    Privacy Policy — Koreesta

    Last updated: 11 May 2026

    Protecting your personal data is a priority for us. Koreesta (“we”, “us”, “our”) operates the website koreesta.com and its sub-domains (api.koreesta.com, admin.koreesta.com, supplier.koreesta.com), which together form a tourism marketplace connecting travellers with suppliers in Sri Lanka. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over it.

    We process personal data in line with applicable law, including the Sri Lanka Personal Data Protection Act No. 9 of 2022 (“PDPA”) and, where it applies to visitors from those regions, the EU/UK General Data Protection Regulation (“GDPR”).

    By using our services you agree to the practices described in this policy. If you do not agree, please do not use the platform.

    1. Definitions

    The following terms are used throughout this policy:

    • Activity / Product – a tour, attraction, experience or other tourism service offered by a Supplier through the Koreesta platform.
    • Supplier – the business or individual that lists and provides an Activity on the Koreesta platform.
    • Customer / Traveller – a person who browses or books an Activity through Koreesta.
    • Personal data – any information relating to an identified or identifiable person.
    • Booking – a confirmed or pending reservation for an Activity made through the platform.

    2. Who we are (Data Controller)

    Koreesta
    Email: privacy@koreesta.com
    Address: [registered business address to be inserted]

    For any privacy questions, complaints or data-rights requests, please contact us at the email above.

    Suppliers act as independent data controllers for the personal data they receive about a booking and for any further use they make of it (for example, contacting you about your reservation, keeping records for their own accounting, or following up after the Activity). Their use of your data is governed by their own privacy practices and is outside Koreesta’s control. If you have questions about how a Supplier handles your data, please contact the Supplier directly.

    3. Information we collect

    3.1 Information you give us

    • Account data – name, email address, password (stored hashed), phone number.
    • Supplier data – business name, NIC (National Identity Card) number, business phone, business address, location coordinates, business description, photos and other listing content.
    • Customer data – first/last name, contact details, and information you submit when making a booking or enquiry.
    • Verification data – one-time passwords (OTPs) sent to your email or phone for sign-in and account verification.
    • Listings & content – products, special offers, descriptions, images and pricing uploaded by suppliers.
    • Bookings & transactions – booking dates, party size, special requests, status, cancellation reasons. Some Activities may require additional details such as participant ages or identification numbers; you will be asked for these only when needed for the specific Activity.
    • Communications – messages, support enquiries and feedback you send us.

    3.2 Information collected automatically

    • Technical data – IP address, browser type and version, device information, operating system, time-zone, and pages visited.
    • Usage data – actions taken on the site, referring URLs, session timestamps.
    • Cookies and similar technologies – session cookies (for authentication via Laravel Sanctum) and functional cookies. See Section 10.

    3.3 Information from third parties

    • Google Maps – when you use map or location features, Google may collect data as described in Google’s Privacy Policy.
    • AI content generation (Google Gemini) – when suppliers use the AI content tools, the prompt content is sent to Google to generate a response.
    • Email/SMS providers – we use third-party providers to deliver OTP and transactional messages.

    4. How we use your information

    We use personal data to:

    1. Create and manage your user, supplier or admin account.
    2. Authenticate you and secure the platform (OTPs, session tokens, password reset).
    3. Verify supplier identity using NIC and phone-number checks.
    4. Publish supplier listings and connect travellers with suppliers.
    5. Process and manage bookings, cancellations and related communications.
    6. Send booking confirmations, reminders and updates (for example, if a meeting point or time changes). These are delivered by email and, where you have provided a phone number, by SMS. You can adjust which notifications you receive in your account settings, except for messages required to operate your account or booking.
    7. Generate AI-assisted content (e.g. listing descriptions, marketing emails) when a supplier requests it.
    8. Provide customer support and respond to enquiries.
    9. Send service notifications and, where permitted, marketing messages (you can opt out at any time — see Section 6).
    10. Detect, investigate and prevent fraud, abuse and security incidents.
    11. Comply with legal obligations and enforce our Terms of Service.
    12. Improve, monitor and analyse the platform.

    5. Legal bases for processing

    Where applicable data-protection law (such as the PDPA, and the EU/UK GDPR for users in those regions) requires a legal basis, we rely on:

    • Performance of a contract – to deliver the services you sign up for, including processing bookings.
    • Consent – for optional marketing and certain non-essential cookies (you can withdraw consent at any time).
    • Legitimate interests – to operate, secure and improve our platform, prevent fraud, and communicate with you about your account, where these interests are not overridden by your rights and freedoms.
    • Legal obligation – to comply with tax, accounting and regulatory requirements.

    6. Marketing communications

    With your consent, or where allowed by law for similar services to those you have booked, we may send you newsletters and promotional updates about new Activities, offers and platform features.

    You can opt out at any time by:

    • clicking the “unsubscribe” link in any marketing email;
    • changing your notification preferences in your account settings; or
    • emailing privacy@koreesta.com.

    Opting out of marketing does not stop transactional messages such as booking confirmations or security alerts, which are necessary to operate your account.

