
Privacy Policy

How we collect, use, and protect your personal data.

Version 1.0

Last updated: 13 April 2026

This Privacy Policy explains what personal data MMA Central Sri Lanka collects about you, how we use it, who we share it with, and the rights you have over your data. It is written to comply with the Personal Data Protection Act No. 9 of 2022 of Sri Lanka ("PDPA") and to align, in good faith, with the core principles of the EU General Data Protection Regulation ("GDPR"): transparency, lawful basis, data minimisation, and data-subject rights.

1. Who We Are

The data controller responsible for your personal data is Peniel Uthayakumar, an individual proprietor in Sri Lanka, trading as "MMA Central Sri Lanka" (also "MMA Central", "we", "us", and "our"). When we say your data is "processed", we mean any operation performed on it: collecting, storing, using, sharing, or deleting it.

For the purposes of the PDPA, we are the Data Controller. Where we use external services to process data on our behalf (hosting, email delivery, analytics), those services act as Data Processors under our instructions and their own terms of service.

2. Contacting Us About Your Data

For privacy, data-protection, or data-subject-rights questions:

  • Email: [email protected]
  • Post: Peniel Uthayakumar, trading as MMA Central Sri Lanka, Sri Lanka

We will set up a dedicated [email protected] address post-launch; until then all data-protection correspondence goes to the address above.

3. Data We Collect

3.1 Data you give us

  • Account data: username, email address, password (stored securely, never in plain text), date you joined, whether your email is verified.
  • Fighter profile data: name, nickname, weight class, gym, hometown, height and reach, bio, fight record (wins/losses/draws), disciplines, grading and certifications, photos, social-media URLs, and any self-reported fight history you add.
  • Event manager profile data: organisation name, public contact email and phone, verification status.
  • Event content: event title, date, venue, poster, description, ticket information, fight card, and any post-event recap or gallery images you upload.
  • Consent record: the date, time, and IP address at which you accepted these Terms and this Privacy Policy at registration.

3.2 Data collected automatically

  • Technical data: IP address, browser user-agent, device type, referring URL, and the pages you visit.
  • Security data: limited records of failed login attempts and other abuse-prevention signals.
  • Authentication data: short-lived one-time email verification codes, deleted promptly on use or expiry.
  • Analytics data: pseudonymous visitor identifiers and page-view events collected by our analytics provider on every visit. See Section 8 for how to opt out.

4. Lawful Basis for Processing

Under the PDPA (section 5) and the GDPR's equivalent framework (Article 6), we rely on the following lawful bases:

  • Performance of a contract: to create and operate your account, display your profile or events, and deliver the Platform to you.
  • Legitimate interest: to secure the Platform (rate limiting, login-attempt logging, breach detection), prevent abuse, audit content removals, maintain encrypted database backups, and measure aggregate, non-personalised usage of the Platform via analytics. We have considered the impact on your rights and concluded that these interests are proportionate to the data processed.
  • Consent: for any future advertising or marketing communications. You may withdraw consent at any time.
  • Legal obligation: where we must process or disclose data to comply with Sri Lankan law, court order, or valid law-enforcement request.

5. Processors and Sub-Processors

We do not sell your personal data. We share it only with reputable service providers who help us operate the Platform, under their standard data-processing terms. These providers fall into the following categories:

Category | Purpose | Location
Hosting provider | Operating the website and database | United States
Media delivery provider | Storing and delivering uploaded images | United States
Security & CDN provider | Traffic delivery, abuse protection, encrypted backups | United States
Email provider | Sending verification and notification emails | United States
Analytics provider | Aggregate usage analytics | United States

We will update this list if we introduce new categories of processor, or before we enable any advertising network that personalises content based on your data.

6. Cross-Border Transfers

All of the processors listed above store or process data outside Sri Lanka, primarily in the United States. Sri Lanka has not, at the date of this Policy, issued adequacy decisions under the PDPA for these jurisdictions. Transfers therefore rely on the contractual safeguards included in each processor's standard data-processing terms, and on our selection of reputable providers with published security practices.

If you would prefer that your data not leave Sri Lanka, the Platform is not currently able to offer a local-only option. You may choose not to register, or you may request deletion of your account under Section 9.

