landit.lk
List

Legal

Privacy Policy

Effective 21 April 2026 · Last updated 21 April 2026

This Privacy Policy explains how Citta Cube (Pvt) Ltd, a company incorporated in Sri Lanka with its registered office at 240/2 Thimbirigasyaya Road, Colombo 05, Sri Lanka (“Citta Cube”, “we”, “our”, “us”), collects, uses, stores, discloses, and protects your personal data when you use the landit.lk website and services (“the service”). We process personal data in accordance with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (“PDPA”) and applicable subsidiary regulations. For the purposes of the PDPA, Citta Cube is the Data Controller of the personal data described in this policy.

If any term in this policy is unclear, contact us at privacy@landit.lk.

1. Personal data we collect

We collect the following categories of personal data:

  • Account information. Your name, email address, phone number, password hash (handled by our authentication partner), profile photo, and account type (standard, broker, developer, admin).
  • Identity verification data (sensitive). To unlock higher verification tiers we may collect images of your National Identity Card (NIC) or passport and a selfie. NIC numbers and images are treated as sensitive personal data under the PDPA.
  • Contact and inquiry data. Phone number (used for OTP sign-up, inquiry routing, and optional WhatsApp handoff), messages you send through the in-app messenger, and property inquiries you submit.
  • Listing data. Property addresses, photos, floor plans, price, features, and any descriptive text you upload.
  • Location data. Approximate or precise geolocation of listings (latitude, longitude) that you enter or pin on a map. We do not silently track the real-time location of your device; any location we store is data you actively provided.
  • Usage data. Pages visited, searches performed, listings viewed, favourites saved, inquiries sent, device type, browser, approximate IP-based city, and timestamps.
  • Payment data. If paid features are offered in the future, payment details are handled by a PCI-DSS compliant payment processor. We do not store full card numbers.
  • Communications. Emails or support messages you send us.

2. How we use your personal data

We use personal data to:

  • create and secure your account, including SMS OTP sign-in and fraud prevention;
  • display listings and enable buyers, sellers, brokers, and developers to contact one another;
  • verify identities of sellers, brokers, and developers, and issue trust badges;
  • moderate content, detect fraud, and enforce the Terms of Service;
  • generate AI-assisted summaries, tags, and moderation verdicts for listings (our AI processor does not use your data to train its models);
  • send transactional notifications (inquiry replies, moderation outcomes, account alerts) and, where you have opted in, promotional emails;
  • improve the service through aggregated analytics and product research;
  • comply with legal obligations and respond to lawful requests.

3. Lawful basis for processing

Under the PDPA we rely on the following lawful bases:

  • Contract. Processing necessary to provide the marketplace service you requested when you registered.
  • Consent. For sensitive personal data (NIC images, passport images, selfies for verification), for marketing emails, and for optional features like WhatsApp handoff and precise geolocation, we rely on your explicit consent. You can withdraw consent at any time.
  • Legitimate interests. For fraud prevention, moderation, analytics, service security, and protecting our users.
  • Legal obligation. Where we must retain or disclose data to comply with Sri Lankan law.

4. Sensitive personal data: NIC, passport, and verification images

If you choose to complete identity verification, you will upload images of your NIC or passport. These are handled with extra care:

  • stored in a private storage bucket that is not publicly accessible. Files are only retrievable through signed URLs authorised to our moderation team;
  • used strictly to verify your identity and, where applicable, your right to list a property or operate as a broker or developer;
  • never sold, rented, or shared for marketing purposes;
  • retained only for as long as necessary to support your verification status — see §8 below.

You may withdraw consent and request deletion of your verification documents at any time; doing so will cause your verification tier to drop.

5. Phone numbers and SMS

Phone numbers are used to send one-time verification codes at sign-up, to route property inquiries, and — with your consent — to enable a WhatsApp handoff button on your listings so prospective buyers can contact you off-platform. We do not share your phone number publicly on your profile unless you explicitly choose to display it.