    7. How we share your information

    We share personal data only as needed and with the following categories of recipients:

    • Suppliers (independent controllers) – when you book an Activity, we share the booking and contact details the Supplier needs to deliver the Activity. The Supplier becomes an independent data controller for that information.
    • Other participants on a booking – if you add other travellers to a booking and provide their contact details, we may send them booking confirmations and related communications. It is your responsibility to ensure those participants have agreed to share their details with us.
    • Service providers (processors) – including:
      • Hostinger – hosting of the website and backend infrastructure.
      • Google LLC / Google Ireland Ltd. – Google Maps Platform for location features and Google Gemini for AI-assisted content generation. Data may be processed outside Sri Lanka, including in the United States.
      • Email and SMS delivery providers – to send OTPs, booking confirmations and other transactional messages.
      • Analytics providers – where used and only with your consent where required, to help us understand how the platform is used.
      These vendors process data on our behalf under written contracts that restrict their use of the data to the purposes we set.
    • Professional advisers – lawyers, auditors and accountants where necessary.
    • Authorities – where required by law, court order or to protect rights, property or safety.
    • Business transfers – in connection with a merger, acquisition or sale of assets, subject to confidentiality protections.

    We do not sell your personal data.

    8. International data transfers

    Some of our service providers (e.g. Google) process data outside Sri Lanka, including in the European Economic Area and the United States. Where data is transferred internationally, we rely on appropriate safeguards such as the providers’ standard contractual clauses, recognised certifications (for example the EU–US Data Privacy Framework) or other legally accepted mechanisms.

    9. Data retention

    We keep personal data only for as long as needed for the purposes set out above:

    • Account data – while your account is active, plus a reasonable period after closure for legal and audit purposes.
    • Booking records – typically up to 7 years for tax and accounting compliance.
    • OTPs and session tokens – minutes to days; deleted after use or expiry.
    • Marketing data – until you opt out.
    • Logs and security data – up to 12 months unless a longer period is required for investigations.
    • IP addresses in raw access logs – typically up to 30 days, after which they are deleted or anonymised.

    If you delete your account, we permanently remove your profile but may retain limited data where required for legal obligations or to defend legal claims. Where data must be retained for legal reasons, we restrict its further use.

    10. Cookies and similar technologies

    We use cookies and similar technologies (such as session cookies, persistent cookies, local storage and tracking pixels) for the purposes described below. We group them into the following categories:

    • Strictly necessary – required for the platform to function (authentication via Sanctum session cookies, security, load balancing, CSRF protection). These cannot be turned off and do not require your consent.
    • Functional – remember preferences such as language, region or recently viewed listings.
    • Analytical – help us measure how the platform is used so we can improve it. Used only with your consent where required.
    • Marketing – if and when we run advertising campaigns, used to measure their effectiveness. Used only with your consent where required.

    You can control cookies through your browser settings or through any cookie-preferences tool we provide on the site. Disabling strictly-necessary cookies will break sign-in and booking.

    11. Security

    We use industry-standard measures to protect personal data, including:

    • HTTPS/TLS encryption in transit.
    • Hashed passwords (bcrypt) and token-based authentication.
    • Role-based access controls for admin and supplier areas.
    • Server hardening, regular updates and access logging.

    No system is completely secure. If we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities as required by law.

    12. Fraud prevention and automated decision-making

    To protect Koreesta, our Suppliers and our Customers from fraud and abuse, we monitor transactions and account activity for suspicious patterns. In limited cases, this may include automated checks that block or flag a booking, sign-in attempt or account if it appears to present a high risk of fraud, takeover or abuse.

    Where an automated decision significantly affects you (for example, a blocked booking), you have the right to:

    • request human review of the decision;
    • express your point of view; and
    • contest the outcome.

    To do so, please contact us at privacy@koreesta.com.

    13. Your rights

    Depending on your jurisdiction, you may have the right to:

    • Access the personal data we hold about you.
    • Request correction of inaccurate or incomplete data.
    • Request deletion (“right to be forgotten”) subject to legal retention obligations.
    • Object to or restrict certain processing.
    • Withdraw consent at any time (without affecting prior lawful processing).
    • Receive your data in a portable, machine-readable format.
    • Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects (see Section 12).
    • Lodge a complaint with the data-protection authority in your country (in Sri Lanka, the Data Protection Authority established under the PDPA).

    To exercise any right, email privacy@koreesta.com. We may need to verify your identity before responding. We will respond within the timeframes required by applicable law (typically 30 days).

    14. Children’s privacy

    Koreesta is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us data, please contact us so we can delete it.

    15. Third-party links

    The platform may contain links to third-party sites, including Supplier websites and social-media pages. This policy does not apply to those sites — please review their own privacy notices.

    16. Changes to this policy

    We may update this Privacy Policy from time to time. The “Last updated” date at the top will reflect the latest revision. Material changes will be notified by email or a prominent notice on the platform.

    17. Contact us

    Questions, concerns or requests:

    Email: privacy@koreesta.com
    Postal address: [to be inserted]