Legal

Privacy Policy

Last updated: June 1, 2026 · Effective in Sri Lanka and worldwide.

1. Introduction

HASA GOLD STORE Pvt Ltd ("HASA", "we", "our", "us") is a Sri Lankan company registered with the Registrar of Companies. We operate hasa.lk and the HASA GOLD STORE platform. This Privacy Policy explains what data we collect about you, why, and how we keep it safe.

This policy is written in line with Sri Lanka's Personal Data Protection Act No. 9 of 2022 (PDPA) and incorporates principles from the GDPR.

2. What information we collect

  • Account data: name, email, phone number, profile photo, password (hashed).
  • Gaming data: Player IDs and Server IDs you submit for top-up delivery.
  • Payment data: billing details, card last 4 digits, transaction history. Full card numbers are never stored — they are tokenized by our certified payment gateways.
  • Usage data: device type, browser, IP address, pages visited, referrer.

3. How we use your data

  • To process top-up orders and deliver them to the correct in-game account.
  • To verify your identity, prevent fraud and comply with KYC obligations.
  • To send transactional notifications via email, SMS and WhatsApp.
  • To improve the product, debug issues and analyze trends (always aggregated).
  • With your consent, to send promotions and personalised game recommendations.

4. Sharing with third parties

We share data only with vetted processors needed to run the service: payment gateways (PayHere, Stripe, Coinbase Commerce), game publishers (Garena, Tencent, Moonton), SMS/email providers (Twilio, Resend), and analytics (PostHog). We never sell your personal data.

5. Your rights

Under Sri Lanka's PDPA you may:

  • Access and download a copy of your personal data.
  • Correct or update inaccurate data.
  • Request deletion ("right to be forgotten").
  • Withdraw marketing consent at any time.
  • Lodge a complaint with the Data Protection Authority of Sri Lanka.

Submit requests to privacy@hasa.lk. We respond within 14 days.

6. How we protect your data

All traffic is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed with Argon2id. We run quarterly penetration tests and our infrastructure is hosted in PCI-DSS compliant data centers.

7. Data retention

We retain account data while your account is active and for 7 years thereafter to comply with Sri Lankan tax law. You may request earlier deletion subject to outstanding obligations.

8. Cookies

We use strictly-necessary cookies for login and checkout, plus optional analytics cookies (PostHog). You can decline non-essential cookies in our cookie banner without losing functionality.

9. Children

HASA GOLD STORE is not intended for users under 13. If you believe a minor has signed up, contact privacy@hasa.lk and we will delete the account.

10. Changes to this policy

We'll notify you of material changes via email and an in-app banner at least 14 days before they take effect.

Questions about this policy? Email legal@hasa.lk or visit our contact page.