Privacy Notice

1. About this Privacy Notice

Softlogic Life Insurance PLC ("SLI", "we", "our" or "us") is a public limited company carrying on life insurance business under licence from the Insurance Regulatory Commission of Sri Lanka (IRCSL) and listed on the Colombo Stock Exchange. We act as a data controller under the Personal Data Protection Act, No. 9 of 2022, as amended (the "PDPA").

This Privacy Notice explains, in plain language, what personal data we collect about you, why we collect it, what we do with it, who we share it with, how long we keep it, how we protect it, and the rights you have under the PDPA. It is designed to satisfy the disclosures required by Schedule V of the PDPA and reflects insurance-industry best practice. This Notice should be read together with the Company’s Data Privacy Policy.

1.1 Who this Notice applies to

This Notice applies to anyone whose personal data we process in connection with our life insurance business, including:

  • Visitors to www.softlogiclife.lk and our digital channels, including our customer portal and mobile applications;
  • Prospects, applicants and proposers (whether the application is made through an agent, broker, bancassurance partner or directly to SLI);
  • Current and former policyholders, lives assured, joint lives assured, nominees and beneficiaries;
  • Persons covered under group life, group medical, group personal accident, employer-employee and bancassurance schemes;
  • Claimants, including persons making a death, disability, critical illness, hospitalisation, surgical, maternity, surrender, maturity or annuity claim, and persons named in such claims;
  • Our individual agents, advisors, brokers, business partners and their representatives, and the staff of our corporate clients;
  • Visitors to SLI offices, branches and partner premises (including CCTV);
  • Participants in SLI surveys, contests, wellness programmes and loyalty programmes;
  • Anyone who contacts us with an enquiry, complaint or feedback (including via social media).

1.2 Where it applies

This Notice covers all personal data processing carried out by SLI, online and offline, across the lifecycle of an insurance relationship – quotation, application, underwriting, issuance, servicing, premium collection, claim assessment, payout, recovery, complaints and post-termination archiving. Where a specific product, channel, campaign or feature (for example, a microsite, a wellness application or a third-party administered service) has its own privacy terms, those will be read together with this Notice and, in the case of inconsistency, this Notice prevails on PDPA matters.

2. Who we are

The data controller for your personal data is:

  • Softlogic Life Insurance PLC, a company incorporated in Sri Lanka and licensed by the Insurance Regulatory Commission of Sri Lanka (IRCSL) to carry on long-term insurance business;
  • Registered office: Level 16, One Galle Face Tower, Colombo 2, Sri Lanka;
  • Website: www.softlogiclife.lk;
  • Listing: Colombo Stock Exchange;
  • Group affiliation: Softlogic Holdings PLC group of companies.

Our processing is supervised, in different respects, by: the Insurance Regulatory Commission of Sri Lanka (IRCSL); the Financial Intelligence Unit of the Central Bank of Sri Lanka (FIU); the Inland Revenue Department (IRD); the Colombo Stock Exchange (CSE) and the Securities and Exchange Commission of Sri Lanka (SEC) (in our capacity as a listed company); and the Data Protection Authority of Sri Lanka (DPA) under the PDPA.

3. Data Protection Officer (DPO)

SLI has appointed a Data Protection Officer in line with section 20 of the PDPA. The DPO is responsible for advising on PDPA compliance, monitoring our data protection practices, training our staff, handling data subject requests and acting as the principal point of contact with the Data Protection Authority of Sri Lanka.

  • Position: Data Protection Officer, Softlogic Life Insurance PLC
  • Address: Level 16, One Galle Face Tower, Colombo 2, Sri Lanka
  • Email: dataprivacycompliance@softlogiclife.lk
  • Telephone: 1312 / +94 112300400

If your enquiry is operational rather than privacy-specific (for example, a premium payment, a policy document or a claim status), please contact our Customer Service team first, who will escalate to the DPO if needed.

4. Personal data we collect

Life insurance is a data-intensive product. The exact information we collect depends on your relationship with us; a casual website visitor and a proposer for a 20-year endowment policy are very different. We follow the principle of data minimisation: we collect only what we need for the specific purpose, and no more.

4.1 Identification data

  • Full name, including any names previously used;
  • Date and place of birth;
  • Gender;
  • Nationality and country of residence;
  • National Identity Card (NIC) number and a copy of your NIC;
  • Passport number and copy (for non-Sri Lankan residents or where used for KYC);
  • Driving licence number (where used as a supporting ID);
  • Photograph and signature, including specimen signature for policy and claim forms;
  • Marital status and, where relevant for the product, spouse details;
  • Number and ages of dependants.

4.2 Contact data

  • Residential and mailing address (and, where different, employer address);
  • Telephone numbers – mobile, landline and WhatsApp;
  • Email address;
  • Preferred language and channel of communication;
  • Emergency contact details.

4.3 Family, beneficiary and nominee data

To pay claims correctly and honour the policyholder’s intentions, we need information about other people you nominate or insure under our policies:

  • Names, NIC numbers, dates of birth and contact details of nominees, beneficiaries, assignees and trustees;
  • Relationship to the policyholder or life assured;
  • Where the life assured is different from the policyholder (e.g. a parent insuring a child, or an employer insuring an employee), the life assured’s full identification, contact and medical information as well;
  • Details of joint lives assured under joint-life policies;
  • Details of any person on whose life a child policy is dependent (e.g. a parent in a child education plan).