7. How Long We Keep Data

We keep personal data only as long as necessary for the purposes described in this Policy:

  • Fighter and manager profiles: until you delete your account or request erasure.
  • Account data: until deletion. Unverified accounts are automatically purged after a short grace period.
  • Consent record: for the life of the account, and for a limited audit window after deletion.
  • Email verification codes: short-lived; deleted promptly on use or expiry.
  • Abuse-prevention records: a short retention window to deter repeated attacks.
  • Analytics data: retained per the analytics provider's default retention (currently around 14 months). Anonymised aggregate statistics may be retained indefinitely.
  • Encrypted database backups: a limited rolling retention window, after which they expire automatically.
  • Server logs: short retention managed by the hosting provider.
  • Uploaded media: until the record it belongs to is deleted, after which the media file is removed by the delivery provider.

8. Cookies and Similar Technologies

We use two categories of cookies:

Category | Purpose | Consent
Essential cookies | Keep you signed in, protect form submissions, and secure administrative access | Strictly necessary
Analytics cookies | Measure aggregate usage via our analytics provider (Google Analytics 4) | Loaded by default; opt out via browser controls

Essential cookies are required for the Platform to function. They do not require consent under either the PDPA or the GDPR.

Analytics cookies load on every visit to help us understand which pages are useful. They do not personalise ads and we do not share the data for cross-site tracking. You can opt out by blocking analytics in your browser, installing the Google Analytics opt-out add-on, or using a content blocker. If we enable any advertising network in the future, advertising cookies will be listed in this table before they start loading.

9. Your Rights

Under the PDPA, and in line with the GDPR, you have the following rights in relation to your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: correct inaccurate or incomplete data. Most profile fields are self-editable once you are signed in.
  • Erasure: ask us to delete your account and associated data. Some residual records (encrypted backups, anonymised statistics, legitimately-shared public content) may persist as described in Section 7 and in the Terms of Service.
  • Portability: receive your data in a structured, commonly-used, machine-readable format.
  • Objection: object to processing based on legitimate interest.
  • Withdrawal of consent: withdraw any consent you have given (for example, for future marketing communications).

To exercise any of these rights, email [email protected] from the email address on your account. We will respond within 30 days of receipt, in line with PDPA timelines.

If we refuse your request, we will explain why. You have the right to lodge a complaint with the Sri Lanka Data Protection Authority once it begins accepting complaints under the PDPA.

10. Security

We take security seriously. Technical and organisational measures in place include:

  • HTTPS / TLS encryption in transit, with modern transport-security headers.
  • Industry-standard password hashing; passwords are never stored in plain text, and a minimum password length is enforced.
  • Rate limiting and automatic lock-out on repeated failed login attempts.
  • Additional rate limiting on sensitive endpoints such as registration and verification.
  • Modern browser-security response headers on all pages.
  • Two-factor authentication for administrative access.
  • Encrypted database backups on a limited retention window.
  • Cryptographically random one-time verification codes, verified using constant-time comparisons.

11. Data-Breach Notification

If we become aware of a personal-data breach that is likely to result in a risk to your rights or interests, we will notify the Data Protection Authority of Sri Lanka within 72 hours of confirming the breach, where notification is required under the PDPA.

Where the breach is likely to result in a high risk to you, we will also notify you directly by email, without undue delay, and tell you what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.

12. Children's Data

MMA Central is not directed at children under 13 and we do not knowingly collect personal data from children under 13. If you are under 18, you may only register and upload content with the permission of a parent or legal guardian.

Accounts representing minor fighters may be registered and operated by a parent, legal guardian, or coach on the fighter's behalf; that person is responsible for the account and for any content posted under it. If you believe a child has registered without the appropriate consent, email [email protected] and we will remove the account and its data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will give you at least 30 days' notice by email (to the address on your account) or by a prominent banner on the Platform. The revised Policy will take effect on the date stated in the notice.

Non-material changes (clarifications, typo corrections, or updates required by law) take effect when published, and the "Last updated" date at the top of this page will be revised accordingly.

14. Contact

Data-protection queries, rights requests, and breach reports:

  • Email: [email protected]
  • Post: Peniel Uthayakumar, trading as MMA Central Sri Lanka, Sri Lanka

See also the Terms of Service.