Official Policy Document

Privacy & Data Protection Policy

How Yelo Group collects, uses, protects and manages personal information within the YMS platform.

Last updated: 26 May 2026 | Yelo Group (Pvt) Ltd | Sri Lanka | Version 1.0

Important Notice: This Privacy Policy applies to all users of the YMS – Yelo Group Management System, including employees, managers, administrators, and any third parties granted system access. By logging into and using YMS, you acknowledge that you have read and understood this policy.

Section 01
Overview
Who we are and what this policy covers

Yelo Group (Pvt) Ltd ("Yelo Group", "we", "us", or "our") operates the YMS – Yelo Group Management System, an internal enterprise resource planning (ERP) and human resource management platform used across all Yelo Group branches and subsidiaries in Sri Lanka.

This Privacy Policy ("Policy") explains how we collect, store, use, disclose, protect, and retain personal data and sensitive business information processed through the YMS platform. It applies to all authorised users of the system including permanent employees, contract workers, delivery personnel, branch managers, area sales managers, and system administrators.

We are committed to processing personal data in accordance with applicable Sri Lankan law, including the provisions of the Personal Data Protection Act No. 9 of 2022 (PDPA), and in alignment with internationally recognised data protection principles.

YMS is a strictly internal system — it is not a public-facing web application. Access is restricted to authorised personnel only and protected by role-based access controls.

Section 02
Scope & Applicability
Who and what this policy covers

This Policy applies to all data processing activities performed through the YMS platform, regardless of the user's role, branch, or employment type. The following categories of individuals are covered:

  • Employees – All permanent and contract staff of Yelo Group registered in the system.
  • Delivery Personnel & Promoters – Field staff whose daily activities, attendance, and performance are tracked in YMS.
  • Customers – Trade customers and business partners whose credit, cheque, and transaction records are maintained.
  • System Users – Managers, administrators, IT staff, and any other individuals granted login credentials.
  • Third Parties – Banks, financial institutions, and external service providers whose data is entered in connection with business operations.

This Policy covers all modules of YMS including but not limited to: Human Resources, Attendance & Leave, Payroll & Salary, Cheque Management, Credit & Collections, Sales & Invoicing, Loan & Advances, Reporting, and AI-powered tools.

Section 03
Data We Collect
Categories and types of personal and business data

YMS processes the following categories of data in the course of normal business operations:

Category | Examples | Module
Personal Identity | Full name, NIC/ID number, date of birth, gender, marital status, blood group | HR
Contact Information | Mobile, home & office telephone numbers, WhatsApp number, email address, home address | HR
Employment Data | Employee ID, designation, staff category, branch, company code, date of joining, TR code, driving licence number | HR
Financial Data | Bank name, branch, account number, basic salary, gratuity, insurance & welfare amounts, EPF/ETF details, salary advances, loans | Payroll
Attendance & Leave | Daily check-in/check-out timestamps, attendance status, leave types, leave dates, leave history | Attendance
Biometric Data | Fingerprint scan data from Hikvision devices; used solely for attendance verification | Attendance
Performance & Incentive | Field summary data, daily GSE records, incentive calculations, monthly targets, SR collection summaries | Operations
Customer Data | Customer name, business name, credit limit, cheque details, collection history, credit ageing | Finance
Cheque & Banking | Cheque numbers, bank details, deposit records, cheque images (where uploaded), reconciliation data | Finance
System Access Logs | Login timestamps, session activity, user actions, IP addresses, browser/device information | System
Uploaded Documents | Profile photos, application forms, NIC copies, driving licence copies | HR
AI Interaction Data | Queries submitted to the AI Chatbot and Gemini-powered cheque analysis tools | AI Tools

We collect only the data that is necessary for the stated business purposes. Employees are informed of all data fields requested at the time of registration.

Section 04
Purpose of Processing
Why we collect and use your data

All personal and business data collected through YMS is processed for the following clearly defined, legitimate business purposes:

  • Human Resource Management: Maintaining accurate employee records, managing employment contracts, designations, and organisational structure across all Yelo Group companies and branches.
  • Attendance & Leave Administration: Recording daily attendance (including biometric check-in/check-out), managing leave applications, approvals, and leave balances.
  • Payroll Processing: Calculating salaries, deductions, EPF/ETF contributions, gratuity, incentives, salary advances, and loans based on attendance and performance data.
  • Financial Operations: Managing cheque issuances, deposits, reconciliations, credit collections, customer payments, and bank statements.
  • Sales & Operations: Tracking field summaries, delivery performance, loading/unloading data, credit bill issuance, and route-wise collections.
  • Compliance & Audit: Maintaining records required under Sri Lankan labour law, EPF/ETF regulations, and internal audit requirements.
  • System Security: Monitoring login activity, session management, and user access logs to detect and prevent unauthorised access.
  • AI-Assisted Processing: Using AI tools (Gemini API, internal chatbot) to assist with cheque image analysis, data queries, and operational decision support. AI-generated outputs are reviewed by authorised personnel before being acted upon.
  • Reporting & Analytics: Generating management reports, branch performance dashboards, and statutory returns.

