Back to Home
Legal

Privacy Policy

Last updated: July 2026 — Version 1.0

This policy is issued in compliance with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (PDPA) and applies to all users, professionals, and organizations registered on the Legion CTI platform.

1. Who We Are (Data Controller)

Legion CTI is a national cybersecurity threat intelligence platform operated in Sri Lanka. As the operator of this platform, Legion Offensive Security acts as the Data Controller under the PDPA.

Contact: noreply@legionoffensivesecurity.com

You may exercise your data rights at any time by submitting a request through the Data Rights portal (login required) or by emailing us directly.

2. Personal Data We Collect

Standard Personal Data

  • Full name, username, email address
  • Mobile phone number
  • Profile picture
  • IP address and device information (collected at login for security purposes)

Sensitive Personal Data (PDPA Section 3 — requires explicit consent)

  • National Identity Card (NIC) number — collected at registration for identity verification
  • NIC front and back images — collected only during KYC verification (optional)
  • Video selfie — collected only during KYC verification (optional), constitutes biometric data

Organization Data

  • Business name, Business Registration (BR) number, address, sector, country
  • Organization logo and email domain

User-Generated Content

  • Threat intelligence posts, reports, and associated images submitted to the platform

3. Legal Basis for Processing (PDPA Section 6–8)

Consent (Section 7)

Registration data and KYC documents are processed based on your explicit, freely given consent recorded at the point of collection.

Legitimate Interest (Section 6(e))

Login history, IP addresses, and system logs are processed for platform security and fraud prevention.

Public Interest (Section 6(f))

Threat intelligence sharing serves the national cybersecurity interest of Sri Lanka.

Contract Performance (Section 6(b))

Account data is processed to deliver the platform services you have registered for.

4. How We Use Your Data

Your data is used only for the following purposes, consistent with the purpose stated at the time of collection:

  • Creating and managing your platform account
  • Verifying your identity via email OTP and optional KYC
  • Enabling threat intelligence sharing between verified users
  • Sending transactional emails (OTP, notifications)
  • Detecting and preventing unauthorized access and abuse
  • Maintaining audit logs for security and legal compliance

We do not sell, rent, or share your personal data with third parties for commercial purposes.

5. Data Retention Periods (PDPA Section 11)

Data Type Retention Period
Account data (name, email, mobile, NIC)Held while your account is active. Deleted within 30 days of account deletion request.
KYC documents (NIC images, video)Auto-deleted 30 days after KYC approval via database TTL index.
System logs & audit trails90 days, then automatically purged.
Login historyLast 50 logins retained per account (older entries overwritten).
Notifications30 days, then auto-deleted.
OTP codes10 minutes from creation, then auto-deleted.
Published postsHeld until deleted by user, organization admin, or super admin.
Data rights requestsRetained for 3 years for compliance audit purposes.

6. Your Rights Under the PDPA (Part IV)

You have the following rights over your personal data. You can exercise them at any time via the Data Rights portal:

Right to Access (Section 18)

Request a copy of all personal data we hold about you.

Right to Correction (Section 20)

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Section 21)

Request deletion of your personal data where there is no legitimate reason for continued processing.

Right to Restriction (Section 22)

Request that we limit processing of your data in certain circumstances.

Right to Data Portability (Section 23)

Receive your personal data in a structured, machine-readable format.

Right to Object (Section 24)

Object to processing based on legitimate interest or public interest grounds.

Right to Withdraw Consent (Section 7(3))

Withdraw consent at any time without affecting lawfulness of prior processing.

Right to Complain (Section 29)

Lodge a complaint with the Data Protection Authority of Sri Lanka.

We will respond to all data rights requests within 30 days as required by the PDPA.

7. Security Measures (PDPA Section 27)

  • All passwords are hashed using bcrypt (industry standard one-way hashing)
  • Sessions use HTTP-only, Secure, SameSite=Lax JWT cookies — not accessible to JavaScript
  • All file uploads are renamed with a random token to prevent enumeration
  • Role-based access control restricts what each user can see and do
  • Full audit log of all significant actions on the platform
  • Database TTL indexes enforce automatic deletion of sensitive and expired data

In the event of a data breach that poses a risk to your rights, we will notify you and the Data Protection Authority of Sri Lanka within 72 hours of becoming aware, as required by PDPA Section 28.

8. Cookies

This platform uses one cookie only: a session authentication token (JWT) stored as an HTTP-only cookie. It expires after 2 hours. We do not use advertising cookies, analytics cookies, or any third-party tracking technologies.

9. Cross-Border Data Transfers (PDPA Section 26)

Your personal data is stored on servers located in Sri Lanka. If any third-party service (such as email delivery) processes your data outside Sri Lanka, we ensure such transfers comply with PDPA Section 26, including adequate safeguards such as contractual obligations equivalent to this policy.

10. Minors

This platform is intended for adults aged 18 and over. We do not knowingly collect personal data from persons under 18. If you believe a minor has registered, please contact us immediately for deletion.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in law or platform features. Material changes will be communicated to registered users via email at least 14 days before taking effect. Continued use after that date constitutes acceptance. The version number and date at the top of this page always reflect the current policy.

Exercise Your Rights

Submit a Data Rights Request

Legion CTI — Sri Lanka Personal Data Protection Act No. 9 of 2022 — Version 1.0 — July 2026