Last updated: May 28, 2026. We review this policy periodically and when our services or providers change. For detail on how cookies and similar technologies are used, see our Cookie Policy.
Who we are
Xclusive Adventures is a private adventure tour company based in Kitulgala, Sri Lanka. We are the data controller responsible for the personal information collected through this website. This policy explains what we collect, why, the legal basis for using it, how long we keep it, who we share it with, and the rights you have. It is written to align with the EU/UK General Data Protection Regulation (GDPR) and Sri Lanka's Personal Data Protection Act (PDPA).
We collect personal data only to plan trips, answer enquiries, run bookings, and improve the website.
We do not sell your personal information.
For any privacy question or request, contact us using the email address shown at the foot of this page.
Information we collect
We collect the information you choose to send us through enquiry and booking forms, the planning newsletter signup, WhatsApp links, and email. Depending on the form, this can include your name, email, phone or WhatsApp number, country, preferred contact method, contact-window preference, travel dates, group size, pickup and drop-off points, preferred start time, children's ages, water confidence, medical or suitability notes, preferred activities, budget range, accommodation level, and the content of your message.
Form submissions may also record the page URL, referrer, landing page, UTM campaign fields, and advertising click IDs so we can understand which pages and campaigns led to your enquiry.
The planning newsletter form collects your email and, optionally, name, country, and interest.
If you accept analytics, we collect usage data such as pages viewed, device and browser type, approximate location, and interactions like enquiry submits and WhatsApp clicks.
Spam-protection honeypot fields may be used to ignore automated bot submissions.
How we use your information and our legal basis
We use your information to reply to enquiries, prepare route and activity suggestions, manage bookings, send planning information you asked for, keep the service safe, measure campaign performance, and improve the website. Under GDPR and the Sri Lanka PDPA we rely on a specific legal basis for each purpose.
Contract and pre-contract steps: handling your enquiry, preparing a proposal, and managing a booking you have asked us to arrange.
Consent: sending the planning newsletter, and loading analytics and marketing cookies — you can withdraw this at any time.
Legitimate interests: responding to messages, preventing spam and fraud, keeping basic operational records, and understanding which pages help travellers, balanced against your rights.
Legal obligation: keeping records we are required to retain for tax, accounting, safety, or dispute reasons.
Cookies and analytics
The website uses only strictly-necessary cookies by default. Google Analytics 4 (loaded through Google Tag Manager) and the Meta Pixel are loaded only after you accept analytics and retargeting in the consent banner. If you decline, those optional scripts are not loaded, and enquiry forms, the newsletter, WhatsApp links, and normal browsing still work.
Your accept or decline choice is stored in your browser so the banner does not appear on every page.
You can withdraw consent at any time by clearing the site's stored choice or your browser cookies, which makes the banner appear again.
Full detail of each cookie category, purpose, and third party is set out in our Cookie Policy.
Third parties and processors
We use a small number of trusted service providers to store and handle data on our behalf. These act as our processors and are only permitted to use the data to provide their service to us. We share trip details with guides, drivers, and suppliers only where needed to deliver your booking.
Google Cloud / Firestore (project qrop-direct-1): secure storage of enquiry and booking leads, with email notifications sent to our team.
Google Workspace: our business email, used to receive and reply to your messages.
Google Analytics 4 and Google Tag Manager: website analytics, loaded only with your consent.
Meta (Facebook/Instagram) Pixel: retargeting measurement, loaded only with your consent and only if enabled.
Guides, drivers, accommodation, and activity suppliers: only the details needed to run your trip.
International transfers
Some of our providers (for example Google and Meta) are based outside Sri Lanka and the EU/UK and may process data in other countries, including the United States. Where personal data is transferred internationally, we rely on the providers' safeguards — such as standard contractual clauses and recognised certification frameworks — so that your information remains protected to an appropriate standard.
How long we keep your information
We keep personal data only for as long as needed for the purpose it was collected, or as required by law. Retention periods depend on the type of record.
Enquiries that do not lead to a booking are kept for up to about 24 months for follow-up, then deleted or anonymised.
Booking and payment records are kept for the period required for accounting, tax, safety, and dispute purposes.
Newsletter subscriptions are kept until you unsubscribe or ask us to remove you.
Analytics data is retained according to the settings in Google Analytics and is held in aggregated form.
Your rights
Under GDPR and the Sri Lanka PDPA you have rights over your personal data. To exercise any of these, email us using the address at the foot of this page; we will respond within a reasonable time and may need to verify your identity first.
Access: ask for a copy of the personal data we hold about you.
Rectification: ask us to correct information that is wrong or incomplete.
Erasure: ask us to delete your data where there is no overriding reason to keep it.
Objection and restriction: object to, or ask us to limit, certain uses such as marketing.
Withdraw consent: turn off the newsletter or analytics consent at any time, without affecting earlier processing.
Complaint: raise a concern with your local data-protection authority, or in Sri Lanka with the Data Protection Authority.
Contact and updates
If you have any question about this policy, want to exercise your rights, or wish to update or unsubscribe from communications, contact us by email or WhatsApp. We review this policy periodically and when our services or providers change, and we will update the date at the top when we do.