Legal
Privacy Policy
This policy explains how chassia — the multi-tenant content and commerce platform operated by No Names Collective (Pvt) Ltd ("we", "us", "our") — collects, uses, retains, and protects information. It covers both this website (chassia.com) and the platform that powers our clients' websites. We have written it in plain English on purpose.
1. Who we are & scope
chassia is built and operated by No Names Collective (Pvt) Ltd, a creative and digital agency at No 561, Sirimadura, Gangarama Road, Werahara, Boralasgamuwa, Sri Lanka. We use chassia to run the websites, storefronts, and email we deliver for our clients.
For most personal data that flows through the platform (for example, a visitor filling in a contact form on a client's website, or a customer placing an order in a client's store), our client — the site owner — decides what is collected and why. In those cases the site owner is responsible for their own privacy notice, and we process that data on their behalf and under our agreement with them.
2. This website itself
chassia.com is a plain informational site. It sets no advertising or analytics cookies, runs no third-party trackers, embeds no external fonts or scripts, and makes no calls to third-party services while you read it. The only thing stored in your browser is an optional light/dark theme preference kept in your device's local storage — it never leaves your device and we cannot see it. If you email us, we receive whatever you choose to put in that message.
3. Data we process on the platform
When we operate a client's site on chassia, the platform may process:
- Account information — names, email addresses, roles, and hashed passwords for the client staff who log in to manage a site.
- Content — the pages, posts, media, product listings, and settings that make up each client's website.
- Form submissions — information a visitor enters into a form on a client's site (for example a contact or enquiry form), which is stored for the site owner and/or emailed to them as a notification.
- Orders & transactions — for stores, the order details, delivery information, and contact details a customer provides at checkout, together with a record of the order.
- Technical and operational logs — limited records such as request timestamps, IP addresses, and error information used to keep the service secure, available, and debuggable. These are tagged to the relevant tenant and kept only as long as needed for operations and security.
We do not handle card numbers ourselves; where online payment is offered, it is handled by a specialist payment provider, and card data does not pass through our systems.
4. Why we process it
- To provide, operate, and secure each client's website and store.
- To let authorised staff sign in and manage their content.
- To deliver the transactional emails a site depends on (see below).
- To detect, prevent, and investigate abuse, fraud, and security incidents.
- To meet our legal and contractual obligations.
We do not use platform data to build advertising profiles, and we do not sell it.
5. Email & Amazon SES
chassia sends transactional email only — password resets, login verification, contact-form notifications to site owners, and order confirmations. Recipients are our clients' staff and customers who have submitted a form or placed an order. We send no marketing or bulk email and never buy, rent, or scrape contact lists.
Transactional email is sent through Amazon Simple Email Service (Amazon SES), part of Amazon Web Services. To deliver a message, the recipient's email address and the message content are processed by SES on our behalf. All mail is DKIM-signed with SPF and DMARC enforced. Bounces and complaints are handled automatically and the affected addresses are suppressed so we do not email them again.
6. Third-party processors
We keep our supplier list short and use established providers. The main processors that may handle platform data on our behalf are:
- Amazon Web Services (AWS) — Amazon SES, for sending transactional email.
- Cloudflare — content delivery, DNS, media storage, and security/DDoS protection in front of our sites.
- DigitalOcean — managed database hosting for platform data.
Each of these providers processes data only to perform the service we use them for, under their own security and data-protection terms.
7. How long we keep it
- Account information is kept while the account is active and for a short period after a site is closed, then deleted or anonymised.
- Content and orders are kept for as long as the client operates the site, and are removed on the client's instruction or when we wind the site down, subject to any legal record-keeping requirements.
- Form submissions are retained according to the site owner's configuration; where they are only forwarded by email, we do not keep a separate long-term copy.
- Suppression records (bounced or complained addresses) are kept for as long as needed to keep our sending compliant and to avoid re-emailing those addresses.
- Operational logs are kept only for a limited period for security and troubleshooting, then rotated out.
8. Sharing & selling
We do not sell, rent, or trade personal data. We share it only with the processors listed above, with the relevant site owner whose site the data belongs to, and where we are required to by law or to protect our rights and the safety of others.
9. Security
Tenant data is isolated so one client's data is not accessible to another. We host in a single region, restrict administrative access, store passwords only in hashed form, encrypt data in transit over HTTPS, and keep our infrastructure locked down and monitored. No system is perfectly secure, but we take these safeguards seriously and review them regularly.
10. Your choices
If your personal data sits on a website we operate for a client, the site owner is usually the right first point of contact for access, correction, or deletion requests, and we will support them in responding. You can also contact us directly using the details below and we will help route your request. To manage the emails you receive, follow the instructions in the relevant message or contact the site you interacted with.
11. Children
chassia is a business platform and is not directed at children. We do not knowingly collect personal data from children through this website.
12. Changes to this policy
We may update this policy as the platform evolves. When we do, we will revise the "last updated" date at the top. Material changes will be reflected here on chassia.com.
13. Contact us
For any question about this policy or your data, email info@nonames.lk — a monitored inbox — or write to No Names Collective (Pvt) Ltd, No 561, Sirimadura, Gangarama Road, Werahara, Boralasgamuwa, Sri Lanka.