Prime Group (referred to herein as “we,” “us,” “our,” or the “Group”) is committed to safeguarding the privacy and personal data of all individuals with whom we interact. For the purposes of this Privacy Notice (the “Policy”), the terms “you” and “your” refer to any reader of this document, data subject, or individual whose personal data is processed by the Group.
In compliance with the Sri Lanka Personal Data Protection Act, No. 9 of 2022 (PDPA), this Policy applies transparently to all processing activities concerning data subjects. This includes, but is not limited to, the following categories of individuals:
- Clients and Consumers: Existing clients, customers, investors, and prospective buyers or renters utilizing our real estate services, physical facilities, or digital portals.
- Corporate Representatives: Directors, authorized corporate principals, and designated representatives of corporate clients, institutional partners, or B2B associates.
- Business Partners and Vendors: Registered vendors, suppliers, individual contractors, and external service providers.
- Workforce and Personnel: Permanent employees, temporary staff, executive officers, job candidates, and employment applicants seeking position allocations.
- Associated Third Parties: Referees, emergency contacts, guarantors, spouses, and dependents whose information is provided to us in connection with employment, financial, or contractual obligations.
- Shareholders: Individual stakeholders, institutional stock investors, and beneficial owners of corporate Group entities.
This document sets forth the comprehensive policies governing data collection, usage, disclosures, data security protocols, chatbot interactions, and international transfers executed through our Web Site and Mobile Application channels, as well as physical on-site forms. This Notice governs all data processing activities executed by Prime Lands (Pvt) Ltd. and all its operational corporate subsidiaries, affiliates, and legal entities—including but not limited to Prime Lands Residencies PLC, Prime Realty (Pvt) Ltd., Prime Housing, and associated brand segments.
Accordingly, this framework comprehensively covers personal data gathered through our official websites (including www.primelands.lk and www.primerealty.lk), any technical system subdomains or URLs to which our main domains redirect, our official mobile applications (such as Prime Edge), paper-based physical forms, and physical Closed-Circuit Television (CCTV) camera monitoring networks deployed across our corporate offices and development construction sites.
1. Definitions
- “Personal Data” (or “Personal Information”): Means any information relating to an identified or identifiable natural person (‘Data Subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- “Sensitive Personal Data”: Means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or personal data relating to offenses, criminal proceedings and convictions.
- “Processing”: Means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Data Controller” / “The Company”: Refers to Prime Lands (Pvt) Ltd. (No. 75, D.S. Senanayake Mawatha, Colombo 08, Sri Lanka) and its legal corporate entities within the Prime Group structure that determine the purposes and means of the processing of personal data.
- “Data Processor” / “Service Provider”: Means any natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller, including third-party companies or individuals employed by the Company to facilitate, provide, or analyze the Service.
- “Data Subject” (also referred to as “You” or “Your”): Means any identified or identifiable natural person whose personal data is collected, stored, handled, or otherwise processed by Prime Group. An identifiable person is an individual who can be recognized, directly or indirectly, by an identifier such as a name, an identification number (e.g., NIC or passport number), location data, or an online identifier. The terms “You” and “Your” throughout this Policy apply directly to any such individual or reader of this document.
- “Data Protection Officer (DPO)”: Refers to the designated individual or team within our organization responsible for overseeing data protection strategies, ensuring compliance with applicable privacy laws, and serving as the primary point of contact for data subjects and regulatory authorities regarding personal data processing activities.
- “Web Site / Mobile Application”: Collectively refers to the digital platforms owned, operated, or maintained by Prime Group, including the primary website domain (www.primelands.lk), integrated systems, official mobile applications (including Prime Edge), and embedded digital interfaces such as our Live Chatbot and automated AI Chatbot channels.
- “Account”: Means a unique account created for You to access our Service or parts of our Service.
- “Affiliate”: Means an entity that controls, is controlled by, or is under common control with a party, where ‘control’ means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for election of directors or other managing authority.
- “Device”: Means any device that can access the Service such as a computer, a cell phone, or a digital tablet.
