Privacy Policy — evchargerhub.lk OCPI hub (v2, 2026-05-26)

This Privacy Policy describes how Volt Industrial Company (Pvt) Ltd ("we", "us", the "Operator"), the operator of the OCPI roaming hub at evchargerhub.lk (the "Hub"), collects, uses, shares, retains, and protects personal data. It is published in compliance with the Personal Data Protection Act No. 9 of 2022 ("PDPA") of Sri Lanka.

This policy applies to data we receive through the Portal (the web application at evchargerhub.lk) and through the OCPI machine-to-machine surface at /ocpi/*.

1. Who we are

• Data controller for portal & account data: Volt Industrial Company (Pvt) Ltd, registered office at [Registered address — Colombo, Sri Lanka]. Contact: privacy@evchargerhub.lk.
• Data Protection Officer (DPO): dpo@evchargerhub.lk. The DPO is responsible for monitoring our compliance with the PDPA and is your first point of contact for data subject requests and complaints.
• For OCPI traffic data (Tokens, Sessions, CDRs, Locations, Tariffs etc. that a Connected Party pushes through the Hub), the Connected Party is the controller and we act as a processor on its behalf. Section 6 describes how the controller / processor split works.

2. Categories of personal data we process

Category	Examples	Source
Account data	Name, work email, hashed password, phone number, role within the organisation	Provided by you when you register on the Portal
Session metadata	IP address, user-agent, login timestamps, CSRF / cookie identifiers	Captured automatically when you use the Portal
Company registration data	Legal name, registration number, registered address, country of incorporation, contact phone, supporting documents (certificate of incorporation, authorisation letters)	Provided by you in the application form
OCPI identity	country_code, party_id, OCPI role (CPO / eMSP / HUB), requested scope	Provided by you in the application form
OCPI traffic data	Method, path, HTTP/OCPI status, duration, request size, hub-routed message bodies for modules where the spec requires storage (e.g. Locations, Sessions, CDRs)	Generated by your machine-to-machine calls to /ocpi/*
Support correspondence	Emails to support@ or replies through the Portal	Provided by you when you contact us

Some OCPI traffic data (notably Token UIDs and Session records) can be used to re-identify EV drivers. We treat that data as personal data even though it does not contain a name.

3. Purposes & legal basis

We process personal data only for the following purposes, on the following legal bases (PDPA s.5–s.6):

1. Operating the Hub — authenticating you, routing OCPI messages between Connected Parties, maintaining audit logs, preventing abuse.
   • Legal basis: performance of a contract (these Terms / the Hub Service Agreement) and our legitimate interest in running a secure service.
2. Onboarding & due diligence — verifying your company registration, role-fit, and that you are not a sanctioned party.
   • Legal basis: legitimate interest in safe onboarding; compliance with applicable AML / sanctions law.
3. Support — answering your questions and investigating incidents.
   • Legal basis: performance of a contract and legitimate interest.
4. Legal compliance — responding to lawful requests, preserving records required by law, defending claims.
   • Legal basis: legal obligation; legitimate interest in establishing or defending legal claims.
5. Service improvement — analysing aggregate usage to fix bugs and improve the Hub. We do not build behavioural profiles or use this data for marketing.
   • Legal basis: legitimate interest, balanced against the limited intrusiveness of the analysis.

We do not sell personal data. We do not use personal data for automated decision-making that produces legal or similarly significant effects on you.

4. Cookies & similar technologies

The Portal sets the following first-party cookies. We do not use third-party analytics or advertising cookies.

Cookie	Purpose	Retention
session	Keeps you signed in to the Portal.	Cleared when you sign out or after 30 days of inactivity
_csrf	Cross-site request forgery protection token.	Session-bound

By using the Portal you consent to these strictly-necessary cookies. No consent banner is required under PDPA s.6 for cookies that are essential to a service the user has actively requested.

5. Sharing & disclosure

We share personal data only with the following categories of recipient:

• Other Connected Parties through OCPI roaming. Once you are admitted as a Connected Party, your OCPI identity (country_code + party_id + role) and the OCPI data you push (Locations, Sessions, CDRs etc.) is made available, in line with the OCPI protocol, to the other Connected Parties you have a roaming relationship with. Your registered company information is not made public — only your OCPI identity is.
• Our service providers (sub-processors) — see §6.
• Auditors and professional advisers — under standard confidentiality obligations.
• Authorities — where required by Sri Lankan law, a court order of competent jurisdiction, or to protect the Hub or its users from imminent harm.
• Successors — in the event of a corporate restructuring, merger, acquisition, or sale of the Hub business, on equivalent terms to this Policy.

We do not transfer personal data to third parties for marketing.

6. Sub-processors

We use the following sub-processors to operate the Hub. Each is bound by a written data-processing agreement that obliges them to process personal data only on our documented instructions and to maintain appropriate security measures.

