Privacy Policy

1. Introduction and Commitment to Privacy

Atelier Optimatix (PVT) LTD ("we," "our," "us," or "Company") is deeply committed to protecting the privacy and security of personal information entrusted to us. This Privacy Policy explains in detail how we collect, use, store, share, and protect information when you use our digital platforms, services, and payment processing systems.

This Privacy Policy applies to all users of our Services, including parents, guardians, educational institution administrators, and any other individuals who interact with our platforms. By accessing or using our Services, you consent to the practices described in this Privacy Policy.

2. Information We Collect

2.1 Personal Information Provided Directly

When you register, use our Services, or communicate with us, we may collect:

Account and Profile Information:

• Full name (parent/guardian or authorized user)
• Email address
• Mobile telephone number
• Postal address
• Date of birth (for verification purposes)
• Preferred language and communication preferences

Student-Related Information:

• Student name and identification numbers (non-sensitive, school-assigned IDs only)
• Grade level and class section
• School enrollment information
• Parent-student relationship details

Communication Data:

• Messages sent through our platform
• Customer support inquiries and correspondence
• Feedback and survey responses
• Email communications and notifications preferences

2.2 Payment and Financial Information

Transaction Data: When processing payments, we collect:

• Transaction amount and currency
• Payment date and time
• Transaction reference numbers
• Payment status and confirmation details
• Invoice and receipt information

Important Note on Payment Card Data: We do NOT collect, store, or have access to:

• Full credit or debit card numbers
• Card CVV/CVC security codes
• Card expiration dates
• Card PIN numbers

All sensitive payment card information is handled directly and exclusively by Commercial Bank of Ceylon PLC's secure Internet Payment Gateway (IPG), which is PCI DSS compliant. We only receive tokenized payment confirmations and transaction identifiers.

2.3 Technical and Usage Information

We automatically collect certain technical data when you use our Services:

Device and Browser Information:

• IP address and general geographic location
• Device type, model, and operating system
• Browser type and version
• Screen resolution and device identifiers

Usage and Analytics Data:

• Pages visited and features used
• Time spent on different sections
• Click patterns and navigation paths
• Search queries within our platform
• Error logs and diagnostic data

Cookies and Tracking Technologies: We use cookies and similar technologies to:

• Maintain user sessions and preferences
• Analyze platform performance and usage patterns
• Improve user experience and functionality
• Prevent fraudulent activities

You can control cookie preferences through your browser settings, though some features may not function properly if cookies are disabled.

2.4 Information from Third Parties

We may receive information from:

• Educational institutions about enrolled students and authorized users
• Commercial Bank of Ceylon PLC regarding payment transaction status
• Identity verification services (where legally required)
• Public databases for fraud prevention purposes

3. How We Use Your Information

3.1 Primary Service Delivery

We use collected information to:

• Create and manage user accounts
• Process payment transactions securely
• Facilitate communication between parents and schools
• Provide access to platform features and services
• Send transaction confirmations and receipts
• Deliver important service-related notifications

3.2 Payment Processing and Settlement

Information is used to:

• Authenticate and authorize payment transactions
• Reconcile payments with educational institutions
• Calculate and process settlement amounts to schools
• Generate financial reports and statements
• Comply with payment processing regulations
• Detect and prevent fraudulent transactions

3.3 Platform Improvement and Analytics

We analyze usage data to:

• Understand how users interact with our platform
• Identify and fix technical issues
• Optimize user experience and interface design
• Develop new features and enhancements
• Conduct internal research and statistical analysis

3.4 Communication and Support

We use contact information to:

• Respond to customer inquiries and support requests
• Send important updates about Services or policies
• Provide transaction notifications and payment reminders
• Request feedback on platform experience
• Conduct user satisfaction surveys

3.5 Legal and Regulatory Compliance

Information may be used to:

• Comply with applicable laws and regulations
• Respond to legal requests from authorities
• Enforce our Terms and Conditions
• Protect against fraud, security threats, and illegal activities
• Maintain records as required by Sri Lankan law

4. Information Sharing and Disclosure

4.1 With Educational Institutions

We share relevant information with partner schools, including:

• Student enrollment and identification details
• Payment transaction records and status
• Parent/guardian contact information
• Communication history related to school matters

Schools are contractually obligated to protect this information and use it only for legitimate educational and administrative purposes.

4.2 With Payment Service Providers

We share necessary transaction data with:

• Commercial Bank of Ceylon PLC for payment processing
• Their authorized payment gateway infrastructure
• Payment card networks (Visa, Mastercard, etc.) as required for authorization

These entities are bound by strict confidentiality and security standards, including PCI DSS compliance.

4.3 With Service Providers and Vendors

We may share information with trusted third-party service providers who assist us with:

• Cloud hosting and data storage
• Technical infrastructure maintenance
• Customer support services
• Analytics and performance monitoring
• Email delivery and communication services

All service providers are contractually bound to maintain confidentiality and security standards consistent with this Privacy Policy.

