Vendors
This Privacy Statement governs the way Cinnamon Hotel Management Limited (“Company”) [company registration number PB 7] of No. 117, Sir Chittampalam A. Gardiner Mawatha, Colombo 02, Sri Lanka and the hotels it operates under the Cinnamon Brand (jointly “Cinnamon Hotels & Resorts”) collects, uses, maintains and discloses information collected before, during, and after your business relationship with Cinnamon Hotels & Resorts. This Statement applies to Suppliers, Service Providers and Business Partners (“Vendors”, “You”) who are involved in, but not limited to, the selling or buying of goods, services and other business transactions with Cinnamon Hotels & Resorts. This Privacy Statement may also be referred to as the “Vendor Privacy Policy” and forms part of your contract.
1. WHAT PERSONAL DATA DO WE COLLECT?
We collect, maintain, and use different types of Personal Information in the context of our business or potential business relationship with you. Please always use your business email, phone or other official contact information when communicating with us in the capacity of a vendor. The following provides examples of the type of information that we collect from you.
Personal Information:
- Name
- Email Address
- Phone Number
- Employer
Financial Information:
- Bank Account Details
- Payment Card Information
- Financial Status and History
- Tax details
- Audit reports
Onsite Visit Information:
- Vehicle Information
- CCTV Footage
Government Documents:
- Business Registration Documents and Related Information
- National Identity Card or Passport
- Other Relevant Government-Issued Identification
Publicly available information:
- Social media
- Websites
2. WHEN DO WE COLLECT YOUR PERSONAL DATA?
We collect your personal data when you directly interact with us, such as sending us an email, filling a form or when you use any of our systems or applications. We may also collect your information from other John Keells Group Companies and third-party sources like the internet, social media, private agencies or government authorities.
3. HOW DO WE USE YOUR PERSONAL DATA?
We always process your personal information based on one or more of the following legal grounds:
- Legitimate Interests: The legitimate interests of CH&R in conducting and managing its business in order to ensure a high standard of service, secure experience and legal compliance. We use best endeavors to balance any potential impact to you and your rights (both positive and negative) prior to processing your Personal Data for our legitimate interests. We will not use your Personal Data for activities where our interests are overridden by the impact on you (save with your express consent or as required/permitted by law).
- Performance of Contract: Processing and using your data is necessary for the performance of any services or contract to which you are a party or to take steps at your request before entering into such a contract and the provision of the same to our service providers, agents and other parties as required for the purpose of facilitating the performance of the contract with you.
- Comply with a legal or regulatory obligation: It may be necessary for us to process your Personal Data to ensure compliance with applicable legal obligations or to comply with requests from Government, law enforcement, regulatory, judicial or related authorities in relation to obligations under law, regulation, national or public security or related inquiry.
- Consent: Where you have explicitly provided your consent, we will process your Personal Data for the specific purpose(s) for which that consent was obtained. You have the right to withdraw your consent at any time; however, this will not affect the lawfulness of any processing carried out prior to withdrawal. Where consent is the basis for processing, we will ensure that it is freely given, informed, specific, and unambiguous.
- Public Interest: We may process your Personal Data where such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in CH&R. This may include situations where processing is required to support public functions or statutory duties that contribute to broader societal or community objectives, while ensuring that your rights and freedoms are respected.
- Vital Interests: In rare circumstances, we may process your Personal Data where it is necessary to protect your vital interests or those of another individual. This basis will only be relied upon where the processing is essential to protect someone’s life or physical safety, and when no other lawful basis is available.
Some of these instances are detailed below:
| Purpose/Activity | Lawful Basis for Processing |
| --- | --- |
| To administer and manage our business relationship with you. | To administer and manage our business relationship with you. |
| For internal operations, such as billing, accounting, and improving our services. | Necessary for our legitimate interests (to ensure efficient internal administration, financial management, and continuous improvement of our services) |
| To comply with legal obligations, protect against fraud, and ensure the security of our systems. | Necessary to comply with our legal obligations (to meet statutory and regulatory requirements and prevent unlawful activity); Necessary for our legitimate interests (to manage and safeguard our systems and data) |
Obtaining and Handling Your Consent
When we collect your personal data, we’ll let you know whether the details we’re asking for are optional. If you provide personal data about other individuals, we trust that you’ve received their permission to do so. Please note that choosing not to provide certain information may limit access to specific services or opportunities. For example, if you do not provide required contact or business information, we may not be able to engage with you fully or process certain requests.
