Privacy Policy

Last updated: 31/12/2025

Central Finance Company PLC (“we”, “us”, “our”) is committed to safeguarding the privacy and security of the personal information you provide to us. This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our services.

By accessing or using our website, mobile applications, or services, you confirm that you have read, understood, and agreed to this Privacy Policy and consent to the collection, use, and disclosure of your personal data as described.

If you do not agree with this Privacy Policy, please refrain from using our services or providing personal data. If you wish to withdraw consent after providing personal data, you may do so at any time by contacting us. Upon receiving your request, we will take reasonable steps to delete your information, subject to legal or contractual obligations.

In accordance with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (PDPA), you have the right to lodge a complaint or appeal with the Data Protection Authority if you believe your personal data has been mishandled.

The information on this website does not constitute professional advice. Users should seek appropriate professional advice when required.

This Privacy Policy applies to personal data collected through:

• Central Finance Company PLC official website (https://cf.lk)
• Online platforms (https://careka.lk, https://careka.lk/tukeka)
• Mobile applications, including CF Click App and Centrix Payment App
• Online services (advertising, telephone services)
• Offline services (branch visits, paper applications, etc.)
• Third-party sources such as public databases or social media, where permitted by law

This policy also applies to personal data obtained through recruitment processes, customer complaints, and feedback systems.

The privacy of our customers is of utmost importance to us and this policy is to ensure the confidentiality of any personal data that you provide to us, or that we collect from you whilst you visit our Site/CF Click Mobile App is in keeping with applicable data protection regulations.

The policy covers information and data collected on this Website, our online advertisements and communications via computer, mobile or other electronic device.
We reserve the right to change or otherwise update this Privacy Policy at any time. Such changes or updates are effective immediately after we give notice of the change or update, which we may do by revising the “Date of Last Revision” date of this Privacy Policy or by otherwise posting on the Website. Your use of the Website after such notice is posted means that you accept these changes or updates. You agree that Company shall not be liable to you for any damages that might result from any changes to the Privacy Policy, if any.

We may collect the following categories of personal data:

• Identification Data: Name, National Identity Card (NIC) number, passport number, driver’s license number
• Contact Information: Address, email address, telephone number
• Financial Data: Bank account details, credit or debit card details, transaction history
• Employment Data: Job title and employment history (where relevant)
• Digital Information: IP address, browser type, device details, cookies, website usage data
• Sensitive Personal Data: Health information (where relevant) and biometric data for identification and security purposes

We collect personal data through:

• Information you provide directly when applying for services, completing forms, or communicating with us
• Automatic collection when you interact with our website or mobile applications (cookies, usage data)
• Third-party sources such as public databases, credit reference agencies, and social media, in compliance with law

We use cookies to improve functionality, analyze website traffic, and enhance user experience. You can manage cookie preferences through your browser settings. For more details, please refer to our Cookie Policy.

We process personal data for the following purposes:

• Service provision and account management
• Marketing and promotional communications (with consent)
• Compliance with legal and regulatory obligations (AML, CTF, fraud prevention)
• Research and development to improve products and services
• Customer support and complaint handling
• Security, risk management, and fraud prevention

We process personal data based on:

• Consent
• Contractual necessity
• Legal obligation
• Legitimate interest, including system security and service improvement

Under the PDPA Sri Lanka, you have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Request erasure where data is no longer required
• Restrict processing in certain circumstances
• Data portability in a machine-readable format
• Object to processing, including direct marketing
• Withdraw consent at any time
• Lodge a complaint or appeal with the Data Protection Authority
• Be informed about data processing activities
• Request safeguards against automated decision-making and profiling

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or to meet statutory requirements. Data is securely destroyed or anonymized when no longer required.

We may disclose personal data to:

Third-Party Service Providers and Group Companies

Including providers of:

• Administrative and back-office services
• IT and system support
• Customer service and communications
• Marketing and analytics
• Payment processing and financial services
• Insurance-related services
• Legal, compliance, and audit support

All third parties are contractually bound to protect personal data.

Government and Regulatory Authorities

Including:

• Central Bank of Sri Lanka
• Financial Intelligence Unit
• Inland Revenue Department
• Commission to Investigate Allegations of Bribery or Corruption
• Credit Information Bureau of Sri Lanka
• Personal Data Protection Authority
• Courts and law enforcement agencies

Business Transfers

In the event of mergers, acquisitions, or restructuring, personal data may be transferred subject to confidentiality safeguards.

Where personal data is transferred outside Sri Lanka, we ensure adequate data protection measures or contractual safeguards are in place in compliance with applicable laws.

We implement robust security measures, including:

• Encryption of data at rest and in transit
• Data loss prevention mechanisms
• Strict access controls
• Continuous monitoring and security audits
• Incident response and breach management procedures

In the event of a data breach posing a risk to your rights, we will notify affected individuals and the Data Protection Authority within the timeframe required by law.

We may obtain credit information from the Credit Information Bureau of Sri Lanka (CRIB) to assess service eligibility, in compliance with applicable laws.

We operate CCTV systems within our premises for security and asset protection based on legitimate interest under the PDPA.
Footage is retained for a limited period and used solely for security purposes.

We may update this policy periodically. Any significant changes will be published on our website, and users are encouraged to review this policy regularly.

For questions or to exercise your data protection rights, please contact:

Data Protection Officer (DPO)
Email: dpo@cf.lk
Phone: +94 11 230 0555
Mailing Address:
Central Finance Company PLC
270, Vauxhall Street
Colombo 02
Sri Lanka