Sub-processor	Role	Location	Data exposed
Amazon Web Services EMEA SARL ("AWS")	Cloud hosting (compute, database, storage)	ap-southeast-1, Singapore	All categories listed in §2 (encrypted at rest)
Resend, Inc.	Transactional email (sign-up, verification, alerts)	United States	Name, email, message content
Cloudflare, Inc. (DNS only)	Authoritative DNS for evchargerhub.lk	Global	None — DNS only, no plaintext request data

We will update this list before adding or replacing a sub-processor. Material changes will be notified to active Connected Parties at least 30 days in advance, and a Connected Party may object on data-protection grounds; if we cannot reasonably accommodate the objection, the Connected Party may terminate without penalty under the Hub Service Agreement.

7. Cross-border transfer

We host the Hub in Singapore (AWS ap-southeast-1). Any transfer of personal data out of Sri Lanka is covered by contractual safeguards that mirror PDPA s.26, including obligations on the recipient to maintain at least an equivalent level of protection. For Connected Parties or data subjects established in the European Economic Area, transfers from the EEA to Sri Lanka rely on the EU Standard Contractual Clauses (2021/914) — Module 3 (processor-to-processor) or, where applicable, Module 2 (controller-to-processor), which we will enter into on request.

8. Retention

Data	Retention	Rationale
Account data	Active for the life of the account, plus 12 months after closure	Allow re-activation, satisfy audit and dispute windows
Application form data + uploaded documents	7 years from approval or rejection	KYC / AML record-keeping under Sri Lankan financial-services norms
OCPI traffic logs (metadata only)	24 months	Operational audit, fraud and abuse investigation
OCPI message bodies stored per spec (Locations, Sessions, CDRs)	As long as the connected relationship is active, plus 12 months	Required for OCPI continuity, dispute resolution
Personal-data breach records	5 years from the date of the breach	PDPA s.23
Support correspondence	3 years	Service-quality review
Audit logs of administrative actions	5 years	Security, accountability

After the retention period, data is deleted or irreversibly anonymised. We may keep aggregated, non-identifying statistics indefinitely.

9. Security

We maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

• TLS 1.2+ for all data in transit (Portal HTTPS, OCPI HTTPS);
• AES-256 encryption at rest for database storage and uploaded documents;
• access control on a need-to-know basis with audited administrative actions;
• separation of credentials and secrets from application code (no secrets in version control);
• regular dependency scanning and patching;
• periodic penetration testing of the OCPI surface;
• formal incident-response procedure with on-call rotation.

No system is perfectly secure. You are responsible for protecting your own credentials and tokens, and for notifying us promptly of any suspected compromise.

10. Personal data breaches

If we become aware of a personal data breach that involves a high risk to the rights or interests of data subjects, we will notify the Data Protection Authority of Sri Lanka within 72 hours of becoming aware, as required by PDPA s.23 and the Authority's published rules. Where the breach is likely to materially affect a Connected Party's controlled data, we will additionally notify the Connected Party without undue delay (and in any event within 24 hours of confirmation) so that the Connected Party can discharge its own controller obligations.

Connected Parties are reciprocally required to notify us of any breach affecting Hub-mediated data; see the Hub Service Agreement, §10 (Security obligations).

11. Your rights

Subject to the conditions in the PDPA, you have the right to:

• be informed about how we process your personal data (this Policy);
• request access to the personal data we hold about you;
• request rectification of inaccurate or incomplete personal data;
• request erasure of your personal data, where the legal basis allows;
• request restriction of processing in certain circumstances;
• object to processing based on our legitimate interest;
• withdraw consent at any time, where processing is based on consent (without affecting the lawfulness of processing prior to withdrawal);
• lodge a complaint with the Data Protection Authority of Sri Lanka.

To exercise any of these rights, email privacy@evchargerhub.lk or write to the DPO at the address above. We will respond within 30 days of a verified request. For OCPI traffic data where another Connected Party is the controller, we will route the request to that controller and confirm to you that we have done so.

There is no fee for a reasonable request. We may refuse or charge a reasonable fee for requests that are manifestly unfounded or excessive, especially if repetitive.

12. Children

The Hub is a business-to-business service and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact privacy@evchargerhub.lk and we will delete it.

13. Changes to this Policy

We may update this Policy from time to time. The current version is always available at /portal/legal/PRIVACY on the Portal, with an effective date. Material changes will be notified to active Connected Parties at least 30 days in advance. Continued use of the Hub after a change takes effect constitutes acknowledgement of the updated Policy.

14. Contact

• General privacy questions: privacy@evchargerhub.lk
• Data Protection Officer: dpo@evchargerhub.lk
• Postal address: Volt Industrial Company (Pvt) Ltd, [Registered address — Colombo, Sri Lanka]
• Supervisory authority: Data Protection Authority of Sri Lanka, https://www.dpa.gov.lk