Last updated: 1 April 2026 · Effective: 1 April 2026 · Version 4.2
1. Who we are
TaxWise (Pvt) Ltd is a company incorporated in Sri Lanka (Reg. No. PV 00307914) with its registered office at No. 42, 4th Floor, Janadhipathi Mawatha, Colombo 01. We are the data controller for the personal data described in this policy.
2. The data we collect
- Identification: name, NIC, Tax Identification Number (TIN), date of birth.
- Contact: email, mobile number, postal address.
- Financial: salary, freelance receipts, bank-interest statements, rent income, dividends, capital gains, EPF/ETF balances, and any documents you upload to substantiate a relief.
- Account: hashed password, 2FA secret, login timestamps, IP address, device fingerprint.
- Usage: the pages you visit within TaxWise, the actions you take, the questions you ask the AI assistant.
- Cookies: session cookies (required) and a single first-party preferences cookie. We do not place third-party advertising cookies.
3. Why we collect it
We collect this data to (a) prepare and file your tax returns with the Inland Revenue Department, (b) operate and improve TaxWise, (c) provide customer support, (d) comply with our own legal obligations under the Inland Revenue Act, the Companies Act, and the Personal Data Protection Act No. 9 of 2022.
4. Legal basis
Our legal basis for processing personal data is, in most cases, performance of a contract with you (the engagement to prepare and file your return). For certain categories — fraud prevention, audit retention, AML screening — we also rely on compliance with a legal obligation. We do not rely on consent to process the data necessary to perform our core service. For optional features (such as the AI assistant), we ask for explicit, separable consent that you may withdraw at any time.
5. Who we share it with
- Inland Revenue Department of Sri Lanka — the actual filings, on your instruction.
- Payment processors — name, billing address, and transaction amount only (not return contents).
- Our cloud infrastructure provider (Amazon Web Services, ap-south-1 and ap-southeast-1 regions) — as a data processor under a written Data Processing Agreement.
- Court or regulatory order — only if compelled by valid Sri Lankan legal process, and only the minimum required.
We do not sell, rent, or share your personal data for marketing.
6. How long we keep it
Tax return data is retained for seven (7) years after the end of the relevant assessment year — the period the IRD requires you to retain supporting records. After that, we delete or fully anonymise it within 30 days. Account metadata (last login, hashed password) is deleted within 30 days of account closure.
7. Your rights under the PDPA
You have the right, under the Personal Data Protection Act, to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Request erasure (subject to our seven-year retention obligation above).
- Restrict or object to processing.
- Receive your data in a portable format (JSON or PDF).
- Lodge a complaint with the Sri Lankan Data Protection Authority.
Exercise any of these rights by emailing privacy@taxwise.lk. We will respond within 14 days.
8. Children
TaxWise is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has used the service, please contact us and we will delete the account.
9. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email at least 30 days before taking effect. The version number and "Last updated" date at the top of this page reflect the latest revision.
10. Contact
Data Protection Officer · Tharushi Bandara
Email: privacy@taxwise.lk
Post: TaxWise (Pvt) Ltd, Attn: DPO, No. 42, 4th Floor, Janadhipathi Mawatha, Colombo 01, Sri Lanka.