Your Duty to Provide Accurate Information and Inform Us of Changes
It is vital that the Personal Data we hold about you is accurate, current, and true. Outdated data dramatically impacts real estate title preparation, legal registration, human resources administration, vendor management, and financial planning functions. Please keep us informed if your Personal Data changes (e.g., change of primary residential or business address, legal name change, updated identity documentation, or corporate registration details) during your employment, vendor relationship, or ongoing engagement with us.
Your Duty to Ensure the Security of Your Own Personal Devices
While Prime Group implements stringent enterprise-grade security structures, it is critically important that you ensure the absolute security of the personal devices used to access our Web Site / Mobile Application or transfer Personal Data to us. No data transmissions over the Internet or cellular networks can be guaranteed to be 100% secure. Therefore, it shall be your sole responsibility to safeguard your devices against cybersecurity risks, unauthorized device access, malware infections, and root vulnerabilities.
Security Notice: We will never ask for your passwords, or transactional account information by any unsolicited means of communication (such as cold calls, unsolicited SMS, or unauthenticated emails). You are responsible for keeping your account credentials secure and not sharing them with any third party.
2. Third Party Engagements
Third-Party Consent Requirements
In the event you provide us with any personal information or data on behalf of another individual—including family members, joint investors, co-applicants, or corporate principles—for the purposes of securing real estate products, processing financial services, submitting inquiries, or executing related contracts, you explicitly confirm that such information has been obtained by you and provided to us with the prior specific consent of such person.
You must ensure that the individual has been fully apprised of the full terms and conditions of this Privacy Policy. Any third-party Personal Data provided by you must be strictly accurate, valid, up to date, and must not include any false representations or misstatements of facts.
Third-Party Links
This Web Site / Mobile Application may integrate links to third-party web entities, interactive plug-ins, payment gateway environments, and external mobile applications that are not maintained or controlled by Prime Group. Clicking on those links or enabling those configurations may allow third-party systems to collect, mine, or share data about you based entirely on their distinct terms of use and privacy frameworks. We do not control these third-party environments and are not responsible for their respective privacy policies, operational security setups, or processing activities. When you exit our Web Site / Mobile Application, we strongly encourage you to review the Privacy Notice of every external service environment you visit.
3. Data We Collect
We may collect, use, store, organize, and transfer different types of Personal Data about you which we have grouped together as follows:
- Identity Data: Includes first name, last name, maiden name, username or unique identifier, account registration parameters, marital status, title, date of birth, gender, National Identity Card (NIC) number, passport details, and photographs/scanned document copies.
- Contact Data: Includes billing address, permanent residential address, property delivery mailing address, email address, mobile phone numbers, and landline telephone numbers.
- Financial Data: Includes bank account statements, source of funds documentation, income verification details, credit history records (essential for Prime Max programs and long-term corporate financing structures), tax identifiers, and tax clearance certifications.
- Transaction Data: Includes specific details about payments to and from you, comprehensive records of real estate properties purchased, site visit history records, reservation dates, deed reference records, and preference parameters.
- Technical Data: Includes internet protocol (IP) address, your login data, browser type and version, time zone setting, location parameters, unique device identifiers, browser plug-ins, operating system, platform architectures, and other diagnostic technology identifiers embedded in the devices you use to access this Web Site / Mobile Application.
- Usage Data: Includes detailed metrics concerning how you navigate and interact with our Web Site / Mobile Application, property viewing durations, page visit durations, and selected search terms.
- Chat, Communication, and Interaction Data: Includes written text, user queries, files, uploaded documents, contact data, and comprehensive context transcripts of conversations generated when you interact with the Live Chatbot or the automated AI Chatbot on our main website.
- Marketing and Communications Data: Includes your precise communication preferences in receiving corporate marketing material from us and our integrated third parties, and your preferred channel choices.
- CCTV Video Surveillance: For the protection of our physical property, corporate assets, employees, and visitors, continuous video surveillance through closed-circuit television (CCTV) cameras is conducted at our corporate Head Office and across all active construction/development site perimeters. Video footage containing your physical image and movements is automatically captured and securely recorded whenever you visit these physical locations.