4.4 Employment and financial data

  • Occupation, job title, industry, employer name and address, and length of service;
  • Hazardous occupations (e.g. pilot, aircrew, professional diver, mining, demolition, armed forces deployment, offshore work) where these affect underwriting;
  • Annual income, range of income, sources of income and source of funds for AML purposes;
  • Self-employed and business-owner information – business registration, business income and audited accounts where used to evidence affordability or source of funds;
  • Tax identification number (TIN) and tax residency declarations;
  • Bank account details, debit/credit card details, standing instruction or direct-debit mandates, and other payment information used to collect premiums or pay claims and benefits;
  • Politically Exposed Person (PEP) status, sanctions screening results and AML risk classification.

4.5 Policy and product data

  • Application/proposal forms and supporting documents;
  • Product(s) you hold or have applied for – including term life, whole life, endowment, child education plans, retirement and annuity plans, unit-linked plans, critical illness covers, hospital and surgical cash plans, and group life/group medical schemes;
  • Riders and add-ons such as accidental death and disability, total permanent disability, critical illness, hospital cash, surgical, family income, premium waiver and term riders;
  • Sum assured, premium amount and frequency, premium-paying term and policy term;
  • Underwriting decisions – standard acceptance, loading (extra premium), exclusion, postponement or decline – and the reasoning behind them;
  • Policy events: issuance, lapse, revival, alteration, assignment, nomination changes, surrender and maturity;
  • For unit-linked policies, fund allocation, switching history, top-up history and unit balances;
  • For participating policies, declared bonuses and reversionary additions;
  • Persistency information (whether premiums are paid on time) and lapse/revival history.

4.6 Claims data

  • Type of claim (death, total permanent disability, critical illness, hospital cash, surgical, maternity, surrender, maturity, annuity, group);
  • Details of the event giving rise to the claim – date, place and cause; for death claims, the cause of death and circumstances; for disability claims, the date of onset, progression and prognosis;
  • Supporting documents – death certificate, post-mortem and coroner’s reports where available, hospital discharge summaries, in-patient and out-patient records, doctors’ certificates, ICU records, surgical records, attending physician’s statement, police reports for accidental deaths, and employer’s certificate for group claims;
  • Investigation reports from our claim investigators and from independent surveyors or medical experts;
  • Beneficiary identification and KYC for payout;
  • Claim payment history and any disputes or recoveries.

4.7 Correspondence, complaints and interaction data

  • Recordings of telephone calls to and from our contact centre (we will tell you at the start of the call that it is being recorded);
  • Chat transcripts (live chat, WhatsApp, social media direct messages);
  • Email and SMS correspondence;
  • Records of meetings between you and our agents, advisors or staff;
  • Complaints, feedback, compliments and survey responses;
  • CCTV footage from SLI premises and partner premises, captured for safety, security and incident investigation.

4.8 Sensitive personal data (medical, genetic, biometric, criminal)

Because life and health insurance involves an assessment of mortality and morbidity risk, we sometimes need to process "special categories of personal data" as defined under the PDPA. We do so only where it is necessary and proportionate, and we rely on your explicit consent (typically given at the proposal stage) and on the specific conditions permitted by the PDPA. Concrete examples include:

Health and medical data

  • Your personal medical history – past and current illnesses, surgeries, hospitalisations, ongoing medications and treatments;
  • Family medical history relevant to underwriting – for example, parental history of cardiovascular disease, diabetes or hereditary cancers;
  • Lifestyle factors – smoking status, frequency and quantity; alcohol consumption; use of tobacco products; recreational drug use; participation in hazardous sports and hobbies (e.g. scuba diving, paragliding, motor racing, mountaineering);
  • Physical measurements collected during a medical examination – height, weight, body mass index (BMI), blood pressure, pulse;
  • Investigation results – ECG, treadmill test, blood profile (HbA1c, lipid profile, liver and kidney function), urine analysis, HIV/AIDS testing (with your specific informed consent), chest X-ray, ultrasound scans, mammograms, PSA and other relevant tests;
  • Hospital and treatment records used to assess a hospitalisation, critical illness, surgical or death claim – including discharge summaries, surgical notes, pathology reports, ICU charts and prescriptions;
  • Mental health information, where disclosed in the proposal form or supporting medical records;
  • Maternity-related information for maternity benefit assessment;
  • Cause-of-death information from death certificates, post-mortem reports and attending physicians’ statements.

Genetic and biometric data

  • Genetic information, where relied on for underwriting hereditary conditions. We collect this only with your explicit consent, only where strictly necessary, and never to make automated decisions without human review;
  • Biometric data – for example, a facial image captured during video-KYC (e-KYC) and matched against your NIC photo, or an image of your handwritten signature used for fraud detection.

Criminal record information

  • Disclosure of any criminal convictions, pending charges or material regulatory actions where (a) the proposal form asks for it as part of risk assessment, (b) it is relevant to a claim (e.g. exclusion analysis, or an accidental death involving unlawful activity), or (c) it is required for sanctions screening or AML investigation.

Other special-category data

  • Religion, race or ethnic origin only where strictly necessary (for example, certain claim payments or beneficiary processes that require this information), with appropriate safeguards and minimisation.

4.9 Personal data about other individuals

If you give us personal data about another person (for example, a spouse, child, parent, nominee, beneficiary, attending physician or medical examiner), you confirm that:

  • You have the legal authority to share that data with us (e.g. you are the parent or legal guardian of a minor, or you have been authorised by the data subject); or
  • The person concerned has been informed that their data is being shared with SLI for the stated purpose, has been made aware of this Privacy Notice and their rights under applicable data protection laws, and has consented to the disclosure.

