PRIVACY NOTICE

1.3. Your Responsibility to Provide Accurate and Updated Information

Maintaining accurate, valid, and up-to-date Personal Data is essential. You are responsible for ensuring that the Personal Data you provide to us is accurate, complete, and up to date. We kindly request that you inform us immediately of any changes to your Personal Data throughout the duration of your relationship with us, to help us ensure the continued accuracy of our records.

1.4. Your Obligation to Secure Your Personal Devices

You are solely responsible for maintaining the security of any personal devices used to communicate with DIMO or to transmit Personal Data to us. While we implement appropriate security measures, no transmission of data over the internet is entirely secure. Accordingly, you must ensure that all devices used for such purposes are properly secured against cyber threats, unauthorized access, and other security risks. You are therefore responsible for safeguarding your Personal Data and account credentials and for verifying the authenticity of any communication claiming to originate from DIMO.

1.5. Obtaining Lawful Consent When Sharing Others’ Information

Where you provide DIMO with Personal Data relating to another individual, you confirm and warrant that you have obtained the informed and specific consent of such individual to share their Personal Data with us. This includes ensuring that the individual has been fully informed of the terms of this Privacy Notice and the purposes for which their Personal Data will be processed and they have accepted the same. You also undertake to ensure that any such third-party Personal Data is accurate, complete, and up to date and does not contain any false, misleading, or misrepresented information.

1.6. Caution Regarding External Websites, Plug-ins, Applications and Third-Party Links

This website or any link document provided by us may contain links to third-party websites, plug- ins, or applications that are not owned, operated, or controlled by DIMO. Accessing such third- party platforms may allow those parties to collect or process your Personal Data under their own privacy policies and terms of service. DIMO has no control and assumes no responsibility for the privacy practices, content, or security standards of such third-party websites or services. We strongly encourage you to review and understand the privacy notices of all external websites before providing any Personal Data. Your use of such third-party services is at your own risk, and DIMO disclaims all liability in this regard.

2.1. Types of Data We Collect About You

We may collect or receive the categories of personal information listed below, which may depend on the products or services you may use, as well as your device and account settings. Not all categories of personal information will be collected or received about every individual.

These data can be categorized as follows:

1. Basic Personal Identifiers, such as name, telephone number, residential or billing address, email address, government-issued identifiers (e.g., national identification/passport numbers, driver’s license numbers, etc), and signatures.
2. Device and Online Identifiers, such as account login information, MAC address, IP address, cookie IDs, mobile ad IDs, and social media information.
3. Internet and Other Network Activity Information, such as information about your browsing or search activity as well as your interactions with our websites, mobile applications, emails, social media platforms or advertisements (for example keystroke patterns which help us determine if it is you or a bot who is interacting with us).
4. Commercial Information, such as purchase and transaction history information (such as products or services you have purchased, rented, or returned), details about products associated with services you receive from or through us (e.g., car make, model, year, odometer reading, and Vehicle Identification Number when you visit our Service Centers), product / service reviews, travel and vacation information, and sweepstakes and contest entries.
5. Communications, such as the content of emails, WhatsApp or text messages, interactions with our sales teams or our bot (AI assistant chatbot), or other communications, call logs, and calendar information, where DIMO is a party to the exchange.
6. Demographic Information, such as age, gender, citizenship, ethnicity, date of birth, family or marital status, household income, education, professional and employment information, family health, number of children, number of cars owned, and software or virtual assets owned.
7. Financial Information, such as credit or debit card numbers, and financial account numbers.
8. Biometric Information, such as voice prints, imagery of the iris or retina, face geometry, and palm prints or fingerprints.
9. Geolocation, such as data about the location of your device, which may be imprecise (i.e., inferred from your device’s IP address). If you provide your consent, this data may be precise.
10. Sensory Information, such as audio, visual information, and other sensory information such as photographs and audio and video recordings.
11. Background Information, such as background checks and criminal convictions.
12. Inferences, such as individual preferences and characteristics. This may include inferences drawn from and related to shopping patterns and behaviours, intelligence, interests, and aptitudes.
13. Marketing and Communications Data: This includes your preferences in receiving marketing from us and our third parties, as well as your communication preferences.
14. Surveillance and Monitoring- use of CCTV Systems: For the safety and security of our customers, patrons, employees, service providers, and business partners, we may operate CCTV systems across our premises. This includes monitoring behaviour within our facilities. Where relevant, CCTV footage may be used to assist investigations into potential or actual criminal, fraudulent, or related incidents. We may also share such footage with law enforcement and/or judicial authorities to support investigations, proceedings, or other legal actions.

