Sarala

Privacy Policy

Last updated 2026-04-21

1. Who this policy is from

This Privacy Policy explains how WEDDZ IT ("we", "us"), operators of Sarala at sarala.lk, collects, uses, and shares information. It applies to the Sarala web app, mobile apps, and marketing site.

2. What we collect

When you create a Sarala account, we collect:

  • Your email address (required for authentication).
  • Your full name, if you choose to provide it.
  • Your business name, business phone number (optional), vertical/trade, currency, and preferred language — entered during onboarding.

When you use the service, we collect:

  • The business data you enter (customers, suppliers, products, invoices, cashbook entries, reports).
  • Usage metadata — pages you visit, actions you take, device and browser info, IP address.
  • Billing metadata from PayHere — the last four digits of your card, card brand, and a PayHere-issued token. We never see or store your full card number or CVV; those stay with PayHere.
  • Error and crash reports — stack traces, breadcrumbs, and Sentry event IDs.

3. Why we collect it

  • To authenticate you (email + password via Supabase).
  • To deliver the service — generate invoices, process cashbook entries, produce reports, send emails and SMS on your behalf.
  • To bill your subscription and process recurring payments.
  • To keep the service secure — detect abuse, rate-limit brute-force attacks, investigate bugs.
  • To improve the product — see which features are used, find dead code, prioritise the next thing to build.
  • To communicate with you about service changes, billing, and support.

4. Who we share it with

We use the following processors:

  • PayHere (payments) — receives transaction metadata to charge your card in LKR.
  • Supabase — handles authentication (email, password hashes, OAuth tokens).
  • Neon (database) — stores your business data on Postgres servers.
  • Cloudflare R2 (file storage) — stores uploaded logos, attachments, and generated PDFs.
  • Resend (email) — delivers invoice emails and account notifications on your behalf.
  • Text.lk and Dialog SMS (SMS) — deliver invoice SMS to your customers when you use the SMS feature.
  • Anthropic (AI summaries) — processes anonymised business metrics to generate the monthly dashboard summary. No customer PII is sent.
  • PostHog (product analytics) — receives pseudonymised usage events and optionally records session replays when an error occurs. You can opt out in Settings.
  • Sentry (error monitoring) — receives stack traces, breadcrumbs, and a user ID hash to help us debug crashes.
  • WhatsApp / Meta — when you click "Send via WhatsApp", the invoice content is passed to WhatsApp; their privacy policy applies to that message.

We do not sell your data to advertisers. We do not share it with third parties for marketing purposes. We only disclose data to law enforcement when required by a valid court order under Sri Lankan law.

5. Cookies and similar technologies

Sarala uses a small number of essential cookies: a session cookie for authentication, a locale cookie to remember your language, and a theme cookie to remember light/dark mode. We do not set any advertising or cross-site tracking cookies. PostHog may set a first-party pseudonymous ID cookie for analytics; you can disable this in Settings.

6. Data retention

We keep your active-account data for as long as your account is open. If you close your account, your data is retained for 12 months and then permanently deleted, except where we are required by Sri Lankan tax or company law to retain records longer (for example, invoice records may be kept for up to 7 years where applicable). Billing records are retained for 7 years for accounting compliance.

7. Your rights

You can:

  • Access — view any data we hold about you in the Settings and Reports pages.
  • Export — download all your business data as CSV or JSON from Settings → Export.
  • Correct — edit your profile, business info, and any records you own directly in the app.
  • Delete — close your account from Settings; your data is queued for deletion after the 12-month retention window.
  • Object / restrict — email hello@sarala.lk and we will pause non-essential processing within 7 business days.

If you believe your rights have been violated, you may also contact the Data Protection Authority of Sri Lanka.

8. Children

Sarala is a product for businesses and is not intended for people under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, email hello@sarala.lk and we will delete the account.

9. Security

We encrypt data in transit (TLS 1.3) and at rest (AES-256 on Neon and R2). Passwords are hashed with bcrypt by Supabase. We scope every database query to your tenant using Postgres Row-Level Security — one customer cannot read another customer's data even if there is an application bug. We log administrative access to an audit trail.

We aim to notify you within 72 hours of a confirmed data breach that affects your personal data, in line with international best practice.

10. International data transfers

Neon's Postgres servers, Cloudflare R2 buckets, and Supabase's auth service may be hosted outside Sri Lanka (typically in Singapore or the EU). By using Sarala, you consent to these transfers. We select providers that offer industry-standard security and privacy protections.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced by email and in-app at least 14 days in advance. The "Last updated" date at the top of this page is always current. Continued use of the service after a change constitutes acceptance.

12. Contact

WEDDZ IT
Email: hello@sarala.lk
Website: sarala.lk

For any privacy questions — including requests to access, export, or delete your data — email hello@sarala.lk. We respond within 7 business days.