We may verify this where appropriate (for example, by writing to a nominee or by asking for parental consent in the case of a minor).

4.10 Information we collect automatically from your use of our digital channels

  • Device and connection data – IP address, device identifier, advertising identifier, browser type and version, operating system, language settings, screen resolution, mobile network and carrier;
  • Usage data – pages visited, products viewed, quotations started, abandoned or completed, documents downloaded, links clicked, time spent, referring URL, search terms used on our site, and the date, time and duration of each session;
  • Location data – approximate location derived from your IP address; precise location only with your explicit permission (for example, to suggest the nearest branch or agent);
  • Cookies and similar technologies – see section 17;
  • Application logs – for example, logs of premium calculator use, claim status checks and customer portal activity, used for service delivery and security.

4.11 What happens if you do not provide the data we ask for

Providing personal data is, in principle, voluntary. However, some personal data is mandatory because we are required to collect it by law (for example, KYC and AML information under the Financial Transactions Reporting Act and IRCSL directives), or because it is necessary to give you the product or service you have asked for (for example, your medical history is needed to underwrite a life policy, and your bank details are needed to pay a maturity benefit). If you choose not to provide that information, we may not be able to issue, service or continue the policy, pay a claim or benefit, or respond to your enquiry. Where data is optional, we will say so at the point of collection.

5. Where we get your personal data from

We collect personal data from a mix of direct, indirect and automated sources. The mix depends on the product and where you are in the policy lifecycle.

5.1 Directly from you

  • Online and paper proposal forms, KYC forms and supporting documents;
  • Online quotation tools and premium calculators on www.softlogiclife.lk and partner websites;
  • Telephone, video and in-person interactions with our agents, financial planners, contact centre and branch staff;
  • Customer portal and mobile app interactions (e.g. updating contact details, fund switches, claim intimation);
  • Email, WhatsApp, live chat and social media direct messages with our official channels.

5.2 From people acting on your behalf

  • Insurance agents, financial advisors, brokers and bancassurance partners through whom you applied for a policy;
  • Your employer (for group life, group medical, group personal accident or employer-employee schemes);
  • Your parents or legal guardian (for policies on the life of a minor);
  • Your nominees, beneficiaries or legal representatives (for example, executors of a deceased policyholder’s estate);
  • Your attorney or other authorised representative.

5.3 From medical and claims sources

  • Medical examiners and panel doctors who conduct medical examinations on our behalf;
  • Hospitals, clinics, laboratories and diagnostic centres that issue reports for underwriting or claims;
  • Tele-underwriting and tele-medical interview providers engaged by SLI or by our reinsurers;
  • Third-party administrators (TPAs) that manage cashless hospitalisation or group medical claims;
  • Independent loss adjusters, surveyors and claim investigators;
  • Coroners and law-enforcement authorities (for death claims with non-natural causes).

5.4 From regulators, public registers and authorities

  • IRCSL and other Sri Lankan regulators, where they share or require information from us;
  • Financial Intelligence Unit (FIU) of the Central Bank of Sri Lanka for AML-related information;
  • Inland Revenue Department (IRD), Department for Registration of Persons (DRP) and other government bodies;
  • Police, Magistrates’ Courts and other courts (in connection with death or accidental claims and litigation);
  • Publicly available registers – sanctions lists (UN, OFAC, EU, local), PEP databases and company registers.

5.5 From other insurers, reinsurers and industry partners

  • Reinsurance and retrocession partners, who receive your data from us and return risk assessments, claim opinions or fraud alerts;
  • Co-insurers (in shared-risk arrangements);
  • Industry anti-fraud databases and the wider insurance ecosystem (e.g. where the same risk is being placed simultaneously with multiple insurers);
  • Credit information bureaus, where we are permitted to use them for underwriting or recoveries.

5.6 Automatically

  • Cookies and similar technologies on our website and apps (see section 17);
  • Logs from our systems when you contact us, make a payment or submit a claim;
  • Security and fraud-monitoring systems.

6. How we use your personal data

We process your personal data only where we have a lawful basis under the PDPA. The table below maps each purpose to a concrete life-insurance example and to its lawful basis. If we ever need to use your personal data for a new purpose that is not compatible with the ones below, we will inform you in advance and, where required, obtain your fresh consent first.

Each entry below gives the purpose, insurance-specific examples, and the lawful basis under the PDPA.

  • Pre-sale, quotation and product information
    Examples: Generating an online quotation; suitability/needs analysis with an agent; sending you a brochure; answering an enquiry.
    Lawful basis: Steps at your request prior to entering into a contract; legitimate interests; consent (where required).

  • Underwriting and policy issuance
    Examples: Assessing your medical, occupational and financial information; ordering medical tests; tele-underwriting; consulting reinsurance underwriters on substandard risks; issuing the policy document and welcome pack.
    Lawful basis: Performance of a contract with you; explicit consent for sensitive medical, genetic and HIV-test data.

  • Premium collection and policy servicing
    Examples: Collecting initial and renewal premiums; sending premium reminders; processing nomination/assignment changes; alterations such as sum-assured increases or rider additions; switching funds in unit-linked policies; revival and reinstatement.
    Lawful basis: Performance of a contract with you; compliance with legal obligations.

  • Claim assessment, investigation and payment
    Examples: Validating the cause and circumstances of death; reviewing hospital discharge summaries for a surgical claim; appointing an investigator to verify a critical illness claim; calculating annuity payments; settling group medical claims through a TPA.
    Lawful basis: Performance of a contract; legitimate interests (fraud prevention); compliance with legal obligations.