2.2. Consequences of Withholding, Inaccurately Providing, or Falsifying Personal Data

Where the collection of Personal Data is mandated by law, required under the terms of a contract with you, stipulated by our website's terms and conditions, or necessary to furnish further information regarding the provision of any of our services, your failure to provide such Personal Data when requested may impede our ability to proceed with your requirements, including the performance of or entry into any contract with you. In such circumstances, we reserve the right to notify you and to cancel or refuse the acceptance of the services you seek.

Furthermore, should we have reason to believe that any Personal Data provided by you is false, inaccurate, constitutes a misstatement of fact, a misrepresentation, an act of identity theft, a violation of any third-party right, or a similar circumstance, we reserve the right to refuse any services you require, terminate any existing contract, and, where relevant, report the matter to the appropriate regulatory authorities.

2.3. How Your Personal Data is Collected

We use various methods to collect Personal Data from and about you:

1. Direct Interactions.

   You (or a person or agent acting on your behalf) may provide us with Personal Data by corresponding with us via post, phone, email, directly through our website, social media platforms, or otherwise. Our data collection spans both offline and online platforms. Offline sources include our Consumer Engagement Centres, branch offices, show rooms, direct marketing campaigns, sweepstakes, surveys and contests. Online, we collect data through our websites, applications, and branded pages on third-party platforms. When you engage with us, we may ask for your Personal Data to better serve your needs.

   We may obtain your personal information from another company within our DIMO Group companies, using it consistently with this Privacy Notice. We might also combine your data with other information to continually enhance our products, services, content, and advertising efforts.

   Some DIMO brands may also collect "special categories of personal data" about you. please see the relevant section below for more details on how we handle this.

2. Automated Technologies or Interactions (This Website and Mobile Applications).

   As you interact with our websites or mobile applications, social media platforms, we automatically collect Technical Data about your equipment, browse actions, and patterns using cookies, server logs, and similar technologies. We may also receive Technical Data if you visit other websites employing our cookies. Our mobile applications may access mobile device information to enhance service delivery. Collected from Another Solution or Asset. - When you speak to customer service we collect your personal information using call recording technology in accordance with applicable law.

3. Third Parties or Publicly Available Sources:

   We may receive Personal Data about you from various third parties and public sources, including:

   1. Analytics providers (e.g., Google-based analytics providers) within and/or outside Sri Lanka.
   2. Advertising networks within and/or outside Sri Lanka.
   3. Search information providers within or outside Sri Lanka.
   4. rusted partnerships with third parties and DIMO accounts on third-party platforms (e.g., "like" functionality on Facebook, +1 functionality on Google+).
   5. Information about interactions with our advertising to measure relevance and success.
   6. Third-party data enrichment providers who may provide insights about the Personal Data we hold.

2.4. Collection of "Special Categories of Personal Data"

"Special categories of personal data" can be categorised as data relating to race, ethnicity, religion, health, sexual orientation, genetic data, or biometric data, and receives additional protection under the law.

We limit the circumstances under which we collect and process these special categories of Personal Data. For instance, DIMO may collect data related to your health to provide tailored advertisements and relevant promotions. DIMO processes such Personal Data only when you have provided explicit consent. In some instances, your request for services or products may imply or suggest your religion, health, or other special categories of Personal Data without direct collection.

We will only process special categories of Personal Data where we can satisfy an additional condition for doing so. Accordingly, we may use one of the following additional conditions for processing special categories of Personal Data, where consent is not the appropriate basis:

1. The processing is necessary to respond to an emergency that threatens your life, health, or safety or that of another natural person.
2. The processing relates to Personal Data which you have manifestly made public.
3. The processing is necessary for the establishment, exercise, or defense of legal claims.
4. The processing is otherwise expressly permitted under relevant laws or regulations of Sri Lanka.