Aggregated Data
We also collect, compile, and utilize ‘Aggregated Data’ such as statistical or demographic profiles for any purpose. Aggregated Data may be derived from your Personal Data but is legally not considered personal data under the PDPA as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to compute the exact percentage of users accessing a specific real estate project page via our Web Site / Mobile Application. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be processed strictly in accordance with this Privacy Notice.
4. Tracking Technologies and Cookies
We use Cookies and similar tracking technologies (such as web beacons, tags, and scripts) to track activity on our Service and store certain information to improve and analyze our Service. The technologies we use include:
- Necessary / Essential Cookies (Session Cookies): Administered by us. These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features.
- Cookies Policy / Notice Acceptance Cookies (Persistent Cookies): Administered by us. These Cookies identify if users have accepted the use of cookies on the Website.
- Functionality Cookies (Persistent Cookies): Administered by us. These Cookies allow us to remember choices You make when You use the Website (such as remembering your login details or language preference).
- Web Beacons: Small electronic files (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).
Cookies can be ‘Persistent’ or ‘Session’ Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser. Where required by law, we use non-essential cookies (such as analytics, advertising, and remarketing cookies) only with Your consent. You can withdraw or change Your consent at any time using Our cookie preferences tool (if available) or through Your browser/device settings. If you deactivate or block cookies, please note that certain components of this Web Site / Mobile Application may become inaccessible or fail to function properly.
5. How We Use Your Personal Data
We process your Personal Data strictly under valid legal frameworks authorized by the Sri Lanka PDPA. Most commonly, we will use your data under the following circumstances:
- Consent of the Data Subject: Applied where you have given clear, unambiguous, and explicit consent for specific processing operations. This basis is primarily leveraged for digital marketing subscriptions, consumer preference profiling, and the processing of Special Categories of Personal Data (such as biometric data for secure facility access, medical records for employee health insurance, or sensitive background checks). You retain the right to withdraw this consent at any time through a written request.
- Performance of a Contract: Applied to all property purchases, investor agreements, construction handovers, and vendor/supplier registration workflows to manage corporate vendor onboarding, verify individual identity parameters, and fulfill contractual deliverables.
- Compliance with Legal Obligations: Applied when verifying the source of funds under anti-money laundering regulations, tracking corporate tax outputs for the Inland Revenue Department, checking credit status via statutory institutions (e.g., CRIB), and filing mandatory reports to state and regulatory authorities.
- Legitimate Business Interests: Applied when administering website infrastructure, coordinating client property tours, running internal data diagnostics, maintaining corporate security via physical CCTV perimeters, and deploying automated customer chatbots to respond to incoming service queries.
- Processing Job Applicant Data (Pre-Contractual Steps): The processing of CVs, employment portfolios, and interview scores is executed strictly as a necessary pre-contractual requirement to evaluate candidate eligibility prior to entering into a formal employment agreement.
- Legal Claims & Dispute Defenses: Processing personal records, historical deeds, and transaction milestones to defend property title transfers, respond to legal notices, or litigate land ownership and property boundary claims is executed under the legitimate interest of protecting corporate property rights and managing judicial disputes.
Purposes for Processing Your Data
- Platform & Service Operations: To provide, maintain, optimize, and monitor the performance and security of our websites, mobile applications, and real estate portals.
- Account & Profile Management: To administer user registrations, logins, customer dashboards, and account credentials on our digital channels.
- Transaction Execution: To manage property purchases, listings, rentals, structural site viewings, construction milestones, and financial installment timelines.
- Legal Documentation & Verification: To facilitate land title verifications, background checks, KYC evaluations (including verifying PEP status and spouse/relative details), and the execution of legal deeds.
- B2B & Supply Chain Onboarding: To register, evaluate, and manage contracts and relationships with external vendors, suppliers, contractors, and corporate client representatives.
- Communications & Support: To contact individuals via email, phone calls, SMS, or WhatsApp regarding critical platform alerts, financial statements, construction progress, or account confirmations.
