Privacy Policy
Last updated: March 20, 2026
About Us
We are Colombo City Express (Pvt) Ltd, a company incorporated in Colombo, Sri Lanka, with its registered office at Nawala Road, Nugegoda, Sri Lanka. Throughout this policy, we may refer to ourselves as Colombo City Express, Colombo City Express (Pvt) Ltd, or CCExpress — these all refer to the same company.
This Privacy Policy describes our policies and procedures on the collection, use and disclosure of your information when you use the Service — including our website, the Colombo City Express Go mobile application for drivers, and the CCExpress mobile application for customers — and tells you about your privacy rights and how the law protects you.
Interpretation and Definitions
Interpretation
The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
Definitions
For the purposes of this Privacy Policy:
- Account: means a unique account created for You to access our Service or parts of our Service.
- Affiliate: means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
- Company: refers to Colombo City Express (Pvt) Ltd, 160 Koswatta Rd, Sri Jayawardenepura Kotte, Sri Lanka. Also referred to as 'we', 'us', or 'our' throughout this policy.
- Cookies: are small files that are placed on your computer, mobile device or any other device by a website, containing the details of your browsing history on that website among its many uses.
- Country: refers to Sri Lanka.
- Device: means any device that can access the Service such as a computer, a mobile phone or a digital tablet.
- Personal Data: is any information that relates to an identified or identifiable individual.
- Service: refers to the Website, the Dashboard, Colombo City Express Go, and CCExpress, collectively.
- Service Provider: means any natural or legal person who processes data on behalf of the Company. This includes third-party companies or individuals employed by the Company to facilitate the Service, provide the Service on our behalf, perform services related to the Service, or assist in analyzing how the Service is used.
- Usage Data: refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- you: means the individual accessing or using the Service, or the company or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
Our Applications & Platforms
Colombo City Express operates the following products, each serving a different audience:
- Website: the public-facing marketing and order creation site, accessible at https://ccexpress.lk.
- Dashboard: the web-based merchant portal accessible at https://dashboard.ccexpress.lk, used by businesses to upload orders, manage accounts, and view delivery reports.
- CCExpress: the mobile application available on Android and iOS, used by parcel recipients to track their orders, subscribe to status notifications, and view live delivery progress.
- Colombo City Express Go: the mobile application available on Android and iOS, used by CCExpress couriers to manage dispatches, scan barcodes, capture proof of delivery, and track routes.
Data Protection Principles
We abide by the following data protection principles, as stipulated in Sri Lanka's Personal Data Protection Act (PDPA), in all of our dealings with your personal data:
- Lawfulness, fairness, and transparency: we will only handle your personal data lawfully, fairly, and in a transparent manner.
- Purpose limitation: your personal data will only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation: your personal data will be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: we will endeavour to keep your personal data accurate and up to date at all times.
- Storage limitation: we will retain your personal data for no longer than is necessary for the purposes for which it is used.