  • KYC, AML, sanctions and CFT compliance
    Examples: Verifying NIC/passport at proposal stage; PEP and sanctions screening of the policyholder, life assured, payor and beneficiaries; source-of-funds enquiries for high-value proposals; Suspicious Transaction Reports to the FIU.
    Lawful basis: Compliance with a legal obligation (Financial Transactions Reporting Act, FIU/CBSL directives, IRCSL rules).

  • Reinsurance and risk transfer
    Examples: Sending de-identified or full underwriting and claims data to reinsurers and retrocessionaires for treaty and facultative business; participating in industry pools and catastrophe pools.
    Lawful basis: Performance of a contract; legitimate interests; explicit consent for sensitive data where required.

  • Fraud prevention and detection
    Examples: Running automated fraud scoring on claims; investigating staged or inflated claims; sharing data with industry anti-fraud networks; reporting fraud to law enforcement.
    Lawful basis: Legitimate interests; compliance with legal obligations.

  • Regulatory reporting and supervision
    Examples: Solvency, risk-based capital and management reports to the IRCSL; tax filings to the IRD; reports and disclosures to the CSE and SEC as a listed company; responding to court orders and authority requests.
    Lawful basis: Compliance with legal obligations.

  • Product design, pricing and actuarial work
    Examples: Pricing new products using portfolio mortality, morbidity and lapse experience; reserving and embedded-value calculations; experience studies (typically using anonymised or pseudonymised data).
    Lawful basis: Legitimate interests; data is anonymised or pseudonymised where practicable.

  • Customer service, complaints handling and quality
    Examples: Handling contact centre enquiries and complaints; recording calls for quality and training; satisfaction surveys; service recovery.
    Lawful basis: Performance of a contract; legitimate interests; compliance with legal obligations.

  • Communication about policies and important changes
    Examples: Premium reminders; bonus declarations; fund performance updates for unit-linked policies; policy anniversary letters; mandatory regulator notices; updates to terms and to this Notice.
    Lawful basis: Performance of a contract; compliance with legal obligations; legitimate interests.

  • Direct marketing, cross-sell and loyalty programmes
    Examples: Offering you a child education plan after the birth of a child; cross-selling a critical illness rider; inviting you to a wellness or rewards programme; sending newsletters; running competitions.
    Lawful basis: Your consent, which you can withdraw at any time (see section 9).

  • Wellness, telemedicine and value-added services
    Examples: Health risk assessments through wellness apps; teleconsultations; discounts at partner clinics, gyms and pharmacies; preventive screening campaigns.
    Lawful basis: Performance of a contract (where part of the product); your consent for optional services.

  • Protecting vital interests
    Examples: Acting in a medical emergency involving you, the life assured or a nominee, where you cannot give consent yourself.
    Lawful basis: Vital interests of the data subject or another natural person.

  • Defending legal claims and protecting our rights
    Examples: Defending litigation by claimants or beneficiaries; recovering overpaid claims; recovering unpaid premiums; responding to subrogation claims.
    Lawful basis: Legitimate interests; establishment, exercise or defence of legal claims.

  • Premises and IT security
    Examples: CCTV at SLI offices and branches; visitor logs; IT security monitoring (e.g. for phishing and intrusion); investigating security incidents.
    Lawful basis: Legitimate interests; compliance with legal obligations.

  • Corporate transactions
    Examples: Due diligence and integration in mergers, acquisitions, restructurings and portfolio transfers, with appropriate safeguards.
    Lawful basis: Legitimate interests; legal obligations.

7. How we handle sensitive personal data

Health, genetic, biometric and criminal-record data are central to a life insurer’s work, but they carry heightened risk if mishandled. SLI applies additional safeguards beyond those that apply to ordinary personal data:

  • Collection only where necessary: we ask for sensitive data only where it is needed for a specific purpose (typically underwriting, claims, regulatory compliance or fraud investigation), and we ask only for what we need.
  • Explicit consent: you provide explicit consent at the proposal stage, which authorises us to collect information from your treating physicians, hospitals and laboratories, and to share it with our underwriters and reinsurers.
  • Pre-test consent for specific examinations: for HIV/AIDS testing and other specifically sensitive tests, we obtain separate informed consent, and we share results only with those who need to see them.
  • Need-to-know access: medical and claims files are stored in restricted-access systems; access is limited to qualified underwriters, claims assessors, medical officers and authorised personnel of our reinsurers and third-party administrators (TPAs).
  • Logging and oversight: access to sensitive data is logged and subject to internal audit and DPO oversight.
  • Sharing under controls: where we share sensitive data with third parties (reinsurers, medical examiners, TPAs, investigators), it is done under written contracts that impose PDPA-equivalent confidentiality and security obligations and limit further use.
  • Data Protection Impact Assessments (DPIAs): we run DPIAs before using sensitive personal data in new ways that are likely to result in high risk – for example, before deploying a new predictive underwriting model that uses lifestyle or genetic factors.
  • Minimisation in marketing: we do not use your sensitive personal data for marketing, except where you have specifically opted in to a relevant wellness programme.