We do NOT use personal data for advertising, marketing to third parties, or any purpose unrelated to Yelo Group's internal business operations.

Section 06
Access & Role-Based Control
Who can see what data, and how access is governed

Access to data within YMS is strictly governed by a Role-Based Access Control (RBAC) model. Each user account is assigned a role that determines which modules, records, and actions are available to them.

  • System Administrator: Full access to all modules, user management, permissions configuration, and system settings.
  • HR Manager: Access to employee records, attendance, leave, payroll, and salary modules.
  • Branch Manager / Area Sales Manager: Access limited to their assigned branch, field summaries, collections, and operational reports.
  • Finance Officer: Access to cheque management, cash collections, deposits, and bank reconciliations.
  • Field Representative / Delivery Person: Read-only or limited operational access specific to their duties.
  • Auditor / Report Viewer: Read-only access to reports and financial summaries with no ability to modify records.

Access Principles:

Least Privilege: Users are granted only the minimum access necessary for their job function.

Need-to-Know: Sensitive data such as salary details and biometric records are accessible only to authorised HR and payroll personnel.

Session Security: All sessions are time-limited. Inactive sessions are automatically terminated to prevent unauthorised access.

Audit Trail: All significant user actions within YMS are logged and traceable to individual user accounts.

Section 07
Data Retention
How long we keep your data and why

Yelo Group retains personal and business data only for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law.

Data Type | Retention Period | Reason
Employee personal records | Duration of employment + 7 years | Labour law compliance, EPF/ETF claims
Attendance & leave records | 5 years from record date | Payroll audits, dispute resolution
Payroll & salary data | 7 years from payment date | Tax compliance, statutory requirements
Cheque & financial records | 7 years from transaction date | Audit trails, banking regulations
Customer credit records | 5 years from last transaction | Credit management, legal disputes
System access logs | 2 years | Security monitoring, incident investigation
Biometric fingerprint data | Duration of employment only | Deleted upon resignation or termination
Uploaded documents (photos, NIC, etc.) | Duration of employment + 3 years | HR records, reference purposes
AI chatbot interaction logs | 90 days | System improvement, error resolution

After the applicable retention period has elapsed, data will be securely deleted or anonymised in accordance with our data deletion procedures.

Section 08
Security Measures
Technical and organisational controls to protect your data

Yelo Group implements comprehensive technical and organisational security measures to protect personal data processed through YMS against unauthorised access, disclosure, alteration, loss, or destruction.

  • Authentication: All system access requires a username and password. Passwords are hashed using industry-standard algorithms and are never stored in plain text.
  • Session Management: Sessions are secured with PHP session tokens; idle session timeout is enforced across all modules.
  • Input Validation & SQL Injection Prevention: All user inputs are sanitised using mysqli_real_escape_string() and validated before database operations.
  • Encrypted Transmission: YMS is served over HTTPS. All data transmitted between the browser and server is encrypted in transit.
  • Database Security: The database is hosted on a secured server with restricted network access. Database credentials are stored in a dedicated config.php file outside the public web root where applicable.
  • File Upload Security: Uploaded documents (photos, NIC copies, etc.) are stored in access-controlled directories. File type and size are validated before storage.
  • Error Handling: PHP error display is disabled in production (display_errors = 0); errors are logged internally and not exposed to end users.
  • Backup & Recovery: Regular database backups are maintained. Backup files are stored securely and tested periodically.
  • Physical Security: Server infrastructure is hosted in a secure environment with restricted physical access.
  • Staff Awareness: Authorised system users are briefed on data security responsibilities and confidentiality obligations.

In the event of a data breach, Yelo Group will take immediate steps to contain the incident and will notify affected individuals and relevant authorities in accordance with its obligations under the PDPA.