- Inquiry Handling & Chatbots: To process inputs into our website AI Chatbots and customer care tickets to resolve queries and route complex requests to the appropriate internal teams.
- Recruitment & Talent Evaluation: To screen CVs, educational portfolios, and reference details strictly as a pre-contractual assessment step for employment applications.
- Corporate Governance: To maintain legal share ledgers, coordinate Central Depository System (CDS) accounts, process dividend distributions, and handle proxy voting records.
- Physical Security Monitoring: To conduct continuous video surveillance via Closed-Circuit Television (CCTV) cameras at our corporate Head Office and active construction sites to ensure asset protection and physical safety.
- System Diagnostics & Security: To run internal corporate server diagnostics, manage database space allocations, perform backups, and troubleshoot software architectures.
- Marketing & Engagement (Optional): To deliver tailored property portfolios, localized newsletters, and custom pricing invitations based on explicit user interests (subject to an absolute right to opt out).
Change of Purpose
We will only use your Personal Data for the explicit purposes for which we gathered it, unless we reasonably determine that we need to use it for another supplementary reason and that reason is compatible with the original processing purpose. If we must use your Personal Data for an unrelated purpose, we will notify you and explain the specific legal foundation or request explicit consent.
6. Marketing
We strive to provide you with meaningful choices regarding specific Personal Data processing practices, particularly around targeted marketing, customized property advertisements, and cross-channel communications. We will request your express, uncoerced consent before we share your Personal Data with any corporate entity outside Prime Group for corporate marketing or promotional purposes. You can withdraw this consent at any time. If you wish to opt out of our marketing communications or promotional activities, you can do so by using the opt-out or unsubscribe options provided within our messages, or by contacting us directly. We will update your preferences and stop processing your data for these purposes immediately upon request.
7. Disclosure and Transfer of Your Personal Data
International Transfers
Prime Group operations may necessitate transferring your Personal Data across international borders to cross-border cloud database environments, foreign branch structures, or global subsidiary entities. Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to—and maintained on—computers located outside of Your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those from Your jurisdiction.
Whenever we execute cross-border data transmissions outside Sri Lanka, we ensure an equivalent level of protection is maintained by entering into comprehensive standard contractual clauses and binding data processing frameworks that guarantee the recipient enforces robust technical and physical controls over your data in alignment with the Sri Lanka PDPA.
Categories of Disclosures
We may share your Personal Data with internal and external categories of third parties under strict confidentiality frameworks:
- Statutory National Authorities: We share transactional data and identity logs with the Financial Intelligence Unit (FIU) of Sri Lanka (for anti-money laundering compliance), the Inland Revenue Department (IRD) (for real estate tax reporting), and the Credit Information Bureau (CRIB) of Sri Lanka (for long-term financing credit checks).
- Corporate Subsidiaries: Personal records are shared across specified legal corporate entities under the Prime Group architecture (such as Prime Lands Residencies PLC and Prime Realty Pvt Ltd.) strictly for unified customer management and internal audit reporting.
- Cloud Infrastructure & Software Providers: Data is securely hosted within specialized global cloud server environments, Customer Relationship Management (CRM) databases, and secure sub-processor software architectures.
- Professional Advisors: Disclosures are made to certified title lawyers, notary publics, external legal counsel, and corporate auditors to execute property deed registrations, verify land titles, and compile statutory financial statements.
8. Data Retention
We will only retain your Personal Data for as long as necessary to fulfill the explicit purposes we collected it for, including for the purposes of satisfying any legal, accounting, land registration, or statutory reporting requirements. We apply strict, differentiated retention periods to different categories of Personal Data:
- Account Information: Retained for the duration of your active account relationship plus up to 24 months after closure.
- Data Subject Support Data: Up to 24 months from the precise date of ticket or query closure.
- Usage & Technical Data: Website analytics data, application usage statistics, and server logs are retained for up to 24 months.
- Legal & Transactional Records: Retained permanently or long-term as required under governing statutory laws of Sri Lanka (for land registries, title verification, deeds, and financial auditing compliance).