Testimonials and Event Coverage
From time to time, we may use photos, videos, or testimonials to showcase our vendor partnerships, events, or collaborative achievements. If you do not want your personal data to be shared or published, you can let us know anytime by contacting our Data Protection Officer (DPO). Please note that this would not affect our ongoing relationship or access to services.
4. WHOM DO WE DISCLOSE YOUR PERSONAL DATA TO?
- To other John Keells Group Companies
- To public authorities
- To any other third-party organizations that are contracted with us to provide services
- If another company acquires, or plans to acquire part of our business, we will also share information with that company.
We may disclose your personal data to third parties, including professional advisors, auditors, regulators, and service providers, where required for our business operations or to fulfil contractual obligations. These parties are permitted to use your personal data only for the purposes for which it is shared with them and in accordance with applicable data protection laws.
In addition to the above, our service providers may directly collect personal data from you. You are required to read the privacy policy of every such service provider and direct any clarification to them. We have no control over their privacy practices and assume no responsibility.
5. TRANSFERS OF PERSONAL DATA
Please note that personal information submitted to us may be transferred to, stored, and processed on cloud servers located in and outside of Sri Lanka, in accordance with applicable laws and regulations. The transfer of your personal data is carried out under organizational, technical and contractual protection.
6. HOW DO WE PROTECT YOUR PERSONAL DATA?
We implement industry accepted security measures to protect your personal information from unauthorized access, use, disclosure, alteration, or destruction. However, please be aware that no system is completely secure. In the event of a data security breach that could potentially impact your personal information, we will take appropriate steps to investigate the incident and notify you as required by applicable laws and regulations.
7. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
We will retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Statement or as required by applicable laws and regulations. Once the retention period expires, we will dispose of or securely anonymize your personal information to prevent unauthorized access or disclosure.
8. WHAT ARE YOUR RIGHTS?
You have the right to be informed of, access, rectify/correct, erase, withdraw consent for, and object to the processing of your personal information. You also have the right to data portability and to inquire about automated individual decision-making. To exercise these rights, please contact your relevant Data Protection Champion or the DPO. We will respond to your request within a reasonable timeframe. However, we reserve the right to decline such requests where permitted by law.
Appeal to the Data Protection Authority
If your request regarding the processing of your personal data is refused or not properly addressed, you have the right to appeal to the Sri Lankan Data Protection Authority (DPA) or a relevant Supervisory Authority.
No fee is usually required
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, unreasonable, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
9. CONSEQUENCES OF NOT PROVIDING YOUR PERSONAL DATA
Failure to provide such information may:
- Limit or prevent access to features on our website or digital platforms.
- Affect our ability to communicate with you.
- Hinder the degree of our ability to enter into a contract with you.
- Be in violation of any applicable law or regulation that requires us to collect such personal data.
10. BY SUBMITTING PERSONAL DATA TO US, YOU ACKNOWLEDGE THAT:
You have read and understood this Privacy Statement and agree to the usage, processing, disclosure and transfer of personal data as set out herein.
All information and representations provided by you are true and correct to the best of your knowledge, and you have not knowingly omitted any relevant information.
If you are providing information on behalf of another person, you guarantee you have the authority to do so, and they are aware of this privacy statement.
11. VENDOR DATA PROTECTION AND PRIVACY OBLIGATIONS
Vendors shall strictly comply with the European Union General Data Protection Regulation (GDPR), Sri Lanka Personal Data Protection Act (SL PDPA) and all other applicable privacy or data protection related legislation at all times. The Company has the right to periodically request, at its discretion, external audit reports from the Vendor, or conduct its own assessments from time to time, with the full support of the Vendor and at the sole cost of the Vendor. If there is any violation of legislation or written direction given by the Company related to privacy or data protection to the Vendor, the Company has the right to terminate the contract with the Vendor. If there is any data breach, near miss or a violation of legislation by the Vendor, the Vendor must inform the Company within three calendar days.
12. WHOM CAN YOU CONTACT FOR MORE INFORMATION?
If you have any questions or complaints about this statement or about our privacy practices, kindly reach out to the Data Protection Officer at [email protected]
13. UPDATES TO THE PRIVACY STATEMENT
We reserve the right to amend, modify, vary or update this Privacy Statement, at our discretion from time to time, as and when the need arises. The most recently published Privacy Statement shall prevail over any of its previous versions.
We’ll do our best to keep you informed about any updates to this Privacy Statement. You’re also welcome to check back on it from time to time so you always know how we look after your personal information.
Last updated date: 11/12/2025