Rush by appiGo Logo

Privacy Policy

Rush by appiGo

Effective date: 01 June 2026Last updated: 01 June 2026Version: 3.0

appiGo International Pvt Ltd (“Rush by appiGo”, “Rush”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what personal data we collect when you use the Rush services, how and why we use it, who we share it with, how long we keep it, and the rights and choices available to you.

We process personal data in accordance with the Personal Data Protection Act, No. 9 of 2022, as amended by the Personal Data Protection (Amendment) Act, No. 22 of 2025 (together, the “PDPA”), and with other applicable laws of Sri Lanka. References in this policy to specific PDPA obligations apply as and when the relevant provisions of the PDPA come into operation.

Please read this policy together with any notices we provide when we collect or process your personal data, so that you are fully aware of how and why we are using it.

1. Who We Are and How to Contact Us

Controller: appiGo International Pvt Ltd

Registered office: 48, Ward Place, Colombo 07, Sri Lanka

Privacy contact / Data Protection Officer: buffet@rush.lk (see note below)

For the purposes of the PDPA, appiGo International Pvt Ltd is the controller responsible for your personal data processed through the Rush services.

If you have any questions about this policy, wish to exercise your rights, or want to raise a concern about how we handle your personal data, please contact us using the details above.

2. Scope of This Policy

This Privacy Policy applies to personal data we process through the Rush services, including:

  • our mobile applications and guest-facing web experiences;
  • reservation, discovery, and profile features;
  • merchant and restaurant operational tools;
  • customer support and administrative operations.

This policy is directed at users in Sri Lanka. It does not apply to the practices of third parties (including restaurants and merchants) that we do not own or control, except where we act as the controller for the data concerned.

3. Key Terms

To help you read this policy, the following terms have the meanings given to them in the PDPA and are used in that sense here:

  • Personal data — any information that can identify you, directly or indirectly.
  • Special categories of personal data — more sensitive information, such as data revealing health, religious or philosophical beliefs, or other categories afforded heightened protection under the PDPA.
  • Processing — any operation performed on personal data, including collecting, recording, storing, using, sharing, and erasing it.
  • Controller — the person or entity that determines the purposes and means of processing personal data (here, appiGo International Pvt Ltd).
  • Processor — a person or entity that processes personal data on behalf of, and on the instructions of, the controller.
  • Data subject — the individual to whom personal data relates (here, you).

4. Personal Data We Collect

Depending on how you use the Rush services, we may collect the following categories of personal data:

  1. Account and profile data — phone number (including in the context of OTP verification), first and last name, email address (if provided), and profile image or avatar URL (if provided).
  2. Reservation and service data — reservation name and contact number; booking date and time, meal type, and party size; special requests, dietary notes, and occasion details; and reservation status and related operational records.
  3. Payment-related data — payment status, transaction references, and reservation payment metadata. We do not store full payment card numbers in Rush application databases; card payments are handled by our payment gateway partners.
  4. Discovery and social data — favourites, folders and lists, follows, likes, and comments; and your profile visibility and preference settings.
  5. Device and notification data — push notification tokens (FCM/APNS); device model, operating system version, and app version; and notification inbox and delivery/read status.
  6. Location and search data — latitude and longitude where location-based features are enabled; search queries and filter selections; and metadata relating to AI-assisted discovery requests and responses.
  7. Feedback and support data — ratings, reviews, and support messages; and account deletion request details.
  8. Analytics and technical diagnostics — usage events, crash and error data, and service performance telemetry.

Some of the data above (for example, dietary notes or occasion details) may reveal information that the PDPA treats as a special category of personal data. We explain how we handle such data in Section 6.

You do not have to provide the personal data we request. However, if you do not provide data that we need to deliver a feature (such as a contact number for a reservation), we may be unable to provide that feature.

5. How We Use Your Personal Data and Our Lawful Basis

We use personal data only where the PDPA permits us to do so. The table below sets out the main purposes for which we process personal data and the lawful basis we rely on for each. Where we rely on legitimate interests, we have weighed those interests against your rights and interests.

PurposeCategories of data usedLawful basis
Creating and authenticating your account; protecting account securityAccount and profile; device dataPerformance of a contract; legitimate interests (security and fraud prevention)
Processing reservations and related operational workflowsReservation and service; payment-relatedPerformance of a contract
Sending transactional messages (e.g. reservation confirmations and updates)Account and profile; reservation; notification dataPerformance of a contract
Sending promotional communications (SMS, email, in-app/push)Account and profile; notification data; preferencesConsent (which you may withdraw at any time)
Personalising your experience and improving search relevanceDiscovery and social; location and searchLegitimate interests; consent where required
Maintaining reliability, preventing abuse, and resolving incidentsAnalytics and diagnostics; device dataLegitimate interests
Providing customer supportFeedback and support; account and reservation dataPerformance of a contract; legitimate interests
Meeting legal, regulatory, audit, and tax obligationsAs required by the relevant obligationCompliance with a legal obligation

If we need to use your personal data for a new purpose that is not compatible with one set out above, we will provide you with a further notice and, where required, obtain your consent.

6. Special Categories of Personal Data

Certain information you provide — for example, dietary notes (which may indicate health conditions or religious observance) — may amount to a special category of personal data under the PDPA.

We process this information only to fulfil your reservation and related requests, and only to the extent necessary for that purpose. Where the PDPA requires it, we will rely on your explicit consent, which you provide by choosing to share this information with us. You can ask us to delete special-category data at any time using the contact details in Section 1.

