Privacy Policy
Graviti Platforms (Pvt) Ltd., trading as Graviti Studio ("we", "us", "our"), is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what information we collect, how we use it, and the rights you have in relation to it. It applies to all visitors to our website and to clients who engage our services.
1. Who We Are
Graviti Platforms (Pvt) Ltd. is a company incorporated in Sri Lanka, operating as a full-service digital marketing and creative agency under the trading name Graviti Studio. We are the data controller for personal data collected through this website. If you have any questions about how we handle your data, contact us at privacy@graviti.studio.
2. What Data We Collect
Information you provide directly
- Contact form submissions, name, email address, company name, project budget, message content, and your detected country of origin (derived from your IP address at the time of submission, used for business context and lead qualification).
- Email correspondence, any personal data contained in emails you send to us.
Information collected automatically
- Usage data, pages visited, time spent on pages, referral sources, and general browsing behaviour, collected via analytics tools.
- Technical data, IP address, browser type and version, device type, operating system, and timezone.
- Geolocation data, your approximate country of origin, derived from your IP address on your first visit. This is used solely to display prices in your local currency. Your IP address is transmitted to IPinfo (ipinfo.io) for this lookup and is not stored by us. No location data more precise than country level is collected or retained.
- Cookies, see Section 6 below for full details.
3. How We Use Your Data
We use the data we collect to:
- Respond to enquiries and manage client relationships
- Deliver and improve our services
- Analyse website traffic to improve performance and content
- Comply with legal obligations
- Send service-related communications (not marketing, unless you consent)
4. Legal Basis for Processing
We process personal data in accordance with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka ("PDPA") and any other applicable data protection legislation. We rely on the following bases for processing:
- Contract, processing necessary to fulfil a contract with you, or to take steps at your request before entering into a contract.
- Legitimate interests, processing necessary for our legitimate business interests (e.g. website analytics, fraud prevention), where these do not override your rights and freedoms.
- Legal obligation, processing required to comply with applicable Sri Lankan law.
- Consent, where you have given explicit consent (e.g. marketing emails, non-essential cookies).
For clients and data subjects located in the European Union or United Kingdom, we also maintain equivalent standards of protection consistent with the EU GDPR and UK GDPR respectively.
5. Who We Share Your Data With
We do not sell your personal data. We may share data with trusted third-party service providers who process it on our behalf, including:
- Supabase, Inc., database infrastructure for lead capture
- Sanity AS, content management infrastructure
- Vercel, Inc., website hosting and deployment
- Google LLC (Google Analytics), website analytics. Google Analytics collects anonymised usage data (pages visited, session duration, device type, referral source) via cookies. Data is processed in accordance with Google's data processing terms. IP anonymisation is enabled. See Google's Privacy Policy.
- IPinfo (ipinfo.io), IP geolocation service used to detect your country on first visit for the purpose of displaying prices in your local currency. Only your IP address is transmitted; no personal data beyond country-level location is returned or stored by us. IPinfo is GDPR-compliant. See IPinfo's Privacy Policy.
All third-party processors are contractually required to handle your data securely and only for the purposes we specify. Where personal data is transferred internationally, we ensure appropriate safeguards are in place in accordance with the PDPA and applicable law.
6. Cookies
Our website uses cookies, small text files stored on your device. We use the following categories:
- Strictly necessary cookies, required for the website and client portal to function. These cannot be disabled.
- Analytics cookies, help us understand how visitors use the site. Only set with your consent.
- Preference cookies, remember your settings and choices between visits.
You can manage your cookie preferences at any time via your browser settings. Disabling analytics cookies will not affect your ability to use the website. See our full Cookie Policy for details.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy:
- Contact enquiries, 2 years from last contact, unless a contract is entered into.
- Client data, for the duration of the engagement and 6 years thereafter for legal and accounting purposes.
- Website analytics, aggregated data retained for 26 months.
8. Your Rights
Under the PDPA and applicable law, you may have the following rights regarding your personal data:
- Access, request a copy of the personal data we hold about you.
- Rectification, request correction of inaccurate or incomplete data.
- Erasure, request deletion of your data where we have no lawful reason to retain it.
- Restriction, request that we limit how we use your data.
- Portability, receive your data in a structured, machine-readable format.
- Objection, object to processing based on legitimate interests.
- Withdraw consent, where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email privacy@graviti.studio. We will respond within 30 days. You also have the right to lodge a complaint with the Data Protection Authority of Sri Lanka, or with the supervisory authority in your country of residence if you are located outside Sri Lanka.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. Access to client data is restricted to authorised personnel only.
10. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects when it was last revised. Continued use of our website after changes are posted constitutes acceptance of the updated policy.
11. Contact
For any privacy-related queries, contact us at privacy@graviti.studio or write to us at Graviti Platforms (Pvt) Ltd., at our registered address in Sri Lanka.