Privacy policy
Effective Date: 01-Apr-2026
Last Updated: 01-Apr-2026
Controller: Quest Holdings Lanka (Private) Limited, registered in Sri Lanka at 1st Floor, No. 85, Cotta Road, Colombo-8, Post Code-00800, Sri Lanka.
Privacy contact:
Email: customercare@thebodyshop.lk
Address: Quest Holdings Lanka (Private) Limited, registered in Sri Lanka at 1st Floor, No. 85, Cotta Road, Colombo-8, Post Code-00800, Sri Lanka
Data Protection Officer (DPO):
Name: Awijit Singh
Email: awijit.singh@questretail.in
1. SCOPE
Quest Holdings Lanka Private Limited (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store and transfer your personal data when you shop with us, use our websites/apps, contact customer care, or participate in our marketing and loyalty programs in Sri Lanka. We process personal data in accordance with the Personal Data Protection Act, No. 9 of 2022 (Sri Lanka PDPA) and related rules/guidance issued by the Data Protection Authority of Sri Lanka (DPA).
2. Key Definitions
Personal data: any information about an identifiable person. Processing: any operation performed on personal data (collection, use, disclosure, storage, retention, erasure, etc.). Controller and Processor are as defined in the Sri Lanka PDPA.
3. What Data we Collect
We collect only what is necessary and proportionate for the purposes below (data minimisation). This may include:
- Identity & contact: name, title, date of birth/age range, postal address, email, phone.
- Account & transaction: account credentials, order history, invoices, delivery/billing addresses, and payment method tokens from our payment providers (we do not store full card numbers).
- Loyalty & marketing: preferences, opt-in/opt-out records, coupon use, campaign participation, survey responses.
- Customer care: enquiries/complaints; recordings or chat transcripts where permitted and necessary.
- Device/online: IP address, device identifiers, cookie/SDK IDs, browsing actions, interactions, approximate location (e.g., city).
- Special categories: We do not routinely collect sensitive data. If you voluntarily share skin-sensitivity or allergy information for product advice, we will process it only with your explicit consent where required, with enhanced safeguards, and only for that purpose.
- Children: Our services target a general audience. We do not knowingly collect personal data of minors without appropriate consent/authority.
- Survey and Feedback Information: Opinions, responses, and comments provided in surveys, questionnaires or competitions.
- Customer Ratings and Reviews.
Sources: Directly from you when you visit our store, use our website or interact with us through our online and offline channels; automatically via our sites/apps; and from service providers/partners (payments, delivery, marketing, analytics) strictly for the purposes described.
4. Why we process your Data and our Lawful bases
We define and limit processing to the purposes below and rely on a lawful basis recognised under the PDPA. You may withdraw consent at any time for consent-based processing without affecting prior lawful processing.
| Purpose | Examples | Lawful basis (PDPA) |
|---|---|---|
| Account creation & administration | Register/manage your account, authenticate logins, maintain preferences | Contract |
| Sales & fulfilment | Process orders, payments, delivery/returns, invoicing, warranties | Contract; Legal obligation (tax/invoicing) |
| Customer care | Handle enquiries/complaints, service updates | Contract; Legitimate interests (service quality) |
| Service improvement & analytics | Usage analytics, troubleshooting, UX improvements, product demand; Customer Feedback | Legitimate interests (improving services) |
| Marketing & loyalty | Email/SMS/app notifications, loyalty perks, personalised offers | Consent (withdraw anytime) |
| Fraud prevention/security | Prevent, detect and investigate fraud/abuse; secure systems | Legitimate interests; Legal obligation |
| Legal & compliance | Record-keeping, audits, responding to lawful requests | Legal obligation |
| Corporate transactions | Evaluate/execute M&A or reorganisation with safeguards | Legitimate interests |
5. Mandatory vs Optional Data and Consequences
Where we ask for data that is required (e.g., delivery address, payment details), we label it as mandatory. If you do not provide mandatory data, we may be unable to provide the service (e.g., fulfil your order). Optional fields (e.g., marketing preferences) have no impact on core services.
6. Special Category Data and Children
We do not routinely collect special-category data. If you voluntarily share health-related data (e.g., skin sensitivities), we will process it only where a Schedule II condition applies (e.g., explicit consent, vital interests, legal claims or requirements under written law/public interest), and we will apply enhanced safeguards. Children’s data (i.e. below 18 years of age) is handled with heightened protection and requests must be made by a parent/guardian or as permitted by law.
