Privacy Policy.

This policy outlines how we collect, use, and protect your personal data, and your rights concerning this data.

Digimonde Private Limited ("we," "us," "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, and protect your information when you use our platforms: Fedhubs, Fedhubs Pro, and Fedhubs Pro+.

By using our services, you agree to this policy's terms.

1. Who We Are

Digimonde Private Limited is a technology company duly incorporated in Sri Lanka, with its registered office at 67/B Lt Co. Kudabanda Mawatha, Gannoruwa, Peradeniya, Sri Lanka. We build digital tools for customer engagement, word-of-mouth marketing, and loyalty management.

EU Representative:

Deban Vithuran
88 Avenue Magellan, 94000 Créteil, France
Email: [email protected]
Phone: +33 7 43 34 87 87

2. Data Collection, Purposes, and Legal Basis

Quick overview: We collect data to make our platforms work for you, improve your experience, and handle payments. Each data type serves a specific purpose, always backed by a legal reason like your consent or our agreement with you.

We collect and process your personal data to provide and improve our services, enable specific features, and ensure legal compliance. Below, you'll find details on the types of data we collect, how we gather it, and the specific reasons (purposes) and legal grounds (legal bases) for processing it.

What Data We Collect

We may collect and process the following categories of personal data:

  • Identification Data: Your email address (used as a unique ID), name, surname, gender, and an optional profile photo.
  • Interaction Data: Information about your recommendations (sent or received), QR/OTR code scans, and the time and location of your visits.
  • Usage Data: Details about the pages you view, clicks you make, and time spent on content within our platforms.
  • Business Data (for Fedhubs Pro/Pro+): Store/Business name, public information about your business, and lead tracking data.
  • Payment Data: This is managed directly by our trusted third-party payment providers (Lemon Squeezy, Stripe, Paddle). We don't directly store your credit card information.
  • Gamification Data: Points you've earned, levels you've unlocked, and social quests you've completed on our platforms.

How We Collect Your Data

We collect data through various interactions you have with our platforms:

  • Forms submitted via our app or websites.
  • Your interactions with QR codes or OTR codes.
  • Recommendations sent via SMS, social media, or directly in-store.
  • Cookies and similar tracking technologies. When you first visit our site, our cookie banner allows you to "Accept" or "Refuse" cookies with equal prominence, or to manage your preferences with granular control. You can revisit and withdraw your consent for cookies at any time via a persistent link, typically found in our website's footer, which re-opens the cookie management tool. Please see our dedicated Cookie Policy for more details on how we use these.

Why and How We Process Your Data (Purposes and Legal Bases)

We process your data for the following specific purposes, relying on distinct legal bases in accordance with the GDPR. For detailed retention periods for each data category, please refer to Section 6: How Long We Keep Your Data.

Identification Data
  • Purpose of Processing: Provide and manage your access to services, authenticate you, enable communication.
  • Legal Basis (GDPR Article 6): Performance of a contract (for service access); Legitimate interest (for security and basic communication).
  • Example: When you sign up or log in, we use your email as your unique ID to grant you access to Fedhubs.

Interaction Data
  • Purpose of Processing: Enable word-of-mouth features, track recommendations, manage loyalty, notify businesses.
  • Legal Basis (GDPR Article 6): Performance of a contract (for providing platform features); Legitimate interest (to enable core service functionality for users/businesses).
  • Example: When you send a recommendation, we record your email (ID) and the interaction to attribute it correctly to the business and track potential rewards for you. When you scan a QR code, we may collect location data to link your visit to a business.

Usage Data
  • Purpose of Processing: Improve our services, optimize user experience, troubleshoot issues, analyze trends.
  • Legal Basis (GDPR Article 6): Legitimate interest (to enhance service quality and functionality).
  • Example: We analyze which pages are most visited to identify areas for improvement or new feature development, helping us make the platform more intuitive.

Business Data
  • Purpose of Processing: Enable business profile management, lead tracking, customer engagement tools.
  • Legal Basis (GDPR Article 6): Performance of a contract (for Fedhubs Pro/Pro+ services); Legitimate interest (for service operation).
  • Example: When a business registers on Fedhubs Pro, we collect their store name and public information to create their profile, which is essential for the service to function.

Payment Data
  • Purpose of Processing: Process subscriptions and payments for paid services (Fedhubs Pro/Pro+).
  • Legal Basis (GDPR Article 6): Performance of a contract (for paid services).
  • Example: When you subscribe to Fedhubs Pro+, your payment details are securely handled by Stripe or Lemon Squeezy to process your subscription fee.

