Privacy Policy
Last updated: 02 July 2026. Effective from: 02 July 2026.
1. About This Policy
National School of Business Management (Guarantee) Limited, operating as “NSBM Green University” (“NSBM”, “we”, “us”, or “our”), operates the NSBM Student Portal (students.nsbm.ac.lk), including all of its features such as the student dashboard, online payments, the GreenMate AI assistant, feedback tools, push notifications, the QR scanner, and the Gym & Pool module. This Privacy Policy explains how we collect, use, disclose, and protect your personal data, and sets out your rights under the Personal Data Protection Act, No. 9 of 2022 of Sri Lanka (as amended by the Personal Data Protection (Amendment) Act, No. 22 of 2025) (together, the “PDPA”), enforced by the Data Protection Authority of Sri Lanka.
Sri Lanka does not currently have a data protection treaty or adequacy arrangement with the European Union, and the Portal is operated solely for NSBM students and staff in Sri Lanka, so the EU General Data Protection Regulation (GDPR) does not, of itself, apply to our processing. We nonetheless design and operate the Portal to align with GDPR-equivalent principles as a matter of good practice. See Section 11 (Alignment with International Standards) below.
By accessing, logging into, or otherwise using the Portal or any of its features, you acknowledge that you have read and understood this Policy and you consent to the collection, use, and disclosure of your personal data as described in it. If you are under 18 years of age, please review this Policy with your parent or guardian. If you do not agree, you must not use the Portal.
2. Data Controller & Regulator
Data Controller: National School of Business Management (Guarantee) Limited (operating as NSBM Green University)
Address: Mahenwatta, Pitipana, Homagama, Sri Lanka
Website: nsbm.ac.lk
Contact: its@nsbm.ac.lk / raminda.k@nsbm.ac.lk
Questions about this Policy or your personal data should be directed to the contact details above. You may also contact Sri Lanka’s independent data protection regulator directly:
Data Protection Authority of Sri Lanka
First Floor, Block 5, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka
Email: info@dpa.gov.lk · Tel: +94 11 269 7241 / +94 11 269 7237
Web: dpa.gov.lk
3. Personal Data We Collect
3.1 Authentication Data
When you sign in using your NSBM Microsoft 365 account, we receive your institutional email address and display name from Microsoft. We use this solely to authenticate you and look up your student record. Your sign-in session is kept secure and automatically expires after 8 hours.
3.2 Student Profile & Academic Data
Upon successful authentication we retrieve your student profile from the University Management Information System (UMIS), which the university already holds as part of your enrolment. This includes: student ID, full name, faculty, degree programme, enrolment status, current year and semester, contact information, guardian details, exam results, attendance, exam schedules, timetables, degree fees, payment history, and Extenuating Circumstances (EC) applications. This data is displayed to you within the Portal and is not shared with unrelated third parties.
3.3 Portal Usage & Session Analytics (Automatic)
To operate the Portal securely and to allow authorised NSBM staff to monitor service usage and quality, we automatically record your activity on the Portal each time you sign in. This includes the pages and features you use, downloads, errors encountered, and searches you make, linked to your student ID, faculty, degree, and year/semester, together with your IP address and device/browser information. This tracking is separate from the cookie consent described in Section 3.4 and does not require it. It only applies once you have logged in, and is visible, in aggregate and per-student form, to authorised staff for institutional oversight.
3.4 Cookie-Based Analytics (Consent-Based)
Only if you accept analytics cookies via the consent banner, the following additional data is collected:
- Google Analytics 4: Anonymised IP address, browser type and version, operating system, pages visited, time on page, referral source, and approximate geographic region (country/city level).
- Microsoft Clarity: Session recordings, heatmaps, scroll depth, and click patterns. Clarity automatically masks text input fields; no passwords or sensitive form data are recorded.
3.5 GreenMate AI Assistant Data
GreenMate is an AI assistant built using an integration with a third-party artificial intelligence (AI) language model service provider. When you use GreenMate, we store the full conversation, your messages and the assistant’s replies, linked to your student ID and email. To answer your questions, GreenMate may draw on your own academic data, such as your profile, results, attendance, exam schedule, timetable, fees, payment history, and EC applications. It does not access another student’s data. Your messages are processed by our third-party AI provider in accordance with their own terms and privacy practices, and may be handled outside Sri Lanka. Please do not enter another person’s personal data, or other sensitive information, into the chat.
