1. Introduction
This Privacy Policy describes how “we”, “us”, “our” (Xeptagon (Pvt) Ltd) collect, use, process, store, share and protect the personal data of individuals including website visitors, clients, users, business partners, job applicants, and others when you interact with our website, services, platforms, or otherwise provide your personal data to us.
By using our website or services, or by providing personal data to us, you agree to the practices described in this Privacy Policy.
2. Data Controller & Contact Information
- Controller / Responsible Entity: Xeptagon, headquartered at Level 2, Block D, IT Park, Port City Colombo, Sri Lanka (plus its global offices Cyberport, Hong Kong; Nairobi, Kenya; etc.)
- Contact: info@xeptagon.com
- For any privacy-related questions, data access or deletion requests, or complaints, refer to the contact above
3. Who This Policy Covers
This Policy applies to personal data we collect from or about the following categories of individuals:
- Visitors to our website (www.xeptagon.com and any subdomains)
- Users of our digital products or services (e.g. carbon-market software, registries, trading platforms, fintech tools)
- Clients, business partners, vendors, suppliers, consultants, or counterparties
- Job applicants, employees, contractors (as applicable)
- Individuals who contact us via forms, email, or other communication channels
4. What Personal Data We Collect
Depending on how you interact with us, we may collect the following types/categories of personal data:
4.1. Data You Provide Directly
- Identity & Contact Data: name, email address, phone number, mailing / postal address, business address, company affiliation, job title, organization name, etc.
- Credentials / Account Data: when you sign up for services
- Financial & Transaction Data: payment method or payment-related information (processed via third-party payment gateways), billing history, transaction records, invoices, receipts
- Communications & Correspondence Data: content of emails, support tickets, inquiries, proposals, quotations, contracts, job-application data (CVs, resumes, cover letters), business correspondence
- Sensitive data (only if explicitly provided and required): e.g. background-check data, national ID / passport data, tax documentation only when strictly necessary and with explicit consent.
4.2. Automatically Collected and Technical Data
- Cookies, tracking technologies, analytics data: we may collect data via cookies or similar technologies to enable website functionality, track usage, performance metrics, and monitor aggregate user behavior.
5. Purposes for Which We Use Your Data
We use the collected personal data for multiple legitimate and specific purposes, including:
- To provide and deliver requested services or products (e.g. carbon-registry software, trading platforms, fintech solutions, custom development, consultancy)
- To manage accounts, authentication, billing, invoicing, payments and contract fulfilment
- To respond to inquiries, support requests, quotations, proposals, business communications
- To communicate important information, such as service updates, policy changes, security notices, maintenance, regulatory or compliance communications
- To improve, maintain, and monitor the performance, quality, security, and stability of our websites, platforms and services
- To conduct analytics and usage analysis, for enhancing user experience and optimizing our offerings (e.g. usage statistics, traffic analysis, feature adoption)
- To maintain records for business operations, audit, compliance, legal obligations, prevention of fraud or misuse
- To manage recruitment, hiring, human-resources or contractor relationships (if you apply for a job or provide services)
- To comply with legal, regulatory, tax or accounting requirements including record-keeping, financial audits, reporting, cross-border compliance, contractual obligations
6. Disclosure / Sharing of Personal Data
We may share your personal data with:
- Third-party service providers and subcontractors for hosting, IT infrastructure, cloud services, payment processing, analytics, security monitoring, customer support, email or communication services, data storage. All such providers are required to adhere to confidentiality and data protection obligations.
- Business partners, affiliates or collaborators when collaborating on projects, software deliveries, joint ventures, carbon-market deployments, consulting or carbon registry/trading implementations (subject to contractual safeguards).
- Regulatory, governmental or judicial authorities if required by law, regulation, judicial order, or to enforce our rights, or to comply with audits or investigations.
- Acquirers or successors in the event of a merger, acquisition, sale, corporate restructuring, or transfer of assets. In such cases, personal data may be transferred as part of the relevant transaction (with notice to data subjects where required).
