Privacy Policy
Last updated: May 6, 2026
This Privacy Policy describes how MKB Supermarket ("MKB", "we", "us") collects, uses, and shares information when you use the MKB website (mkb.lk) and the MKB mobile applications for Android and iOS (collectively, the "Services").
1. Information we collect
Information you provide
- Mobile number — used as your account identifier and to send you a one-time password (OTP) for verification.
- Name — to address you in receipts and order updates.
- NIC (optional) — for membership and credit account verification only.
- Delivery addresses — including label, street, GPS coordinates and instructions you save.
- Order history and cart contents.
Information collected automatically
- Device information — model, OS version, app version, language, and a stable device identifier we generate locally (not the platform advertising ID).
- Push notification token issued by Firebase Cloud Messaging (Android) or Apple Push Notification service (iOS), used solely to deliver order status notifications.
- Approximate location — only when you grant permission and only to suggest the nearest branch or auto-fill a delivery address.
- Photos — only when you actively attach them to a delivery request, complaint, or profile picture.
- Usage logs — page views, action timestamps, and IP address, used for fraud prevention and service health.
2. How we use your information
- Authenticate you via OTP and keep you signed in.
- Process orders, deliveries, refunds, and customer support.
- Send you transactional notifications (order received, packed, on the way, delivered).
- Operate loyalty, membership, and credit-account features.
- Comply with our tax, accounting, and legal obligations in Sri Lanka.
3. Data we do not collect
- We do not read your SMS inbox. We use Google Play Services' SMS Retriever API, which delivers only an OTP message addressed to our app; no other SMS is exposed.
- We do not track you across other companies' apps (no IDFA tracking).
- We do not collect health, fitness, financial, or biometric data.
4. Sharing your information
We share information only with:
- Delivery partners (e.g., Uber, PickMe) when an order is dispatched — only the recipient name, phone number, and delivery address.
- Payment processors when you pay online — they receive only the transaction reference and amount.
- Firebase Cloud Messaging / APNs as the transport for push notifications.
- Government authorities when legally required.
We do not sell your personal information.
5. Data retention
| Data | Retention |
|---|---|
| Account profile | Until you request deletion |
| Order history | 7 years (tax law) |
| Push tokens | Until you uninstall or log out |
| OTP codes | 5 minutes |
| Server logs | 90 days rolling |
6. Your choices
- Notifications: turn off in your device settings or in the MKB app's profile screen.
- Location, camera, photos: revoke any time in your device's app permissions.
- Account deletion: tap Delete account in the app, or email privacy@mkb.lk. Order records older than 30 days are retained per Sri Lanka's tax law (item 5).
7. Children
The Services are not directed to children under 16. We do not knowingly collect personal information from children under 16.
8. Security
We use TLS in transit, hashed and salted authentication tokens, and access controls in our database. Push tokens and auth tokens are stored per-device and revoked on logout.
9. Changes
We may update this Policy. The "Last updated" date at the top reflects the most recent change. Material changes will be announced in-app.
10. Contact
MKB Supermarket (Pvt) Ltd
Dehiwala, Sri Lanka
privacy@mkb.lk · 011 273 9444