Privacy Policy

Last updated: September 9, 2025

Overview

COSMOPOLITAN Sri Lanka (“we,” “our,” or “us”) is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

This policy complies with the Sri Lankan Personal Data Protection Act No. 9 of 2022 (PDPA) and the European Union General Data Protection Regulation (GDPR) to ensure comprehensive protection of your personal data.

Information We Collect

Personal Information You Provide

  • Contact Information: Name, email address, and phone number when you subscribe to our newsletter or contact us
  • Account Information: Username, password, and profile information when you create an account
  • Communication Data: Messages, comments, and feedback you provide

Information Automatically Collected

  • Usage Data: Pages visited, time spent, click patterns, referring websites
  • Device Information: IP address, browser type, operating system, device identifiers
  • Cookies and Tracking: See our Cookie Policy for detailed information

How We Use Your Information

We process your personal information for the following legitimate purposes:

  • Service Provision: To provide, maintain, and improve our content and services
  • Communication: To send newsletters and updates, and to respond to inquiries
  • Analytics: To understand user behavior and improve website performance
  • Legal Compliance: To comply with applicable laws and regulations
  • Security: To protect against fraud, abuse, and security threats

Legal Basis for Processing

Under GDPR and Sri Lankan PDPA, we process your personal data based on:

  • Consent: When you voluntarily provide information or agree to cookies
  • Legitimate Interest: For analytics, security, and website improvement
  • Legal Obligation: To comply with applicable laws and regulations
  • Contract Performance: To provide services you have requested

Lawful Bases and Retention Schedule

We match each purpose to a lawful basis and retention period under GDPR/PDPA:

Newsletters & Accounts

  • Lawful basis: Consent (marketing opt‑in) or Contract (account servicing)
  • Retention: Until unsubscribe or account deletion; backups per legal requirements

Analytics & Security

  • Lawful basis: Legitimate Interests (site performance, fraud prevention)
  • Retention: Up to 26 months (aggregated thereafter)

Advertising & Affiliates

  • Lawful basis: Consent (marketing cookies) and Legitimate Interests (brand safety, measurement)
  • Retention: Up to 24 months depending on partner

Customer Support & Legal

  • Lawful basis: Legitimate Interests and Legal Obligation
  • Retention: 3 years from last contact or longer where law requires

Your Rights

Under GDPR and Sri Lankan PDPA, you have the following rights:

Right to Access

Request copies of your personal data

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data

Right to Object

Object to processing of your data

Right to Portability

Transfer your data to another service

Right to Withdraw Consent

Withdraw consent at any time

Data Security

We implement appropriate technical and organizational security measures to protect your personal information:

  • Encryption of data in transit and at rest
  • Regular security assessments and monitoring
  • Access controls and staff training
  • Incident response procedures

Data Retention

We retain personal information only as long as necessary for the purposes outlined in this policy:

  • Newsletter subscriptions: Until you unsubscribe
  • Analytics data: 26 months from collection
  • Contact inquiries: 3 years from last contact
  • Legal compliance: As required by applicable law

Third-Party Sharing

We may share your information with trusted third parties in the following circumstances:

  • Service Providers: Analytics, hosting, and marketing platforms
  • Legal Requirements: When required by law or legal process
  • Business Transfers: In connection with mergers or acquisitions
  • Hearst Media: We may share data with Hearst Magazine Media, Inc., our parent company, for business operations and content development
  • Consent: When you have given explicit consent

Advertising, Sponsored Content, and Affiliate Links

Some pages contain affiliate links and/or sponsored content. If you purchase through these links, we may earn a commission at no extra cost to you. Such content is labeled and separated from editorial. Any tracking associated with advertising/affiliates relies on Marketing cookies and will only run with your consent. Measurement and brand‑safety processing follow our legitimate interests where permitted.

Data Transferability

In certain circumstances, your personal data may be transferred to:

  • Hearst Magazine Media, Inc.: Our parent company may access your data for business operations, content development, and legal compliance
  • Future Licensees: In the event of a business transfer, merger, or change in ownership, your data may be transferred to the new entity with appropriate safeguards
  • Service Providers: Trusted third-party service providers who assist in our operations under strict data protection agreements

All data transfers are conducted with appropriate legal safeguards and in compliance with applicable data protection laws.

PDPA Alignment, Cross‑Border Transfers and DSAR Instructions

We align with the Sri Lankan Personal Data Protection Act No. 9 of 2022 (PDPA). Where we transfer personal data outside Sri Lanka or the EU/UK, we implement appropriate safeguards such as contractual clauses and strict access controls. You may request details of the transfer mechanisms by contacting our Data Protection Officer.

How to Exercise Your Rights (DSAR)

  1. Submit your request via our dedicated portal: /user-rights.
  2. We acknowledge within 72 hours and respond within 30 days (extendable where permitted by law).
  3. We verify identity, process your request, and deliver securely. Deletions include a 30‑day grace period to reverse if requested.

Complaints & Supervisory Authorities

You have the right to lodge a complaint with the Data Protection Authority of Sri Lanka. If you are in the EU/UK, you may also complain to your local supervisory authority. We encourage contacting us first so we can resolve your concerns quickly.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Data Protection Officer

Email: privacy@cosmopolitanlk.com

Editorial Office:

TRIBAL LANKA PRIVATE LIMITED bearing registration No. PV131904, a limited liability company incorporated under the Companies Act No. 07 of 2007 and having its registered office at 32A, First Lane Jambugasmulla Road, Nugegoda.

This publication is operated by Tribal Lanka Private Limited by permission of Hearst Magazine Media, Inc., New York, NY, United States of America.