Legal Document

Privacy Policy

Effective date: 12 June 2026 · Version 1.0 · mydiio (Private) Limited · Colombo, Sri Lanka

We believe you have a right to know exactly what we do with information about you. This policy explains what we collect, why we collect it, who we share it with, and what rights you have. We have written it to be read by a person, not a lawyer. If anything is unclear, write to us at mydiiomedia@gmail.com and we will explain it plainly.
Section 01

Who We Are

mydiio (Private) Limited operates Sri Lanka's first cloud-managed in-vehicle advertising platform. We place Android tablet screens inside Colombo tuk-tuks. Passengers see advertisements from local businesses. Drivers earn passive income. Advertisers receive GPS-verified proof that their ad was displayed.

Our registered business operates in Colombo, Sri Lanka. Our contact email is mydiiomedia@gmail.com and our website is mydiio.com.

We are the data controller for all personal information collected through our platform, portals, and website.

Section 02

Who This Policy Covers

This policy applies to four groups of people who interact with mydiio:

  • โ—Advertisers โ€” businesses that purchase advertising campaigns on the mydiio network, including those on our waitlist.
  • โ—Driver partners โ€” tuk-tuk drivers who join the mydiio programme and host a tablet screen in their vehicle.
  • โ—Website visitors โ€” anyone who visits mydiio.com or fills out our waitlist or interest forms.
  • โ—Passengers โ€” members of the public who ride in tuk-tuks carrying a mydiio screen. Passengers are not registered users of our platform. We do not collect personal data about individual passengers. The screen they see displays advertisements; it does not capture images, audio, or identifying information about them.
Section 03

Information We Collect

From advertisers

When you register an interest or create an account with mydiio as an advertiser, we may collect:

  • โ—Your name and the name of your business
  • โ—Your WhatsApp number and email address
  • โ—Your business category and preferred advertising tier
  • โ—Payment information including deposit transaction records (we do not store card numbers directly; payments are processed through our payment partners)
  • โ—The advertising creatives you upload โ€” video files and image files
  • โ—Your campaign preferences, scheduling choices, and campaign history
  • โ—Login credentials for your advertiser portal account (passwords are stored in hashed, encrypted form and are never readable by our team)

From driver partners

When you join the mydiio driver programme, we collect:

  • โ—Your name, WhatsApp number, and bank account details for payment
  • โ—Your driver registration number and vehicle details
  • โ—The deposit you pay, which is tracked in our records
  • โ—Your daily operating hours, screen uptime data, and route bonus eligibility
  • โ—Your referral activity, including the names and contact details of drivers you refer
  • โ—Login credentials for your driver portal account
  • โ—The GPS location of your vehicle during operating hours (see Section 5 for full details)
  • โ—Device pairing information for the tablet installed in your vehicle

From website visitors

When you visit mydiio.com, we may collect:

  • โ—Information you voluntarily submit through our waitlist or driver interest forms
  • โ—Standard web analytics data such as your browser type, approximate location (city level, derived from IP address), pages visited, and time on site
  • โ—Your IP address for security and analytics purposes

Automatically from devices and tablets

Our tablet devices in the field generate operational data including:

  • โ—GPS coordinates of the device, transmitted every five minutes during operating hours
  • โ—Ad play logs recording which advertisement was displayed, at what time, for how long, and at which GPS coordinates
  • โ—Device online and offline status updated continuously
  • โ—Remote screenshots of the tablet screen captured automatically every thirty minutes during operating hours
  • โ—Device health signals including screen status and data connectivity

This operational data is tied to the vehicle and device, not to individual passengers. Screenshots capture the advertisement content being displayed, not the interior of the vehicle or its passengers.

Section 04

How We Use Your Information

For advertisers:

  • โ—To set up and manage your advertising account and campaigns
  • โ—To deliver your advertisements to screens in the mydiio fleet
  • โ—To provide you with verified impression reports showing where, when, and how often your ad was displayed
  • โ—To process payments and manage billing
  • โ—To send you weekly performance reports and account communications
  • โ—To manage your loyalty points balance and category exclusivity status
  • โ—To contact you about your campaigns and any content review decisions

For driver partners:

  • โ—To manage your partnership agreement and earnings record
  • โ—To calculate and process your monthly payments on the 5th of each month
  • โ—To track your route bonus eligibility based on active screen hours
  • โ—To monitor tablet uptime and identify technical faults
  • โ—To send you daily WhatsApp updates about your screen status and earnings
  • โ—To manage the driver compliance programme and apply the graduated consequence system where applicable
  • โ—To track referral bonuses

For the platform generally:

  • โ—To prevent fraud and verify that ad impressions are genuine
  • โ—To ensure the security and integrity of the platform
  • โ—To improve platform features and user experience
  • โ—To comply with our legal obligations
Section 05

GPS and Location Data

Location data is central to what mydiio does. Understanding this section is important.

"Our platform records the GPS coordinates of every tablet device in our fleet every five minutes during operating hours. This data is tied to the vehicle and device identifier, not to your personal identity as an individual."

