Privacy Notice
Privacy Notice – eChannelling PLC, No: 108, W A D Ramanayake Mawatha, Colombo 2.
Last Updated: 2026.05.22
1. How This Privacy Policy Applies
This Privacy Notice explains how eChannelling PLC (“eChannelling”, “we”, “us”, or “our”) collects, uses, discloses, store and protects personal data of our customers, employees, and other stakeholders (“Data Subjects”) in accordance with the Personal Data Protection Act, No. 9 of 2022 of Sri Lanka (“PDPA”).
This Privacy Notice applies to personal data collected and processed through:
The eChannelling mobile application
Any other eChannelling platforms, systems, or services that refer to this Privacy Notice
eChannelling acts as the Data Controller in relation to your personal data and will be responsible for your personal data that is processed in connection with hospitals and other medical centers.
By accessing or using eChannelling services, you acknowledge that you have read and understood this Privacy Notice.
2. Personal Data We Collect
We will collect Personal Data as necessary within the purpose, scope, and provisions of the law. In this regard, we will ask for consent from the Data Subject before or during collection of Personal Data through various methods , except where the law allows us to collect the Personal Data without consent.
We collect and process personal data of customers, doctors, consultants, healthcare professionals, vendors, service providers, business partners, employees, and visitors, depending on the services used and the nature of each individual’s or entity’s relationship with eChannelling.
Identification details (name, NIC/passport where applicable, age/date of birth)
Contact information, including phone number and email address
Account and login details (where registered)
Appointment, booking, and transaction details
Payment and financial information. We do not store your payment card details, and all payments are processed through secure payment service providers
Health-related information necessary to facilitate healthcare services, including medicine orders and health records
Communications (emails, call recordings, messages, letters)
Device and usage information (IP address, logs, cookies, location data)
Images or recordings (where applicable for events, security, or service features)
Health data, biometric data, and children’s personal data are treated as special category personal data and will be processed with enhanced safeguards.
3. Purposes of Processing
We process personal data only for clear, specific, and lawful purposes, including :
Service Delivery – to provide registration, appointment booking, payments, cancellations, refunds, online doctor consultations, medicine orders and storing health records.
Account & Relationship Management – to manage relationships with doctors, hospitals, agents, partners, and employees.
Payments & Financial Operations – to process payments, refunds, commissions, settlements, and reconciliations.
Customer Support & Communications – to handle inquiries, complaints, and service notifications.
Business Operations, Analytical Purposes & Improvements – to operate, analyze, improve systems, services, and reporting.
Marketing & Promotions – to conduct marketing and promotional activities, subject to consent and opt-out preferences.
Employment & Human Resource Management – to manage recruitment, payroll and allowances, attendance, and statutory compliance.
Legal, Audit & Risk Management – to enforce agreements, manage disputes, and conduct audits.
4. Consent and Legal Basis
We process personal data in accordance with the PDPA based on one or more lawful bases :
Performance of a contract - Where we have entered into a contract with you, we may process your personal information to fulfill the terms of our contract.
Compliance with a legal obligation - We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order (including in response to public authorities to meet national security or law enforcement requirements).
Legitimate interests - We may process your data when it is reasonably necessary for the purposes of, legitimate interests pursued by us or by a third party.
Consent - We may process your data when you have given us explicit consent to process your personal information for a specific purpose. (where required)
Vital interests- We may process your personal data where processing is necessary to respond to an emergency that threatens life, health or safety of you or another person.
eChannelling may process personal data relating to children under the age of 16 solely for the purpose of providing healthcare-related services, including appointment bookings and related support services.
Where the data subject is under 16 years of age, personal data is processed only on one or more of the following lawful bases, in accordance with the PDPA:
Explicit consent of a parent or legal guardian, obtained at the point of registration, booking, or service request; and/or
Compliance with applicable legal or medical obligations.
Parents or legal guardians may withdraw consent for the processing of a child’s personal data by contacting us, provided that such withdrawal does not conflict with any other legal obligations.
