Privacy Policy

HadesReality (Pvt) Ltd is a software development company registered in Sri Lanka, providing custom self-service kiosk solutions, ERP systems, POS software, AR/VR experiences, and digital platforms. Our registered address is Colombo, Sri Lanka.

For the purposes of GDPR, HadesReality (Pvt) Ltd acts as the data controller for personal data collected through our website (hadesreality.com) and our direct business communications.

For client-delivered systems (e.g., kiosk or ERP software deployed at a client's business), HadesReality (Pvt) Ltd acts as a data processor on behalf of the client, who is the controller. Data processing in those engagements is governed by the applicable Data Processing Agreement.

We collect the following categories of personal data:

We do not collect sensitive personal data (health data, racial or ethnic origin, political opinions, biometric data) through our marketing website. Client systems may process such data only under explicit agreement and appropriate safeguards.

We use your personal data for the following purposes:

• To respond to enquiries submitted via our contact form
• To provide, operate, and improve our software services
• To send project updates and communications you have requested
• To analyse website usage and improve user experience
• To comply with legal obligations and enforce our agreements
• To prevent fraud and ensure the security of our systems

We do not sell your personal data to third parties. We do not use your data for automated individual decision-making or profiling that produces legal effects.

For individuals in the European Economic Area (EEA) and United Kingdom, we process your data under the following lawful bases as defined in Article 6 of the GDPR:

• Contractual necessity (Art. 6(1)(b))
  Processing required to perform a contract with you or to take pre-contractual steps at your request.
• Legitimate interests (Art. 6(1)(f))
  Processing necessary for our legitimate business interests — specifically, website analytics and fraud prevention — where those interests are not overridden by your rights.
• Legal obligation (Art. 6(1)(c))
  Processing required to comply with applicable law.
• Consent (Art. 6(1)(a))
  Where we ask for your consent (e.g., non-essential cookies), you may withdraw it at any time.

We share personal data only in the following limited circumstances:

• Service providersHosting providers (Vercel), email delivery services, and analytics platforms — bound by data processing agreements and restricted to processing data only on our behalf.
• Legal requirementsWhen required by applicable law, court order, or governmental authority.
• Business transfersIn the event of a merger, acquisition, or sale of all or part of our assets, your data may be transferred. We will notify you in advance.
• With your consentAny other sharing will only occur with your explicit consent.

We use the following types of cookies on hadesreality.com:

You can control cookie settings through your browser preferences. Refusing non-essential cookies will not affect the core functionality of the website.

We retain personal data for as long as necessary for the purpose it was collected:

• Contact form submissions24 months from date of submission, or until the enquiry is resolved
• Client project records7 years from project completion (statutory accounting requirement)
• Website analytics data14 months (Google Analytics default retention)
• Email correspondence5 years from last communication

Depending on your location, you may have the following rights regarding your personal data:

To exercise any of these rights, contact us at privacy@hadesreality.com. We will respond within 30 days.

HadesReality is based in Sri Lanka. When we receive data from individuals in the EEA, UK, or other jurisdictions with data transfer restrictions, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) — where required for transfers to Sri Lanka from the EEA/UK.
• Adequacy decisions — we use processors (e.g., Vercel) that have undergone adequacy assessment or provide equivalent safeguards.

Our website and services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@hadesreality.com and we will delete it promptly.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These include:

• TLS encryption for all data in transit
• Access controls and authentication for internal systems
• Regular security reviews of our infrastructure
• Processor vetting — we only engage sub-processors with adequate security practices

No method of transmission over the internet is 100% secure. In the event of a data breach that is likely to result in high risk to your rights and freedoms, we will notify you and relevant supervisory authorities within the timelines required by applicable law.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to KnowYou may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to DeleteYou may request deletion of personal information we hold about you, subject to certain exceptions.
• Right to CorrectYou may request correction of inaccurate personal information.
• Right to Opt-Out of Sale/SharingWe do not sell or share your personal information for cross-context behavioural advertising.
• Right to Non-DiscriminationWe will not discriminate against you for exercising your CCPA rights.

To submit a verifiable consumer request, email privacy@hadesreality.com. We will respond within 45 days.

Sri Lanka's Personal Data Protection Act No. 9 of 2022 (PDPA 2022) grants individuals rights over their personal data. As a Sri Lankan company, we are committed to full compliance with the PDPA 2022 and its regulations as they come into force.

Your rights under the PDPA 2022 include:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure (subject to legal retention obligations)
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent

Our designated Data Protection Officer can be reached at privacy@hadesreality.com.

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or a prominent notice on our website. Your continued use of our website after any changes constitutes your acceptance of the updated policy.

For any questions, requests, or complaints regarding this Privacy Policy or our data practices, please contact:

If you are unhappy with our response, you have the right to lodge a complaint with your local data protection authority (e.g., the ICO in the UK, or your EU member state's supervisory authority).