Deleting a conversation removes it from your view, but the underlying record may be retained for a limited period for service quality and audit purposes; you may request permanent deletion under Section 8. GreenMate can be disabled by NSBM at any time.
3.6 Push Notification Data
If you enable browser push notifications, we store the information your browser provides to make this possible, together with your email address, so that NSBM can send you Portal notifications (e.g. announcements from authorised staff). This data is retained until you disable notifications or the subscription otherwise expires.
3.7 Feedback Data
When you submit feedback through the Portal, we store your survey ratings, rankings, optional free-text comments, and, if you choose “Detailed feedback”, any files you attach. Attachments are stored on NSBM’s servers and are not publicly accessible. Feedback is used to improve university services and is reviewed by authorised staff.
3.8 Profile Correction Requests
If you use “Request a correction” on your profile, the details you flag as incorrect and your proposed corrections are emailed directly to your Faculty’s Assistant Registrar, and an internal record is kept for audit purposes.
3.9 Payment Data
When you initiate a fee payment, we transmit your student ID, fee type, and amount to the Bank of Ceylon (BOC) payment gateway. Card details are entered directly on BOC’s PCI-DSS-compliant servers, and we never receive or store your card number, CVV, or expiry date. We do keep the transaction reference number and payment status for our own records.
3.10 Gym & Pool Facility Data
If your faculty enrols you in NSBM’s Gym & Pool facility, the Portal displays a read-only view of your facility card balance, top-up/deduction transactions, and check-in/check-out history, linked to your student ID.
3.11 QR Scanner (Camera Access)
The QR scanner requests temporary access to your device camera, with your browser’s permission. Video frames are decoded entirely on your device and are never transmitted to, recorded, or stored on NSBM servers.
4. Legal Basis for Processing
| Processing Activity | Legal Basis (PDPA 2022) |
|---|---|
| Authentication via Microsoft Entra ID | Contractual necessity (student services agreement) |
| Displaying your student profile & academic records | Contractual necessity; legitimate interest |
| Portal usage & session analytics (server-side) | Legitimate interest (security, service quality, institutional oversight) |
| Google Analytics / Microsoft Clarity | Consent |
| GreenMate AI assistant conversations | Consent (given by initiating a chat); contractual necessity for the requested service |
| Push notifications | Consent (given by enabling notifications) |
| Feedback submissions | Consent; legitimate interest (service improvement) |
| Profile correction requests | Consent (given by submitting the request); contractual necessity |
| Payment processing via BOC | Contractual necessity |
| Gym & Pool facility records | Contractual necessity (facility membership) |
5. Cookies & Local Storage
Essential Cookies
We use essential cookies to keep you securely signed in and to recognise your Portal session. These are required for the Portal to function and cannot be disabled.
Analytics Cookies (Consent Required)
If you consent, Google Analytics and Microsoft Clarity place cookies on your device to help us understand how the Portal is used. Google Analytics cookies are retained for up to 2 years; Microsoft Clarity cookies are retained for up to 90 days.
Your cookie preference is remembered in your browser. You can change it at any time by clearing your browser data.
6. Third-Party Services & International Transfers
- Microsoft: Handles sign-in and, if you consent, session analytics. Data may be processed outside Sri Lanka under Microsoft’s data processing terms.
- Google Analytics: Usage analytics, only where you consent to analytics cookies. Data may be processed outside Sri Lanka, with IP anonymisation enabled.
- Our AI service provider: GreenMate is built on a third-party AI (LLM) integration, so conversation content may be processed outside Sri Lanka under that provider’s own terms.
- Bank of Ceylon: Handles payment processing under industry-standard card security requirements and its own privacy policy.
Where data is transferred outside Sri Lanka, we rely on appropriate safeguards including contractual data processing terms or equivalent mechanisms recognised under the PDPA. We do not sell your personal data to any third party.
7. Data Retention
- Your login session expires after 8 hours, or immediately when you sign out.
- Student profile and academic data is held by the university for the duration of enrolment and thereafter as required by applicable Sri Lankan law and university policy.