Gamification Data
  • Purpose of Processing: Manage gamified experiences, track progress, award points/rewards.
  • Legal Basis (GDPR Article 6): Performance of a contract (for providing gamification features).
  • Example: When you complete a social quest, we track your points earned and progress towards new levels within the platform.

All Data Categories
  • Purpose of Processing: Send relevant communications (transactional), comply with legal obligations, prevent fraud.
  • Legal Basis (GDPR Article 6): Legal obligation; Legitimate interest; Consent (for marketing).
  • Example: We send you service notifications (e.g., password reset confirmations) to ensure secure account management (legitimate interest). With your consent, we might send you promotional emails. We may share data with authorities if legally required.

3. How We Share Your Data

Quick overview: We share your data only when necessary to provide our services, like with businesses you interact with or our payment providers. We never sell your personal data.

We share your data only when necessary and always in compliance with your rights. We never sell your personal data.

  • With Businesses Who Receive Your Recommendation: If you interact with a business via Fedhubs (e.g., by sending a recommendation, scanning a code), we may share limited data with that business. This includes your email (used as your ID), your first name, your optional profile picture, the content and timestamp of your interaction, and your referral or engagement data.
  • With Our Payment Providers: Your payment data is managed directly by our trusted third-party providers Lemon Squeezy, Stripe, and Paddle, who act as the Merchant of Record or payment processors. We don't directly store your credit card information.
  • With Our Service Providers: We use various third-party providers for essential services like hosting, data analytics, and customer support. Each of these providers is bound by a Data Processing Agreement (DPA) that complies with Article 28 of the GDPR, ensuring strict contractual obligations regarding data confidentiality and security.
  • With Agencies Using Fedhubs Pro+: If a business uses Fedhubs Pro+ through an agency, that agency may also access the shared data related to that specific business. These agencies are also subject to contractual obligations regarding data protection.
  • With Legal Authorities: If required by law or to protect our legitimate rights and interests.

When data is shared with merchants or agencies, Fedhubs remains the Data Controller for the data we collect and process on their behalf. Merchants or agencies are bound by our Terms of Service not to export, resell, or misuse any personal data. They may only use it to engage with you within the platform and must respect their own GDPR obligations.

4. International Data Transfers

Quick overview: For most data, it stays in the EU. For Fedhubs Pro+, we use strong legal and technical safeguards to protect your data if it's transferred outside the EU.

For Fedhubs and Fedhubs Pro, all personal data of users located in the European Economic Area (EEA) is collected, hosted, and processed exclusively on servers located within the European Union.

For Fedhubs Pro+, which is operated in white-label by Boomerangme under a Data Processing Agreement (DPA), your data may be transferred outside the EEA. We ensure appropriate safeguards are in place for such transfers:

  • A Data Processing Agreement (DPA) signed with Boomerangme ensures full compliance with the GDPR.
  • We use Standard Contractual Clauses (SCCs), specifically the latest versions approved by the European Commission, to guarantee conformity with Articles 28 and 46 of the GDPR.
  • Your data is protected by robust technical and organizational measures, including AES-256 encryption for data at rest, TLS 1.2/1.3 for data in transit, multi-factor authentication, regular audits, and secure logging.
  • We maintain a register of our sub-processors for all data processing activities. This register is available upon request by contacting our DPO. You may also request a copy of the DPA and the transfer clauses by contacting our DPO at [email protected].

5. Security Measures

Quick overview: We take security seriously! We use encryption, strict access controls, 24/7 monitoring, and regular security tests to protect your data.

We implement robust, industry-standard technical and organizational security measures to protect your data from unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption: We use industry-standard encryption protocols for data protection. This includes AES-256 encryption for data at rest and TLS 1.2/1.3 with strong cipher suites (e.g., AES-256-GCM) for data in transit, ensuring secure communication. We also employ asymmetric encryption for backups.
  • Access Control: Access to our systems and databases containing personal data is strictly controlled. It's secured by mandatory multi-factor authentication (MFA), such as app-based authenticators or hardware tokens. We also conduct quarterly reviews of access rights to ensure least privilege principles are maintained.
  • Real-time Monitoring & Logging: Our systems are subject to real-time security monitoring using a Security Information and Event Management (SIEM) system to detect anomalies and potential security incidents promptly. Comprehensive security logs are retained for 90 days, and access logs for 12 months, providing essential audit trails. Automated alerts are configured for suspicious activities, enabling our security team to respond 24/7 with a guaranteed response time of less than 2 hours for critical incidents. We also maintain a detailed incident response plan (playbook).
  • Regular Assessments: We regularly review and update our security practices, including conducting periodic external penetration tests and vulnerability assessments by independent third parties, to adapt to evolving threats and maintain a high level of data protection.