Why we collect location data:

  • โ—To provide advertisers with GPS-stamped proof that their advertisement was displayed at a real location
  • โ—To monitor driver uptime and route activity for bonus calculations
  • โ—To detect when a device goes offline unexpectedly
  • โ—To show advertisers a live map of where their brand is travelling across Colombo

What we do not do with location data:

  • โ—We do not sell individual driver location data to third parties
  • โ—We do not share location data with any government or law enforcement authority unless compelled by a valid legal order under Sri Lankan law
  • โ—We do not use location data to build profiles of individual passengers

Aggregated and anonymised mobility data

Over time, the collective GPS data from our fleet builds a picture of how tuk-tuks move across Colombo. We may use this aggregated, anonymised data to produce mobility insights. Individual vehicle or driver data is not identifiable in any such output.

Driver consent

GPS monitoring is a core and disclosed element of the mydiio driver partnership. All driver partners sign a written agreement before their screen is installed. That agreement explicitly describes the monitoring programme, including GPS tracking, screenshot capture, and play log recording. By signing the agreement, drivers consent to this monitoring for the purposes described in this policy.

Section 06

Advertising and Impression Data

Every time an advertisement plays on a mydiio screen, our system records an impression log containing the advertisement identifier, the vehicle identifier, the timestamp, the GPS coordinates, and the play duration.

This data is the foundation of mydiio's Radical Transparency commitment. Advertisers can view their own impression logs at any time through the Advertiser Portal. They see data about their own campaigns only. Impression data is used to generate weekly reports and to calculate billing. It is never sold to third parties in identifiable form.

Section 07

How Long We Keep Your Data

  • โ—Advertiser account data โ€” retained for the duration of your contract plus three years
  • โ—Driver partner data โ€” retained for the duration of your agreement plus three years; bank account details are deleted within 90 days of your agreement ending unless a payment dispute is outstanding
  • โ—GPS and play log data โ€” retained for two years from the date of collection
  • โ—Remote screenshots โ€” retained for 90 days
  • โ—Website enquiry data โ€” retained for 12 months if no business relationship is established
  • โ—Waitlist submissions โ€” retained until you ask us to remove them or until 24 months from submission, whichever comes first

When data is no longer required, we delete it securely from our systems.

Section 08

Who We Share Data With

We do not sell your personal data. We share data only in the following circumstances.

Service providers (process data on our behalf under data protection agreements):

  • โ—Supabase โ€” our cloud database and authentication provider (SOC 2 Type II compliant)
  • โ—Cloudinary โ€” video and image hosting for advertising creatives
  • โ—Cloudflare โ€” website and application hosting and DNS provider
  • โ—Resend โ€” email delivery service for transactional emails
  • โ—OpenWeatherMap โ€” weather data for informational interstitials on tablets. No personal data is shared.
  • โ—NewsAPI.org โ€” Sri Lanka news content for informational interstitials. No personal data is shared.
  • โ—Fully Kiosk Browser / Fully Cloud โ€” tablet device management software
  • โ—WhatsApp Business API โ€” used to send automated messages to driver partners

Legal requirements

We may disclose personal data to government authorities or law enforcement if required by applicable Sri Lankan law, a court order, or a valid legal process. We will notify you of any such request to the extent permitted by law.

Business transfers

If mydiio is acquired by or merges with another company, your data may be transferred as part of that transaction. We will notify you before this happens.

Section 09

Security

  • โ—Row-Level Security (RLS) enforced at the database level โ€” each user can only access their own data
  • โ—Passwords stored in hashed, encrypted form โ€” unreadable by anyone including our team
  • โ—API tokens and secrets stored as encrypted environment variables, never in code
  • โ—All portal access is role-based โ€” staff see only the data relevant to their function
  • โ—All staff actions are logged with a timestamp and the identity of the person who took the action
  • โ—Device pairing codes expire after 30 minutes and are single-use

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at mydiiomedia@gmail.com.

Section 10

Your Rights

You have the following rights regarding your personal data. To exercise any of them, contact us at mydiiomedia@gmail.com.

  • โ—Right to access โ€” you can ask us for a copy of the personal data we hold about you
  • โ—Right to correction โ€” if information we hold about you is inaccurate, you can ask us to correct it
  • โ—Right to deletion โ€” you can ask us to delete your personal data, subject to any legal or contractual obligation to retain it
  • โ—Right to object โ€” you can ask us to stop using your data for any purpose you disagree with
  • โ—Right to portability โ€” you can ask for your data in a machine-readable format

We will respond to all valid requests within 30 days.

Section 11

Cookies and Tracking

Our public website (mydiio.com) uses only the cookies necessary for the site to function. We do not currently use advertising trackers or third-party analytics cookies. If this changes, we will update this policy and notify registered users.

Our portal applications use session cookies to keep you logged in. These are deleted when you log out or close your browser.

Section 12

Children

Our portals and services are not directed at or intended for anyone under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us so we can delete it.

All advertising content displayed on our screens is reviewed before approval. We enforce an age-appropriate content standard and do not approve content unsuitable for a general audience including minors.

Section 13

Changes to This Policy

We may update this policy as our platform evolves. When we make meaningful changes, we will notify you by email (for registered users) and post a notice on the website. The updated policy will show a new effective date at the top of this page.

Continuing to use our services after a policy update means you accept the revised terms.

Section 14

Contact Us

Privacy questions

If you have questions about this policy, want to exercise your rights, or want to report a concern:

Email: mydiiomedia@gmail.com

Phone / WhatsApp: 070 747 1002

Website: mydiio.com

mydiio (Private) Limited · Colombo, Sri Lanka
