Data Protection Notice

Contents

  1. Introduction
  2. What Information is Collected and Why
  3. Legal basis for processing your personal data
  4. Sharing with Third Parties
  5. Use of Automated Decisions Making Systems
  6. Use of cookies
  7. Your Rights
  8. Data Security
  9. International Transfers
  10. Contact
  11. Changes to Data Protection Notice

 

1.      Introduction

Fio by Fems (the “App”) is the first female health app in Sri Lanka to introduce further privacy protections for your data with Anonymous Mode. With an even deeper layer of privacy, Anonymous Mode gives you the option to access the App without your name, email address, or technical identifiers being associated with the data you put into the App.

We comply with the Personal Data Protection Act No.9 of 2022 (‘PDPA’). This data protection notice (‘Notice’) sets out what personal data we collect from you and/or generate about you, including how we collect or generate, use, store and process it. The Notice is intended to illustrate how we comply with our legal obligations in relation to protecting the Personal Data that we collect or generate, use, store and process. Your privacy is important to us and we are committed to safeguarding the privacy of your personal data. It is important that you read this Notice carefully and understand how and why we process your personal data on this App. Terms used in this Agreement such as “personal data”, “controller”, “data subject”, “processor”, “processing” shall have the same meaning as in the PDPA.

Hemas Holdings PLC, together with its subsidiaries and affiliates (hereinafter referred to as “Company”, “we”, “us” or “Hemas”), is considered a “controller” under the PDPA and is committed to protecting the Personal Data of the users of this App (hereinafter referred to as “you”).

 

2.      What Information is Collected and Why

The following table will indicate what data we collect and why.

Data We Collect

We collect two types of information through the App:

  • Information You Provide: This includes information you directly enter into the App, such as name or nickname and menstrual cycle data (periods, flow, symptoms).
  • Information Collected Automatically: This includes information automatically collected by the App, such as device information (device type, operating system version), usage data (frequency of app use, features used), and (optional, if applicable) location data (only with your permission).

How We Use Your Data

We use the information we collect to provide and improve the App and its features, track your menstrual cycle and predict future periods, offer personalized health insights and educational resources (based on anonymized data), provide free-of-charge doctor consultation within 48 hours, communicate with you about the App (e.g., account verification, updates) and perform analytics and research (with anonymized data).

Children’s Privacy

 

Communication with You

We may contact you from time to time via email or through other means (like pop-ups or push notifications) to communicate with you about Services, offers, promotions, rewards, and events offered by us and provide news and information that we think will be of interest to you. These communications may be based on the Services you have selected for use (e.g. your selected mode) and the App features you engage with.

Help Us Improve Fio (Optional)

If you consent, we may use technical information about your device and other information about you (such as your device’s unique technical identifier, age group, subscription status, emails and the fact you launch the App) to reach you for promotional purposes.

 

 

3.      Legal basis for processing your personal data.

We comply with the PDPA when we process your personal data. Depending on the respective purpose, we may rely on one or more of the following lawful bases:

  • Your consent, when we have specifically sought your consent to process your personal data for specific purpose(s). In the case of children under the age of 16, consent may relate to parents or legal guardians.
  • Contract performance, when we have an agreement with you to provide our services. This includes processing for any pre-contractual purposes as well.
  • Legal obligation, when we are required by law or a court order to process your personal data.
  • Public interest, when we are required to perform certain processing activities in the public interest as defined by law.
  • Our legitimate interests, when we have lawful and reasonable reasons to process your personal data, such as fraud prevention and network security, provided such interests do not override your rights and interests.

When we process special categories of personal data (i.e. information relating to your health, information relating to a child etc. as defined in the PDPA) we may rely on the following legal bases:

  • Your consent, when we have specifically sought your consent to process your personal data for specific purpose(s). In the case of children under the age of 16, consent may relate to parents or legal guardians.
  • For preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where such data is processed by a health professional licensed or authorised by law in Sri Lanka.
  • Public health purposes ensuring public safety, monitoring and public alert systems relating to impending health or other emergencies, the prevention or control of communicable diseases and other serious threats to public health and the management of public healthcare services in so far as it is provided for in any law.
  • Processing personal data which is manifestly made public by you.
  • For the establishment, exercise or defence of legal claims before a court or tribunal or such similar forum.
  • When necessary to achieve a public interest purpose as laid down by law.
  • For archiving purposes in the public interest, scientific research or historical research purposes or statistical purposes in accordance with law in a manner that is proportionate to the aim pursued, and in accordance with the PDPA.