- Job Applications & CVs: Retained for a period not exceeding 12 months from the date of final recruitment decision, unless otherwise required by law or with renewed consent.
In some specific circumstances, you have the legal right to ask us to delete your data. Alternatively, we may choose to completely anonymize your Personal Data (so that it can no longer be associated with you or identify you) for historical research or statistical analysis, in which case we may use this non-identifiable information indefinitely without further notice to you.
9. Children’s Privacy
Our Service does not address anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under the age of 16. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact us. If We become aware that We have collected Personal Data from anyone under the age of 16 without verification of parental consent, We take steps to remove that information from Our servers.
10. Data Security
We have implemented rigorous, enterprise-grade physical, technical, and administrative security measures to prevent your Personal Data from being accidentally lost, altered, disclosed, destroyed, or accessed in an unauthorized manner. We secure all digital channels via industry-standard Transport Layer Security (TLS/SSL) encryption, firewalls, role-based access management profiles, and multi-factor authentication protocols.
Furthermore, we limit access to your Personal Data to those employees, contractors, agents, and operational third parties who have an absolute corporate ‘need-to-know’ business requirement.
11. Your Legal Rights
Under the Sri Lanka Personal Data Protection Act, No. 9 of 2022 (PDPA), you possess specific enforceable statutory rights over your Personal Data, including the following:
- Right of Access / Disclosure: You have the right to request access or copies of the personal data we safely store regarding your identity.
- Right to Rectification: Request modification, updates, or immediate rectification of any inaccurate, incomplete, or outdated data.
- Right to Erasure / Deletion: You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You. You may update, amend, or delete Your information at any time by signing in to Your Account or contacting Us.
- Right to Object or Restrict Processing: Object to specific algorithmic workflows, restrict data usage, or object entirely to corporate promotional campaigns.
- Right to Withdraw Consent: Where processing relies on specific consent structures, you hold the statutory right to withdraw your consent freely at any point without penalty. Please note that withdrawing your consent will not affect the lawfulness of any processing carried out based on that consent before its withdrawal.
- Rights Related to Automated Processing & Chatbots: Where our automated AI Chatbot or digital systems process your data to evaluate property preferences automatically, you have the right to request human intervention, express your distinct point of view, or contest any automated outcomes that significantly impact your engagement or property transaction.
- Right to Appeal: If you believe the Company has failed to address your data rights appropriately, you hold a statutory right to lodge an appeal directly with the Data Protection Officer or escalate the matter to the national Data Authority.
You will not have to pay a fee to access your Personal Data or to exercise any of your statutory rights. We strive to respond to all legitimate Data Subject requests within a period of twenty-one (21) working days (this period may be extended by up to three (3) months with prior notice to the requestor (provided for within the amendments to the Act.), or as prescribed under the statutory regulations of the PDPA. If you wish to exercise any of your rights, please contact the Data Protection Officer via [email protected].
12. Changes to this Privacy Policy
Prime Group may amend, modify, or update this Privacy Policy from time to time in accordance with updated applicable national laws, regulations, technological updates, best data practices, and internal corporate governance frameworks. We will notify You of any changes by posting the new Privacy Policy on this page and updating the ‘Last updated’ date at the top. Historic archived versions can be requested by contacting our privacy desk.
13. Clarifications or Complaints
If you have any detailed clarifications, unresolved questions, or wish to register a formal complaint regarding how Prime Group processes your data, you are encouraged to contact us directly at [email protected], or via our physical corporate headquarters at No. 75, D.S. Senanayake Mawatha, Colombo 08, Sri Lanka. You also have the legal right to escalate your complaint or report systemic regulatory violations to the designated Data Protection Authority of Sri Lanka.
Contact Details
- Full Name of Legal Entity: Prime Group / Prime Lands (Pvt) Ltd.
- Designated Inquiries Desk: Data Protection Officer
- Email Address: [email protected]
- Postal Mailing Address: No. 75, D.S. Senanayake Mawatha, Colombo 08, Sri Lanka.
- Telephone Hotline: +94 11 2 690 790