5. Disclosure of Personal Data
We may have to share with the parties listed below for the purposes specified in ‘Purposes of processing’: To any party, in compliance with legal and regulatory requirements To relevant security or law enforcement agencies, provided a valid court order or an authorized legal request is submitted to us, for prevention / detection of crime or prosecution of such offenders; Upon request of government institution, agencies or authorities; To any party for the performance of eChannelling services to customers; To any party that act as eChannelling’s payment channels, including but not limited to, where applicable to validate your information, as and when required; In the event that eChannelling, any division or Service undergoes re-organization or are sold to a third party, in which any of your Personal Information we hold may be transferred to the re-organized entity or third party subject to the principles in this Privacy Policy; and To protect eChannelling’s vital interests. We require all of our third parties to protect your personal information in adherence to local legal regulations and for specified purposes.
6. Data Transfers Outside Sri Lanka
We may transfer personal data to recipients located outside Sri Lanka where such transfers are necessary for legitimate business purposes or to provide our services. Any cross-border transfer of personal data will be carried out in accordance with the Personal Data Protection Act, No. 9 of 2022 (Sri Lanka) as amended and subject to appropriate safeguards.
Where personal data is transferred outside Sri Lanka, we will ensure that:
The recipient country, territory, or organisation provides an adequate level of protection for personal data, as determined in accordance with applicable law
Appropriate contractual, technical, or organisational safeguards are in place to protect personal data
The transfer is carried out with the explicit consent of the Data Subject, where required by law
The transfer is otherwise permitted or required under applicable legal or regulatory obligations
We take reasonable steps to ensure that personal data transferred across borders is protected against unauthorised access, disclosure, alteration, or loss and is processed only for the purposes for which it was originally collected.
7. Data Retention
Personal data is retained only for as long as necessary to fulfill the purposes stated in this Privacy Notice or to meet legal requirements. Retention periods are defined in internal policies. When there is no ongoing legitimate need to process your personal information, or when the retention period has expired, we will securely delete or anonymize such information.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data from accidental loss, unauthorized access, use, alteration, or disclosure. Access to your personal data is restricted to employees, agents, contractors, and other third parties on a need to know basis. They process personal data only on our instructions and are bound by strict confidentiality obligations.
However, you also have a responsibility to exercise due care. Where we have provided you with (or where you have chosen) a password to access the eChannelling services or portal, you are responsible for keeping such login details confidential.
Our security measures include, but are not limited to:
Encryption of all the personal data, both in transit over the internet and at rest in our systems
Regular security assessments and updates to system components
Enforcement of strong access controls and data leakage prevention mechanisms
9. Your Rights
You are entitled to the following rights, and we are obliged to uphold them under the PDPA, subject to applicable legal requirements and limitations.
Right of access – to request confirmation of whether we process your personal data and to obtain a copy of such data
Right to rectification – to request correction of inaccurate or incomplete personal data
Right to erasure – to request deletion of your personal data where there is no lawful reason for us to continue processing it
Right to restriction of processing – to request that we limit the processing of your personal data in certain circumstances
Right to withdraw consent – where processing is based on consent, to withdraw such consent at any time without affecting the lawfulness of processing before withdrawal
Right to object to processing – to object to the processing of your personal data where permitted by law
Right to appeal to the Data Protection Authority – if you are dissatisfied with how we handled your data or your request, you may escalate the matter to the Data Protection Authority
Your requests to exercise any of the above rights can be submitted through the following formal channels:
Email: info@echannelling.com
Postal address: eChannelling PLC. No: 108, W A D Ramanayake Mawatha, Colombo 2.
Call center Contact Number: +94 71 0 225 225
We will respond to your request within 30 days from the date we receive it, after validating your identity.
10. DPO Contact Details
For privacy-related inquiries or to exercise your rights, please contact:
Data Protection Officer (DPO)
eChannelling PLC
Postal Address: eChannelling PLC, No. 108, W A D Ramanayake Mawatha, Colombo 2.
Phone: +94 70 259 0715
Email: apeksha@echannelling.com
11. Changes to This Privacy Notice
It is our policy to post any changes we make to our Privacy Notice on this page. Any such changes will be posted on this page, and the date of the latest revision will be indicated at the top of the Privacy Notice. The most recently published version shall prevail over all previous versions. We are not obligated to notify you of any changes, and you are encouraged to review this Privacy Notice periodically to remain informed of any updates
