Legal

Privacy Policy

Effective date: 1 June 2026 · Last updated: 1 June 2026

Your privacy matters to us. This policy explains what personal data Leisurery.com collects, why we collect it, and how we protect it — in plain language.

1. Introduction

Leisurery Stays (PVT) LTD ("we", "us", "our"), trading as Leisurery.com, is committed to protecting your personal data. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the Leisurery.com platform.

This policy is issued in compliance with the Personal Data Protection Act No. 9 of 2022 (Sri Lanka) ("PDPA") and other applicable data protection laws. Leisurery Stays (PVT) LTD is the data controller for personal data processed through the Platform.

By using the Platform you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

We collect the following categories of personal data:

Account & Identity Data

Full name, email address, password (stored as a secure hash), profile photo (optional), and phone number (optional).

Booking Data

Reservation details including check-in/out dates, room type, number of guests, special requests, and booking history.

Payment Data

Transaction reference numbers, payment method type (card / bank), and billing address. Full card numbers are processed exclusively by our payment provider (Stripe) and are never stored on our servers.

Usage & Technical Data

IP address, browser type, device information, pages visited, time spent on pages, search queries, and referral URLs — collected automatically when you use the Platform.

Communications Data

Emails, support messages, and reviews you send to us or post on the Platform.

3. How We Use Your Data

We use your personal data for the following purposes:

PurposeLegal Basis (PDPA)
Create and manage your accountContract performance
Process and confirm bookingsContract performance
Process payments and issue receiptsContract performance
Send booking confirmation and status emailsContract performance
Respond to customer support enquiriesLegitimate interests
Send payment reminders and notificationsContract performance
Detect and prevent fraud or abuseLegitimate interests / Legal obligation
Improve the Platform and user experienceLegitimate interests
Send marketing communications (opt-in only)Consent
Comply with legal and regulatory obligationsLegal obligation

4. Sharing Your Data

We do not sell your personal data to third parties. We share your data only in the following limited circumstances:

  • Hotel Partners — We share your booking details (name, contact, guest count, dates) with the relevant Hotel Partner to fulfil your reservation.
  • Payment Processors — Stripe Inc. processes payments on our behalf. They act as an independent data controller for payment data under their own privacy policy.
  • Cloud & Infrastructure Providers — We use reputable cloud services to host and operate the Platform. These providers process data only on our instructions.
  • Email Service Providers — We use a transactional email service (Zoho Mail) to deliver booking and system emails to you.
  • Legal Authorities — We may disclose data where required by Sri Lankan law, court order, or governmental authority.
  • Business Transfers — In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, subject to the same privacy protections.

5. Cookies & Tracking

We use cookies and similar tracking technologies to operate the Platform, remember your preferences, and analyse usage patterns. Cookies used include:

  • Strictly necessary cookies — Required for the Platform to function (e.g., session authentication). These cannot be disabled.
  • Functional cookies — Remember your preferences such as language, currency, or saved searches.
  • Analytics cookies — Help us understand how the Platform is used so we can improve it. We use anonymised data only.

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Platform.

6. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.

  • Account data — Retained for the life of your account, plus 2 years after closure.
  • Booking & payment records — Retained for 7 years for tax and accounting compliance under Sri Lankan law.
  • Usage logs — Typically deleted or anonymised after 90 days.
  • Marketing preferences — Retained until you withdraw consent.

When data is no longer needed, we securely delete or anonymise it.

7. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • TLS/HTTPS encryption for all data in transit.
  • Hashed storage of passwords (bcrypt).
  • JWT-based authentication with short-lived access tokens.
  • Role-based access controls limiting staff access to personal data.
  • Regular security reviews of our infrastructure.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify you and the relevant authorities as required by the PDPA.

8. Your Rights

Under the Sri Lanka Personal Data Protection Act No. 9 of 2022, you have the following rights:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete data.

Right to Erasure

Request deletion of your personal data where permitted.

Right to Restriction

Ask us to restrict processing in certain circumstances.

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for direct marketing.

Withdraw Consent

Withdraw consent at any time where processing is consent-based.

Right to Complain

Lodge a complaint with the Personal Data Protection Authority of Sri Lanka.

To exercise any of these rights, please email us at support@leisurery.com. We will respond within 30 days of receiving your request.

9. Children's Privacy

The Platform is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us immediately and we will take steps to delete that data.

10. International Data Transfers

Your data may be processed by our service providers in countries outside Sri Lanka (for example, cloud hosting and payment processing). Where such transfers occur, we ensure appropriate safeguards are in place — such as data processing agreements — to maintain a level of protection consistent with the PDPA.

11. Governing Law

This Privacy Policy is governed by the laws of the Democratic Socialist Republic of Sri Lanka, including the Personal Data Protection Act No. 9 of 2022 and any regulations issued thereunder.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "Effective date" above. We encourage you to review this policy periodically.

Your continued use of the Platform after any update constitutes acceptance of the revised Privacy Policy.

13. Contact Us

If you have any questions about this Privacy Policy, or wish to exercise your data rights, please contact our privacy team:

Leisurery Stays (PVT) LTD

Trading as: Leisurery.com

Registered in the Democratic Socialist Republic of Sri Lanka

Email: support@leisurery.com

Website: leisurery.com

Terms and ConditionsBack to Home