SMS delivery is provided by our authentication partner. Rates from your mobile carrier may apply.

6. Geolocation

When you create a listing you may pin its location on a map. The latitude and longitude you choose are stored and shown publicly on the listing. We do not collect your device's real-time GPS location in the background. If you use a feature that requests precise device location (for example, “show listings near me”), your browser will prompt you for permission and we only use that location for the active session.

7. Who we share personal data with

We share personal data only with:

  • Other users— your name, profile photo, listings, and (where you display it) contact information are visible to other users of the service. Inquiries you send become visible to the recipient.
  • Service providers who process data on our behalf under contractual confidentiality and security obligations, including authentication, database hosting, email delivery, error monitoring, analytics, and our AI summarisation partner.
  • Law enforcement and regulators where disclosure is required by law or in response to a valid court order or lawful request by a Sri Lankan authority.
  • Professional advisors (lawyers, accountants, auditors) where necessary to protect our legal rights.
  • Successors in the event of a merger, acquisition, or sale of assets, subject to the acquirer honouring this Privacy Policy.

We do not sell personal data. We do not share sensitive verification documents with third-party advertisers or marketing partners under any circumstances.

8. Retention

We retain personal data only for as long as necessary for the purposes described in this policy, subject to legal obligations. Indicative retention periods are:

  • Account profile. For as long as your account is active, plus up to 24 months after deletion for fraud prevention, dispute resolution, and legal recordkeeping.
  • Listings and listing photos. Until you delete the listing or your account, plus up to 12 months of archived soft-deleted records. Aggregated, de-identified listing market data may be retained indefinitely.
  • NIC and passport verification images. For as long as your verification status is active, plus up to 12 months after verification is revoked or your account is closed, unless a longer period is required to respond to a fraud investigation or legal process.
  • Messages and inquiries. Retained for up to 24 months after the last message, so users can return to past conversations.
  • Server logs and analytics. Retained for up to 12 months; security-relevant logs may be retained for up to 24 months.

Once a retention period ends, personal data is deleted or irreversibly anonymised.

9. Your rights under the PDPA

Subject to conditions in the PDPA, you have the right to:

  • Access the personal data we hold about you;
  • Rectify inaccurate or incomplete personal data;
  • Erase personal data that is no longer necessary for the purposes for which it was collected;
  • Restrict or object to certain processing, including automated decision-making;
  • Withdraw consent where processing is based on consent;
  • Data portability— receive a machine-readable copy of the personal data you have provided;
  • Complain to the Data Protection Authority of Sri Lanka if you believe your rights have been infringed.

To exercise any of these rights, email privacy@landit.lk. We will respond within 21 days of receipt, or sooner where required by law.

10. Security

We apply technical and organisational measures appropriate to the sensitivity of the data, including TLS encryption in transit, encryption at rest for databases and storage, row-level access control, signed URLs for sensitive documents, principle-of-least-privilege for employee access, and regular backups. No system is perfectly secure; please choose a strong password and never share your credentials.

11. International transfers

Some of our service providers (for example, cloud hosting, email delivery, error monitoring, and AI processing) are located outside Sri Lanka. Where personal data is transferred across borders, we rely on service providers that offer an adequate level of protection and contractually commit to the standards set out in this policy and, where applicable, in the PDPA.

12. Children

landit.lk is not intended for persons under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Cookies

We use essential cookies for authentication and session management, and analytics cookies to understand how the service is used. You can control cookies through your browser settings. Disabling essential cookies will prevent you from signing in.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If a change is material, we will notify active users by email or an in-app notice at least 14 days before it takes effect. The “Last updated” date at the top of this page reflects the latest revision.

15. Contact the Data Controller

Citta Cube (Pvt) Ltd
240/2 Thimbirigasyaya Road, Colombo 05, Sri Lanka
Data protection queries: privacy@landit.lk
General support: support@landit.lk