Last Updated: January 5, 2026

Ambeon Securities (Private) Limited (“Ambeon”, “we”, “us”, or “our”) is committed to protecting the privacy and confidentiality of personal data entrusted to us.

1. Scope

This Privacy Notice applies to clients and prospective clients whose personal data is collected and processed by Ambeon for the purpose of providing our services as a licensed stockbroker, in accordance with the Personal Data Protection Act, No. 9 of 2022 of Sri Lanka (as amended) and applicable securities laws and regulations.

2. Personal Data We Collect

We may collect and process the following categories of personal data, as applicable:

• Identification data: name, NIC/passport number, date of birth, nationality.
• Contact details: address, email, telephone numbers.
• Financial and transactional data: bank account details, CDS account details, trading history, investment preferences, tax identification number, billing proof.
• Compliance data: Know You Customer (KYC), Customer Due Diligence (CDD), Anti-money laundering (AML), source of funds, sanctions screening results, affiliations to any Politically Exposed persons (PEPs).
• Technical data: IP address, device information, website usage data.
• Employment or corporate data (where applicable).

3. Purposes of Processing

Personal data is processed for legitimate business and regulatory purposes, including:

• Opening and maintaining client accounts and executing securities transactions;
• Compliance with laws, regulations, directives, and guidelines issued by regulators including the Securities and Exchange Commission of Sri Lanka and the Colombo Stock Exchange; The Central Bank of Sri Lanka, The Inland Revenue Department.
• Anti-money laundering, counter-terrorist financing, and fraud prevention;
• Risk management, audits, and internal controls;
• Client communications, reporting, and customer support;
• Business operations, analytics, and service improvement.

4. Legal Basis for Processing

We process personal data where:

• it is necessary for the performance of a contract;
• it is required to comply with a legal or regulatory obligation;
• it is necessary for our legitimate interests (provided such interests do not override data subject rights); or
• consent has been obtained, where required by law.

5. Disclosure of Personal Data

Personal data may be disclosed to:

• regulators, supervisory authorities, and law enforcement agencies as and where required by law;
• clearing and settlement systems, banks, custodians, and depositories;
• professional advisers, auditors, and service providers acting under contractual confidentiality obligations;
• group companies or affiliates, where applicable to facilitate effective and seamless provision of our services.

6. Cross-Border Transfers

For the purposes set out above in this Privacy Notice, your Personal Data may be transferred to, stored and maintained on servers and systems located outside of Sri Lanka. Any such transfers will be carried out in accordance with the Personal Data Protection Act, No. 9 of 2022 (as amended), and subject to appropriate safeguards to ensure an adequate level of data protection.

7. Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, including statutory and regulatory retention requirements, after which it will be securely deleted or anonymised.

8. Data Security

We implement industry-standard technical and organizational measures—including encryption, firewalls, and secure access controls—to protect your data against unauthorised access, loss, misuse, alteration, or disclosure.

9. Your Rights

Under the PDPA you have the right to:

• access and obtain a copy of your personal data;
• request correction or erasure;
• object to or restrict processing;
• withdraw consent;
• lodge a complaint with the relevant authority.

Requests may be made using the contact details below.

10. Cookies and Website Use

Our website may use cookies and similar technologies to enhance user experience and analyse traffic. Users may manage cookie preferences through their browser settings.

11. Updates to the Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in legal, regulatory, or business requirements. Any updates will be published on our website, and the revised Privacy Notice will apply from the date of publication.

12. Contact Details

For queries, requests, or complaints relating to this Privacy Notice or the processing of personal data, please contact: privacy@ambeonsecurities.lk