Privacy Policy

Alro Engineering ("we", "us", or "our") is committed to protecting your privacy and handling your personal data lawfully and transparently. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website alroengineering.lk or engage our services.

This policy is provided in accordance with the Sri Lanka Personal Data Protection Act, No. 9 of 2022 (PDPA) and, where applicable to visitors from the European Economic Area, the EU General Data Protection Regulation (GDPR).

1. Data Controller

The data controller responsible for your personal data is Alro Engineering, a service-based business operating across Sri Lanka. You can reach our data protection contact through the channels below:

• Email: alroengineering@gmail.com
• Phone / WhatsApp: (+94) 76 0707 261

2. Information We Collect

• Information you provide: Name, phone number, email address, company name, project location, and the message content you submit through our contact form, WhatsApp, email, or phone.
• Automatic data (only with your consent): IP address, approximate location (country/city), browser type and version, device type, pages viewed, time on page, referring website, and interaction events such as clicks. This data is collected only after you opt in via the cookie banner.
• Cookies and local storage: Small data files stored on your device. See Section 5 for the full categorization.

3. Lawful Basis for Processing

• Contract / pre-contractual steps — to respond to your enquiry, prepare quotes, and deliver services.
• Consent — for analytics cookies, heatmap tracking, and any marketing communications.
• Legitimate interest — to maintain site security, prevent abuse, and improve our services.
• Legal obligation — to comply with Sri Lankan tax, accounting, and regulatory requirements.

4. How We Use Your Information

• Respond to enquiries and prepare quotations
• Schedule site assessments and deliver project work
• Send transactional updates about your enquiry or project
• Improve website usability (only with analytics consent)
• Comply with legal and regulatory obligations

5. Cookies & Tracking Technologies

Our cookie banner lets you grant or refuse consent per category. You can change your choices at any time using the "Cookie Settings" link in the footer.

• Strictly Necessary (always on): Stores your cookie choice (alroConsent_v2 in browser localStorage). No tracking.
• Analytics (opt-in): Google Analytics 4 (_ga, _ga_*). Used to understand aggregated site usage. IP addresses are anonymized by Google.
• Functional / Marketing: We do not currently use functional or marketing cookies.

You can also opt out of Google Analytics globally with the Google Analytics Opt-out Browser Add-on.

6. Data Sharing

We do not sell your personal information. We share data only with the following processors, under contractual confidentiality:

• Formspree (USA) — receives contact-form submissions and forwards them to our email. Formspree privacy policy.
• Google Analytics 4 (USA / EU) — only if you grant analytics consent. Google privacy policy.
• Cloudflare (USA) — provides DNS, CDN, and security infrastructure. Processes server logs as necessary to deliver the site.
• Legal disclosures: When required by Sri Lankan law or valid court orders.

Some of these providers are located outside Sri Lanka. Where applicable we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.

7. Data Retention

• Contact-form enquiries: retained for up to 24 months after the last interaction, then deleted or anonymized.
• Project records: retained for up to 7 years after project completion to comply with Sri Lankan tax and warranty obligations.
• Analytics data: Google Analytics retains user-level data for 14 months by default; we do not export or store it locally.
• Server / CDN logs: retained by Cloudflare per their default policy (typically under 30 days).

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

• HTTPS / TLS 1.3 encryption for all data in transit
• HSTS, CSP, and other modern security headers
• Web Application Firewall and DDoS protection via Cloudflare
• Restricted access to enquiry email accounts (account holders only)
• No payment data is collected or stored on this website

9. Your Rights (PDPA & GDPR)

Subject to applicable law, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erasure ("right to be forgotten") of data we no longer need
• Restrict or object to processing
• Portability — receive a copy of your data in a machine-readable format
• Withdraw consent at any time, including via the "Cookie Settings" footer link
• Lodge a complaint with the Sri Lanka Data Protection Authority

To exercise any of these rights, email alroengineering@gmail.com or call (+94) 76 0707 261. We will respond within 30 calendar days.

10. Children's Privacy

Our services are intended for property owners and businesses. We do not knowingly collect data from children under 16. If you believe a child has submitted personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. The "Last updated" date at the top will reflect any revisions. Material changes will be communicated via the cookie banner or a site notice.

12. Contact Us

• Email: alroengineering@gmail.com
• Phone: (+94) 76 0707 261
• WhatsApp: (+94) 76 0707 261