7. Consent – How we obtain it and record it
- Consent is used only where required (e.g., marketing, special-category advice).
- Consent is freely given, specific, informed, unambiguous, and separate from terms not necessary for the service.
- It is granular per purpose/channel (email, SMS, push).
- We specify controller identity, purposes, data categories, recipients, cross-border details, retention, withdrawal method, and consequences at or before consent.
- You can withdraw consent at any time without detriment; withdrawal is effective going forward only.
Example (marketing short-form): ‘I consent to [Controller] sending me [offers/news] via [email/SMS/push] about The Body Shop products. My data may be processed in Sri Lanka and transferred to [India/other] with PDPA safeguards. I can withdraw at any time at [method].’
8. Cookies and Similar Technologies
We use cookies/SDKs to operate our sites/apps, measure performance, and (with your consent) personalise content/ads. We seek consent for non-essential cookies where required and describe cookie types, purposes, and lifetimes in our Cookie Notice.
9. Who we share your data with (Recipients)
We disclose personal data only where necessary, and strictly in line with purpose limitation, lawful basis, security, and accountability obligations under the Sri Lanka PDPA. Disclosures are made under binding contractual safeguards ensuring third parties process data solely on our instructions, implement appropriate technical and organisational measures, and provide equivalent protection. We remain accountable for their compliance.
9.1 Group companies & affiliates (including our parent entity in India)
We may share personal data with our parent entity and affiliates, such as Quest Retail Private Limited, having its Corporate Office at 7th Floor, Infinity Towers, Tower A, DLF Cyber City, DLF Phase II, Gurugram – 122002, Haryana, India, for centralised operational management, CRM, consolidated analytics/reporting, IT hosting/cybersecurity, and internal audit/compliance. These intra-group transfers are governed by inter-company data protection agreements that: (i) limit processing to specified purposes; (ii) require equivalent security and confidentiality; (iii) restrict onward disclosures; (iv) support PDPA data-subject rights; and (v) allow compliance audits. Cross-border elements are handled under Section 26 PDPA (see Section 10 of this Privacy Policy).
9.2 Service providers (processors)
We engage third-party processors for hosting/cloud, payments, delivery/logistics, fraud and cybersecurity, customer support, and analytics/marketing services. Each processor is bound by a Data Processing Agreement imposing confidentiality, purpose-binding, deletion/return at end of service, security (encryption, pseudonymisation, anonymization, access controls), breach notification duties, and prohibitions on independent use. They process personal data only on our documented instructions.
9.3 Professional advisers, regulators & law enforcement
We may disclose personal data to external legal advisers, auditors, consultants, regulators, statutory bodies, and law enforcement where necessary to comply with legal obligations, respond to lawful demands, establish/exercise/defend legal claims, or protect rights, safety, and property. We share only the minimum data necessary for the specific legal or professional purpose.
9.4 Business transferees (M&A and reorganization)
In the event of a merger, acquisition, joint venture, asset sale, or reorganisation, we may disclose personal data to potential or actual acquiring entities, their advisers, and relevant regulators to assess or complete the transaction. Prior to any transfer, we conduct data-protection due-diligence and impose contractual safeguards requiring continuity of protection, purpose compatibility, and notification of material changes to processing.
9.5 Safeguards applied across all disclosures
- Purpose limitation: We disclose only what is required for the engagement.
- Data minimization: We share the minimum data necessary for the task.
- Security & confidentiality: All recipients must implement appropriate measures (e.g., encryption, access controls) and maintain confidentiality.
- Accountability & oversight: We keep records, assess vendor risk, and enforce contractual compliance.
- Data-subject rights: Recipients must support us in fulfilling PDPA rights requests (access, correction, erasure, objections).
10. Cross-Border Data Transfers (Sri Lanka to India and other Countries)
We may transfer certain personal data to our parent entity in India and to service providers outside Sri Lanka for centralised operations, analytics, support, and marketing administration.
Under Section 26 PDPA, cross-border processing may occur where a Ministerial adequacy decision exists; where it does not, we use appropriate safeguards ensuring compliance with PDPA Parts I–II and ss.20–25 via DPA-specified instruments (e.g., PDPA-aligned contractual clauses, binding corporate rules, code/certification, or a cross-border processing impact assessment), along with technical/organisational measures.
For India (until an adequacy decision is issued), we rely on contractual safeguards aligned with the DPA’s draft Specification of Instruments for Processing of Personal Data Outside Sri Lanka, plus encryption, access controls, minimisation, and where appropriate, the transfer-impact assessments. We continue to honour Sri Lankan data-subject rights post-transfer.