- Integrity and confidentiality: your personal data will be handled in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
How we collect and use your information
| Purpose | Information Used | App |
|---|---|---|
| Merchant Registration | Bank details, business name, and business information for verification purposes | Dashboard |
| Data Analytics | Website usage data, product interactions, and customer relationship information to improve our services and marketing | Website / Dashboard |
| Order Management | Shipping information stored in a secure database for product delivery purposes | Dashboard |
| Run Sheet Download | Couriers may download a run sheet containing order and dispatch reference information for their assigned deliveries. This document contains operational data only and does not include personal data of third parties. Run sheets are generated from our servers and saved to the courier's device as a PDF for offline reference. | CCExpress Go |
| Driver Authentication | Email address and password used to authenticate drivers via Supabase, a secure third-party authentication platform. Passwords are never stored in plain text. | CCExpress Go |
| Barcode Scanning | Camera access used solely to scan barcodes for dispatch management. No images or video are captured or stored. The scanned barcode value is linked to the relevant dispatch record, not to your personal identity. The camera is only activated when you explicitly use this feature — we do not access it in the background. | CCExpress Go |
| Attachment Uploads | Photos selected from your device's photo library or taken with the camera, uploaded as attachments to dispatch records. Images are transmitted securely and stored on our servers. We only access photos you explicitly select — we do not browse, collect, or store any other photos from your library. | CCExpress Go |
| Push Notifications — Dispatch Updates | Device push notification token collected via Firebase Cloud Messaging to send dispatch updates and alerts to your device | CCExpress Go |
| Location Tracking | Device location sent to our servers every 3 minutes while tracking is active. Tracking only occurs when you tap Start Route and stops when you tap Stop Route. A persistent notification is shown during tracking and cannot be dismissed while tracking is active, ensuring you are always aware it is occurring. You may disable location permissions at any time in your device settings, which will prevent route tracking from functioning. This feature is not available on iOS. | CCExpress Go |
| Parcel Tracking | Tracking ID entered by the customer to look up their parcel's status and delivery events. This ID is stored locally on the device as part of recent search history and subscribed orders. | CCExpress |
| Push Notifications — Order Status Updates | Customers can subscribe to any order to receive push notifications when its status changes. A device push notification token is collected via Firebase Cloud Messaging and associated with the subscribed tracking IDs on our servers. Customers can unsubscribe from any order at any time, which removes the association between their token and that tracking ID. | CCExpress |
| Live Delivery Map — Phone Verification Gate | When your order is actively out for delivery (a dispatch is in progress and not yet completed), a live delivery map view becomes available. To access it, you must enter the last 4 digits of your registered phone number. This value is verified against our records, then cached locally on your device per tracking ID for convenience. It is never stored on our servers. | CCExpress |
| Live Rider GPS & Delivery Info | Once phone verification is successful, our servers return the rider's real-time GPS coordinates (latitude, longitude, and timestamp), the rider's first name, and dispatch progress information (your stop number and how many stops remain ahead of yours). This data is fetched from our servers on each refresh and is not stored on your device. It is only available while the order is actively out for delivery and is no longer returned once the order is delivered or cancelled. | CCExpress |
| Map Tile Rendering | Map tiles are loaded from MapTiler (a third-party service) to render the background map in the live delivery view. Requests include your approximate viewport coordinates to determine which tiles to load, but do not include your identity or the rider's location. See the MapTiler Privacy Policy. | CCExpress |
| Crash Reporting & Diagnostics | Device type, operating system version, app version, and crash logs collected automatically via Firebase. Used solely for diagnosing issues and improving application stability. See the Firebase Privacy Policy. | CCExpress Go |
Advertising and Tracking
We do not use your data for targeted advertising or share it with data brokers. The device identifiers collected by Firebase Cloud Messaging are used solely to deliver push notifications relevant to your dispatches and are never used for advertising, profiling, or shared with third parties for commercial purposes.
We do not track you across third-party apps or websites for advertising purposes.
How we store your information
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
Data transmitted between Colombo City Express Go and our servers is encrypted using industry-standard TLS/HTTPS protocols.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
How long we store your information for
We will retain your information for as long as you have an account with us or are registered with us. If you delete your account or request us to do so, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
Push notification tokens associated with Colombo City Express Go are removed from our systems when your account is deleted or when you disable notifications.
Your Rights
Under the Sri Lanka Personal Data Protection Act (PDPA), you have the right to:
- access the personal data we hold about you
- request correction of inaccurate personal data
- request deletion of your personal data, subject to legal obligations
- object to or restrict the processing of your personal data in certain circumstances
- withdraw consent where processing is based on consent
Account Deletion
You may delete your account and all associated data by contacting us directly at legal@ccexpress.lk. Upon deletion, your personal data will be permanently removed from our systems, except where retention is required by law.
To exercise any of your other rights, please contact us using the details below.
Contact Us
If you have any questions about this Privacy Policy, you can contact us:
- By email: legal@ccexpress.lk
- By visiting this page on our website: https://ccexpress.lk/en/contact