8. Automated decision-making and profiling

Insurance is built on risk assessment, and parts of our business use automated tools to support consistent, fair decisions. The main examples in life insurance are:

  • Automated underwriting (“straight-through underwriting”) for simpler proposals – for example, a healthy non-smoker, within certain age and sum-assured limits, may be accepted on the basis of the proposal form alone, using rules-based engines;
  • Risk segmentation for pricing – applying loadings or exclusions in line with rules agreed with our reinsurers (for example, smoker vs non-smoker rates, BMI bands, occupation classes);
  • Claim fraud scoring – automated scoring of claims to flag those that need additional review (for example, hospitalisation claims with unusual patterns);
  • Lapse-propensity and persistency models – to identify policyholders who may need a service intervention before lapsing;
  • AML transaction-monitoring rules – to flag transactions for review against FIU thresholds and red flags;
  • Cross-sell propensity models – operated only where you have given marketing consent.

8.1 Your rights where solely automated decisions are made

Where a decision that produces legal or similarly significant effects on you (for example, declining a proposal, declining a claim, applying a substantial premium loading, or terminating a policy) is made solely by automated means, we will:

  • Tell you that automated decision-making was used and provide an explanation of the general logic involved;
  • Give you the right to express your point of view, to obtain a human review by a qualified underwriter or claims assessor, and to contest the decision;
  • Avoid using sensitive personal data for solely automated decisions unless you have given explicit consent or another specified PDPA condition applies;
  • Take reasonable steps to ensure that the model is accurate, fair, regularly tested for bias and subject to ongoing human oversight.

9. Direct marketing and customer engagement

We will only send you marketing communications about our products, services, events and programmes – including those of selected SLI group companies and partners (e.g. Softlogic Holdings group companies, bancassurance partners, wellness and rewards partners) – where you have given us your consent.

9.1 Your choices

  • You choose the channels you are happy to be contacted on – email, SMS, telephone, WhatsApp, etc.;
  • You choose the topics you are interested in – for example, new products, wellness content, festive offers, financial planning tips;
  • You can opt out of marketing at any time, free of charge, in any of the following ways: clicking the unsubscribe link in any marketing email; replying STOP to any marketing SMS; calling our contact centre; writing to our DPO; or updating your preferences in the customer portal;
  • We aim to honour opt-outs as quickly as possible, and in any event within 7 working days.

9.2 Marketing through third parties

Where we engage third-party call centres, agencies or platforms to deliver marketing on our behalf, we do so under written contracts that require them to honour your consent choices, including any opt-out, and to use your data only for the marketing campaign we have agreed.

9.3 Service messages and statutory communications

Even if you opt out of marketing, we will continue to send you essential service messages – for example, premium reminders, policy statements, bonus declarations, fund value updates, regulator-mandated notices, important changes to terms, and updates to this Notice – because these are necessary to perform our contract with you or to comply with the law.

10. Who we share your personal data with

We share personal data only on a need-to-know basis and under appropriate safeguards, in accordance with the Company’s Data Disbursement and Sharing Governance Framework. Every third-party processor we engage is bound by a written data processing agreement that requires PDPA-equivalent protections. The main categories of recipients in the life-insurance value chain are:

Each entry below gives the recipient or category, followed by what is shared and why.

  • SLI group companies, subsidiaries and affiliates – Sharing within the Softlogic Holdings group for governance, internal audit, risk management, group reporting, group-wide IT and security support, and cross-group customer service. Sensitive data is shared only on a strict need-to-know basis.
  • Insurance agents, financial advisors and brokers – Servicing the policy that you took out through your advisor, for example sharing renewal information, claim status and fund performance with your advisor of record.
  • Bancassurance partners – If you bought your insurance policy through a bank, we may share the necessary information with that bank so they can help service your policy, in line with our agreement with them.
  • Reinsurers and retrocessionaires (often outside Sri Lanka) – Sharing underwriting information (proposal data, medicals, financial assessments) and claims data so that reinsurers can accept the risk, set treaty terms, and assess large or contested claims.
  • Co-insurers (in shared-risk arrangements) – Sharing necessary policy and claim information where SLI shares a risk with another insurer.
  • Medical examiners, panel doctors, hospitals and laboratories – Underwriting medicals and additional tests; obtaining attending physicians’ statements; obtaining hospital records and discharge summaries for claims.
  • Third-party administrators (TPAs) for health/hospitalisation – Operating cashless hospitalisation, claim intake, claim adjudication and provider network management on our behalf.
  • Claim investigators, surveyors and fraud-prevention partners – Verifying death, disability, hospitalisation and critical illness claims; investigating suspicious claims; sharing fraud intelligence within the industry under defined safeguards.
  • Professional advisors – External legal counsel, auditors, accountants, actuarial consultants and tax advisors who advise SLI under professional duties of confidentiality.
  • Technology, hosting, cloud and SaaS vendors – Operating our core policy administration, claims, contact centre, CRM, customer portal, mobile app, email, document management and security systems under written data processing agreements.
  • Payment processors, banks and card networks – Collecting premiums (one-off, recurring, card-on-file, standing orders, online payments) and paying claims, maturity benefits, annuities and refunds.
  • Marketing, research and customer-experience partners – Where you have consented to marketing or research; operating customer satisfaction surveys, agency-led campaigns and lead-management platforms (with consent).
  • Wellness, telemedicine and rewards partners – Operating optional wellness programmes, teleconsultations and rewards/loyalty programmes, where you have signed up.
  • Industry associations and shared data exchanges – The Insurance Association of Sri Lanka and similar bodies, and anti-fraud / persistency data exchanges, in line with the rules of those bodies.
  • Regulators, courts and authorities – IRCSL, FIU/CBSL, IRD, CSE, SEC, the Data Protection Authority, the Police and Courts; the Insurance Ombudsman of Sri Lanka where a complaint is escalated; and other authorities where required by law or under their lawful powers.
  • Counterparties in corporate transactions – Where we are involved in or contemplating a merger, acquisition, restructuring, portfolio transfer or sale of part of our business, with appropriate confidentiality and data protection safeguards.

