PRIVACY POLICY


Effective Date: 1 June 2026


At little ("little", "we", "our", or "us"), we are committed to protecting the privacy, dignity, rights, and security of individuals whose information we collect, process, or store. This Privacy Policy explains how we collect, use, disclose, protect, and manage personal information obtained through our website, littleimpact.co ("Site"), our communications, research activities, consultancy services, stakeholder engagements, and other related operations.


We recognise that privacy is closely linked to human dignity, autonomy, safety, trust, and the responsible use of technology. As a sustainable impact enterprise, we are committed to ensuring that personal information is handled lawfully, ethically, transparently, and securely.


This Privacy Policy is intended to comply with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka (PDPA). It reflects internationally recognised principles relating to privacy, data protection, cybersecurity, responsible innovation, safeguarding, and ethical data governance.


By accessing or using our Site, you acknowledge that you have read and understood this Privacy Policy.


1. Information We Collect


We may collect and process the following categories of information.


1.1 Information You Provide Directly


This may include:


  1. Name

  2. Email address

  3. Telephone number

  4. Organization name

  5. Position or designation

  6. Professional information

  7. Information contained in correspondence, inquiries, forms, surveys, assessments, consultations, interviews, or stakeholder engagements

  8. Any other information voluntarily submitted to us


1.2 Information Collected Automatically


When you visit our Site, we may automatically collect certain information, including:


  1. IP address

  2. Browser type and version

  3. Device information

  4. Operating system

  5. Website activity

  6. Pages viewed

  7. Session duration

  8. Referral sources

  9. Geographic region

  10. Cookie identifiers

  11. Analytics information


1.3 Research, Consultation and Engagement Data


As part of our work, we may collect information through:


  1. Research studies

  2. Assessments

  3. Surveys

  4. Focus group discussions

  5. Consultations

  6. Interviews

  7. Stakeholder engagements

  8. Capacity-building programmes


Where such information is collected, participants will be informed of the purpose of collection and any applicable confidentiality arrangements.


2. Our Commitment to Data Minimisation


We seek to collect only the minimum amount of personal information reasonably necessary to fulfill legitimate operational, contractual, legal, research, safeguarding, service delivery, or business purposes.


We do not knowingly collect excessive, unnecessary, or irrelevant personal information.


3. How We Use Personal Information


We may use personal information for purposes including:


  1. Responding to inquiries

  2. Providing consultancy and advisory services

  3. Delivering programmes, research, assessments, and technical assistance

  4. Managing client and stakeholder relationships

  5. Improving our website and user experience

  6. Monitoring website performance

  7. Conducting analytics and reporting

  8. Producing aggregated research findings

  9. Sending newsletters, updates, publications, invitations, or marketing communications where permitted

  10. Complying with legal obligations

  11. Protecting our systems, personnel, clients, and stakeholders

  12. Supporting safeguarding, ethical compliance, and risk management functions


4. Legal Basis for Processing


Where required by applicable law, we process personal information based on one or more of the following grounds:


  1. Consent

  2. Performance of contractual obligations

  3. Legitimate business interests

  4. Compliance with legal obligations

  5. Protection of vital interests

  6. Public interest activities where applicable


5. Marketing Communications


We may communicate information relating to our services, events, publications, opportunities, research, or activities where:


  1. You have requested such information.

  2. You have consented to receive communications, or

  3. Such communication is otherwise permitted by law.


You may withdraw consent or unsubscribe at any time.


6. Cookies and Analytics Technologies


Our Site uses cookies and similar technologies to improve functionality, enhance user experience, and understand how visitors interact with our website.


We currently utilise Google Analytics 4 (GA4) and may use similar analytics technologies in the future.


These tools may collect information including:


  1. Device characteristics

  2. Browser information

  3. Pages visited

  4. Session duration

  5. User interactions

  6. Referral traffic

  7. Geographic region


We do not use analytics technologies to identify individuals by name or exact address.


Users may manage cookie preferences through browser settings.


7. Artificial Intelligence and Automated Technologies


Little may utilise artificial intelligence (AI), machine learning systems, automated digital tools, and related technologies to support:


  • Research

  • Analysis

  • Administrative functions

  • Drafting assistance

  • Knowledge management

  • Data organization

  • Operational efficiency


All significant decisions affecting individuals remain subject to appropriate human oversight and professional judgment.


We do not knowingly use personal information, confidential information, proprietary materials, or client data to train publicly accessible artificial intelligence models without appropriate authorisation.


8. Automated Decision-Making


Little does not currently use automated decision-making systems that produce legal or similarly significant effects on individuals without meaningful human review.


Should this practice change, affected individuals will be informed where required by applicable law.


9. Sharing and Disclosure of Information


We do not sell, rent, trade, license, or otherwise commercially exploit personal information.


