PRIVACY & COOKIE POLICY

1. Who We Are

Elon Hotels (Pvt) Ltd ("ElonHotels", "we", "us", or "our") is a private limited company incorporated and operating in Sri Lanka. We operate the online travel marketplace at elonhotels.com, where travellers can discover and book accommodation, villas, apartments, tours, and other travel-related services offered by third-party providers across Sri Lanka and beyond.

For the purposes of this Privacy Policy, Elon Hotels (Pvt) Ltd is the data controller of your personal information under the Personal Data Protection Act No. 9 of 2022 of Sri Lanka ("PDPA") and, where applicable, the General Data Protection Regulation ("GDPR") and other international data protection frameworks.

2. Important Notice - Marketplace Model

ElonHotels is an online marketplace. We do not own, operate, or manage any of the accommodation or travel services listed on our platform. All bookings are made directly with independent third-party providers (hotels, villa owners, guesthouses, tour operators, etc.). We facilitate the connection and process a service commission of 8% per confirmed booking.

While we take your privacy seriously, please be aware that accommodation providers you book with through our platform may also collect and process your personal data independently, subject to their own privacy policies. We encourage you to review the privacy practices of any provider before completing a booking.

3. Personal Data We Collect

We collect personal data in three ways depending on how you interact with our platform:

3.1 Data You Provide Directly to Us

When you use ElonHotels - whether as a traveller, hotel partner, or general visitor - you may provide us with:

• Identity & contact information: your full name, email address, phone number, and postal address
• Booking & payment details: reservation information, travel dates, room preferences, and payment card or wallet details (processed securely by our payment partners)
• Account credentials: username and encrypted password if you register for an account
• Travel preferences: accommodation type, guest count, special requests (e.g., accessibility needs, dietary requirements), and saved destinations
• Reviews & feedback: written reviews, star ratings, and photos you submit about properties you have stayed at
• Communications: messages, queries, complaints, or other content you send to our customer support or business development teams

3.2 Data We Collect Automatically

When you visit or use our website or mobile application, we automatically collect certain technical and behavioural information:

• Device & connection information: IP address, device type, operating system, browser type and version, and unique device identifiers
• Usage data: pages you visit, search queries you enter, hotel listings you view, features you interact with, and session duration
• Location data: approximate geographic location derived from your IP address, or precise GPS location if you grant permission through your device settings
• Cookies & tracking technologies: data collected via cookies, web beacons, pixels, and similar technologies (see Section 10 for full details)

3.3 Data We Receive from Third Parties

We may also receive information about you from:

• Accommodation & travel partners: property owners or operators who share booking-related details with us to confirm or manage your reservation
• Payment processors: payment service providers (such as PayHere or Stripe) who confirm transaction status and provide fraud-detection signals they do not share your full card details with us
• Analytics & marketing partners: third-party tools that help us understand how users discover and use our platform (e.g., Google Analytics), subject to their own data policies
• Social media platforms: if you choose to connect a social login or interact with our social media pages, we may receive basic profile information in accordance with your social platform's privacy settings

4. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

• Processing bookings: to confirm, manage, and fulfil your reservation with the relevant accommodation or tour provider
• Account management: to create and maintain your user profile, booking history, and saved preferences on our platform
• Payments: to facilitate secure payment processing and generate invoices or booking confirmations
• Customer support: to respond to your enquiries, resolve disputes, and process refunds or cancellations
• Personalisation: to tailor search results, recommendations, and promotional offers based on your travel history and preferences
• Communications: to send booking confirmations, pre-arrival reminders, post-stay review requests, and - where you have opted in - promotional newsletters and exclusive deals
• Platform improvement: to analyse usage patterns, conduct A/B testing, identify bugs, and continuously improve the performance and features of our platform
• Legal & compliance: to comply with applicable laws (including the PDPA, tax obligations, and anti-money laundering regulations), respond to lawful requests from authorities, and enforce our Terms & Conditions
• Fraud prevention & security: to detect, investigate, and prevent fraudulent transactions, unauthorised access, and other harmful activities

5. Legal Basis for Processing

Under the Sri Lanka PDPA and, where applicable, the GDPR, we are required to have a lawful basis for processing your personal data. We rely on the following legal grounds:

• Performance of a contract: processing necessary to fulfil a booking you have made or to provide account services you have requested
• Legitimate interests: processing for fraud prevention, platform security, service improvement, and direct marketing to existing customers (where we balance our interests against your rights)
• Legal obligation: processing required to comply with Sri Lankan law, regulatory requirements, or court orders
• Consent: for optional activities such as marketing emails, the use of non-essential cookies, and the collection of precise location data you may withdraw your consent at any time without affecting prior processing

6. Sharing Your Personal Data

We do not sell your personal data to any third party. We share your information only in the following limited circumstances:

• Accommodation & travel providers: we share your booking details (name, contact information, dates, and special requests) with the property or tour operator you have booked with to fulfil your reservation
• Payment service providers: your payment information is processed by PCI-DSS compliant payment gateways (PayHere, Stripe, or equivalent). We do not store your full card details on our servers
• Technology & service providers: we engage trusted third-party vendors for hosting (cloud servers), email delivery, analytics, and customer support tools all bound by data processing agreements
• Legal authorities: we may disclose your data when required to do so by law, court order, or a legitimate request from a competent regulatory authority in Sri Lanka or elsewhere
• Business transfers: in the event of a merger, acquisition, or sale of business assets, your personal data may be transferred as part of that transaction, subject to equivalent privacy protections

7. International Data Transfers

As an online platform serving both local and international travellers, some of your personal data may be transferred to, stored in, or processed in countries outside Sri Lanka. This may include countries where our cloud hosting providers or third-party service partners operate.

Where we transfer personal data internationally, we take appropriate steps to ensure your data is protected to a standard equivalent to that required by the PDPA and, where applicable, the GDPR. These steps may include entering into standard contractual clauses or ensuring the recipient country has been deemed to provide adequate data protection.

8. How Long We Keep Your Data

We retain your personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law. Our general retention guidelines are:

• Active account data: retained for as long as your account remains active
• Booking & transaction records: retained for a minimum of 7 years to comply with Sri Lankan tax and financial recordkeeping requirements
• Customer support communications: retained for up to 3 years after the matter is resolved
• Marketing data: retained until you withdraw consent or unsubscribe, whichever is earlier
• Cookies & analytics data: retained in accordance with the individual cookie durations described in Section 10

When your data is no longer required, we securely delete or anonymise it in accordance with our internal data management procedures.

9. Your Rights

Under the Personal Data Protection Act No. 9 of 2022 of Sri Lanka and applicable international law, you have the following rights regarding your personal data:

• Right of access: to request a copy of the personal data we hold about you
• Right to rectification: to request correction of any inaccurate or incomplete data
• Right to erasure: to request deletion of your data where it is no longer necessary for its original purpose, subject to legal retention obligations
• Right to restriction: to request that we limit our processing of your data in certain circumstances
• Right to data portability: to receive your data in a structured, machine-readable format so you can transfer it to another service
• Right to object: to object to our processing of your data for direct marketing or where we rely on legitimate interests
• Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time through your account settings or by contacting us

To exercise any of these rights, please contact us at info@elonhotels.com or call our hotline at +94 77 1717 627. We will respond to all verified requests within 30 days, in accordance with the PDPA. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive.

10. Cookie Policy

Cookies are small text files placed on your device when you visit our website. We use cookies and similar technologies to make our platform work properly, remember your preferences, and help us understand how people use ElonHotels so we can keep improving it.

10.1 Types of Cookies We Use

10.2 Managing Your Cookie Preferences

When you first visit ElonHotels, you will be presented with a cookie consent banner where you can accept all cookies or customise your preferences by category. Strictly necessary cookies cannot be disabled as they are essential for the site to function.

You can also manage or delete cookies directly through your browser settings at any time. Please note that disabling certain cookies may affect your experience on our platform for example, you may need to re-enter your preferences on each visit. For guidance on managing cookies in your specific browser, visit www.allaboutcookies.org.

10.3 Third-Party Cookies

Some cookies on our platform are placed by trusted third-party services such as Google Analytics, Google Maps, and payment gateways. These parties may use the data collected by their cookies for their own purposes in accordance with their own privacy policies. We do not control the cookies set by third parties.

11. Children's Privacy

ElonHotels is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at info@elonhotels.com and we will take steps to delete the information promptly.

12. Security

We take the security of your personal data seriously and have implemented a range of technical and organisational measures to protect it from unauthorised access, loss, or disclosure. These measures include:

• HTTPS encryption across our entire platform
• Secure, encrypted storage of passwords and sensitive data
• JWT-based authentication and session management
• Regular security vulnerability assessments and testing
• Access controls limiting data access to authorised personnel only
• Cloudflare CDN and DDoS protection

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we continually review and improve our security practices to minimise risk. In the event of a personal data breach that is likely to affect your rights, we will notify you and the relevant authority as required by law.

13. Changes to This Policy

We may update this Privacy & Cookie Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last Updated" date, and - where required by sending a notification to your registered email address.

We encourage you to review this policy periodically. Your continued use of ElonHotels after any changes become effective constitutes your acceptance of the updated policy.

14. Contact & Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please do not hesitate to get in touch with us:

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Authority of Sri Lanka, established under the Personal Data Protection Act No. 9 of 2022. International users may also have the right to contact their local data protection supervisory authority.