PRIVACY NOTICE

Version: 3.0
Updated On: 25.02.2026

Who we are (the “Controller”): Dialog Axiata PLC including its subsidiaries, associates and affiliates (collectively referred to as “Dialog”, “Us”, “We” or “Our” in this Notice)

How to contact our Data Protection Officer: DPO@dialog.lk

1. What Personal Data do we collect

Depending on the services you use (mobile, fixed, television, apps, etc.), we may collect:

  1. Identity and contact: name, NIC/passport, date of birth, addresses, email, phone numbers, copies of Know-Your-Customer (“KYC”) documents, or any other information that identifies you as required by our business process / applicable regulations.

  2. Account and contract: SIM/eSIM details and preferences etc.

  3. Network and usage (“traffic data”): call/SMS records (numbers called/received, dates/times/durations), data session metadata, roaming usage, etc.

  4. Location data: cell ID/ location generated when your device connects to our network or services.

  5. Device and identifiers: IMEI/IMSI, Sim Number (ICCID), IP/MAC, OS/app version, cookie or advertising IDs, etc.

  6. Payments and care: financial information including your bank account/card details, your requests/complaints (call records and recordings, chats, emails, etc.).

  7. Security and diagnostics: logs, error reports, fraud/risk indicators, service quality metrics, CCTV footage, etc.

  8. Marketing and research: campaign interaction, surveys, etc.

2. Why we process your data and our legal bases

We process your data to:

  1. Provide and run your service (set up your account/SIM, connect calls/data, authenticate, deliver value-added services, customer care, billing, etc.). Legal bases: consent, performing our contract with you; legal obligation.

  2. Meet legal/regulatory obligations (identity/SIM registration, lawful requests by authorized bodies, tax and accounting, security obligations, etc.). Legal basis: legal obligation.

  3. Keep our network and customers safe (detect/prevent fraud, cyber threats, ensure service quality and continuity, etc.). Legal bases: legitimate interests; legal obligation where applicable. (See “Legitimate Interests” below.)

  4. Improve our products and support (troubleshooting, analytics, demand forecasting, service quality, training, etc.). Legal basis: legitimate interests.

  5. Marketing and promotions (sending you promotional communications). Legal basis: your consent; you can opt out at any time.

3. Our legitimate interests

When we rely on legitimate interests, we balance our needs with your rights. Typical interests for a telecom operator include:

  1. Providing you with the service.

  2. Running, maintaining and securing electronic communications networks and services;

  3. Carrying out analytics on your use of our services;

  4. Preventing fraud and revenue leakage;

  5. Credit and risk controls;

  6. Debt recovery;

  7. Understanding service performance and improving customer experience;

  8. Defending and exercising legal claims;

  9. Ensuring business continuity;

  10. Providing you information on our products and services based on your usage patterns.

4. When we ask for your consent and how to withdraw your consent

We rely on your consent for aspects such as promotional messages, or where the law requires consent.

How to withdraw: You may raise a Withdrawal of Consent request by emailing us at DPO@dialog.lk. Please note that withdrawing consent doesn’t affect past processing done before you withdrew it. Furthermore, please note that withdrawal of consent may negatively impact how we interact with you/personalize your service and in certain instances we may be unable to provide you with the service.

5. Whom do we share your data with

We share only what’s necessary, under contracts and safeguards, with:

  1. Our group of companies to provide you with an integrated service as a digital telecommunications service provider;

  2. Processors (IT, billing, analytics, customer support, ID verification, distribution, etc.);

  3. Telecom partners (interconnect/roaming partners, number portability administrators, other telecom operators, etc.);

  4. Payment providers and banks (for billing and collections, etc.);

  5. Law enforcement agencies/regulators when required by law;

  6. Emergency services where necessary to protect life, prevent natural disasters, etc.;

  7. Any other party with your consent or as allowed by law.

Sharing is controlled by written contracts and security measures.

6. Cross Border Transfers

Your Personal Data may be processed outside of Sri Lanka by providers or systems located outside Sri Lanka. We will process your Personal Data outside of Sri Lanka as permitted by the Personal Data Protection Act, No. 9 of 2022 (PDPA). Such processing will be done using instruments that make the recipient’s commitments binding and enforceable.

7. How Long We Keep Your Data

We keep personal data only as long as needed for the purposes above, including:

  1. while you have an account or service with us;

  2. for legal, tax, regulatory, judicial requirements (records required by law, etc.);

  3. to resolve disputes or enforce our rights;

  4. for security and fraud prevention (for as long as reasonably necessary).

If we cannot set a fixed retention time, we apply clear criteria per Section 9 of the PDPA.

8. Your Rights as a Data Subject

You can make a written request to:

  1. Access your personal data and get confirmation on your data that we process;

  2. Withdraw consent (where we rely on consent as a legal ground for processing your data) and object to further processing based on certain legal bases;

  3. Rectify/complete inaccurate or incomplete data;

  4. Erase data in specific circumstances;

  5. Ask for a human review of a decision based solely on automated processing that creates an irreversible and continuous impact on your rights.

We will respond to your request within 30 working days of your request (or explain if an exemption applies).

How to exercise your rights: Email DPO@dialog.lk

Appeals/Complaints: If you disagree with our decision or wish to raise any other concerns you can reach out to the Data Protection Authority of Sri Lanka (DPA): see dpa.gov.lk for contact details and procedures.

9. Consequences of not providing your data

Some data is required by law (e.g., identity/SIM registration) or essential for a contract we are entering into with you (to activate and bill your service etc.) If you don’t provide the required data, we may not be able to provide you with or continue the service.

10. Automated decisions and profiling

We use limited automated processing to run our services, for example, real time fraud detection, credit/risk checks, or segmentation to show relevant offers. These systems look at usage patterns, payment history, device/SIM identifiers and similar indicators to score risk or assign a customer segment.

Your rights: you can ask for a human review, express your point of view, and contest a decision made solely by automated processing that has a significant and ongoing effect on you. You may contact us via DPO@dialog.lk to exercise this right.

11. Third party links and apps

If you use our network or our platforms and services to access third party apps, services or content, the privacy practices of such third parties would apply to such use. Please read and review their privacy notices prior to proceeding.

12. Changes to this notice

We may update this notice from time to time. We will post the updated notice here.

Quick Contacts

  1. DPO: DPO@dialog.lk

  2. Reaching out to the Data Protection Authority: Data Protection Authority of Sri Lanka – see dpa.gov.lk.

Dialog Privacy Notice Version: 2.0