Legal
Privacy Policy
Last updated: 1 May 2026
Orina Travel ("we", "us", or "our") is committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and share your data when you use our website and services. By using our platform, you agree to the practices described in this policy.
Information We Collect
We collect the following categories of personal information:
- Identity data: Full name, date of birth, nationality.
- Contact data: Email address, phone number, and mailing address.
- Booking data: Tour preferences, travel dates, group size, special requests, and payment records.
- Technical data: IP address, browser type, device identifiers, and cookies (see Cookie Policy below).
- Communications: Messages you send us via email, chat, or our contact forms.
How We Use Your Information
We use your personal data for the following purposes:
- To process and manage your tour and vehicle bookings.
- To communicate booking confirmations, updates, and reminders.
- To personalise your experience on our platform.
- To process payments and issue refunds securely.
- To send promotional offers and newsletters (only with your consent — you may unsubscribe at any time).
- To comply with legal obligations and resolve disputes.
- To improve our website, services, and customer experience through analytics.
Sharing Your Information
We do not sell your personal data. We share your information only with trusted third parties who assist us in delivering our services:
- Payment processors (e.g. Stripe, PayPal) for secure transaction handling.
- Tour guides and drivers assigned to your booking — limited to necessary booking details.
- Hotel and accommodation partners where overnight stays are included in your tour.
- Analytics providers (e.g. Google Analytics) to understand website usage — data is anonymised.
- Government or regulatory authorities when required by law.
All third-party partners are contractually required to protect your data and use it only for the specified purpose.
Data Storage & Security
Your data is stored on secure servers hosted in the European Union and Asia-Pacific regions. We implement industry-standard security measures including:
- SSL/TLS encryption for all data in transit.
- AES-256 encryption for sensitive data at rest.
- Regular security audits and penetration testing.
- Role-based access controls limiting staff access to personal data.
Despite our efforts, no method of transmission over the internet is 100% secure. We will notify you promptly in the event of a data breach affecting your information.
Cookies
We use cookies and similar tracking technologies to enhance your experience on our website. Types of cookies we use:
- Essential cookies: Required for core website functionality such as login sessions and booking flows.
- Analytics cookies: Help us understand how visitors interact with our site (anonymised data).
- Preference cookies: Remember your language, currency, and display settings.
- Marketing cookies: Used to show relevant advertisements (only with your consent).
You can manage your cookie preferences in your browser settings or through our cookie consent banner. Disabling essential cookies may affect website functionality.
Your Rights
Under applicable data protection laws, you have the following rights regarding your personal data:
- Right to access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data (subject to legal retention obligations).
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to processing of your data for marketing purposes.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
International Transfers
If you are based outside Sri Lanka, your data may be transferred to and processed in countries where our servers or partners are located. We ensure all international transfers comply with applicable data protection regulations and are protected by appropriate safeguards such as Standard Contractual Clauses (SCCs).
Data Retention
We retain your personal data for as long as necessary to fulfil the purposes outlined in this policy:
- Booking records are retained for 7 years for accounting and legal compliance.
- Account data is retained until you delete your account, plus 90 days for recovery purposes.
- Marketing preferences are retained until you withdraw consent.
- Analytics data is anonymised after 26 months.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes via email or a prominent notice on our website. The "last updated" date at the top of this page reflects the most recent revision.
Continued use of our services after changes take effect constitutes your acceptance of the updated policy.