Last updated: July 2026 — Version 1.0
This policy is issued in compliance with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (PDPA) and applies to all users, professionals, and organizations registered on the Legion CTI platform.
Legion CTI is a national cybersecurity threat intelligence platform operated in Sri Lanka. As the operator of this platform, Legion Offensive Security acts as the Data Controller under the PDPA.
Contact: noreply@legionoffensivesecurity.com
You may exercise your data rights at any time by submitting a request through the Data Rights portal (login required) or by emailing us directly.
Standard Personal Data
Sensitive Personal Data (PDPA Section 3 — requires explicit consent)
Organization Data
User-Generated Content
Consent (Section 7)
Registration data and KYC documents are processed based on your explicit, freely given consent recorded at the point of collection.
Legitimate Interest (Section 6(e))
Login history, IP addresses, and system logs are processed for platform security and fraud prevention.
Public Interest (Section 6(f))
Threat intelligence sharing serves the national cybersecurity interest of Sri Lanka.
Contract Performance (Section 6(b))
Account data is processed to deliver the platform services you have registered for.
Your data is used only for the following purposes, consistent with the purpose stated at the time of collection:
We do not sell, rent, or share your personal data with third parties for commercial purposes.
| Data Type | Retention Period |
|---|---|
| Account data (name, email, mobile, NIC) | Held while your account is active. Deleted within 30 days of account deletion request. |
| KYC documents (NIC images, video) | Auto-deleted 30 days after KYC approval via database TTL index. |
| System logs & audit trails | 90 days, then automatically purged. |
| Login history | Last 50 logins retained per account (older entries overwritten). |
| Notifications | 30 days, then auto-deleted. |
| OTP codes | 10 minutes from creation, then auto-deleted. |
| Published posts | Held until deleted by user, organization admin, or super admin. |
| Data rights requests | Retained for 3 years for compliance audit purposes. |
You have the following rights over your personal data. You can exercise them at any time via the Data Rights portal:
Right to Access (Section 18)
Request a copy of all personal data we hold about you.
Right to Correction (Section 20)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Section 21)
Request deletion of your personal data where there is no legitimate reason for continued processing.
Right to Restriction (Section 22)
Request that we limit processing of your data in certain circumstances.
Right to Data Portability (Section 23)
Receive your personal data in a structured, machine-readable format.
Right to Object (Section 24)
Object to processing based on legitimate interest or public interest grounds.
Right to Withdraw Consent (Section 7(3))
Withdraw consent at any time without affecting lawfulness of prior processing.
Right to Complain (Section 29)
Lodge a complaint with the Data Protection Authority of Sri Lanka.
We will respond to all data rights requests within 30 days as required by the PDPA.
In the event of a data breach that poses a risk to your rights, we will notify you and the Data Protection Authority of Sri Lanka within 72 hours of becoming aware, as required by PDPA Section 28.
This platform uses one cookie only: a session authentication token (JWT) stored as an HTTP-only cookie. It expires after 2 hours. We do not use advertising cookies, analytics cookies, or any third-party tracking technologies.
Your personal data is stored on servers located in Sri Lanka. If any third-party service (such as email delivery) processes your data outside Sri Lanka, we ensure such transfers comply with PDPA Section 26, including adequate safeguards such as contractual obligations equivalent to this policy.
This platform is intended for adults aged 18 and over. We do not knowingly collect personal data from persons under 18. If you believe a minor has registered, please contact us immediately for deletion.
We may update this Privacy Policy to reflect changes in law or platform features. Material changes will be communicated to registered users via email at least 14 days before taking effect. Continued use after that date constitutes acceptance. The version number and date at the top of this page always reflect the current policy.
Exercise Your Rights
Submit a Data Rights RequestLegion CTI — Sri Lanka Personal Data Protection Act No. 9 of 2022 — Version 1.0 — July 2026