We do not sell your personal data.

11. Transfers of personal data outside Sri Lanka

Reinsurance, cloud computing and group-wide functions mean that some of your personal data is processed outside Sri Lanka. When we transfer your personal data abroad, we do so on a need-to-know basis and only where one or more PDPA-compliant conditions apply:

  • An adequacy decision concerning the recipient country, made under the PDPA;
  • Appropriate safeguards in the form of binding and enforceable contractual obligations on the recipient, ensuring that your PDPA rights and remedies are preserved (in practice, our standard data protection clauses in vendor and reinsurance contracts);
  • Your explicit consent, given after you have been informed of the possible risks (especially relevant for sensitive personal data such as medical and genetic data);
  • The transfer being necessary to perform our contract with you, or to take steps at your request before entering into that contract (for example, sharing medical underwriting data with a reinsurer to accept your risk);
  • The transfer being necessary for important reasons of public interest, or for the establishment, exercise or defence of legal claims, or another condition specified by the PDPA.

11.1 Representative destinations and what goes where

  • India – certain group services and selected cloud hosting;
  • Singapore – regional reinsurance, group services and certain SaaS providers;
  • United Kingdom, European Economic Area and Switzerland – head offices of certain reinsurers and selected SaaS providers;
  • United States of America – certain global SaaS and cloud providers (e.g. email, customer relationship management, analytics);
  • Other countries from time to time, where dictated by our reinsurance arrangements or vendor choices.

The actual destinations may change as our vendor and reinsurance landscape evolves. We keep an up-to-date record, which is available on request from our DPO.

11.2 Additional safeguards

Where a destination country does not provide a level of protection equivalent to Sri Lanka’s, we apply supplementary measures – for example, contractual safeguards based on internationally recognised standards, encryption in transit and (where appropriate) at rest, pseudonymisation, vendor security assessments, and restricting the data transferred to the minimum necessary.

12. How long we keep your personal data

We keep your personal data only as long as we need it for the purposes we collected it for, plus any additional period required by Sri Lankan insurance, tax, AML, anti-fraud and corporate law, and by our legitimate business needs (such as defending legal claims). The schedule below is indicative; the exact period for any given record is determined by SLI’s internal retention schedule.

| Category | Typical retention period | Why |
| --- | --- | --- |
| Quotation, prospect and unsuccessful proposal data | Up to 24 months from last interaction; for declined or postponed proposals, up to 7 years | Follow-up, anti-fraud checks, future underwriting consistency. |
| Active policy administration data | For the life of the policy | To perform the contract; IRCSL obligations. |
| Lapsed, surrendered, matured or otherwise terminated policy data | At least 10 years after termination (longer where IRCSL, tax or anti-fraud rules require) | Companies Act, IRCSL directives, Inland Revenue Act, limitation periods. |
| Claims data (death, disability, critical illness, hospital cash, surgical, maternity, surrender, maturity, annuity, group) | At least 10 years after claim closure (longer in litigation or where required by law) | Possible disputes, audit, reinsurance recoveries, fraud follow-up. |
| Underwriting medical reports and special-test results | For the life of the policy + at least 10 years | Defence of any future contestation; reinsurance reviews; regulatory inspection. |
| KYC / AML records (including PEP and sanctions screening) | At least 6 years after the end of the customer relationship | Financial Transactions Reporting Act; FIU/CBSL directives. |
| Accounting, tax and audit records | At least 6 years (or longer where law requires) | Inland Revenue Act, Companies Act, audit requirements. |
| Complaint and dispute records | Up to 7 years after closure | Possible regulator/Ombudsman action; limitation periods. |
| Investigation and fraud-management records | At least 7 years after closure | Industry anti-fraud requirements; possible criminal proceedings. |
| Marketing data and preference history | Until you withdraw consent, plus a short suppression period | To honour and evidence your opt-out. |
| Wellness, telemedicine and rewards data | While you are enrolled + up to 7 years thereafter (or shorter where appropriate) | Programme administration; possible disputes. |
| Call recordings, chat transcripts and email correspondence | Typically 12 months for routine calls/chats; longer (up to 10 years) if linked to a claim, complaint, dispute or investigation | Service quality, training, dispute resolution. |
| CCTV at SLI premises | Typically 30–90 days; longer for active incidents | Premises safety and security; incident investigation. |
| Website analytics and cookies | Per cookie (see Cookie Policy) | Functional, analytical or advertising purposes. |
| Agent / partner due-diligence records | Duration of the relationship + 6 years | Regulatory and AML record-keeping. |

At the end of the applicable retention period, we securely delete, destroy or anonymise personal data, or – where appropriate – archive it with restricted access for the remaining defensive or regulatory period.

13. How we protect your personal data

We have implemented a Data Protection Management Programme aligned with the PDPA and with widely accepted information-security standards. Our safeguards include:

13.1 Organisational measures

  • Board-level oversight of data protection and information security;
  • Privacy and information-security policies, supported by detailed standards and procedures (including access control, backup and restoration, IT asset management, network management, patch management, information classification, incident management and password policies, an IT risk framework, an IT disaster recovery plan, and a third-party services policy);
  • Defined roles and responsibilities, including a designated DPO and an Information Security function;
  • Regular staff training on data protection, AML, anti-fraud and information security;
  • Confidentiality undertakings in all employment, agency and vendor contracts.