4.1. Purposes for Data Collection and Processing"

"We collect and process your personal data for a variety of essential reasons, ensuring we can provide you with the best possible service, improve our offerings, and operate our business effectively. These purposes include:

• Processing Transactions and Service Delivery: We use your data to process your payments when you purchase our products, provide you with order status updates, fulfill your orders and transactions, and offer comprehensive customer service. This also includes verifying your information, processing payments, and providing any associated financing or similar services.
• Responding to Your Communications: We process your inquiries, complaints and requests to provide accurate and timely answers, ensuring you get the support you need.
• Product and Service Improvement & Development: Your data helps us continuously develop and improve our products, services, communication methods, and the functionality of our websites. This includes undertaking activities to verify or maintain the quality or safety of our services or devices, as well as improving, upgrading, or enhancing them for example, by training our AI systems.
• Contests and Promotions: We use your data for the administration of competitions or promotions you've entered.
• Information and Subscriptions: We manage your registration and/or subscription to our newsletters, advertisements or other communications, ensuring you receive the information you've opted for.
• Business Operations and Analytics: This covers managing our everyday business needs related to your participation in contests, sweepstakes, promotional activities, or requests. It also includes conducting business analysis, such as analytics and projections, to identify areas for operational improvement.
• Identity Verification and Security: We authenticate the identity of individuals who contact us by telephone, electronic means, or otherwise. This is crucial for helping to ensure security and integrity and prevent fraud.
• Internal Training and Quality Assurance: We use data for internal training and quality assurance purposes, making sure our team operates at its best.
• Consumer Insights and Personalization: We analyze your data to understand and assess your interests, wants, and changing needs. This allows us to improve our website, current products and services, and develop new ones. Crucially, this enables us to provide personalized products, communications, and targeted advertising, as well as relevant product recommendations. This also covers short-term, transient use, such as non-personalized advertising shown during your current interaction with us.
• Advertising and Marketing: We perform and provide comprehensive advertising and marketing services, including targeted advertising, to connect you with relevant DIMO offerings.
• Auditing and Monitoring: We conduct auditing and monitoring of transactions and engagement, which includes counting ad impressions to unique visitors, verifying the positioning and quality of ad impressions, and auditing compliance.
• Debugging and Error Resolution: We use data for debugging to identify and repair errors in our systems and services.
• Research and Development: This involves undertaking internal research for technological development and demonstration.
• Fulfilling Legal Obligations: We process your data to meet our legal functions or obligations under laws of Sri Lanka.

When we collect your personal data for other purposes, we will inform you before or at the time of collection.

4.2. Legal Basis for Processing Your Data

Where appropriate, we will ask for your consent to process your personal data. If you have given consent for processing activities, you have the right to withdraw your consent at any time.

In some cases, we rely on legitimate interest (of ours or a third party) for processing your personal data. A legitimate interest could exist, for example, when you sign up for a loyalty scheme with one of our brands and we use the personal data collected to conduct data analytics to improve our products or services. This ground will only be used when it's necessary to achieve a legitimate interest, such as optimizing a service, and does not outweigh your rights as an individual. We assure you that if legitimate interest is used as a ground for processing your personal data, we will keep a record of this, and you have the right to ask for this information.

We also process your personal data to perform a contract to which you are a party or to take steps at your request prior to entering into a contract with you. For instance, we need to process your personal data to deliver a product or service you bought.

Furthermore, we process your personal data when we have a legal obligation (e.g., tax or social security obligations) to do so as per Sri Lanka law. For example, a court order or summons may require us to process personal data for a particular purpose, or we may be compelled to process personal data to report suspicious transactions under local anti-money laundering rules.

In some instances, we may have to process your personal data to respond to an emergency that threatens the life, health, or safety of you or another person.

We also process your personal data where it is necessary for the performance of a task carried out in the public interest.

4.3. Profiling

DIMO may use your personal data to build profiles. We may create these profiles by analysing your online surfing, searching, and buying behaviour, as well as your interactions with our brand communications. This involves building segments (creating groups that have certain common characteristics) and placing your personal data in one or more segments.

These segments are used by DIMO to personalize our website and communications to you (such as showing relevant content when you visit our site or in a newsletter), and to display relevant offers and advertisements from DIMO brands on DIMO sites and via third-party websites. The segments can also be used for third-party campaigns on DIMO sites. DIMO profiles your data where you have provided consent for us to do so by opting in; for example, by accepting the setting of cookies on your browser online or signing up for email newsletters from one of our brands.

You can withdraw your consent to prevent your personal data from being used this way at any time using the manage cookies section of our Cookie Notice or by unsubscribing to the use of your email address if you have logged into one of our websites or signed up for any marketing newsletters..