11. How long we keep your Data (Retention)
We retain personal data only as long as necessary for the stated purposes and applicable legal obligations, then delete or irreversibly anonymise it. We disclose periods/criteria transparently and provide more granularity on request.
- Orders & tax/audit records: as required by the tax laws in force in Sri Lanka for the time being, as amended, notified and enforced by the appropriate authority/government from time to time.
- Customer care records: 24 months after resolution (longer if a dispute persists).
- Marketing/loyalty: until you withdraw consent or 24 months of inactivity (whichever earlier).
- CCTV (in-store, if used): 30–90 days unless required for an investigation.
- Cookies/SDKs: as described in our Cookie Notice (Refer to Annexure 1).
12. Your Rights under the Sri Lanka Personal Data Protection Act and how to exercise them
- Access to your data and Schedule V information (s.13).
- Withdraw consent and object in specified cases (s.14).
- Rectification/Completion of inaccurate/incomplete data (s.15).
- Erasure in specified circumstances (s.16).
- Human review for solely automated decisions with significant effects (s.18).
- Appeal to the Data Protection Authority (DPA) if dissatisfied with our response (s.19).
How to submit a request: email customercare@thebodyshop.lk or write to Quest Holdings Lanka (Private) Limited, registered in Sri Lanka at 1st Floor, No. 85, Cotta Road, Colombo-8, Post Code-00800, Sri Lanka, with identity proof. We respond without undue delay within PDPA timelines; extensions may apply for complex cases as allowed by law. Complaint to the DPA: info@dpa.gov.lk | +94 (0)112 697 241 / +94 (0)112 697 237 | www.dpa.gov.lk.
13. Security
We apply appropriate technical and organisational measures to protect personal data, including role-based access, encryption (in transit/at rest where feasible), logging/monitoring, secure development practices, and vendor due-diligence.
14. Personal Data Breaches
We assess breaches and will notify the DPA and affected individuals where required under the PDPA and DPA rules (when final). Internally, we target a conservative 48-hour window for notifying the Authority for notifiable breaches.
15. Third Party Links and Services
The Platform may contain links to other websites operated by other parties, such as our business affiliates, merchants or payment gateways. We are not responsible for the privacy practices of websites operated by these other parties. You are advised to check on the applicable privacy policies of those websites to determine how they will handle any information they collect from you.
Please note that even if the third party is affiliated with us, we have no control over these third-party websites, each of which may have their own separate privacy and data collection practices independent of us. We therefore have no responsibility or liability for the content, security arrangements (or lack thereof) and activities of these linked sites. These linked sites are only for your convenience and you therefore access them at your own risk. Nonetheless, we seek to protect the integrity of our Platform and the links placed upon each of them and therefore welcome any feedback about these linked sites (including, without limitation, if a specific link does not work).
16. Changes to this Policy
We keep our Privacy Policy under regular review. Any changes we make to this Privacy Policy in the future will be posted on this page and, where appropriate, we will give you reasonable notice of any changes and/or seek your consent.
17. Queries
If you have any questions regarding this Privacy Policy or the way we use your personal information, please contact the DPO team by email at customercare@thebodyshop.lk. It is important that any personal information that we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
(Annexure 1)
We use cookies, SDKs, and similar technologies on our website and mobile applications to ensure they function properly, keep your account secure, remember your preferences, understand how you use our services, and, where you consent, deliver personalised content and advertising. Strictly-necessary cookies are essential for core functionality and security and cannot be switched off, while analytics, functional, and advertising cookies/SDKs are optional and used only where permitted by law or with your consent. These technologies collect information such as device identifiers, IP address, browser type, usage patterns and interaction data. Each cookie or SDK retains data only for as long as necessary for its purpose, based on tool-specific time-to-live (TTL) settings, after which the data is deleted or anonymised. Some cookies/SDKs are placed by authorised third parties (such as analytics, performance and advertising partners) and may involve transfers of personal data outside Sri Lanka, including to India or other jurisdictions, using safeguards as required under Section 26 of the PDPA, such as PDPA-aligned contractual clauses or other instruments recognised by the Data Protection Authority. You can manage or withdraw your cookie and SDK preferences at any time using our Cookie Settings panel or through your browser or device controls. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. For more information about how we process your personal data and your rights under the PDPA, including access, rectification, erasure, objection and appeals, please refer to our Privacy Policy.