4.      Sharing with Third Parties

We do not sell, trade, or otherwise transfer to third parties your personal data. However, we may need to share your personal data with third parties to complete the purposes stated in section 2 above. Broadly, we may share your personal data with the following entities:

  • Members of the Hemas Group of Companies: information may be shared with entities within the Hemas Group who provide IT and information security services to us. Information may also be shared within the organisation for product/service improvements, customer profiling, feedback escalations, market research and to conduct advertising.
  • Our Suppliers/Service Providers: we may need to engage with a host of external suppliers or service providers to carry out various operational work to support our relationship with you. These suppliers/service providers will be subject to a contractual and legal framework that will stipulate various conditions including but not limited to ensuring the confidentiality and privacy of your personal data. The access they may have will be limited to a need-to-know basis and in so far as strictly necessary for them to provide their services to us. Accordingly, these suppliers/service providers will provide services in relation to (including without limitation) IT infrastructure and support, delivery services, communication services, finance and accounting, audit, market research, legal, data analytics, processing payments, web indexing and search results, scoring, assessing and managing credit risk, customer relationship management, content transmission.
  • To government, regulatory or law enforcement authorities: we may share your personal data if we are of the opinion that the applicable laws require disclosure of your personal data to the government, including but not limited to tax and other regulatory bodies, the police or law enforcement authorities.
  • Prospective buyers or sellers including their advisers: we may be required to share your information in the context of an acquisition, merger, joint-venture, or any other form of change in control or any other form of strategic alliance.

5.      Use of Automated Decisions Making Systems

We may adopt automated decision-making systems on this App. Automated decision-making means making decisions or profiling your Personal Data purely through automated means without any human intervention. These systems are generally used to support human decision-making processes by analysing your data subject to certain criteria set by us. We may use these systems for evaluation purposes of your preferences and make recommendations or offer personalised services, products or content.

6.      Your Rights and Control over the Data

You have choices regarding your information:

  • Access and Update: You can access and update your information within the App settings.
  • Deletion: You can request deletion of your account and information by contacting us via Fiobyfems.consumer@hemas.com.
  • Objection to the processing of your personal data: You have the right to object to the processing of your personal data, for example, if we process it for direct marketing purposes.

Under the PDPA, you’d be entitled to the following rights subject to any exceptions permitted under the PDPA:

Access: you may access your personal data or get a confirmation whether we process any of your personal data. You may also request further information pertaining to how, where and why we process your personal data.

Withdraw consent: if we have sought your consent to process your information for any of the purposes listed in Section 2 above, then you may be in a position to withdraw your consent for those particular purpose(s). When you withdraw your consent, we will not be able to process your personal data thereafter. However, your withdrawal will not invalidate any processing which we’ve done prior to such withdrawal.

Object to processing: if we are processing your personal data pursuant to a legitimate interest of ours or due to public interest, then you may request us to refrain from processing your personal data for said purposes. However, your objection will not invalidate any processing which we’ve done prior to such objection.

Rectification & update: you have the right to request rectification of any inaccurate data or completion of incomplete personal data which we process.

Erasure: if you think that we are processing your personal data in contravention to the PDPA, or you have withdrawn your consent regarding any processing that was founded upon your consent, then you may request us to erase your personal data. Any request for deletion will be evaluated against our legal obligations to retain the said data.

Review of automated decisions: if any decision that affects your rights is taken by us based on purely automated means without human intervention, in certain circumstances you may have the right to request us to review the said decision.

However, please note that the exercise of the above rights is subject to certain conditions stipulated under the PDPA.

You also have the right to make a complaint to the Data Protection Authority of Sri Lanka established under the Personal Data Protection Act No.9 of 2022 regarding our use of your personal data.

7.      Data Security

We are committed to securing your personal data and safeguarding the confidentiality, integrity and availability of your personal data by using appropriate organisational and technical measures.

Some of these measures include using secure information systems and networks when we transmit and store your personal data, implementing access restrictions and allowing access on a need-to-know basis to our staff and our external service providers and suppliers, providing regular training and guidance to our staff on privacy and data protection, using anonymisation and encryption as appropriate, and implementing internal procedures to duly detect and respond to data breaches.

In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.

All transactions are processed through a payment gateway provider and are not stored or processed on our servers.

8.      International Transfers

Your personal data may be transferred and processed outside of Sri Lanka in one or more countries in certain circumstances. Such circumstances may typically arise when your personal data is stored/hosted on cloud platforms. Whilst we strive to process personal data in countries where the Sri Lankan Data Protection Authority has given adequacy decisions, for operational reasons, this may not always be possible. Therefore, we have adopted appropriate safeguards to ensure the security and privacy of your Personal Data through comprehensive contractual and legal means.

9.      Contact

If you need any clarifications regarding this data protection notice, you may contact us at

Fio by Fems: Hemas Manufacturing (Pvt) Ltd, 75, Braybrooke Place, Colombo 02, Sri Lanka.

 

To exercise any of your rights under this data protection notice, please complete the following form and send it to Fiobyfems.consumer@hemas.com

Name
Email
Mobile No.
Request Type:

[Access | Withdrawal of Consent | Object to Processing | Rectification | Update | Erasure | Review of Automated Decision | Further Information]

Additional Information on the Request

10.   Changes to Data Protection Notice

We may update this data protection notice from time to time to reflect the changes in our services, data protection practices or legal obligations. Any significant changes will be notified by posting the updated notice on our website, or by contacting you directly through registered channels.

Last update: 11/10/2024