By way of example, with your consent, DIMO collects personal data from:

• Our websites, regarding what you view and how you interact with our content.
• Our digital display advertising that we serve to you on social platforms and other publisher's websites.
• Forms you fill in online or otherwise and send to us about your interests.
• We also track the products you buy when you click on one of our display adverts and go on to purchase something from a selection of our retail partners.
• If you have asked to receive emails or SMS communications from us, we track whether you open, read, or click on the content to see what interests you. This helps us provide more content that we believe you're likely to enjoy.
• We use this data to profile your likes and dislikes.

Based on this profile information, we may also provide you with advertising (if you have asked us to do so) that we think you will like and want to see as you view content from us or from our network of publishers that we advertise with. Sometimes, with your consent, we may use your current location to serve advertising to you that relates to promotions or events happening nearby that we think you might be interested in.

We also use information you have provided to selected third-parties and consented to be shared, such as your age, sex, life stage, lifestyle, and wider interests. This helps us identify people we think will have similar interests to you and who we believe will be interested in similar advertising.

4.4. Artificial Intelligence Experiences

We may provide Artificial Intelligence (AI) powered applications or experiences such as Chatbots and virtual tools to you (“AI Tools”). For AI powered applications and Bots we will communicate to you that you are interacting with Artificial Intelligence and not a human. Many of these AI Tools will not require you to enter Personal Data. However, in the event that we may collect Personal Data through such AI Tools in accordance with the Privacy Notice. We may share your personal data with the providers of these AI tools for the limited purpose of providing the app/experience to you.

5.1. Within Our DIMO Group of Companies

As part of a larger business group, DIMO may disclose your personal data with other entities within our corporate family. This sharing is done for purposes consistent with this Privacy Notice, allowing for a more integrated and efficient service across our related operations.

5.2. Other Companies and External Partners

We work with various external entities to operate our business, deliver services, and enhance your experience. We may disclose personal data to the following categories of organizations:

• Vendors for Business Operations: We share your personal data with third-party vendors who perform services on our behalf. These vendors are crucial for our day-to-day operations and include, but are not limited to:
  • Shipping and logistics providers
  • Billing and refund processing companies
  • Payment card processors
  • Companies that help us improve our products and services
  • Cloud hosting or website operating providers
  • Data analysis and customer service providers
  • Sponsors or other third parties involved in administering our promotions

  These vendors only have access to the personal data necessary to perform their functions and are contractually prohibited from using it for other purposes. They must process this personal data in accordance with this Privacy Notice, subject to appropriate safeguards, and only as permitted by the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (the “PDPA”).

• Marketplace and Direct-to-Customer Partners: We collaborate with companies that provide products or services directly to you, whether through a DIMO Marketplace (if applicable) or through co-branded and other promotional activities. When we share your personal data with these partners, they are specifically prohibited from using it for any purpose other than making their products or services available to you. For co-branded programs, DIMO may receive compensation for the co-branded activity.
• Advertising, Marketing, and Related Technology Partners: We work with various partners to market our products to you and to provide advertising services to other companies. This includes:
  • Advertisers: Companies that place ads through our advertising services. They may use pixels or cookies in their ads to collect information to help them understand how you respond to their ads.
  • Publishers: Companies that operate websites you visit (e.g., online news sites). We share personal data with publishers to help us serve ads to you on their websites and to help us understand ad performance.
  • Social Media Platforms: We share personal data with social media platforms to help us serve relevant ads to you on those platforms.
  • Advertising Technology Providers: Companies that use cookies, pixels, beacons, and similar technologies to tailor the ads you see. These include ad servers, advertising agencies, technology vendors supporting media buying and selling, and research firms. For more information about your choices related to interest-based advertising, please refer to the "How Can You Set Your Preferences?" section of this Privacy Notice.
  • Data Technology Vendors: Technology providers that help us manage and automate the use of collected data (including personal data), such as those automating advertising services or managing identity.
  • Measurement and Analytics Vendors: Companies that provide aggregate reporting on our website performance, the effectiveness of our advertising campaigns, services (e.g., Google Analytics) and research.
• DIMO Suppliers and Other Third Parties: To enhance customer experiences, we may offer insights and related services to companies, including our suppliers who provide us with products and services. These insights are derived by combining information, such as shopping history from many customers, in a way that does not directly identify you. DIMO may receive payment for these insights.