We may share information with:


  1. Website hosting providers

  2. Cloud service providers

  3. Analytics providers

  4. Email service providers

  5. Professional advisers

  6. Technology vendors

  7. Regulatory authorities

  8. Law enforcement agencies

  9. Courts or tribunals where legally required


Such disclosures are limited to legitimate operational, legal, contractual, or security purposes.


10. International Transfers


Certain service providers engaged by little may process or store information outside Sri Lanka.


Where international transfers occur, we take reasonable steps to ensure that appropriate safeguards are implemented and that personal information is protected to an adequate level consistent with applicable legal requirements.


11. Research Ethics, Anonymisation and Aggregated Data


  1. Little may use anonymised, de-identified, or aggregated information for:

  2. Research

  3. Learning

  4. Reporting

  5. Monitoring and evaluation

  6. Statistical analysis

  7. Publications

  8. Knowledge generation


Such information will not be used to identify individuals.


Where confidentiality commitments have been provided, we will seek to honour those commitments subject to applicable legal obligations.


12. Sensitive Information


Given the nature of our work, we may occasionally receive information relating to:


  1. Gender

  2. Disability

  3. Migration

  4. Social protection

  5. Safeguarding concerns

  6. Human rights issues

  7. Vulnerability or protection risks


Where sensitive information is processed, we seek to apply additional safeguards proportionate to the level of risk involved.


Individuals are encouraged not to submit sensitive personal information unless reasonably necessary for the relevant purpose.


13. Safeguarding and Protection of Vulnerable Groups


Little recognises that certain individuals and communities may face heightened risks arising from misuse, disclosure, or unauthorised access to personal information.


Where our work involves:


  1. Children

  2. Women and girls

  3. Persons with disabilities

  4. Migrant workers

  5. Survivors of violence

  6. Older persons

  7. Vulnerable populations


We seek to apply enhanced privacy, confidentiality, safeguarding, and risk mitigation measures to protect their safety, dignity, and rights.


14. Information Security and Cybersecurity


We maintain appropriate technical, administrative, and organisational safeguards designed to protect personal information against:


  1. Unauthorized access

  2. Accidental loss

  3. Destruction

  4. Misuse

  5. Disclosure

  6. Alteration


These safeguards may include:


  1. Access controls

  2. Password protection

  3. Secure cloud storage

  4. Encryption where appropriate

  5. Vendor security reviews

  6. Monitoring and risk management measures


While no system can guarantee absolute security, we continually seek to strengthen our cybersecurity practices.


15. Data Breach Management


In the event of an actual or suspected data breach, Little will take reasonable steps to:


  1. Investigate the incident

  2. Contain and mitigate risks

  3. Assess impacts

  4. Implement corrective measures

  5. Notify relevant parties where required by law


16. Data Retention


Personal information is retained only for as long as reasonably necessary to:


  1. Fulfil the purposes described in this Privacy Policy;

  2. Deliver services;

  3. Maintain records;

  4. Meet contractual obligations;

  5. Comply with legal and regulatory requirements.


When information is no longer required, it will be securely deleted, anonymised, archived, or otherwise disposed of in accordance with our data management practices.


17. Your Rights


Subject to applicable law, you may have the right to:


  1. Request access to personal information held about you;

  2. Request correction of inaccurate information;

  3. Request deletion of information where appropriate;

  4. Withdraw consent;

  5. Object to certain processing activities;

  6. Request information regarding how your data is processed.

  7. Raise concerns regarding privacy practices.


Requests may be submitted using the contact information below.


18. Children's Privacy


Our Site is not intended for children under the age of 18.


We do not knowingly collect personal information from children without appropriate legal authorization, parental consent, or other lawful basis where required.


19. Third-Party Websites


Our Site may contain links to third-party websites.


We are not responsible for the privacy practices, content, security, or policies of external websites and encourage users to review their respective privacy notices.


20. Privacy by Design and Responsible Innovation


Little seeks to integrate privacy, security, safeguarding, ethical considerations, and responsible data governance into the design, development, review, and implementation of our systems, services, projects, and digital tools wherever reasonably practicable.


As emerging technologies continue to evolve, we remain committed to responsible innovation that respects privacy, human rights, equity, safety, and public trust.


21. Changes to this Privacy Policy


We may update this Privacy Policy from time to time to reflect changes in our operations, legal obligations, technology, or best practices.


Updated versions will be published on this page together with the revised effective date.


Continued use of our Site following publication of updates constitutes acceptance of the revised Privacy Policy.


22. Contact Us


If you have any questions regarding this Privacy Policy, your personal information, or your privacy rights, please contact:

little (Private) Limited
Email: hello@littleimpact.co
Website: littleimpact.co

Contact

076 797 4468

hello@littleimpact.co

privacy policy