Privacy Policy

1. Who We Are

Commercial Accountancy Service (CAS) is a professional accountancy firm registered in Sri Lanka and regulated by the Institute of Chartered Accountants of Sri Lanka (ICASL). Our registered office is at No. 669, Galle Road, Wadduwa, Western Province, Sri Lanka.

For all matters relating to personal data, CAS is the data controller. You may contact our designated data officer at info@casfirm.com.lk.

2. Data We Collect

Information you provide directly

• Contact form: full name, company name, email address, phone number, service interest, and the content of your message.
• Client onboarding: National Identity Card (NIC) number or passport number, tax identification number (TIN), business registration number, financial statements, bank account details, payroll records, and other documents required to deliver accounting, tax, or advisory services.
• Communications: emails, letters, or phone records when you correspond with our team.

Information collected automatically

• Usage data: IP address, browser type and version, operating system, referring URL, pages visited, and time spent on each page.
• Cookies and tracking: session cookies for site functionality and analytics cookies to understand how visitors use our site (see Section 9).

Information from third parties

• Information provided by the Department of Inland Revenue, Registrar of Companies, or other government agencies in connection with our professional services on your behalf.

3. How We Use Your Data

We use the personal information we hold about you for the following purposes:

• To respond to enquiries submitted through the contact form or by phone or email.
• To provide, administer, and improve our professional accounting, tax, audit, and advisory services.
• To comply with legal and regulatory obligations, including obligations under the Inland Revenue Act No. 24 of 2017, Value Added Tax Act, and any applicable ICASL professional standards.
• To prepare and submit tax returns, financial statements, and regulatory filings on your behalf.
• To send service-related communications (appointment reminders, document requests, compliance deadlines).
• To send marketing communications where you have given us consent to do so. You may opt out at any time.
• To analyse website usage and improve the performance and content of casfirm.com.lk.
• To detect, investigate, and prevent fraudulent transactions or other illegal activities.

4. Legal Basis for Processing

We process your personal data on the following legal grounds:

• Contractual necessity: processing required to fulfil our professional services agreement with you.
• Legal obligation: processing required to comply with Sri Lankan tax law, company law, and professional accounting regulations.
• Legitimate interests: processing necessary for the legitimate interests of running our firm, including responding to enquiries and improving our services, provided such interests are not overridden by your rights.
• Consent: where we rely on your consent (e.g. marketing emails), you may withdraw that consent at any time by contacting us at info@casfirm.com.lk.

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your data only in the following circumstances:

• Government and regulatory bodies: the Department of Inland Revenue, Registrar of Companies, ICASL, or other authorities where required by law or necessary to deliver our services.
• Professional advisors: lawyers, bankers, auditors, or insurers acting in that capacity, who are bound by obligations of confidentiality.
• Service providers: trusted third-party suppliers who assist us in operating our business (e.g. cloud storage, email platform, accounting software) under strict data processing agreements that prohibit them from using your data for any other purpose.
• Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, subject to this policy or an equivalent one.
• Legal requirements: where we are required to disclose information by a court order, warrant, or other legal process.

6. Data Retention

We retain personal data for as long as is necessary to fulfil the purposes described in this policy, including any legal or regulatory requirements.

• Client records (tax returns, financial statements, correspondence): retained for a minimum of 7 years from the end of the relevant financial year, in accordance with the requirements of the Inland Revenue Act and ICASL professional guidelines.
• Contact enquiries that do not result in engagement: deleted after 12 months.
• Marketing consent records: retained until consent is withdrawn, then deleted within 30 days.
• Website analytics data: aggregated and anonymised after 26 months.

After the applicable retention period, personal data is securely deleted or anonymised.

7. Security

We take the security of your personal information seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

• Encrypted data transmission over HTTPS/TLS for all website communications.
• Access controls that restrict client data to authorised personnel on a need-to-know basis.
• Password-protected and encrypted storage for electronic client files.
• Secure physical storage for paper documents at our offices.
• Regular staff training on data security and confidentiality obligations.

No method of transmission over the internet is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. If you suspect a data breach, please contact us immediately at info@casfirm.com.lk.

8. Your Rights

You have the following rights in relation to the personal data we hold about you:

• Right of access: you may request a copy of the personal data we hold about you.
• Right to rectification: you may ask us to correct inaccurate or incomplete data.
• Right to erasure: you may request deletion of your personal data where there is no overriding legal requirement for us to retain it.
• Right to restrict processing: you may ask us to pause processing of your data in certain circumstances.
• Right to data portability: you may request that we provide your data in a structured, machine-readable format.
• Right to object: you may object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: where processing is based on your consent, you may withdraw it at any time.

To exercise any of these rights, please submit a written request to info@casfirm.com.lk. We will respond within 30 days. We may need to verify your identity before processing your request.

9. Cookies

Our website uses cookies — small text files stored on your device — to improve your browsing experience and analyse site usage. We use the following categories of cookies:

• Strictly necessary cookies: essential for the website to function. These cannot be disabled.
• Analytics cookies: help us understand how visitors interact with the site (e.g. pages visited, time on site). Data is aggregated and anonymised. These are only set if you click "Accept" on our cookie banner.
• Preference cookies: remember your choices (e.g. cookie consent decision).

You can manage or withdraw your cookie consent at any time by clearing your browser cookies and revisiting the site. You can also configure your browser to refuse all or some cookies, though this may affect site functionality.

10. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies before providing any personal information.

11. Children

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify active clients by email. Continued use of our website or services after any change constitutes your acceptance of the updated policy.

13. Contact Us