13.2 Technical measures

  • Access control on a least-privilege, role-based basis, with separate access controls for sensitive medical and claims data;
  • Multi-factor authentication for access to sensitive systems and remote access;
  • Encryption of personal data in transit (e.g. TLS) and, where appropriate, at rest;
  • Secure backups, network segregation, firewalls, vulnerability management, anti-malware controls and 24/7 security monitoring;
  • Logging and monitoring of access to sensitive data, with periodic review;
  • Routine penetration testing, security testing of changes, and patch management.

13.3 Vendor management

  • Risk-based due diligence before engaging processors;
  • Written data processing agreements that impose PDPA-equivalent obligations;
  • Periodic vendor reviews and, where appropriate, audit rights;
  • Restrictions on sub-processing and on cross-border transfers.

13.4 Physical measures

  • Controlled access to SLI offices, branches and data centres;
  • Secure storage of paper proposal forms, medical records and claim files;
  • CCTV at key locations;
  • Clean-desk and clear-screen practices;
  • Secure disposal of paper records, media and end-user devices.

13.5 Governance

  • Periodic privacy and security risk assessments, including DPIAs for high-risk processing (e.g. new analytics models, new vendors handling medical data);
  • Incident-response procedures with defined roles, communications protocols and regulator notification steps;
  • Internal audit reviews and management reporting on data protection.

Personal data may be stored in electronic or physical form, at the Company’s own facilities or at third-party premises (including external cloud storage and physical archives), subject to the safeguards above. No system is completely immune to risk. While we cannot guarantee absolute security, we work continuously to reduce risk and to respond promptly when something goes wrong.

14. If something goes wrong: personal data breaches

A "personal data breach" includes any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data – for example, a hacking incident, a lost laptop, a misdirected email containing claim details, or unauthorised internal access to a medical file. If a breach occurs we will:

  • Activate our Data Breach Response Plan and Information Security Incident Management procedures, contain the incident, and investigate the cause and impact;
  • Notify the Data Protection Authority of Sri Lanka and, where relevant, the Insurance Regulatory Commission of Sri Lanka, within 72 hours of becoming aware of a notifiable incident, in the manner specified by the PDPA and applicable guidance;
  • Where the breach is likely to result in a high risk to your rights and freedoms, notify you without undue delay and in any event within 21 days, explaining in plain language what happened, what data was involved, the likely consequences, what we have done in response, and what you can do to protect yourself;
  • Notify other authorities, regulators and partners as required (for example, the Police in a criminal incident, or our reinsurers where their data is affected);
  • Carry out a root-cause analysis and apply lessons learned through updated controls, retraining and, where appropriate, contract changes with affected vendors.

15. Your rights under the PDPA

Subject to the conditions and exceptions in the PDPA, you have the following rights regarding your personal data:

  • Right to be informed – to know what we do with your data (this Notice).
  • Right of access – to request confirmation of whether we hold your personal data and, if so, to receive a copy and key information about how it is processed, including the purpose, the legal basis for processing and who it may be shared with (subject to limited exceptions, e.g. where disclosure would prejudice an active fraud investigation or legal proceedings).
  • Right to rectification – to ask us to correct inaccurate or incomplete personal data (for example, an updated NIC number, address or nominee).
  • Right to erasure – to ask us to delete personal data in certain circumstances (e.g. the data is no longer necessary; you have withdrawn consent and we have no other lawful basis; the processing is unlawful). Note that we may not be able to erase data that we are required to keep by IRCSL, AML, tax or other laws.
  • Right to withdraw consent – where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal and does not affect processing under another lawful basis (e.g. performance of the contract).
  • Right to object / restrict processing – to object to processing based on legitimate interests (including profiling), and in particular to direct marketing, and to ask us to restrict processing in defined cases (e.g. while a rectification request is being verified). Where processing is restricted, we may continue to store your data but will not use it further unless permitted by the PDPA.
  • Right to data portability – in certain cases, to receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller.
  • Right regarding automated decision-making – not to be subject to a solely automated decision that produces legal or similarly significant effects on you, and to request human review (see section 8).
  • Right to lodge a complaint – with our DPO and/or with the Data Protection Authority of Sri Lanka (see section 19), including the right to inquire about the Company’s policies and practices in relation to personal data.

15.1 How to exercise your rights

  • Send your written request to our DPO using the contact details in section 3, or via the data subject request form on our website (where available);
  • Include enough information for us to identify you and to understand what you are asking for. We may ask for proof of identity (for example, a copy of your NIC) before acting, to make sure we do not disclose personal data to the wrong person;
  • We will respond within 21 working days of receiving your request, informing you whether the request has been granted, or has been refused and the reasons for refusal (unless such disclosure is prohibited by law). Where a request is refused, we will also inform you of your right of appeal to the Data Protection Authority of Sri Lanka;
  • A request may be refused only on the grounds permitted by the PDPA – for example, national security, public order, an inquiry or investigation under written law, the prevention, detection, investigation or prosecution of criminal offences, the rights and freedoms of other persons, or where processing is required under written law;
  • Our responses are free of charge. We may charge a reasonable, cost-based fee only where requests are manifestly unfounded or excessive, or where we are permitted by law to do so;
  • If you are acting for someone else (e.g. as a nominee, beneficiary, parent or attorney), we will need evidence of your authority.

