Privacy Policy
Effective date: 1 May 2025
1. Who we are
Pynimox Pvt Ltd (“Pynimox”, “we”, “us”, or “our”) is an engineering and AI consultancy incorporated in Sri Lanka, operating globally with a primary focus on clients in Australia, New Zealand, and the United Kingdom. Our registered address is Colombo, Sri Lanka.
We are committed to protecting your personal information in accordance with the Australian Privacy Act 1988 (Cth), the UK General Data Protection Regulation (UK GDPR), and applicable Sri Lankan data protection legislation.
2. Information we collect
We collect personal information when you:
- Contact us or request a quote — name, email address, company name, phone number, and details about your project.
- Create a portal account — email address, password (hashed), organisation name, and billing details.
- Use our services — project scope documents, communications, deliverables, and feedback provided during engagements.
- Visit our website — IP address, browser type, pages visited, referral source, and session duration (via Plausible Analytics — a privacy-preserving, cookieless tool).
- Subscribe to communications — email address and communication preferences.
We do not collect sensitive information (e.g. health, racial origin, or biometric data) in the ordinary course of our business.
3. How we use your information
We use your personal information to:
- Respond to enquiries and provide project proposals and quotes.
- Deliver contracted services, manage projects, and communicate about your engagement.
- Process invoices and payments, and maintain financial records.
- Operate and improve our client portal and website.
- Send transactional emails (invoices, project updates, onboarding) and, where you have consented, marketing communications.
- Comply with applicable legal obligations and protect against fraud.
- Analyse aggregate, anonymised usage trends to improve our services.
We process personal data on the following legal bases: contract performance, legitimate interests (running our business, improving services), legal obligation, and consent (for marketing).
4. Information sharing
We do not sell, rent, or trade your personal information. We share data only as follows:
- Service providers — trusted third-party processors including Supabase (database hosting), Cloudflare (CDN and DNS), Resend (transactional email), Stripe (payment processing), and Vercel (web hosting). Each is bound by data processing agreements.
- AI processing — when you use our AI chat or project tools, queries may be processed by the Anthropic API. No personal data is used to train third-party AI models.
- Legal requirements — where required by law, court order, or to protect the rights and safety of Pynimox, our clients, or the public.
- Business transfers — in the event of a merger or acquisition, personal data may transfer as a business asset, subject to equivalent privacy protections.
5. International data transfers
Pynimox operates globally. Your data may be processed in Sri Lanka, Australia, the United Kingdom, the United States, and the European Economic Area. When we transfer personal data from the UK or EEA, we rely on adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.
6. Data retention
We retain personal information for as long as necessary to fulfil the purposes described in this policy:
- Client project data — 7 years from project completion (for legal and financial compliance).
- Contact and marketing data — until you withdraw consent or request deletion, or after 3 years of inactivity.
- Website analytics — anonymised/aggregated data is retained indefinitely; no personal identifiers are stored.
- Financial records — 7 years (statutory requirement under Australian tax law and UK Companies Act).
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — request correction of inaccurate or incomplete information.
- Deletion (“right to be forgotten”) — request deletion of your personal data, subject to legal retention obligations.
- Portability — receive your data in a structured, machine-readable format (UK/EEA residents).
- Restriction or objection — object to or restrict certain processing activities.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
- Complaint — lodge a complaint with your national data protection authority (e.g. the ICO in the UK, or the OAIC in Australia).
To exercise any of these rights, contact us at privacy@pynimox.com.au. We will respond within 30 days.
8. Security
We implement industry-standard technical and organisational measures to protect your information, including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, multi-factor authentication for internal systems, and regular security reviews. However, no transmission over the internet is 100% secure.
9. Cookies
Our marketing website uses no tracking cookies. Analytics are provided by Plausible Analytics, which is cookieless and does not collect personal identifiers. Our client portal uses strictly necessary session cookies to maintain your logged-in state. See our Cookie Policy for full details.
10. Children's privacy
Our services are directed to businesses and individuals aged 18 and over. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us immediately.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to active clients and via a notice on our website at least 14 days before taking effect. The “Effective date” at the top indicates the most recent revision.
12. Contact us
For privacy-related enquiries, corrections, or complaints:
Pynimox Pvt Ltd
Colombo, Sri Lanka