Your Data
Privacy Policy
How The Cookie Circle collects, uses, and protects personal information when you browse, order, or create an account with us.
Effective date: 23 June 2026
1. Introduction
The Cookie Circle ("we", "us", "our") is a home-based handcrafted cookie bakery operating from Kandy, Sri Lanka. We respect your privacy and are committed to handling personal data responsibly and transparently.
This Privacy Policy explains what information we collect through our website at thecookiecircle.lk, how we use it, who we share it with, and the choices available to you. It applies to visitors, customers, and registered account holders.
This policy is prepared with reference to Sri Lanka's Personal Data Protection Act No. 9 of 2022 (PDPA) and good practice for food and e-commerce businesses. It is not legal advice.
2. Who Is Responsible for Your Data
For the purposes of applicable data protection law, The Cookie Circle is the data controller for personal information collected through our website and ordering services.
If you have questions about this policy or wish to exercise your rights, contact us at hello@thecookiecircle.lk or via WhatsApp at +94711796050.
3. Information We Collect
We collect only the information needed to operate our website, fulfil orders, provide customer support, and improve our service.
- Identity and contact details: name, email address, and phone number.
- Delivery and billing information: delivery address, delivery area, map pin or location notes you provide, and billing details where relevant.
- Order information: products ordered, quantities, order type (weekly delivery or catering), event name for catering orders, payment method selected, order notes, and order history.
- Account information: login credentials (stored securely in hashed form), email verification status, saved addresses, and product review submissions.
- Communications: messages you send to us by email, WhatsApp, or through order-related correspondence.
- Marketing attribution: UTM parameters and referral information (for example campaign source or medium) captured when you first visit, to understand how customers discover us. We do not use this to identify you in analytics tools.
- Technical and usage data: browser type, device information, pages viewed, and interactions with our site, including analytics information described in Section 8.
- Cookies and similar technologies: session, authentication, cart, and preference data stored in your browser or device, as described in Section 8.
4. How We Collect Information
We collect information when you place an order, create or use an account, complete checkout forms, contact us, subscribe to communications (where offered), or browse our website.
Some information is collected automatically through cookies, analytics tools, and standard server logs when you use our website.
5. How We Use Your Information
We use personal information for the following purposes:
- To process, confirm, prepare, and deliver your orders.
- To communicate with you about orders, delivery timing, payment instructions, and customer support.
- To create and manage your account, verify your email address, and maintain your order history.
- To operate our website, prevent fraud, maintain security, and troubleshoot technical issues.
- To understand how visitors use our website and improve our products, content, and ordering experience.
- To comply with legal obligations and respond to lawful requests.
- Where permitted and appropriate, to send service-related updates about your orders or account.
6. Legal Basis for Processing (PDPA)
Under the PDPA and related principles, we rely on one or more of the following grounds, depending on the activity:
- Performance of a contract: processing necessary to accept and fulfil your order or manage your account.
- Consent: where you voluntarily provide information, create an account, or agree to optional communications.
- Legitimate interests: to operate and improve our business, maintain website security, and understand general customer behaviour, balanced against your rights.
- Legal obligation: where we must retain or disclose information to comply with applicable law.
7. Food Orders & Sensitive Information
We may process delivery instructions, dietary notes, or catering event details you provide to fulfil your order. Please do not include medical diagnoses or unnecessary health information in order notes.
Ingredient information is published on our Products page for transparency. If you have allergies or dietary requirements, you are responsible for reviewing ingredient information and contacting us before ordering if you need clarification.
We do not intentionally collect special categories of personal data as defined under the PDPA unless you voluntarily provide such information in free-text fields.
10. International Data Transfers
Some of our technology providers may process data outside Sri Lanka (for example in the United States or European Union) as part of cloud hosting, email, or analytics services.
Where data is transferred internationally, we take reasonable steps to ensure appropriate safeguards are in place consistent with the PDPA and applicable requirements.
11. How Long We Keep Information
We retain personal information only for as long as necessary for the purposes described in this policy, including:
- Order and account records: retained for as long as needed to fulfil orders, handle enquiries, resolve disputes, and meet accounting or legal requirements.
- Marketing attribution data: retained in line with our customer relationship records.
- Analytics data: retained according to Google Analytics settings and our data retention practices.
- When information is no longer required, we delete or anonymise it where reasonably practicable.
12. Security
We implement appropriate technical and organisational measures to protect personal information, including secure transmission (HTTPS), access controls, and hashed password storage.
No method of transmission or storage is completely secure. While we work to protect your information, we cannot guarantee absolute security.
13. Your Rights
Under the PDPA and applicable law, you may have the following rights:
- Request access to personal information we hold about you.
- Request correction of inaccurate or incomplete information.
- Request erasure of personal information, subject to legal and contractual limitations.
- Withdraw consent where processing is based on consent.
- Object to or restrict certain processing, where applicable.
- Lodge a complaint with the Data Protection Authority of Sri Lanka if you believe your rights have been infringed.
To make a request, contact us at hello@thecookiecircle.lk. We may need to verify your identity before responding. We aim to respond within a reasonable timeframe.
14. Children
Our website and ordering services are intended for individuals who can enter into a contract under Sri Lankan law. We do not knowingly collect personal information from children without appropriate parental or guardian consent.
If you believe a child has provided us with personal information without consent, please contact us and we will take appropriate steps to delete it.
15. Third-Party Links & Platforms
Our website may link to third-party services such as WhatsApp, Instagram, or map providers. Those services have their own privacy policies, and we are not responsible for their practices.
When you choose to contact us or share order details through WhatsApp, your use of WhatsApp is governed by Meta's terms and privacy policy.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The effective date at the top of this page will be revised when we make material changes.
We encourage you to review this page periodically. Continued use of our website after changes are published constitutes your acknowledgment of the updated policy, subject to applicable law.
17. Contact Us
If you have questions about this Privacy Policy or how we handle personal information, please contact:
The Cookie Circle
Email: hello@thecookiecircle.lk
WhatsApp: +94711796050
Website: https://thecookiecircle.lk
