Privacy Policy

Effective date: Jan 07, 2026

Privacy Policy of Bitcore Technologies (Pvt) Ltd, operating under the Bitnomi brand

Bitnomi (the "Company", "we", "us", or "our"), a Virtual Asset Service Provider ("VASP") incorporated and operating in Sri Lanka, is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you access or use our portal (the "Portal"), register an account, or engage in our services related to virtual assets (the "Services").

This Privacy Policy is in compliance with the Personal Data Protection Act, No. 9 of 2022 ("PDPA"), the Financial Transactions Reporting Act, No. 6 of 2006 ("FTRA"), the Prevention of Money Laundering Act, No. 5 of 2006 ("PMLA"), Financial Action Task Force ("FATF") recommendations (particularly Recommendation 15 on virtual assets and VASPs), directives from the Central Bank of Sri Lanka ("CBSL") and the Financial Intelligence Unit ("FIU"), and other applicable laws in Sri Lanka (collectively, the "Applicable Laws").

By accessing the Portal, registering an account, or using our Services, you consent to the practices described in this Privacy Policy. You must review and accept this Policy (by ticking the relevant box) before onboarding. If you do not agree, you must not use our Services.

We may update this Privacy Policy to reflect changes in Applicable Laws or our practices. Updates will be posted on the Portal with notice provided via email or the Portal.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual (data subject), including sensitive personal data (e.g., biometric data, financial information, or data revealing ethnic origin), as defined under the PDPA.

  • Processing: Any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.

  • Data Subject: You, the individual whose personal data we process.

2. Personal Data We Collect

We collect the following categories of personal data:

  • Identity and Contact Data: Name, date of birth, National Identity Card/passport number, address, email, phone number.

  • Financial and Transaction Data: Bank account details, source of funds/wealth, transaction history, wallet addresses.

  • KYC/AML Data: Proof of identity/address, biometric data (if applicable), politically exposed person (PEP) status.

  • Technical and Usage Data: IP address, device information, browsing activity on the Portal, login details.

  • Sensitive Personal Data: Where required for enhanced due diligence under Applicable Laws (e.g., health data for risk assessment, if disclosed).

We collect this data directly from you during registration, onboarding, transactions, or ongoing monitoring, or indirectly through third-party verification services.

3. Purposes and Legal Basis for Processing

We process personal data only for lawful purposes under the PDPA and Applicable Laws, including:

  • To provide and manage Services (e.g., account creation, VA transfers).

  • To comply with legal obligations, particularly AML/CFT requirements:

      • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) under FTRA and FATF Recommendations.

      • Transaction monitoring and reporting suspicious activities to the FIU.

      • Compliance with the Travel Rule (transmitting originator/beneficiary information for VA transfers).

      • Sanctions screening.

  • To assess and manage risks (ML/TF/PF).

  • For security, fraud prevention, and Portal improvement.

  • To communicate with you (e.g., service updates, alerts).

  • With your consent, for marketing (revocable at any time).

Processing is necessary for contract performance, legal compliance, legitimate interests (e.g., risk management), or consent.

4. Disclosure of Personal Data

We may disclose your personal data to:

  • Counterparty VASPs: Required originator/beneficiary information under the Travel Rule (FATF Recommendation 16).

  • Regulators and Authorities: FIU (for suspicious transaction reports), CBSL, Data Protection Authority (DPA), law enforcement, or courts as required by law.

  • Service Providers: Third-party processors (e.g., KYC verification, cloud storage, analytics) bound by confidentiality and PDPA-compliant agreements.

  • Affiliates or in Business Transfers: In case of merger, acquisition, or asset sale.

We do not sell your personal data. Disclosures for AML/CFT purposes override confidentiality obligations under Applicable Laws.

5. International Transfers

Personal data may be transferred outside Sri Lanka (e.g., to counterparty VASPs or cloud providers). Transfers comply with PDPA requirements, including adequacy decisions, appropriate safeguards (e.g., standard contractual clauses), or exceptions (e.g., legal compliance or consent).

6. Data Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or breach, including encryption, access controls, and regular audits, in line with PDPA and FATF standards. In the event of a data breach likely to affect your rights, we will notify you and the DPA as required.

7. Data Retention

We retain personal data only as long as necessary:

  • For transaction records: At least 5-6 years under FTRA and FATF Recommendation 11.

  • For other data: As required for Services, legal compliance, or dispute resolution. 

After retention periods, data is securely deleted or anonymized.

8. Your Rights as a Data Subject

Under the PDPA, you have the right to:

  • Access your personal data.

  • Rectify inaccurate data.

  • Erase data (where not required for legal compliance).

  • Restrict or object to processing.

  • Withdraw consent (where processing is consent-based).

  • Request data portability (in certain cases).

  • Lodge a complaint with the Data Protection Authority (DPA) at www.dpa.gov.lk.

To exercise rights, contact our Data Protection Officer (details below). We respond within the timelines prescribed by PDPA (e.g., 21 business days). Rights may be limited for AML/CFT compliance (e.g., retention for reporting).

9. Cookies and Tracking Technologies

The Portal uses cookies for functionality, security, and analytics. You can manage preferences via browser settings.

10. Children's Data

We do not knowingly process data of individuals under 18 years without parental consent.

11. Contact Us

For questions, requests, or complaints:

Data Protection and Compliance Officer: M.S.Jeyapriyanthan, Priyanthan@bitnomi.com

Address: Bitcore Technologies (Pvt) Ltd, No.56, Vijaya Kumaratunga Mawtha, Colombo 5, Sri Lanka

12. Governing Law

This Privacy Policy is governed by the laws of Sri Lanka.

Acceptance: By ticking the box and proceeding with onboarding, you confirm you have read, understood, and agree to this Privacy Policy.