Privacy Policy
Revello Specialty (“Revello Specialty”, “we”, “our”, or “us”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, store and protect personal data in connection with our handcrafted chocolates, desserts and baked products sold online through https://www.revellospeciality.com and related services. We process personal data in compliance with the Personal Data Protection Act, No. 9 of 2022 (Sri Lanka) and other applicable laws.
1. Controller and contact details
The data controller is Revello Specialty, a brand operating under CBL Foods International (Pvt) Ltd, a subsidiary of the CBL Group.
General enquiries: General number – 011 500 0000
Website: https://www.revellospeciality.com
2. Data Protection Officer (DPO) contact
If you have any questions about this policy or wish to exercise your data subject rights, please contact our Data Protection Officer:
Parami Jayawardene — Data Protection Officer
Phone (general): 011 500 0000
Mobile: 076 678 0306
Email: paramij.cblcs@cbllk.com
3. Who this policy applies to
This policy applies to:
- Customers who purchase or order our products via https://www.revellospeciality.com/
- Delivery recipients whose details are provided by customers for delivery purposes.
- Visitors and users of our website and our social media channels.
If you provide personal data of another person (e.g., a delivery recipient), you must ensure you have informed them of this disclosure and directed them to this Privacy Policy.
4. Purposes of processing & legal bases
We process personal data for the following purposes and legal bases:
- Performance of a contract (primary)
Purpose: to accept, process, fulfil and deliver online orders for handcrafted chocolates, desserts and baked products; to manage payments, refunds and order communications.
Legal basis – necessary to perform the contract between you and Revello Specialty.
- Legal and regulatory compliance
Purpose: respond to lawful requests by authorities, prevent/detect fraud, maintain records as required by law.
Legal basis – compliance with legal obligations.
- Legitimate interests
Purpose: improving website/usability, analytics, fraud prevention, safety & security of our systems, and direct marketing where permitted. We will balance our legitimate interests against your rights; you may object to certain legitimate interest processing (see Section 9).
Legal basis – legitimate interests of Revello Specialty or third parties.
- Consent
Purpose: where required (e.g., marketing emails, newsletters, special categories of data, certain analytics or tracking).
Legal basis – your explicit consent. You may withdraw consent at any time without affecting processing based on consent before withdrawal (see Section 9).
5. Categories of personal data collected
We collect the following categories of personal data:
Identity & contact data
- Full name, delivery recipient name, billing and delivery addresses, telephone/mobile number, email address.
Order & transaction data
- Order details, product preferences, invoice/receipt information, payment transaction reference (we do not store full card details on our servers where third-party payment processors are used).
Financial/payment data
- Payment instrument identifiers or masked card details as required to complete the transaction (full card data is processed by our payment gateway).
Communications
- Correspondence with customer service (emails, messages, call records where recorded for quality/control).
Device & technical data
- IP address, device identifiers, browser and operating system, cookies and similar tracking technologies, time zone.
Location data
- Delivery location, GPS coordinates or directions where provided to enable delivery.
Preferences & profile data
- Marketing preferences, purchase history, account information (if you create an account), product reviews.
Non-sensitive only
We do not intentionally collect special categories of personal data (sensitive data such as race, religion, political opinions, health) unless you voluntarily provide them and we have a lawful basis to process them.
6. Recipients / third parties with whom data may be shared
We may share your personal data with:
- Service providers and processors who support our business: payment gateways, payment processors, website host, cloud providers, analytics providers, marketing platforms, email providers, CRM suppliers.
- Logistics & delivery partners for order fulfilment and delivery.
- Customer support vendors who assist with inquiries or technical support.
- Professional advisors such as auditors, legal counsel and accountants.
- Government, regulatory and law enforcement authorities when required by law or to respond to legal requests.
- Affiliates in the CBL Group where necessary for group-wide services (e.g., billing, IT support) and in compliance with data protection safeguards.
We will only share the personal data necessary for the recipient to perform their function and require contractual or other safeguards to protect the data.
