Legal
Privacy Policy
Last updated: 5 July 2026
olyone is a platform that lets Sri Lankan sellers create an online store and run their
business — orders, deliveries, customers and payments — from one app. This policy explains
what information we handle, why, and the choices you have. It covers the olyone mobile app,
the merchant dashboard, and storefronts hosted at *.oly.lk or on a merchant's
own domain.
1. Information we collect
If you are a seller (an olyone account holder)
- Account details — your email address and name, used to sign you in and secure your account.
- Store data — your store's name, logo, products, prices, stock, discounts, policies and settings.
- Business records — the orders, customer records and notes you create while running your store.
- Device push token — if you turn on order alerts, an anonymous token that lets us deliver notifications to your phone. No other device tracking: the app contains no advertising or analytics SDKs.
If you are a buyer (ordering from an olyone-powered store)
- Order details — the name, phone number and delivery address you enter at checkout, plus your order contents. This information belongs to the store you bought from; olyone processes it on that seller's behalf so your order can be fulfilled and delivered.
- Delivery-reliability signals — to protect small sellers from failed cash-on-delivery orders, we keep an internal record of delivery outcomes (delivered, refused, unreachable) linked to the phone number used at checkout. This record improves with successful deliveries, fades over time, and is never published or sold; sellers only ever see an advisory risk level on their own orders — never your history with other stores.
2. What we never collect
- Card or banking credentials. Online card payments are processed directly by the seller's own payment gateway (PayHere or OnePay); bank-transfer details flow directly between buyer and seller. olyone never sees or stores card numbers.
- Advertising identifiers or cross-app tracking. We show no ads and use no ad networks.
3. How we use information
- To provide the service: hosting stores, processing orders, printing courier labels, sending order notifications.
- To keep the platform safe: fraud prevention and the delivery-reliability signals described above (legitimate-interest basis under the Sri Lankan Personal Data Protection Act No. 9 of 2022).
- To communicate with sellers about their account and service updates.
- We do not sell personal information, and we do not share it with anyone for advertising.
4. Who processes data for us
| Provider | Purpose |
|---|---|
| Clerk | Seller sign-in and account security |
| Supabase | Database and file storage (product photos, labels, payment slips) |
| Railway & Vercel | Application hosting |
| Expo | Delivering push notifications to seller devices |
| Couriers chosen by the seller | Receive the delivery name, phone and address to deliver parcels |
| PayHere / OnePay (seller's own accounts) | Card payment processing |
5. Retention & deletion
- Sellers can permanently delete their account and every store they own — including all products, orders and customer records — directly in the app (More → Delete account). Deletion is immediate and irreversible. See Delete your account.
- Buyers can ask the store they purchased from to correct or remove their details, or contact us directly and we will assist.
- Delivery-reliability signals decay automatically: events older than 180 days no longer affect any assessment.
6. Security
All data moves over encrypted connections (TLS). Store data is isolated per store at the database level (row-level security). Payment-gateway secrets sellers save are write-once — they can never be viewed again, only replaced.
7. Contact
Questions or requests: hello@olyone.lk. We will respond within 14 days. If we make material changes to this policy we will update this page and the date above.