+94778854121

PRIVACY POLICY

First Light Tours (Private) Limited

Last Updated: March 25th 2026

  1. INTRODUCTION
    First Light Tours (ΓÇ£weΓÇ¥, ΓÇ£usΓÇ¥, or ΓÇ£ourΓÇ¥) is committed to protecting the personal data of our clients in accordance with the EU General Data Protection Regulation (GDPR) and the Sri Lanka Personal Data Protection Act No. 9 of 2022. This policy applies to all individuals located in the European Union (EU) and European Economic Area (EEA) whose data we process.
  2. DATA WE COLLECT
    In addition to standard identity and contact data, we collect data specific to our photography tours:

    • Identity and Contact: Name, passport details, phone number and email.
    • Photographic Data: Images and videos taken during our tours in which you are identifiable are considered “personal data” under GDPR.
    • Special Category Data: We may collect dietary requirements (which may reveal religious beliefs) or health information to ensure your safety on tour. We process this only with your explicit, opt-in consent.

  3. LEGAL BASIS FOR PROCESSING
    We process your data under the following legal grounds:

    1. Contractual Necessity: To book your hotels, transport, and guiding services.
    2. Consent: For marketing communications and the use of your likeness in promotional activities.
    3. Legal Obligation: To comply with Sri Lankan tax, immigration, and police registration laws.

  4. INTERNATIONAL DATA TRANSFERS (EU TO SRI LANKA)
    Because First Light Tours is based in Sri Lanka, your personal data will be transferred outside the EEA.

    • Standard Contractual Clauses (SCCs): As Sri Lanka does not have an EU “adequacy decision,” we ensure your data is protected by using Standard Contractual Clauses approved by the European Commission. These clauses legally bind us to provide the same level of data protection as required within the EU.

  5. DATA RETENTION
    We retain your basic identity and financial data for six years after your tour concludes to satisfy Sri Lankan tax and reporting requirements. Photographic data used for marketing is retained until you withdraw your consent.

  6. YOUR RIGHTS (GDPR)
    As an EU data subject, you have the following rights:

    • Right to Access: Request a copy of the data we hold on you.
    • Right to Erasure (ΓÇ£Right to be ForgottenΓÇ¥): Request that we delete your data where it is no longer legally required.
    • Right to Withdraw Consent: You may withdraw your consent for us to use your photographs or send marketing emails at any time. Withdrawal of consent is as easy as giving it; simply email info@firstlighttours.com.

  7. PHOTOGRAPHY AND MODEL RELEASES
    We do not use your image for marketing without your explicit, informed consent.

    • Opt-In: Consent must be given via an affirmative action (e.g., checking an un-ticked box on our booking form).
    • Street Photography: During tours, we adhere to ethical photography standards. If we capture a candid “street” image of you, we will seek your verbal or written consent before publishing it.

  8. DATA SECURITY
    We have implemented strict technical and organizational measures to prevent your personal data from being lost, used, or accessed in an unauthorized way.