PDPA standards.

2. Personal Data Subject to Processing

a. Navigation Data

During normal use of our website, technical data are automatically recorded by the servers. These data may include IP address, device/browser information, pages visited, timestamps, request methods, and other metadata. Such data are used only for internal analytics, security, and site maintenance, and are retained only for as long as needed to achieve those purposes.

b. Cookies and Similar Technologies

We use cookies and similar technologies to enhance user experience, manage sessions, and allow certain functionalities (e.g. login, cart, preferences). Details about cookie categories and how to manage them are available via our Cookie Policy.

c. Data Voluntarily Provided by Users

When you register for an account, place an order, book styling or salon appointments, subscribe to membership, or contact us through the website or customer-service channels, we collect data you voluntarily submit. This may include your name, contact information, shipping/billing address, booking details, preferences, and other data needed to fulfil the requested service.

These categories of data qualify as “personal data” under the PDPA if they identify, or make identifiable, a natural person.

3. Purposes of Processing

Personal data may be processed for the following purposes:

  • To operate the website, allow navigation, and provide requested services (orders, bookings, memberships, customer support).
  • To manage booking and scheduling for styling salon or other services.
  • To fulfil contractual obligations related to orders, deliveries, membership, or services.
  • To comply with legal obligations (e.g. tax, accounting, regulatory compliance).
  • To improve our services, perform internal analytics (in anonymised or aggregated form), and ensure website security and fraud prevention.
  • Optionally (only with explicit consent): marketing communications, newsletters, promotions, or personalised offers.

4. Legal Basis and Nature of Processing

  • Processing necessary to perform a contract or pre-contractual steps (order fulfilment, bookings, services): lawful under the PDPA (similar to “performance of contract”).
  • Processing to comply with legal obligations (e.g. accounting, tax, regulatory): lawful under the PDPA.
  • Processing for legitimate interests such as security, fraud prevention and website maintenance: lawful provided the rights of individuals are respected.
  • Optional processing (marketing, newsletters): only upon explicit consent, which may be withdrawn at any time.

Providing personal data for mandatory processing is required to access certain services; failure to do so may prevent such services from being provided.

5. Recipients of Personal Data

Your personal data may be shared with:

  • External processors acting under contract (payment gateways, shipping/logistics partners, IT service providers).
  • Authorities or government bodies if required by law.
  • Internal staff authorised to process data for the purpose of service delivery, under confidentiality obligations.

We ensure that transfers to third-party processors are performed only under legally binding agreements that guarantee data protection compliance.

6. Data Transfers Outside Sri Lanka

If we transfer personal data to recipients outside Sri Lanka, we will ensure safeguards in compliance with the PDPA. This may include binding agreements, corporate rules, or other measures prescribed by the Data Protection Authority of Sri Lanka (DPA) to guarantee continued protection of your data.

7. Data Retention and Storage

Personal data will be retained only for the period necessary to fulfil the purposes for which it was collected or as required by law. When data is no longer needed, it will be securely deleted or anonymised.

Typical retention periods:

  • Customer orders and transaction records: up to 7 years (for accounting, warranty, or legal compliance).
  • Membership, booking, and account data: until the membership/relationship ends, plus a reasonable retention period for audit or legal needs.
  • User consent and preferences (for marketing): until consent is withdrawn.
  • Website analytics or log data: a limited period (e.g. up to 30 days), after which the data are anonymised or purged.

8. Rights of the Data Subject

Under the PDPA, you have the following rights:

  • Right to access your personal data and to obtain a copy
  • Right to rectify or update inaccurate or incomplete data
  • Right to request erasure or anonymisation (subject to legal or contractual requirements)
  • Right to restrict or object to certain processing (especially where based on consent or legitimate interests)
  • Right to withdraw consent for optional processing (e.g. marketing) at any time
  • Right to data portability where applicable
  • Right to lodge a complaint with the DPA if you believe your rights have been violated

Requests are to be sent in writing to the Data Controller at the address indicated in the “Contact Information” section of this notice.

9. Security, Governance and Data Protection Officer

Tiffany & Sienna commits to implementing appropriate technical and organisational safeguards to protect personal data against unauthorised access, loss or damage. These safeguards include secure storage, access controls, encryption (where applicable), confidentiality obligations for personnel, and regular internal audits.

Where required under the PDPA (for example, for sensitive data processing or large-scale operations), we may appoint a Data Protection Officer (DPO) to oversee compliance, data governance and data subject requests.

10. Amendments to this Notice

Tiffany & Sienna reserves the right to modify this Privacy Policy at any time, in response to changes in law (including PDPA), regulatory guidance, or internal practices. We encourage you to review this notice periodically to stay informed of any updates.

11. Contact Information

To exercise the above rights or for any other requests, please write to the Data Controller at the contact address indicated in section 1 of this notice.

Subject line (recommended): “Request Regarding Personal Data”