Privacy Policy
Last updated: June 2026
Summary: TipMe.lk values your privacy. We collect and process data in strict compliance with the **Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA)**. We explain our technical and non-technical data collection, storage, tracking, and deletion procedures below. We do not sell your data, and we do not share your details with SMS providers other than minimum routing information required to deliver transaction alerts to you.
1. Introduction & Scope
TipMe.lk ("Platform", "we", "our", or "us"), operated by GRATIFIER GLOBAL (PRIVATE) LIMITED (Company Registration No. PV00353545, registered in Sri Lanka under the Registrar of Companies), provides a voluntary digital tipping system. This policy explains, in both technical and non-technical terms, how we collect, track, process, secure, retain, and delete user data. It applies to all creators, service professionals, and tipping contributors using the Platform.
2. Sri Lanka Personal Data Protection Act (PDPA) Alignment
In compliance with the **Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA)**, TipMe.lk acts as the **Data Controller** for the personal data collected from Sri Lankan citizens and residents using our tipping services.
Your Rights under the PDPA:
- Right of Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You can request corrections to inaccurate or incomplete personal data via your dashboard.
- Right to Erasure ("Right to be Forgotten"): You may request the permanent deletion of your account and personal records.
- Right to Object/Restrict Processing: You have the right to object to specific processing operations (e.g., promotional communications).
- Right to Withdraw Consent: Where data processing is based on consent, you may withdraw it at any time.
Processing of Sensitive Personal Data (KYC):
Under the PDPA, national identifiers (National Identity Card - NIC, Passport images) are classified as sensitive personal data. We collect this information solely to fulfill financial verification obligations (Know Your Customer) and prevent money laundering. This data is handled through encrypted storage and is only accessible by verified verification personnel.
Data Protection Officer (DPO): For queries regarding your rights under the PDPA, please contact our DPO at dpo@tipme.lk.
3. Granular Data Tracking Details
To maintain platform security, prevent transaction fraud, and optimize delivery performance, we perform automated data tracking. Below is the technical breakdown and non-technical explanation of this tracking:
IP Addresses & Approximated Geolocation
Technical explanation: The server logs the client IPv4 or IPv6 address headers (`REMOTE_ADDR`, `HTTP_CF_CONNECTING_IP`) and matches them against database ranges to approximate location.
Non-technical explanation: We check the country/region of your network connection to verify transaction validity and block suspicious transactions coming from high-risk regions.
Browser User-Agents & Device Metadata
Technical explanation: We parse the HTTP request headers (`User-Agent`) to detect operating systems, browser engines, device viewports, and screen dimensions.
Non-technical explanation: We use this to properly format pages for your specific device (mobile, tablet, or desktop) and to detect automated scripts attempting fraud.
Cloudflare Turnstile (Bot Protection)
Technical explanation: Turnstile runs client-side JavaScript challenges and submits token payloads to Cloudflare's validation API (`https://challenges.cloudflare.com/turnstile/...`).
Non-technical explanation: This prevents automated spam bots from submitting forms, brute-forcing accounts, or triggering fake signups.
SMS Gateways (Hutch & Dialog)
Technical explanation: When triggering SMS alerts, our system makes API requests containing only the recipient phone number and transaction details (e.g. amount, receipt reference) to Hutch and Dialog networks.
Non-technical explanation: We work with Hutch and Dialog to send SMS updates directly to your mobile phone. **We do not share any personal profile information or credentials** with these telecom providers. We only transmit the bare minimum transaction details necessary to route and deliver the text messages to you.
Third-Party Advertising Tracking Pixels (Meta, Google, & TikTok)
Technical explanation: We embed scripts on the client-side that download tracking SDKs from Meta (Facebook Pixel), Google Ads, and TikTok. These scripts collect page view events, button clicks, registration completion flags, and browser cookie identifiers to construct cross-platform attribution records.
Non-technical explanation: We use tracking pixels from Meta, Google, and TikTok to measure how users interact with our site after clicking our ads, build target audience parameters, and run relevant promotional campaigns. You can opt-out of behavioral ad tracking using your social media settings or your browser privacy configurations.
4. External Providers Integration (Google & Facebook)
We integrate API OAuth services from Google and Facebook to provide passwordless login options. When you use these services, the following policies apply:
Google OAuth Integration
Data Accessed: The specific types of Google user data accessed by our platform include your email address, Google unique identifier, name, and profile picture URL.
Data Usage: We process this Google data to verify your identity, auto-fill your registration form, establish your TipMe profile, and associate your social login with your existing account. This ensures secure passwordless login.
Data Sharing: TipMe.lk does not share your Google user data with any third parties under any circumstances, unless compelled to do so by applicable laws of Sri Lanka.
Data Storage & Protection: Google user data is stored in our secure database. It is protected by SSL/TLS encryption during transit and strict access control measures at rest.
Data Retention & Deletion: Google user data is retained for the lifetime of your TipMe account. You can request the permanent deletion of your account and all associated Google data by contacting support@tipme.lk or via your profile dashboard settings. Data will be purged completely within 30 days of request.
By using Google Login, in addition to the above policies, you will also be under the policies below. Click to read more:
Facebook Login Integration
Data Accessed: If you choose Facebook login, we access your public profile (Facebook ID, name, profile image) and registered email address (if permissions are granted).
Data Usage: We use this details to create your user account, pre-fill registration fields, link your Facebook login, and show your public-facing display name on TipMe.
Data Sharing & Storage: We do not sell or share Facebook user data with third-party vendors. The data is securely stored on our servers under standard encryption protocols.
Data Deletion: You can delete your Facebook login link directly in your profile dashboard or request account deletion via email at support@tipme.lk. This will fully delete all retrieved Facebook data within 30 days.
By using Facebook Login, in addition to the above policies, you will also be under the policies below. Click to read more:
5. Data Storage and Protection
All personal data is processed using modern encryption standards. Data is protected by SSL/TLS protocols during transit and stored on secure cloud database servers. Our database access is audited regularly and restricted. All user passwords are encrypted using one-way bcrypt hashing before storage, ensuring that passwords cannot be retrieved or read, even by system administrators.
6. Data Retention and Deletion
We retain your data for the lifetime of your active account. If you choose to close your account, you can request full deletion. Upon receipt of your deletion request at support@tipme.lk, all profile pictures, linked social identifiers, names, bios, and email details will be completely purged from active systems within 30 days. Ledger transactions are anonymized for tax and compliance requirements under Sri Lankan financial regulations.
7. Contact Information
For inquiries, exercise of data rights, or complaints, please reach out to us:
- General Support: support@tipme.lk
- Data Protection Officer: dpo@tipme.lk