- Portal usage records (Section 3.3) are retained for institutional oversight; access is limited to authorised staff.
- Google Analytics data is retained for up to 26 months; Microsoft Clarity recordings for up to 90 days.
- GreenMate conversations are retained to provide continuity of service unless you request deletion (Section 8).
- Push notification data is retained until you unsubscribe or the subscription otherwise expires.
- Feedback and attachments are retained for institutional quality-improvement purposes.
- Profile correction request records are retained for audit purposes.
- Payment transaction records are retained for a minimum of 7 years in accordance with Sri Lankan financial regulations.
8. Your Rights Under the PDPA
Under the Personal Data Protection Act, No. 9 of 2022 (as amended) you have the following rights:
- Right of Access: You can request a copy of the personal data we hold about you.
- Right to Rectification: You can ask us to correct inaccurate or incomplete data.
- Right to Erasure: You can request deletion of your personal data, including GreenMate conversations or feedback attachments, where there is no legitimate reason for us to keep processing it.
- Right to Restrict Processing: You can ask us to limit how we use your data in certain circumstances.
- Right to Withdraw Consent: You can withdraw consent for analytics cookies, GreenMate, push notifications, or feedback processing at any time. This will not affect the lawfulness of processing carried out before you withdrew it.
- Right to Object: You can object to processing we carry out on the basis of legitimate interest, such as portal usage analytics.
- Right to Data Portability: You can ask to receive your personal data in a structured, commonly used, machine-readable format.
- Right Regarding Automated Decisions: GreenMate only provides informational assistance and does not make decisions that produce legal or similarly significant effects about you. No NSBM system uses your data for automated decision-making of that kind.
- Right to Lodge a Complaint: If you believe your rights have been violated, you can complain to the Data Protection Authority of Sri Lanka (Section 2).
To exercise any of these rights, contact us at its@nsbm.ac.lk or raminda.k@nsbm.ac.lk. We will respond within 30 days of receiving your request, and may need to verify your identity first.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption of data in transit, controls that prevent one student from accessing another student’s records or AI conversations, and restricted, role-based access for authorised staff to administrative and reporting systems. However, no system is completely secure and we cannot guarantee absolute security of data transmitted over the internet.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Data Protection Authority of Sri Lanka without undue delay (and, where feasible, within 72 hours of becoming aware of it), and will notify affected students directly where the breach is likely to result in a high risk, in line with the PDPA.
11. Alignment with International Standards (GDPR & Others)
Although the EU General Data Protection Regulation (Regulation (EU) 2016/679) does not directly apply to NSBM, we voluntarily design the Portal around its core principles, which closely mirror those in the PDPA: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. The rights listed in Section 8 correspond to GDPR Articles 15 to 22 (access, rectification, erasure, restriction, portability, objection, and automated-decision safeguards), and our breach notification practice mirrors the GDPR’s 72-hour standard.
We also have regard to the Computer Crimes Act, No. 24 of 2007 and the Electronic Transactions Act, No. 19 of 2006 of Sri Lanka, which criminalise unauthorised access to, or interference with, computer systems and data, and give legal recognition to electronic records and signatures used on the Portal.
12. Children’s Privacy
The Portal is intended for use by enrolled NSBM students. If you are under 18, processing of your data is carried out under the university’s enrolment agreement, which may involve parental or guardian consent as collected during the admission process.
13. Changes to This Policy
We may update this Privacy Policy from time to time, including to reflect new Portal features. We will notify you of material changes by updating the “Last updated” date at the top of this page. Continued use of the Portal after changes are posted constitutes your acceptance of the revised Policy.
14. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Democratic Socialist Republic of Sri Lanka, including the Personal Data Protection Act, No. 9 of 2022, the Computer Crimes Act, No. 24 of 2007, the Electronic Transactions Act, No. 19 of 2006, and any regulations made thereunder.
15. Your Consent
By creating an account, logging in, or otherwise accessing or using the Portal or any of its features (including GreenMate, push notifications, feedback, the QR scanner, or Gym & Pool), you confirm that you have read and understood this Privacy Policy and you agree to the collection, use, storage, and disclosure of your personal data as described in it, and to our Terms & Conditions.