This Privacy Policy explains how TruRout Technologies (Private) Limited collects, uses, stores, shares, and protects your personal data. It applies to all Users of the TruRout Platform, including Riders, Cargo Customers, and Drivers. This Policy is compliant with the Personal Data Protection Act No. 9 of 2022 ("PDPA") of Sri Lanka.
1. Data Controller
- Data Controller — TruRout Technologies (Private) Limited
- Address — Colombo, Sri Lanka
- DPO Email — dpo@trurout.com
- Support Email — support@trurout.com
- Website — www.trurout.com
2. What Personal Data We Collect
Data you provide directly
- Identity: Full name, date of birth, national identity number or passport number;
- Contact: Email address, phone number, residential address;
- Account credentials: username and encrypted password;
- Payment: Card details (tokenised — we do not store raw card numbers), bank account details for wallet refunds;
- Driver-specific: Driver's licence number and expiry, vehicle registration, insurance details.
Data we collect automatically
- Location data: GPS pick-up and drop-off points, real-time location during active Trips;
- Device data: Device type, operating system, app version, unique device identifiers;
- Usage data: App session logs, feature interactions, trip history, search queries;
- Communications: In-app support messages, dispute submissions, feedback.
Data from third parties
- Payment gateway data from WebXPay (transaction reference, status, payment method type);
- Mapping and location data from Google Maps or equivalent service providers.
3. Legal Basis for Processing
We process your personal data on the following legal bases under the PDPA:
- Contractual necessity — to perform our obligations under the Terms & Conditions: booking trips, processing payments, providing support.
- Legitimate interests — to prevent fraud, ensure platform safety, improve our services, and conduct analytics.
- Legal obligation — to comply with applicable Sri Lankan laws, regulatory requirements, and court orders.
- Consent — for marketing communications and optional features where you have given express consent. You may withdraw consent at any time.
4. How We Use Your Personal Data
- To create and manage your TruRout account;
- To match Riders and Cargo Customers with available Drivers;
- To process payments, subscriptions, and refunds;
- To provide real-time GPS tracking during active Trips;
- To investigate complaints, disputes, and accidents;
- To ensure platform safety and prevent fraudulent activity;
- To send operational notices, policy updates, and service communications;
- To comply with legal, regulatory, and tax obligations;
- To improve the Platform through anonymised and aggregated analytics;
- To send marketing communications (only where you have opted in).
5. How We Share Your Personal Data
We share personal data only with the following categories of recipients, and only to the extent necessary:
- Drivers (for Riders/Cargo Customers): your name and pick-up/drop-off location.
- Riders (for Drivers): a Rider's first name and pick-up location. Full contact details are not shared proactively.
- Payment processors: transaction data with WebXPay and associated wallet providers (eZ Cash, mCash, FriMi, LankaQR).
- Mapping & infrastructure: Google Maps or equivalent services for routing and display, processed under their own privacy policies.
- Law enforcement / regulators: where required by court order, statutory authority, or applicable Sri Lankan law.
- Business transfers: in the event of a merger, acquisition, or sale of assets, subject to equivalent data protection obligations.
We do not sell your data
We do not sell, rent, or disclose your personal data to third parties for their independent marketing purposes.
6. Data Retention
Note: Real-time GPS pings are stored in Redis with a 30-second TTL and are never written to the permanent database. Trip summary GPS data (start/end) is retained in the database for operational and dispute resolution purposes.
- Account & identity data — 5 years after account closure (legal compliance, dispute resolution).
- Trip & transaction records — 5 years (Inland Revenue Act).
- GPS location (real-time) — 30 seconds (Redis TTL); archived summary retained 5 years.
- Payment records — 5 years (financial regulation).
- Complaint & dispute records — 3 years (legal obligation).
- Accident reports — 3 years minimum (insurance & legal compliance).
- Marketing consent records — until consent is withdrawn (PDPA compliance).
7. Data Security
- End-to-end encryption of data in transit (TLS 1.2+);
- Encryption of sensitive data at rest;
- Role-based access controls — staff access only what is necessary for their function;
- Regular security audits and penetration testing;
- Secure cloud infrastructure hosted on AWS (ECS Fargate) with data stored in Sri Lanka or compliant regions.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant authority and affected individuals as required by the PDPA.
8. Your Rights Under the PDPA
As a data subject under the PDPA No. 9 of 2022, you have the following rights:
- Right of access — request a copy of the personal data we hold about you.
- Right of correction — request correction of inaccurate or incomplete personal data.
- Right of deletion — request erasure of your personal data, subject to legal retention requirements.
- Right to withdraw consent — withdraw consent for processing at any time (where based on consent).
- Right to object — object to processing based on legitimate interests, including profiling.
- Right to data portability — receive your data in a structured, machine-readable format.
How to exercise your rights
Contact us at dpo@trurout.com. We will respond within 14 calendar days of receiving your request.
9. Cookies
Our website uses cookies and similar tracking technologies. Please refer to our Cookie Policy for full details. You can manage cookie preferences at any time through your browser settings or our consent manager.
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via the Platform or by email with at least 14 days' notice before the change takes effect.
The current version of this Policy is available at: www.trurout.com/privacy
11. Contact and Complaints
If you have concerns about how we handle your personal data, please first contact our DPO at dpo@trurout.com. If you remain dissatisfied, you may lodge a complaint with the relevant data protection authority under the PDPA.