16. Children’s personal data

Our products and services are not directed at children under 18, except where the product is specifically designed for minors (for example, child savings plans and child riders on a parent’s policy):

  • Where a product involves a minor, we collect their data only with the verifiable, documented consent of the parent or legal guardian, who provides the data on the minor’s behalf, and only to the extent strictly necessary for the specific purpose (e.g. the child’s name, date of birth and beneficiary status);
  • We obtain additional consent where a minor’s sensitive personal data (e.g. medical information for a child policy) is needed;
  • We do not use children’s data for direct marketing, for creating personality profiles, or for any other purpose not explicitly disclosed to and consented to by the parent or guardian;
  • Access to children’s data within SLI is restricted to those who need it for the policy;
  • Parents and legal guardians may access the personal data we hold about their child, ask us to rectify inaccurate data, request erasure, or opt their child out of further data collection by contacting our DPO at dataprivacycompliance@softlogiclife.lk;
  • If you believe we have collected personal data of a minor without proper authorisation, please contact our DPO so that we can investigate and, where appropriate, delete the data.

17. Cookies and similar technologies

Our website and apps use cookies and similar technologies (e.g. pixels, SDKs, local storage, server logs) to make our digital channels work and to improve them. Cookies fall into the following categories:

  • Strictly necessary cookies – needed for the website or app to function (e.g. session management, security, fraud prevention, load balancing).
  • Functional cookies – remember your preferences (e.g. language, font size, last branch selected, quotation parameters).
  • Performance and analytics cookies – help us understand how visitors use our site so we can improve it (e.g. which products attract interest, where users drop off in a quotation journey).
  • Advertising and social media cookies – used (where you have consented) to measure campaign effectiveness, deliver more relevant ads, or integrate with social media platforms.

Strictly necessary cookies are set automatically because the site cannot work without them. For all other categories we ask for your consent through a cookie banner the first time you visit, and you can change your choices at any time via our Cookie Preferences link or by adjusting your browser settings. Our separate Cookie Policy lists each cookie we use, its purpose, provider and duration.

18. Links to third-party websites and services

Our website and digital channels may contain links to third-party websites, services or applications that we do not control – for example, a bancassurance partner’s website, a wellness partner’s app, a hospital’s billing page, a payment gateway, or social media platforms. We are not responsible for the privacy practices, content or security of those third parties. We recommend that you review their privacy notices before providing any personal data to them.

19. Complaints

If you are unhappy with how we have handled your personal data, please contact our DPO first (see section 3) so that we can investigate and put things right. If you remain unsatisfied, you have the right to lodge a complaint with:

  • Data Protection Authority of Sri Lanka – please verify the latest contact details on the DPA’s official website before lodging a complaint.

Depending on the matter, you may also be able to escalate to:

  • The Insurance Ombudsman of Sri Lanka, in respect of insurance-related disputes;
  • The Insurance Regulatory Commission of Sri Lanka (IRCSL), in respect of conduct or licensing matters;
  • Other authorities with relevant jurisdiction.

20. Changes to this Notice

We may update this Notice from time to time to reflect changes in law, regulation, our products and services, our vendor and reinsurance arrangements, or our processing practices. We encourage you to review this Notice periodically.

  • Material changes – for example, new purposes, new categories of recipients, or new sensitive-data processing – will be notified to you in advance through appropriate channels (email, customer portal banner, SMS, or a prominent notice on our website) and, where required by law, we will obtain your fresh consent;
  • Non-material changes – such as clarifications, typographical fixes, or additional contact details – will simply be published on this page, with the version number and date updated;
  • A version history is kept at the end of this Notice so that you can see what changed and when.

21. Definitions

| Term | Meaning |
| --- | --- |
| PDPA | Sri Lanka’s Personal Data Protection Act, No. 9 of 2022, as amended. |
| Personal Data | Any information that can identify a person, either directly or indirectly. |
| Sensitive / Special Categories of Personal Data | More private types of data that need extra protection, such as health, genetic, biometric or criminal-record data. |
| Processing | Anything done with personal data, such as collecting, storing, using, sharing or deleting it. |
| Controller | The person or organisation that decides why and how personal data is used. |
| Processor | A person or company that handles personal data on behalf of the controller (e.g. a cloud service provider, TPA or claims investigator). |
| Reinsurer | An insurance company that takes on part of the risk from another insurer in exchange for part of the premium. |
| TPA (Third-Party Administrator) | A service provider that helps manage insurance claims, especially for health and hospital services. |
| DPA | The Data Protection Authority of Sri Lanka established under the PDPA. |
| DPO | Data Protection Officer – the person responsible for overseeing data protection compliance. |
| IRCSL | Insurance Regulatory Commission of Sri Lanka. |
| FIU | Financial Intelligence Unit of the Central Bank of Sri Lanka. |
| IRD | Inland Revenue Department of Sri Lanka. |

22. Contact us

For any privacy enquiry, to exercise your rights, or to make a complaint:

  • The Data Protection Officer, Softlogic Life Insurance PLC – Level 16, One Galle Face Tower, Colombo 2, Sri Lanka
  • Email: dataprivacycompliance@softlogiclife.lk
  • Telephone: 1312 / +94 112300400

For general customer-service queries (premium payments, policy documents, claim status, fund switches, change of address, etc.), please use the contact details on our website at www.softlogiclife.lk or call our contact centre.

Version History

| Version | Date |
| --- | --- |
| Version 1 | 20th August 2024 |
| Version 2 | 11th June 2026 |