However, please be aware that no system can guarantee 100% security.

6. How Long We Keep Your Data

Quick overview: We only keep your data for as long as needed for its purpose or to meet legal requirements.

We retain your personal data only for as long as necessary for the specific purposes for which it was collected, or to comply with our legal obligations. The retention periods are determined based on the nature of the data, the purpose of the processing, and legal or regulatory requirements.

Identification Data
  • Main Purpose: User authentication and profile
  • Retention Period: Until account deletion
  • Criteria for Determination: Data is kept as long as you're an active user of our services to maintain your profile and access. Deleted upon request or account inactivity.

Interaction Data
  • Main Purpose: Gamification and lead tracking
  • Retention Period: 2 years of activity (configurable)
  • Criteria for Determination: Data is retained to track ongoing user engagement and loyalty programs, allowing businesses to understand customer behavior over a reasonable period.

Usage Data
  • Main Purpose: UX improvement and security
  • Retention Period: 6 months after last visit
  • Criteria for Determination: Necessary for analyzing platform performance, identifying trends, and improving service design based on recent user activity. Also used for security incident investigation.

Payment Records
  • Main Purpose: Billing (third-party processors)
  • Retention Period: Up to 10 years (as required by tax obligations)
  • Criteria for Determination: Legal and tax obligations often require retaining financial transaction records for a period of up to 10 years.

Email & Recommendation History
  • Main Purpose: Account activity
  • Retention Period: As long as your email is active or until your deletion request
  • Criteria for Determination: Essential for maintaining your user history, allowing you to access past recommendations and for us to provide continuous service. Deleted upon your request to remove your email or account deletion.

7. Your Rights

Quick overview: You have rights over your data, like seeing what we hold, correcting it, or asking us to delete it. We've made it easy to exercise these rights.

Under the GDPR, you have strong rights regarding your personal data. We're committed to helping you exercise these rights.

✉️ Exercising Your Rights

In accordance with the General Data Protection Regulation (GDPR), you have the following rights: the rights of access, rectification, objection, restriction, erasure (right to be forgotten), and portability of your data.

👥 For Individual Users (Fedhubs Application)

You can manage your personal data, including deleting it, directly within the application via the menu [My Account > Manage My Data]. This gives you direct control over your personal information.

🧑‍💼 For Merchants and Professionals (Fedhubs Pro & Pro+)

For any request concerning your personal data (access, rectification, deletion, etc.), please contact us at the following address:
📧 [email protected]

We respond to all requests within a maximum of one (1) month from receipt of the request, in accordance with Article 12 of the GDPR. This period may be extended by a further two months (making a total maximum of three months) where necessary, considering the complexity and number of the requests. In such a case, we'll inform you of any such extension within one month of receipt of the request, along with the reasons for the delay.

In case of disagreement or absence of response, you can lodge a complaint with the CNIL:
Commission Nationale de l’Informatique et des Libertés (CNIL)
3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
https://www.cnil.fr – +33 (0)1 53 73 22 22
🔗 File a complaint online: https://www.cnil.fr/fr/plaintes

8. Minors

Our services aren't intended for individuals under 16 years of age. If we discover that we've collected personal data from a minor under 16 without appropriate parental consent, we'll take steps to delete that information promptly.

9. Data Protection Officer (DPO)

While appointing a Data Protection Officer (DPO) may not be legally mandatory for all our processing activities under GDPR, we've voluntarily designated a DPO to reinforce our commitment to data protection and to provide a dedicated contact point for data privacy matters.

You can contact our Data Protection Officer at:
📧 [email protected]

10. Changes to This Policy

We may update this Privacy Policy as needed to reflect changes in our practices or legal requirements. We'll notify you of any material changes by posting the updated policy on our website or by other appropriate communication channels. Your continued use of our services after such changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have any questions or concerns about this Privacy Policy or your personal data, please contact us at:
📧 [email protected]

For Specific Privacy Policies for Each Platform:

This general policy applies across all our platforms. For more detailed information specific to the platform you're using, please refer to the dedicated Privacy Policy:

Last update: Aug 22, 2025