En
At LOLC Finance PLC (“LOLC Finance”, “we”, “our”, or “us”), your trust matters to us.
We are committed to protecting the personal data you share with us and being transparent about how we collect, use, and safeguard it. This Privacy Policy (“Policy”) explains how we process personal data in line with the Sri Lankan Personal Data Protection Act, No. 9 of 2022 (PDPA).
This Policy applies to all personal data collected by LOLC Finance through its websites, systems, and business operations, and to all individuals whose data we process, including clients, vendors, partners, employees, and visitors.
LOLC Finance provides innovative and real-world financial solutions for our customers, who use our services to take on loans, send remittances, and access funds locally and globally. As a premier licensed finance company, LOLC Finance largely assumes the role of “controller”, and also as a “processor” in a limited capacity.
If you have any questions about this Privacy Policy or how your data is processed, you may contact our Data Protection Officer (“DPO”) at:
Personal Data refers to any information relating to an identified or identifiable individual, including information you provide to us and information we collect about you during your interaction with our Services (In simple terms, this means any information that can be used to identify you, such as your name, contact details or financial data).
We may collect the following categories of personal data, depending on your interaction with us:
Website Visitors
Your connection data - i.e. IP address, browser type, device information, cookies, usage logs, web behaviour -, product interest submissions
Clients / Business Contacts
Your KYC data - i.e. name, identification documents, proof of address, job title, contact details -, communication records, connection data, transactional data - i.e. billing address, payment method information, merchant and location, purchase amount
Vendors / Service Providers
Representatives’ personal data including connection data, payment and contact details
Employees / Job Applicants
Your name, address, NIC/passport number, educational background, employment history, bank details, biometric and health data (where required)
End-Users (when acting as processor)
Personal data collected by clients and processed on their behalf, including name, contact information, identification numbers, and other service-related data
We collect personal data through the following means:
When you visit our website or contact us via forms, emails, phone calls, branch visits or online chats
When you apply for or enter into a business relationship or contract with us including when you open a LOLC account, use the LOLC Real Time app or apply for loans
During the onboarding and KYC (Know Your Customer) process
When you apply for a job or become an employee
When our clients provide us access to their systems or user data as part of our services
From third parties such as credit bureaus and financial regulators when determining credit worthiness or compliance with regulatory obligations
Through cookies, analytics tools, and third-party integrations (see our Cookie Policy)
For the purposes of the Personal Data Protection Act of Sri Lanka and other applicable data protection laws, we will process your Personal Data only where this is a legal basis to do so, including:
| Processing Purpose | Legal Basis under PDPA |
|---|---|
| To open accounts, offer card and financial products, and provide service delivery | Contractual necessity |
| To manage transactions | Contractual necessity/ legal obligation |
| To conduct credit risk assessments | Contractual necessity/ legitimate interest |
| To provide IT support | Contractual necessity |
| To manage vendor or client relationships | Legitimate interest / legal obligation |
| To administer human resource functions | Contractual necessity / legal obligation |
| To comply with financial, tax, and regulatory laws | Legal obligation |
| To monitor service usage and improve our platforms | Legitimate interest |
| To ensure system security, including detecting and preventing fraud, and access management | Legitimate interest / public interest |
| For marketing, advertising and communications (where applicable) | Consent |
| To fulfil contractual obligations to our clients | Controller instruction (when acting as processor) |
When LOLC Finance provides services to group companies or external clients, we may process personal data on their behalf, under their instructions. In such cases:
The client remains the data controller
LOLC Finance acts as a data processor , implementing necessary technical and organizational safeguards
We do not use or disclose such data for any purpose other than to fulfill our contractual obligations
We may disclose personal data in the following circumstances:
To LOLC Group entities for internal administration and support
To authorized third-party service providers (e.g. cloud hosting, payroll processors) under strict contractual safeguards
To government authorities or regulators, where required by law
To auditors or legal advisors as necessary to protect our rights or comply with legal obligations
We do not sell or rent your personal data to third parties.
We work with trusted partners and service providers, some of whom are based outside Sri Lanka. This means your information may be transferred to and processed in other countries that align with the PDPA, and only under lawful grounds such as your consent, the performance of a contract or our legitimate interests.
Where your personal data is transferred outside Sri Lanka (e.g., to international service providers or cloud platforms), we ensure that:
Transfers are made only to jurisdictions with an adequate level of data protection or
Appropriate safeguards (such as data transfer agreements) are in place, or
You have given explicit consent, where required
All cross-border transfers comply with Section 26 of the PDPA.
We retain personal data only for as long as necessary for the purposes it was collected or as required by law.
Some typical retention periods include:
Legal and contractual data: per statutory limits;
Marketing data: until consent is withdrawn.
Once the retention period expires, data is securely deleted or anonymised.
The Sri Lankan PDPA provides you, as a data subject, with rights regarding the collection, use and disclosure of your Personal Data. You have the right to:
Access your personal data
Request correction of inaccurate or outdated data
Request erasure where processing is no longer lawful
Object to or restrict processing, including profiling or automated decisions
Withdraw consent at any time, where consent was the legal basis
You may exercise these rights by contacting our DPO at [email protected].
We implement industry-standard technical and organizational measures to protect your Personal Data, including:
Role-based access control
Encryption of data in transit and at rest
Endpoint protection and network monitoring
Secure software development and vulnerability assessments
Employee confidentiality agreements and data protection training
In the event of a data breach, we will notify affected individuals and the Authority in accordance with the PDPA.
We use cookies and analytics tools to enhance website functionality and understand user behaviour. You can manage your cookie preferences through your browser settings. For more details, see our Cookie Policy.
Our website may include links to other websites or online platforms operated by third-parties. Please note that once you leave our site, their privacy practices and policies will apply, not ours. We encourage you to review those policies carefully, as we do not control and are not responsible for the privacy practices of third-party platforms.
We may update this Privacy Policy from time to time to reflect legal or operational changes. The latest version will always be available on our website with the updated effective date displayed for your reference.
We may share with you timely disclosures and alerts regarding updates to the Policy or Personal Data collected by contacting you through your LOLC Dashboard, email address and/ or the physical address registered with LOLC Finance.
If you have any questions or concerns regarding this Policy or your personal data, please contact our DPO:
Data Protection Officer
LOLC Finance PLC
By email: [email protected]
By address: No.100/1, Sri Jayewardenepura Mawatha, Rajagiriya, Sri Lanka
By visiting this page on our website: https://www.lofc.lk/contact-us/
By phone number: +94 115 715 555