7. International / Cross-Border Data Transfers
Given our global operations and clients (e.g. Sri Lanka, Hong Kong, Kenya, EU clients, etc.), personal data may be transferred across borders to countries where we or our service providers operate. If data is transferred internationally, we ensure that:
- Appropriate safeguards and contractual protections are in place
- Data is handled in compliance with applicable data-protection obligations
- Transfers are limited to necessary purposes (service provision, support, operations)
8. Data Security & Protection
We implement robust security and privacy controls to safeguard personal data, including but not limited to:
- Secure encryption (in transit and at rest), when transmitting or storing sensitive data
- Access control and role-based permissions to ensure only authorized personnel can access personal data
- Secure authentication and credentials management
- Logging, monitoring, and audit trails of data access and processing activities
- Regular security assessments, vulnerability scanning, patching and secure software development practices
- Data minimization: only collect data necessary for legitimate purposes, and avoid unnecessary collection of sensitive data
- Confidentiality agreements for employees, contractors, and third-party service providers who process personal data
9. Data Retention
We retain personal data only for as long as needed for:
- The purposes described in this policy (service provision, support, communication, billing, audit, compliance)
- Legal, regulatory or contractual obligations (e.g. financial record-keeping, tax, audit, corporate governance)
- Resolving disputes, enforcing agreements, or other legitimate business needs
10. Cookies, Tracking & Web Analytics
- We use cookies and similar tracking technologies to enable core website functionality, maintain user sessions, gather analytics, understand usage patterns, and improve user experience.
- On your first visit (or per consent screen), you may be given a cookie-consent banner (or similar mechanism) to accept or manage cookie preferences.
- You may control or disable cookies at any time via your browser settings or the cookie-preference controls; however, disabling certain cookies may affect website functionality or access to services.
- Third-party services used on our site (hosting, analytics, cloud, payment gateways etc.) may also employ cookies or tracking; their use is governed by their own privacy policies and subject to our data-sharing practices.
11. Your Rights & Choices
Depending on where you are located (jurisdiction) and subject to applicable laws, you have certain rights regarding your personal data, including:
- Right to access: request a copy of the personal data we hold about you
- Right to correct or update inaccurate or outdated data
- Right to delete or restrict processing: where data is not needed or consent is withdrawn (unless retention is required for legitimate reasons)
- Right to object to certain processing: for marketing, profiling, or automated decision-making (if applicable)
- Right to portability: request your data in a structured, commonly used format (if relevant)
- Right to withdraw consent: if processing is consent-based, at any time
- Right to complain: to our contact point (info@xeptagon.com) if you believe data handling violates this Policy or your rights
12. Data of Minors / Children
Our website and services are not intended for, and we do not knowingly collect personal data of children below the age required by law. If we become aware that we have collected data from a minor without appropriate consent, we will take prompt steps to delete such data.
13. Data Breach Response & Notification
In the event of a security incident or data breach that compromises personal data, we will:
- Promptly assess and contain the breach
- Notify affected individuals and/or relevant authorities (if required under applicable laws/regulations)
- Provide information about the nature of the breach, potential impact, recommended mitigation or remedial steps
- Review and strengthen security measures to prevent recurrence
14. Updates to This Privacy Policy
We may update this Privacy Policy from time to time as our business evolves, or as data-protection practices, tools, legal or regulatory requirements change.
When we make significant changes, we will:
- Update the “Last Revised” date at the top
- Request renewed consent if required for changed data practices
15. Consent & Acceptance
By continuing to use our website, services, or by providing personal data to us, you expressly consent to the collection, processing, sharing, storage, and transfer of your personal data as described in this Privacy Policy.
16. Contact & Data-Protection Inquiries
For any questions, concerns, or requests (access, correction, deletion, data export, complaints, or other privacy-related matters), please contact us at: info@xeptagon.com