7. Cross-border transfers
Personal data may be processed and stored in jurisdictions outside Sri Lanka by our service providers (such as cloud hosting providers, email service providers, or payment processors). Where personal data is transferred outside Sri Lanka, we will ensure that such transfers are carried out in compliance with applicable law, including the Sri Lanka Personal Data Protection Act.
Where required under Section 26 (3) (a), we will obtain the explicit consent of the data subject for cross-border transfers of personal data. In addition, we will ensure that appropriate safeguards are in place, such as contractual clauses, vendor assessments, or other lawful transfer mechanisms, to protect personal data and ensure an adequate level of data protection.
8. Data Retention – how long we keep personal data
We retain personal data only for as long as necessary for the purposes described in this policy and to meet legal, accounting, or reporting obligations. Retention periods are determined based on the type of data and applicable statutory requirements.
Retention criteria include:
- Order and transaction records: Retained for the duration necessary to manage and complete your order, plus the legally required period for bookkeeping, accounting, and warranty purposes (as per applicable Sri Lankan regulations).
- Customer account data: Retained while your account remains active, and for a reasonable period after account closure to ensure security, fraud prevention, and compliance.
- Marketing data: Retained until you withdraw your consent or opt out of marketing communications.
- Customer service and support communications: Retained as long as necessary for dispute resolution, quality assurance, or to comply with recordkeeping obligations.
- Backup copies and system logs: Retained only for limited periods necessary for operational continuity and security purposes.
If a specific retention period is required by law for a given category of data (such as tax or financial records), we comply with that statutory period and delete or anonymize the data thereafter.
If a customer deletes their registered account, all associated personal data will be permanently deleted.
For customers who do not create an account, personal data collected for order fulfillment will be deleted once the order has been successfully delivered and closed.
9. Data subject rights and how to exercise them
Subject to applicable law, you have the following rights:
- Right of access: request a copy of personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to completion: request completion of incomplete personal data, including by providing supplementary information.
- Right to erasure: request deletion of your personal data where lawful.
- Right to restriction of processing: request us to limit processing in certain circumstances.
- Right to object: object to processing based on legitimate interests or direct marketing.
- Right to data portability: where applicable, receive your data in a commonly used machine-readable format.
- Right to withdraw consent: where processing is based on consent, you can withdraw consent at any time without affecting processing carried out before withdrawal.
- Right to request review of automated decisions: where we rely solely on automated decision-making with legal or similarly significant effects, you have the right to request human review. (See Section 12.)
To exercise any of the above rights, please contact our DPO or the general number 011 500 0000. We will respond as required by law. We may ask for identity verification before fulfilling requests.
10. Right to lodge a complaint
If you are not satisfied with our handling of your personal data, you may lodge a complaint with the Data Protection Authority of Sri Lanka (or an equivalent supervisory authority). We encourage you to contact our DPO first so we can try to resolve the matter.
11. Requirement to provide personal data
Providing personal data is necessary to enter into and perform the contract for online purchases (order processing, payment and delivery). If you do not provide required data (for example, your delivery address or payment information), we may be unable to process or deliver your order.
Where provision of data is required by law (e.g., for tax/anti-money laundering checks), failure to provide it may prevent us from providing the relevant service.
12. Automated decision-making and profiling
We do not make automated decisions based solely on profiling that have a legal or similarly significant effect on you. If in future we introduce automated decision-making or profiling that produces such effects, we will provide you with meaningful information about the logic involved, the significance and envisaged consequences, and ways to exercise applicable rights, including the right to human intervention.
13. Cookies and tracking
Our website uses cookies, local storage and similar technologies to personalise your experience, analyse site usage and support marketing activities. Where cookies require consent, we will ask for your consent and provide cookie preferences in the cookie banner. You can change your cookie settings at any time via the cookie settings on the website or by contacting our DPO.
14. Security of personal data
We implement reasonable technical, physical and organizational measures to protect personal data from unauthorized access, alteration, disclosure or destruction. We train staff on privacy practices, require contractual safeguards from service providers, and periodically review our security practices.
15. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The latest version will be published at https://revellospeciality.com/privacy-policy with the effective date.