Privacy Policy
1. Background
People’s Leasing & Finance PLC (PLC) offers a range of online services, including online savings, withdrawals, and payment facilities. This Privacy Policy outlines the processes PLC uses to collect, use, and protect personal data from customers who use these services. The goal is to ensure the security and confidentiality of personal data as required by applicable laws.
2. Purpose
This policy aims to clarify what information PLC collects, why it is collected, and how customers can manage, update, export, and delete their data. The data collected is used to provide online services, verify the identity of customers, and ensure adherence to privacy principles, keeping all provided information confidential.
3. Scope
This Privacy Policy applies to all personal data collected from PLC’s website, mobile applications, and other online platforms. It governs the handling, processing, and confidentiality of data related to customers, staff, and visitors.
4. Applicability
This policy applies to all customers, staff, and visitors who access PLC’s online services, including mobile applications. It provides guidelines on how data is collected, stored, used, and shared.
5. Terms and Conditions
i. Data Collection & Consent
PLC processes personal data for registration, login, identity verification, and the provision of online services, including mobile applications. Customers provide consent for data collection when they register for online services, and PLC ensures that the collected data is used only for necessary purposes such as service delivery and compliance with legal obligations.
ii. Data Access
Only authorized personnel, primarily in the Online Services department, will have access to customer data. Call center officers will have restricted access for support purposes. Data access logs are maintained, and customers can view and manage access details via their accounts.
iii. Security Measures
All personal data is encrypted using SSL/TLS protocols during transmission and at rest. The mobile application utilizes two-factor authentication (2FA) to prevent unauthorized access. Encryption standards are regularly audited to maintain the highest levels of data security.
iv. Categories of Data Collected
PLC collects the following personal data:
- Name
- Email address
- Date of birth
- Mailing address
- Contact numbers
- Login credentials
- Reference data for financial transactions (e.g., fund transfers, utility payments)
- Permissions for mobile applications:
  - Phone Permission: We collect and monitor specific details about your device, such as the hardware model, operating system version, unique identifiers like IMEI and serial number, user profile information, and mobile network details. This allows us to uniquely identify devices and ensure that unauthorized devices cannot access your account, thereby helping to prevent fraud.
  - Location Permission: We gather and monitor your device’s location to accurately determine your whereabouts and offer a more tailored and efficient service that meets your needs.
  - Contacts Permission: This permission enables us to detect references and automatically fill in data during your credit line application process for a smoother user experience. We collect and monitor your contacts’ information, including names, phone numbers, account types, last modified dates, favorites, and optional details such as relationships and addresses. This data helps us enrich your financial profile, assess your risk profile, and determine your credit eligibility.
  - SMS Permission: We collect and monitor only SMS messages related to bank transactions, including the names of parties involved, transaction descriptions, and amounts, to perform credit risk assessments and facilitate quicker credit approvals. No personal SMS data is collected, read, or stored.
  - Apps Permission: We collect and monitor the list of apps installed on your device to enhance your transaction experience.
  - Accounts Permission: We collect and monitor the list of accounts on your device to improve your credit profile.
v. Data Retention & Deletion
We retain customer data only for as long as necessary to provide our services and meet regulatory requirements. Should you wish to request the removal of your data, you may do so by submitting a written request. However, please note that we may be required to retain certain minimal information in order to comply with legal obligations, such as data retention laws. Rest assured, we will inform you of how long your data will be retained and any regulatory requirements that may apply.
vi. Data Sharing with Third Parties
PLC does not share personal data with third parties without customer consent, except in legally required cases. Data shared with subsidiaries or related companies is strictly for service provision. Clear disclosures are provided at the time of data collection, and customers retain control over their data-sharing preferences.
vii. Notification of Policy Changes
PLC will notify customers of any significant updates to the Privacy Policy via in-app notifications, email, and SMS. Users will be prompted to review and accept policy changes during app updates or while using the online portal.
6. Customer and Staff Mobile Application Security
i. Data Security
All personal, financial, and device-related data transmitted through PLC’s mobile applications are encrypted using SSL/TLS protocols. PLC ensures secure access by employing two-factor authentication (2FA) to allow only authorized users to manage their accounts.
ii. Device Security
PLC advises customers and staff to protect their devices using PINs, biometric authentication, and other secure practices. While PLC ensures application-level security, it is not responsible for breaches due to poor device security on the user’s side.
iii. Access Control
Access to sensitive data via PLC mobile applications is strictly controlled based on user roles. Customers can only access their own personal and financial details, while staff access is limited to the data necessary for their job responsibilities.
iv. Security Audits
PLC conducts regular security audits on its mobile applications to detect and address vulnerabilities, ensuring continuous protection of sensitive data.
7. Collecting Personal Information
PLC collects personal information relevant to providing financial services to customers. This includes:
- Direct information from the customer (e.g., during service registration, marketing participation, surveys)
- Data from external sources such as Credit Information Bureau (CRIB) and publicly available information
PLC’s mobile apps request minimal permissions necessary for service delivery, and customers are informed of the reasons for collecting any sensitive data. Sensitive data (e.g., health, political views) will not be collected without explicit consent.
8. Non-Disclosure / Confidentiality
PLC does not share personal information with third parties without customer consent, except as required by law or in the following circumstances:
- To comply with legal and regulatory obligations
- To assist with investigations into unlawful activities
- To report to credit reporting agencies or related entities for service provision
9. Governing Law
This policy is governed by the laws of Sri Lanka, and PLC ensures compliance with all applicable legal and regulatory standards regarding data protection and privacy.
10. Policy Review
PLC reserves the right to amend this Privacy Policy at any time. Updates will be communicated through the website, mobile application, or other appropriate channels. The policy will be reviewed periodically and updated to reflect the latest legal, regulatory, and technological developments.