Privacy
Policy.

At MMA Beauty Barwe treat your information the way we'd treat a guest's name at the counter — with discretion. This policy explains what we collect, why, and how you can ask for it back.

We comply with the Sri Lankan Personal Data Protection Act and aim to meet international good practice for small e-commerce maisons.

MMA Beauty Bar is a small, family-run cosmetics maison based in Sri Lanka. We are the “data controller” for any information you share with us through this site or our WhatsApp concierge.

You can reach us at +94 74 039 6073 for any privacy enquiry.

Only what we need to send you the order and follow up with care:

• Order details — the items in your cart, sent to us via WhatsApp message.
• Contact details — your name, phone number, and delivery address (shared by you in the chat).
• Payment confirmation — a transfer reference or last 4 digits of a card, never the full card number.
• Basic site analytics — anonymous page views & device type, kept aggregate.

We don't ask for, store, or want any sensitive information beyond this — no national IDs, no health data, no banking credentials.

To fulfil your order — pick, pack, dispatch, confirm. To send the occasional thank-you note. To verify authenticity claims if a question comes up. That's it.

We do not sell, rent, or trade your information. Ever. The maison would close before we did that.

Order records and contact details live in our Supabase-hosted database — encrypted at rest and accessed only by authorised staff with username + password authentication.

WhatsApp messages stay in the WhatsApp Business client, end-to-end encrypted per their policy. We back up order data within Sri Lanka when feasible, and within audited cloud regions otherwise.

Strictly the people who help us deliver:

• Our courier partners — receive only your name, address, and phone for the delivery.
• Supabase — our database provider, processes data on our behalf with industry-standard safeguards.
• WhatsApp / Meta — the chat platform itself, governed by their privacy policy.

We'll disclose information if compelled by a court order or by Sri Lankan law — and we'll tell you if we're allowed to.

We use a minimal set of first-party cookies to remember your bag between visits and to keep you signed in if you're on the admin panel. We do not use third-party advertising trackers.

You can block or clear cookies at any time in your browser — though your bag will reset if you do.

Order records: 7 years for tax and audit reasons. Marketing contact data: until you ask us to delete it. Anonymous analytics: 26 months rolling.

You can, at any time:

• Ask what we have on you — we'll send it within 30 days.
• Ask us to correct anything wrong.
• Ask us to delete your details (subject to tax-retention above).
• Ask us to stop messaging you.

Send any request to the WhatsApp number above. We respond personally, not via a ticket system.

The site and products are intended for adults aged 18 and over. We don't knowingly collect information from anyone under 18. If you believe we have, please write to us and we'll remove it immediately.

We'll update this page when something material changes — and bump the “Effective” date at the top. For substantive changes that affect existing customers, we'll also send a WhatsApp note.

Privacy enquiries, data requests, or anything else on this page — WhatsApp +94 74 039 6073.