7. Marketing and Service Communications

We may send you two kinds of messages:

  • Service and transactional communications that are necessary to provide the service — for example, reservation confirmations, changes, reminders, and security notices. We may continue to send these where necessary even if you opt out of marketing.
  • Promotional communications by SMS, email, and in-app or push channels. We send these on the basis of your consent, and you can withdraw that consent at any time, free of charge, through the controls available in the app or by contacting us at buffet@rush.lk.

Where Sri Lankan law regulates the sending of unsolicited or direct-marketing messages, we will comply with the applicable requirements, including any consent and opt-out obligations.

8. Analytics and Diagnostics

We use analytics and diagnostic tools to maintain and improve product quality, user experience, and service performance, relying on our legitimate interests in operating a reliable service.

You may contact us at any time to ask about the analytics and privacy controls available to you, or to object to processing carried out on the basis of legitimate interests (see Section 16).

9. Who We Share Personal Data With

We share personal data only where it is necessary for legitimate business and service purposes, and only with recipients who are bound by appropriate confidentiality and data-protection obligations. These recipients may include:

  • restaurant and merchant operators, for reservation fulfilment and customer service;
  • identity and authentication providers;
  • payment gateway partners;
  • SMS, email, and push communication providers;
  • cloud hosting, analytics, monitoring, and infrastructure vendors;
  • AI and discovery service providers; and
  • authorised members of our staff, subject to role-based access controls.

We may also disclose personal data where required to comply with a legal obligation, to respond to a lawful request from a public authority, or to establish, exercise, or defend legal claims.

We do not sell your personal data.

10. Merchant Access and Permitted Use

Restaurants and merchants may access the guest data they need to fulfil reservations and provide related customer service. Any use of guest data by a merchant for its own promotional or engagement purposes must comply with our platform rules, the merchant’s contractual terms with us, and applicable law. Where a merchant uses guest data for its own purposes, it acts as a separate controller responsible for that use.

11. AI-Assisted Discovery and Automated Processing

Rush uses AI-assisted workflows to improve the relevance of restaurant search and discovery. To do this, we may process your search inputs and related contextual parameters. We apply data-minimisation and operational safeguards to these processes.

These workflows support, but do not replace, the choices you make. We do not use them to make decisions that produce legal effects concerning you, or similarly significant effects, based solely on automated processing. If you have questions about how AI-assisted discovery affects you, you may contact us using the details in Section 1.

12. International Transfers

Some of our service providers may process personal data outside Sri Lanka. Where we transfer personal data abroad, we do so only in accordance with the PDPA — that is, to a country or recipient recognised as providing an adequate level of protection, under appropriate safeguards that create binding and enforceable obligations on the recipient, or where another lawful condition for transfer applies (such as your explicit consent or the necessity of the transfer to perform our contract with you).

You may contact us for more information about the safeguards we apply to a particular transfer.

13. Data Retention

We keep personal data only for as long as we need it for the purposes set out in this policy, including service delivery and operations, legal and regulatory compliance, security, and the management of disputes.

To decide how long to keep personal data, we consider its nature and sensitivity, the purposes for which we process it, the potential risk of harm from unauthorised use or disclosure, and applicable legal, accounting, tax, and reporting requirements. When we no longer need personal data, we securely delete or anonymise it.

Where you ask us to delete your account or data, we will action approved requests in line with our internal policy, subject to any retention we are legally required or permitted to maintain.

14. Security and Data Breaches

We apply reasonable technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, misuse, or loss. These measures include access controls, role-based permissions, and the use of payment partners for card processing. No system, however, can be guaranteed to be completely secure.

If a personal data breach occurs, we will assess it without undue delay and, where the PDPA requires, notify the Data Protection Authority and any affected individuals in accordance with the applicable notification requirements and timelines.

15. Children

The Rush services are not directed at children. Under Sri Lankan law, a child is a person under the age of 18.

We do not knowingly process the personal data of a child without the consent of a parent or guardian or another lawful basis as required by the PDPA. If you are a parent or guardian and believe that a child has provided us with personal data without appropriate consent, please contact us at buffet@rush.lk and we will take appropriate steps to address the matter.

16. Your Rights

Subject to the PDPA, you have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate or incomplete data;
  • request erasure of your data;
  • object to or request restriction of certain processing, including processing based on our legitimate interests; and
  • withdraw consent at any time, where we rely on consent (this does not affect processing carried out before withdrawal).

To exercise any of these rights, contact us at buffet@rush.lk. We may need to verify your identity before acting on a request.

We will respond to your request within the period required by the PDPA — currently 21 working days from the date of the request — and will tell you whether your request has been granted or refused, together with our reasons. Where we refuse a request, you have the right to appeal in accordance with the PDPA.

Exercising your rights is free of charge in most cases. We may charge a reasonable fee or decline to act where a request is manifestly unfounded, excessive, or repetitive, to the extent the PDPA allows.

17. Complaints to the Data Protection Authority

We hope to resolve any concern you raise with us directly. If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the Data Protection Authority of Sri Lanka. We would, however, appreciate the opportunity to address your concerns before you approach the Authority, so please consider contacting us first.

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the “Last updated” date above and, where the changes are material, provide additional notice through the service. We encourage you to review this policy periodically.

19. Contact Us

appiGo International Pvt Ltd

48, Ward Place, Colombo 07, Sri Lanka

Email: buffet@rush.lk