Effective Date: May 2025

Introduction

State Mortgage & Investment Bank ("SMIB", "we", "us", or "our") is committed to protecting your privacy and handling your personal data securely. This Policy explains how we collect, use, store, and disclose your information when you visit our website (www.smib.lk) or use our products and services. SMIB operates in accordance with the Personal Data Protection Act No. 9 of 2022 and adheres to international best practices, including principles similar to those under the EU General Data Protection Regulation (GDPR).

By accessing our website or using our services, you consent to the practices described in this Policy. We encourage regular review of this document to stay up to date with any changes.

Scope of Policy

This Policy applies to all customers, prospective customers, and visitors to our digital platforms. It covers personal information collected directly from you and automatically through your interactions with our services, both online and offline.

Personal Data We Collect

Information You Provide

When you interact with SMIB—whether by filling out forms, submitting documents, or communicating with our representatives—we collect personal data including:

Identification Details:

• Full name
• Title
• Date of birth
• National Identity Card (NIC) or passport number
• Account numbers and customer ID

Contact Details:

• Postal address
• Email address
• Telephone and mobile numbers

Financial Information:

• Income and employment details
• Account balances and transaction history
• Credit history
• Loan and mortgage details

Usage & Preferences:

• Product preferences and feedback
• Information shared through surveys, inquiry forms, or other communications

Note:Sensitive personal data (such as religious beliefs, genetic data, or health information) are only collected when necessary for a specific service and with your explicit consent.

Information Collected Automatically

Our systems may also gather the following information as you use our digital platforms:

Technical Data:

• IP address
• Browser type and version
• Device identifiers
• Operating system and referring website

Usage Data:

• Pages visited and time spent on our site
• Access dates/times
• Cookies and tracking information (detailed in our Cookie Policy)

Digital Application Data:

• Login timestamps and actions on our online banking platforms

Data from Third Parties

To enhance our verification and service delivery, we may collect relevant information from trusted external sources, such as:

• Credit Information Bureau of Sri Lanka (CRIB)
• Government registries and publicly available records
• Referrals provided during product applications
• Service partners (e.g., mobile payment platforms or insurance affiliates)

How We Use Your Data

Your personal information is essential for providing our services and ensuring compliance with legal requirements. Key uses include:

Service Delivery:

• Processing applications and transactions (e.g., opening accounts, granting loans)
• Verifying your identity (including meeting KYC requirements)

Customer Experience & Management:

• Maintaining and servicing your accounts
• Personalizing product offerings and website content
• Managing communications, including billing and notifications

Compliance and Security:

• Meeting regulatory and legal obligations (AML, tax reporting, court orders)
• Monitoring for fraud, unauthorized activity, and quality assurance
• Managing internal research and system improvements

Marketing (with Consent):

• Informing you about new products, promotions, or customer benefits
• Allowing you to opt out of marketing communications at any time

Legal Basis for Processing

SMIB processes personal data on various legal grounds, including:

• Contractual Necessity:To perform services you have requested.
• Legal Obligations:To comply with statutory and regulatory requirements.
• Legitimate Interests:Such as system security, fraud prevention, and business improvement, provided these do not override your fundamental rights.
• Consent:Where explicit permission is needed (for instance, direct marketing communications).
• Public Interest or Authority:In rare cases prescribed by law or as directed by governmental authorities.

Data Sharing and Disclosure

We maintain strict confidentiality and do not sell or rent your data. Your information may be shared only when necessary to deliver services or comply with legal requirements. Typical disclosures include:

• Service Providers and Business Partners:Entities assisting in IT support, payment processing, cloud storage, marketing, and customer support.
• Affiliates and Related Organizations:For example, in joint products like bancassurance or government-sponsored loan schemes.
• Credit Bureaus:Information may be shared with CRIB and other financial institutions for credit reporting.
• Regulatory and Legal Authorities:Such as the Central Bank of Sri Lanka, law enforcement, and tax authorities.
• Corporate Transactions:In the case of mergers, acquisitions, or restructuring, subject to strict data protection conditions.
• With Your Consent:When you authorize us to share certain data with a third party (e.g., for visa applications).

International Data Transfers

Although SMIB primarily operates in Sri Lanka, your information may occasionally be processed in other countries. In such cases, we ensure:

• The destination country provides an adequate level of data protection, or
• Appropriate contractual safeguards (e.g., standard contractual clauses) are in place, or
• Your explicit consent is obtained for the transfer.

Data Security

Your data security is paramount. SMIB employs robust technical and organizational measures to prevent unauthorized access, use, or disclosure. Our safeguards include:

• Encryption:Using SSL (256-bit encryption) for secure data transmission.
• Firewalls and Network Monitoring:Protecting internal systems from unauthorized access.
• Access Controls:Limiting data access to authorized personnel only.
• Authentication Mechanisms:Incorporating two-factor or biometric authentication for online services.
• Regular Security Evaluations:Periodic vulnerability assessments, antivirus updates, and testing of our security infrastructure.
• Physical Security:Secured storage for physical records and controlled access facilities.

In the unlikely event of a data breach, we have a response plan that complies with legal reporting requirements and notifies affected individuals promptly.

Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes it was collected for or to meet legal and regulatory requirements. Specific guidelines include:

• Account and Transaction Data:Maintained for the life of your account and a defined period afterward as required by law.
• Application Records:Preserved for auditing and legal purposes even if the application did not result in an active service.
• Short-term Data:Information collected for specific purposes (e.g., marketing campaigns) is deleted or anonymized once that purpose has been served.

Your Rights Under the Law

You have certain rights regarding the personal data we hold about you. These include:

• Right to Access:Request details about the personal data we process and obtain a copy.
• Right to Rectification:Request correction of any inaccurate or incomplete information.
• Right to Erasure:Ask for deletion of your data, subject to legal limitations.
• Right to Object:Challenge the processing of your data based on our legitimate interests.
• Right to Restrict Processing:Ask that we limit the processing of your information while an investigation is underway.
• Right to Data Portability:Obtain your data in a structured, machine-readable format for transfer to another service provider.
• Right to Withdraw Consent:Revoke your consent for data use (e.g., marketing communications) at any time.
• Right to Lodge a Complaint:Contact the Sri Lankan Data Protection Authority or another relevant supervisory body if you believe your rights have been infringed.

To exercise any of these rights, please contact us using the details provided below. We may require identity verification and will endeavor to respond within 21 working days.

Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your experience. These technologies help us:

• Recognize returning visitors
• Retain user preferences
• Analyze website traffic and improve service quality

You can control cookies via your browser settings; however, disabling them may impact website functionality. For more information, please refer to our Cookie Policy.

Links to Third-Party Sites

Our website may contain links to external sites. Please note:

• We are not responsible for the privacy practices or content of these third-party sites.
• We recommend reviewing each site’s privacy policy before providing any personal information.

Changes to This Policy

We may update this Policy periodically to reflect changes in our practices, technologies, or legal obligations. The current version will always be posted on our website, with any significant changes communicated through appropriate channels.

Contact Us

If you have any questions, require further clarification, or wish to exercise your rights under this Policy, please contact our Compliance Department at:

State Mortgage & Investment Bank
No. 269, Galle Road, Colombo 03, Sri Lanka
Email: info@smib.lk
Tel: +94 11 7722722