4.4 Legal Requirements and Protection

We may disclose information when we believe it is necessary to:

• Comply with legal obligations, court orders, or subpoenas
• Enforce our Terms and Conditions or other agreements
• Protect the rights, property, or safety of Atelier Optimatix, users, or the public
• Detect, prevent, or address fraud, security, or technical issues
• Respond to claims of rights violations

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, user information may be transferred as part of the transaction. We will notify users of any such change in ownership or control of personal information.

4.6 What We Do NOT Do

We explicitly do NOT:

• Sell personal information to third parties for marketing purposes
• Share student data with advertisers
• Use personal information for purposes unrelated to our Services
• Provide data to unauthorized parties

5. Data Security Measures

5.1 Technical Security

We implement industry-standard security measures:

• Encryption of data in transit using TLS/SSL protocols
• Encryption of sensitive data at rest
• Secure access controls and authentication mechanisms
• Regular security audits and vulnerability assessments
• Intrusion detection and prevention systems
• Secure backup and disaster recovery procedures

5.2 Organizational Security

Our internal practices include:

• Restricted access to personal information on a need-to-know basis
• Employee training on data protection and security
• Confidentiality agreements with all staff and contractors
• Regular security policy reviews and updates
• Incident response and breach notification procedures

5.3 Payment Security

All payment processing adheres to:

• PCI DSS (Payment Card Industry Data Security Standard) compliance
• Tokenization of sensitive payment data
• Secure communication channels with banking systems
• Multi-factor authentication for financial transactions
• Continuous monitoring for fraudulent activities

6. Data Retention and Deletion

6.1 Retention Periods

We retain information for as long as necessary to:

• Provide Services and maintain your account
• Comply with legal and regulatory requirements
• Resolve disputes and enforce agreements
• Support business operations and record-keeping

Specific retention periods include:

• Active account data: Duration of account plus 2 years
• Transaction records: 7 years (as required by banking regulations)
• Communication logs: 3 years
• Technical logs: 1 year

6.2 Data Deletion

Upon account closure or at your request, we will:

• Delete or anonymize personal information where legally permissible
• Retain certain data as required by law or legitimate business needs
• Notify partner schools of account closure where relevant

Note that some information may persist in backup systems for a limited period before permanent deletion.

7. Your Rights and Choices

7.1 Access and Correction

You have the right to:

• Access personal information we hold about you
• Request corrections to inaccurate or incomplete data
• Update your account information at any time
• Request a copy of your data in a portable format

7.2 Communication Preferences

You can control:

• Email notification settings through your account preferences
• Marketing communication opt-outs (service-related emails cannot be disabled)
• Communication channels (email, SMS, in-app notifications)

7.3 Account Deletion

You may request account deletion by contacting us at info@atelieroptimatix.com. Please note:

• Deletion requests are processed within 30 days
• Some data may be retained as legally required
• Outstanding financial obligations must be settled before deletion

7.4 Cookie Management

You can manage cookies through:

• Browser settings to block or delete cookies
• Opt-out tools for analytics services
• Platform settings for personalization features

8. Children's Privacy

Our Services are designed for use by parents, guardians, and educational institutions. We do not knowingly collect personal information directly from children under 18 without parental consent. If we become aware of such collection, we will promptly delete the information.

9. International Data Transfers

Our Services are primarily operated within Sri Lanka. If you access our Services from outside Sri Lanka, please be aware that information may be transferred to, stored, and processed in Sri Lanka where our servers and facilities are located. By using our Services, you consent to such transfers.

10. Third-Party Links and Services

Our platform may contain links to third-party websites or services (such as school websites). We are not responsible for the privacy practices or content of these external sites. We encourage you to review their privacy policies before providing any personal information.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

• Changes in our practices or Services
• Legal, regulatory, or security requirements
• User feedback and industry best practices

When changes are made:

• The "Last Updated" date will be revised
• Significant changes will be communicated via email or prominent notice
• Continued use after changes constitutes acceptance

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your information.

12. Data Protection Officer

For privacy-related inquiries or concerns, you may contact our Data Protection Officer at:

Email: privacy@atelieroptimatix.com
Address: Atelier Optimatix (PVT) LTD, 320, Irabadagama, Sandalankawa 60176 Sri Lanka

13. Regulatory Compliance

We comply with:

• Personal Data Protection Act of Sri Lanka (when enacted)
• Payment Card Industry Data Security Standard (PCI DSS)
• Banking and financial regulations applicable in Sri Lanka
• International data protection principles and best practices

14. Contact Information

For questions, concerns, or requests regarding this Privacy Policy or your personal information:

General Inquiries: info@atelieroptimatix.com
Privacy Concerns: privacy@atelieroptimatix.com
Registered Office: Atelier Optimatix (PVT) LTD, 320, Irabadagama, Sandalankawa Business Hours: Monday - Friday, 9:00 AM - 5:00 PM (Sri Lanka Time)

Last Updated: January 17, 2026

This Privacy Policy is effective as of the date stated above and applies to all users of Atelier Optimatix Services.