5.3. Legal Requirements and Protection of Our Company and Others

We may disclose your personal data when required by law or legal process, or when we genuinely believe it is necessary to protect the safety, property, or rights of individuals or DIMO. Examples include:

• Complying with Legal Obligations: To fulfill a legal obligation as per Sri Lankan law, such as responding to a court order, search warrant, or other valid legal inquiry.
• Governmental Investigations: At the request of governmental authorities conducting an investigation.
• Fraud and Security: To detect and protect against fraud, financial risk, or any technical or security vulnerabilities. This also includes assisting with fraud prevention and potential criminal activity.
• Emergency Situations: To respond to an emergency threatening the life, health, or safety of individuals.
• Protecting Rights and Property: To verify or enforce our "Terms of Use" or other applicable policies, or to protect the rights, property, safety, or security of third parties, visitors to DIMO's websites, DIMO, or the public.
• Alleged Breaches: Responding to a court or other investigative body in the case of an alleged breach of an agreement or violation of law.

5.4. Business Transfers

Should DIMO plan to merge, sell, or reorganize its business, your personal data, along with personal data of other DIMO customers, may be disclosed as part of the business arrangement. This may also include transfers of personal data made as a part of insolvency or bankruptcy proceedings. In such transactions, your personal data is generally one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless you consent otherwise). If another entity acquires DIMO, our businesses, or substantially all or part of our assets, or assets related to DIMO’s websites, your personal data will be disclosed to such entity as part of the due diligence process and will be transferred to such entity as one of the transferred assets. We will use reasonable measures to help ensure your information is handled in accordance with this Privacy Notice.

7.1. What are cookies?

Simply put, cookies are small text files, often containing letters and numbers, that are sent to your computer or device when you visit websites and use online services. If your web browser is set to accept them, these cookies are stored on your computer's hard drive. They allow our website, and sometimes other websites, to remember your preferences and to personalize content for you.

7.2. Your Choices:

You have control over cookies. You can adjust your browser settings to refuse all or some browser cookies, or to alert you when websites attempt to set or access cookies. However, please be aware that if you disable or refuse cookies, some parts of this website may become inaccessible or might not function properly.

For more detailed information about the specific cookies we use, please refer to our dedicated Cookie Policy.

8.1. Your Data Protection Rights

At DIMO, when we process your personal data, you have several important rights regarding how that data is handled. You can exercise these rights at any point, and we've outlined them below:

• The Right to Be Informed: You have the right to receive clear, transparent, and easily understandable information about how we use your personal data and what your rights are. This Privacy Notice serves to provide you with that information.
• The Right to Access, Rectification, and Completion: You have the right to access your personal data, and to request that we correct or complete any inaccurate or incomplete information we hold about you at any time.
• The Right to Erasure : Under specific circumstances, you can ask us to delete your data. If you wish to have your personal data deleted, please let us know. We'll take reasonable steps to respond to your request in line with legal requirements. If the personal data we collected is no longer needed for any purpose, and we're not legally required to keep it, we'll do our best to delete, destroy, or permanently de-identify it.
• The Right to Restrict Processing: In certain limited situations, you have the right to request that we restrict the processing of your personal data. This might apply, for example, if we're legally required to maintain your data for evidentiary purposes under Sri Lankan law or due to a court order, even if you've requested rectification.
• The Right to Object: Under specific circumstances, you have the right to object to the further processing of your personal data.
• The Right to Lodge a Complaint with the Data Protection Authority: You have the right to file a complaint directly with the Data Protection Authority of Sri Lanka if you have concerns about how we process your personal data.
• The Right to Withdraw Consent: If you've given us your consent to process your personal data (meaning we rely on your consent as the legal basis), you have the right to withdraw that consent at any time. Please note that withdrawing consent doesn't make any processing we've done with your consent up to that point unlawful.
• Rights Related to Automated Decision-Making: In certain circumstances, you have the right to request a review of a decision we've made that's based solely on automated processing, especially if it has or is likely to have a significant and lasting impact on your rights and freedoms.

8.2. How to Exercise Your Rights

You can exercise any of these rights by sending a request via email as stated in 12. below or by submitting a request through the "Contact Us" form on our websites.

Please note that we may charge a reasonable administrative fee for any requests we consider unreasonable or excessive, or for any additional copies of your Personal Data that you may request.