Section 09
Data Sharing & Disclosure
When and with whom data is shared

Yelo Group does not sell, rent, or trade personal data to any third party. Data may be shared only in the following strictly limited circumstances:

  • Within Yelo Group: Data may be accessed by authorised personnel across different Yelo Group companies and branches as required for legitimate operational purposes, subject to the role-based access controls described in Section 06.
  • Financial Institutions: Bank account details, cheque data, and payment information are shared with banks and financial institutions as part of normal business operations (e.g., cheque deposits, EPF/ETF remittances).
  • Government & Statutory Bodies: EPF/ETF contribution data and other statutory information are reported to the Employees' Provident Fund Board, Inland Revenue, and other regulatory bodies as required by law.
  • IT Service Providers: The system is hosted on a managed hosting platform. The hosting provider has access to server infrastructure but not to application-level data. Appropriate data processing agreements are in place.
  • AI Service Providers: Certain YMS features use the Google Gemini API for cheque image analysis and the Anthropic API for AI chatbot functionality. Data submitted to these services is governed by the respective providers' terms of service and privacy policies. Users should avoid submitting highly sensitive personal information through AI-powered tools.
  • Legal & Regulatory Requirements: We may disclose data when required to do so by law, court order, or at the request of law enforcement authorities.

We will never share personal employee or customer data with any advertising networks, data brokers, or unauthorised third parties.

Section 10
Your Data Rights
Rights you have under the PDPA and how to exercise them

Under the Personal Data Protection Act No. 9 of 2022 (Sri Lanka), individuals whose personal data is processed have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your data where there is no longer a lawful basis for retention.
  • Right to Object: Object to processing of your data in certain circumstances.
  • Right to Restriction: Request that we limit how we use your data in certain situations.
  • Right to Portability: Receive your data in a structured, machine-readable format.
  • Withdraw Consent: Withdraw consent for biometric data collection at any time.
  • Automated Decisions: Not to be subject to solely automated decision-making with significant effects.

To exercise any of these rights, employees should contact their immediate HR representative or the designated Data Protection Officer. Requests will be processed within 30 days of receipt. Where requests are complex or numerous, this period may be extended by a further 60 days with notification.

Note that some rights are subject to limitations. For example, payroll and EPF/ETF records must be retained for the legally required period regardless of an erasure request.

Section 11
Biometric Data & AI Tools
Special provisions for sensitive data categories

Biometric Attendance (Hikvision Fingerprint Devices)

YMS integrates with Hikvision fingerprint-based biometric attendance devices. Biometric data (fingerprint templates) is classified as sensitive personal data under the PDPA and is subject to additional protections:

  • Biometric enrolment requires written or acknowledged consent from the employee.
  • Fingerprint templates are stored on the Hikvision device and transmitted only as attendance log entries (date/time/employee ID) to YMS — raw biometric templates are never stored in the YMS database.
  • Biometric data is used exclusively for attendance verification and no other purpose.
  • Fingerprint data is deleted from devices upon an employee's departure from the organisation.
  • Employees who do not consent to biometric enrolment are provided an alternative attendance recording method.

AI-Powered Tools (Gemini API & AI Chatbot)

YMS includes AI-assisted features including a Gemini-powered cheque image reader and an internal AI chatbot. The following principles apply:

  • AI tools are provided to assist authorised staff — they do not make autonomous decisions on matters with significant impact on individuals.
  • Users should exercise caution when submitting data to AI tools. Avoid entering sensitive personal data (NIC numbers, bank accounts, health information) into AI prompts unless strictly necessary.
  • AI-generated outputs are advisory only. Authorised personnel are responsible for verifying and acting on such outputs.
  • Interaction data with Google Gemini API is subject to Google's privacy policy and terms of service. Interaction data with Anthropic's API is subject to Anthropic's privacy policy.
  • YMS does not use AI tools for employee performance evaluation or disciplinary decisions without human review.

Section 12
Policy Changes
How we update this policy and notify you

Yelo Group reserves the right to update this Privacy Policy at any time to reflect changes in our business practices, legal requirements, or system capabilities. When we make significant changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Display a notice within YMS informing users of the update.
  • Where changes are material, notify affected users via system notifications or through their HR representatives.

Your continued use of YMS after such changes constitutes acceptance of the updated Policy. We encourage all users to review this page periodically.

Previous versions of this Policy are available from the IT / System Administration team upon request.

Section 13
Contact Us
Data Protection Officer & how to raise concerns

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data within YMS, please contact us through the following channels:

  • Organisation: Yelo Group (Pvt) Ltd
  • Data Protection Contact: HR / IT Department
  • Jurisdiction: Sri Lanka
  • Governing Law: PDPA No. 9 of 2022

If you believe that your data protection rights have been violated and your concern has not been adequately addressed, you have the right to lodge a complaint with the Data Protection Authority of Sri Lanka once it is fully established under the PDPA, or with any other applicable supervisory authority.

Internal Escalation: Employees should first raise data privacy concerns with their direct HR representative. If the matter is not resolved satisfactorily, it may be escalated to the Senior Management or IT Administration team. All complaints will be acknowledged within 5 working days and resolved within 30 working days.