Privacy Policy

LeasingMortgage operates an online comparison platform that connects borrowers in Sri Lanka with verified leasing companies, banks, and finance providers offering leasing, mortgage, personal, and business finance products. We respect your privacy and are committed to handling your personal data lawfully, fairly, and transparently.

By using our website and services, you acknowledge that you have read this Privacy Policy. If you do not agree with any part of it, please discontinue use of the platform.

For the purposes of the PDPA, the “Data Controller” is LeasingMortgage (referred to in this policy as “we”, “us”, or “our”), a service operated from Sri Lanka. You may contact us using the details set out in section 14.

We collect the following categories of personal data:

• Identity and contact data — full name, NIC number (where required for pre-approval), email address, mobile number, and postal address.
• Account data — login credentials, password hashes, account preferences, saved offers, and notification settings.
• Financial and eligibility data — declared monthly income, employment status, existing financial obligations, requested loan or lease amount, tenure, asset details, and any documents you upload to support a pre-approval request.
• Usage and device data — IP address, device type, browser, pages viewed, calculator inputs, search queries, and approximate location (district level).
• Communications — messages you send to us or to lenders through our platform, support tickets, and customer service recordings where permitted.
• Provider data — for users registering as a lender or company representative: business registration details, authorised signatory information, and verification documents.

We process your personal data for the following purposes:

• To create and maintain your account and authenticate sessions.
• To run eligibility, repayment, and pre-approval calculations against the products listed on our platform.
• To forward applications and pre-approval requests to lenders you select, so they can evaluate and respond to you.
• To verify lender accounts, prevent fraud, and meet record-keeping obligations.
• To send you service notifications, offer alerts, draw and campaign updates, and (where you have consented) marketing communications.
• To improve our services, develop new features, and analyse usage patterns.
• To comply with our legal, regulatory, and tax obligations in Sri Lanka.

Under the PDPA we rely on the following lawful bases (Section 5 of the Act), depending on the activity:

• Your consent — for marketing emails, optional analytics cookies, and forwarding your application to a specific lender.
• Performance of a contract — to provide the comparison, calculator, and pre-approval services you have requested.
• Compliance with a legal obligation — to comply with obligations imposed on us by Sri Lankan law.
• Legitimate interests — to keep our platform secure, prevent fraud, and improve our services, where this is not overridden by your rights.

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

We share personal data only as described below:

• Lenders and finance providers — when you submit a pre-approval request or apply for an offer, we share the relevant identity, contact, and financial data with the lender(s) you select so they can contact you and process your request. Each lender becomes an independent data controller for their own use of your data.
• Service providers — hosting, email delivery, SMS gateways, analytics, payment processors, and identity verification vendors who act as data processors on our behalf under written agreements.
• Authorities — where disclosure is required by court order, a lawful request from a regulator (such as the Central Bank of Sri Lanka), or to comply with the Computer Crimes Act, No. 24 of 2007 or other Sri Lankan laws.
• Corporate transactions — in the event of a sale, merger, or reorganisation, your data may be transferred to the successor entity, which will remain bound by this policy or an equivalent one.

We do not sell your personal data.

Some of our service providers (for example, cloud hosting and email delivery) may process your data outside Sri Lanka. Where this happens we ensure that an appropriate transfer mechanism is in place under section 26 of the PDPA, including contractual safeguards or transfers to jurisdictions recognised by the Data Protection Authority of Sri Lanka as providing adequate protection.

We retain personal data only for as long as necessary to fulfil the purposes described in this policy and to comply with our legal and regulatory obligations. Indicative retention periods are:

• Active account data — for as long as your account is active, plus 6 years after closure to meet record-keeping requirements.
• Pre-approval and application records — 6 years from submission, in line with general financial record retention practice.
• Marketing preferences — until you unsubscribe or withdraw consent.
• Server and security logs — typically 12 months.

We implement reasonable technical and organisational measures to protect your personal data, including encrypted transport (HTTPS), encryption of credentials at rest, role-based access controls, audit logging, and vendor due diligence. Despite these measures, no system is completely secure; you are responsible for keeping your account password confidential and for notifying us promptly of any suspected unauthorised access.

We use the following cookie categories:

• Strictly necessary — required to authenticate sessions, remember your selections, and maintain platform security. These cannot be switched off.
• Functional — remember your preferences such as language and saved calculator inputs.
• Analytics — help us understand how the platform is used so we can improve it.

You can manage cookies through your browser settings. Disabling strictly necessary cookies may prevent the platform from functioning correctly.

Subject to the conditions set out in the PDPA, you have the following rights in respect of your personal data:

• Right to be informed about the processing of your data.
• Right of access to a copy of your personal data.
• Right to rectification of inaccurate or incomplete data.
• Right to erasure in the circumstances permitted by the Act.
• Right to restrict or object to certain processing.
• Right to withdraw consent where processing relies on consent.
• Right to review of an automated decision that has a legal or similarly significant effect on you.
• Right to lodge a complaint with the Data Protection Authority of Sri Lanka.

To exercise any of these rights, contact us using the details in section 14. We will respond within the timelines set by the PDPA. We may need to verify your identity before acting on your request.

The platform is intended for individuals aged 18 years and above. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or industry practice. The latest version will always be available on this page with an updated “Last updated” date. Where changes are material, we will give you reasonable notice (for example by email or an in-platform notice) before they take effect.

If you have any questions about this Privacy Policy or wish to exercise your rights, you can reach our privacy team at:

• Email: privacy@leasingmortgage.lk
• General enquiries: info@leasingmortgage.lk
• Postal address: LeasingMortgage, Colombo, Sri Lanka.

You also have the right to lodge a complaint directly with the Data Protection Authority of Sri Lanka established under the PDPA.

See also our Terms of Service.