Privacy policy
Last updated: May 2026
This policy explains how Kirk (the "Service", "we", "us") collects, uses, stores, and shares personal data when you use our mobile apps, website, or any related service. It is written to comply with Sri Lanka's Personal Data Protection Act (PDPA) as well as the privacy disclosure requirements of the Apple App Store and Google Play Store.
1. Who we are (the data controller)
Kirk Reservations (Pvt) Ltd, registered in Sri Lanka. Registered address: [to be filled]. You can contact us at privacy@kirkreservations.lk.
2. What data we collect
We collect only what's needed to make bookings work. Categories of personal data we may collect:
- Identity & contact — phone number (required for OTP login), your name, optional email address.
- Booking history — the businesses you've booked, the services, dates, times, and your status (confirmed, arrived, cancelled, etc.).
- Location — approximate location when you choose to share it, used only to sort nearby businesses.
- Device & technical data — device model, OS, app version, IP address, crash logs.
- Communications — messages you send to support.
3. Why we use it (purpose & legal basis)
- To run the booking service (contract performance) — your phone number, your bookings, your selected business.
- To authenticate you (contract performance) — your phone number receives a one-time password via SMS.
- To show you nearby businesses (consent) — your approximate location, only when you grant permission.
- To improve the product (legitimate interest) — crash diagnostics from the mobile apps. The marketing website (kirkreservations.lk) does not run analytics or set tracking cookies.
- To comply with legal obligations — when required by law or regulator.
4. Who we share it with
We never sell your data. We share what we must with the following processors, each under contract:
- Supabase (database, file storage, authentication) — data is processed and stored on Supabase infrastructure outside Sri Lanka.
- Text.lk — sends OTP and transactional SMS using your phone number.
- Apple & Google — receive push notification tokens to deliver alerts about your bookings.
- The business you book with — receives your name, phone number, and booking details so they can serve you.
5. Cross-border transfers
Some of our processors store data outside Sri Lanka. We rely on contractual safeguards with each processor and only use providers with industry-standard security practices. Where the PDPA requires additional safeguards for cross-border transfers, we comply with the guidance issued by the Data Protection Authority of Sri Lanka.
6. How long we keep it
- Account and bookings: as long as your account is active.
- On account deletion: personal data is removed within 30 days, except where retention is required by law (e.g. financial records).
- Crash logs from the mobile apps: 90 days.
7. Your rights
Under the PDPA you have the right to:
- Access the personal data we hold about you.
- Correct any inaccurate or incomplete data.
- Request erasure of your data ("right to be forgotten").
- Object to certain processing.
- Withdraw consent at any time.
- Lodge a complaint with the Data Protection Authority of Sri Lanka.
To exercise any of these rights, email privacy@kirkreservations.lk. You can also delete your account from inside the app or at /delete-account.
8. Children
Kirk is intended for users 18 years and older. We do not knowingly collect data from children under 18 without verified parental consent.
9. Security
We use industry-standard technical and organisational measures — TLS in transit, encryption at rest where supported by the provider, role-based access control, and audit logging — to protect your data. No system is perfectly secure; you should also keep your phone and OTP private.
10. Changes to this policy
We may update this policy. We'll surface meaningful changes in the app and on this page, alongside the "Last updated" date.
