Privacy Policy

Last updated: March 8, 2026

MagulYaluwo ("we", "our", "us") is committed to protecting your personal information. This Privacy Policy explains what data we collect, how we use it, and your rights as a user of our platform. We operate in compliance with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (PDPA) and applicable data protection principles.

1. Data We Collect

We collect the following categories of personal information:

Account & Identity Data

  • Full name, email address, phone number, and password (stored as a bcrypt hash — never in plain text)
  • Account role (freelancer, client, or admin) and account creation date

Freelancer Profile Data

  • Retinue role, age, height, district, daily rate, bio, skills, availability status
  • Profile photo and portfolio gallery images you upload
  • Social media profile links (Facebook, Instagram, TikTok, YouTube, WhatsApp) you optionally provide

Transaction & Payment Data

  • Featured Profile upgrade requests: selected plan, amount, and bank transfer reference numbers you submit
  • We do not collect or store credit card numbers or bank account details

Communication Data

  • Inquiry messages, subjects, event dates, and locations sent between Clients and Freelancers
  • Replies and correspondence within the platform

Usage & Technical Data

  • IP address, browser type, and operating system (collected via server logs)
  • Session identifiers and CSRF tokens (stored in encrypted PHP sessions)
  • Pages visited and timestamps (not linked to individual profiles)

2. How We Use Your Data

We process your personal data only for the following purposes:

  • Service delivery: Creating and displaying your profile in the directory, facilitating inquiries between Clients and Freelancers
  • Account management: Authentication, password resets, session management
  • Payments: Processing Featured Profile upgrade requests and verifying payment references
  • Safety & security: Preventing fraud, abuse, spam, and unauthorised access
  • Platform improvement: Analysing aggregate usage patterns to improve features (no individual tracking)
  • Legal compliance: Meeting obligations under Sri Lankan law, responding to lawful requests from authorities
  • Communications: Sending service-related notifications (e.g. inquiry responses, upgrade approvals). We do not send marketing emails without your explicit opt-in consent.

3. Sharing Your Data

We do not sell, rent, or trade your personal data to third parties. Data may be shared only in these limited circumstances:

  • Public profile information: Your name, retinue role, district, skills, rate, bio, and profile photo are publicly visible on the Platform to all visitors
  • Between Clients and Freelancers: When an inquiry is sent, the Client's name is visible to the Freelancer and vice versa, along with inquiry contents
  • Service providers: We use XAMPP/MySQL for database hosting on our own servers. No third-party cloud data processors handle your personally identifiable information
  • Legal obligations: If required by a Sri Lankan court order, government authority, or applicable law, we may disclose data to comply
  • Business transfer: If MagulYaluwo is acquired or merges with another entity, your data may be transferred as part of that transaction, subject to equivalent privacy protections

4. Cookies & Sessions

We use session cookies solely to maintain your login state while you browse the Platform. These are essential functional cookies — the Platform cannot work without them. We do not use advertising cookies, cross-site tracking cookies, or analytics cookies from third parties.

Session cookies expire automatically when you close your browser, or after 30 minutes of inactivity. You can also log out manually to clear your session immediately.

External services that may set their own cookies:

  • Bootstrap 5 & Bootstrap Icons (loaded from jsDelivr CDN) — may set performance cookies
  • Google Fonts — may set cookies per Google's own privacy policy

5. Data Security

We implement the following technical and organisational security measures:

  • Passwords: Stored as bcrypt hashes (cost factor 12) — we never store or transmit plain-text passwords
  • CSRF protection: All forms are protected with cryptographically random CSRF tokens
  • Input validation: All user input is validated and sanitised to prevent SQL injection and XSS attacks
  • Parameterised queries: All database queries use PDO prepared statements
  • File uploads: Uploaded images are validated for type and size; only image formats are accepted
  • Access control: Role-based access control ensures users can only access data appropriate to their role

While we take reasonable steps to protect your data, no system is completely secure. In the event of a data breach that affects your rights and freedoms, we will notify affected users as required by the PDPA.

6. Data Retention

  • Active accounts: Data is retained for as long as your account remains active
  • Deleted accounts: Profile and personal data is removed within 30 days of account deletion. Inquiry records may be retained for up to 3 years for legal and dispute-resolution purposes
  • Featured upgrade records: Payment reference records are retained for 7 years to satisfy financial record-keeping obligations
  • Server logs: IP address and access logs are retained for 90 days, then deleted

7. Your Rights

Under the Personal Data Protection Act (Sri Lanka) and general privacy principles, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Correct inaccurate or incomplete data (you can edit most information directly in your profile settings)
  • Erasure: Request that we delete your personal data, subject to legal retention obligations
  • Restriction: Ask us to restrict processing of your data in certain circumstances
  • Portability: Request your data in a machine-readable format
  • Objection: Object to processing where we rely on legitimate interests as our legal basis

To exercise any of these rights, email us at privacy@magulyaluwo.lk. We will respond within 30 days.

8. Children's Privacy

Our Platform is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that a child under 18 has registered an account, we will promptly delete that account and all associated data. If you believe a minor has registered, please contact us immediately.

9. Third-Party Links

Freelancer profiles may contain links to external websites (e.g. Facebook, Instagram, TikTok). MagulYaluwo is not responsible for the privacy practices of those websites. We encourage you to read their privacy policies before sharing any personal data with them.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the Platform after changes are published constitutes acceptance of the revised policy.

For significant changes affecting how we use your personal data, we may also send a notification to your registered email address.

11. Contact & Data Controller

MagulYaluwo (Pvt) Ltd is the data controller for personal information collected through this Platform.
