Breaking News
Privacy Policy of LankaTalks
Effective Date: March 2026
Governing Law: Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA)
Also aligned with: Singapore PDPA, US State Privacy Laws, GDPR principles
Important Notice: This Privacy Policy governs the collection, use, storage, and protection of personal data by LankaTalks, including sensitive identity and verification documents collected through the Member Area. By registering or using the Service, you acknowledge that you have read and understood this policy in full.
1. About This Policy
LankaTalks (“we”, “us”, or “our”) operates the website at https://www.lankatalks.com/ and the LankaTalks Member Area (collectively, the “Service”). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have in relation to your data.
This policy applies to all users of the Service, including visitors, registered general members, and verified members across all member types — Students, Academic Professionals, Professionals, and Business/Corporate entities.
By accessing or using the Service, or by completing registration as a member, you agree to the collection and use of your information in accordance with this policy.
Effective Date: March 2026
Governing Law: Sri Lanka Personal Data Protection Act No. 9 of 2022 (PDPA)
Also aligned with: Singapore PDPA, US State Privacy Laws, GDPR principles
Important Notice: This Privacy Policy governs the collection, use, storage, and protection of personal data by LankaTalks, including sensitive identity and verification documents collected through the Member Area. By registering or using the Service, you acknowledge that you have read and understood this policy in full.
1. About This Policy
2. Who We Are — Data Controller
For the purposes of applicable data protection law, LankaTalks is the Data Controller responsible for your personal data collected through the Service.
Our Data Protection Officer (DPO) is the designated point of contact for all privacy-related matters:
DPO Email: [email protected]
Website: https://www.lankatalks.com/
We are registered and operate under the laws of Sri Lanka. As required by the Sri Lanka PDPA and Singapore PDPA, our DPO contact details are made publicly accessible through this Privacy Policy.
For the purposes of applicable data protection law, LankaTalks is the Data Controller responsible for your personal data collected through the Service.
Our Data Protection Officer (DPO) is the designated point of contact for all privacy-related matters:
DPO Email: [email protected]
Website: https://www.lankatalks.com/
We are registered and operate under the laws of Sri Lanka. As required by the Sri Lanka PDPA and Singapore PDPA, our DPO contact details are made publicly accessible through this Privacy Policy.
3. Information We Collect
3.1 Registration Data (All Members)
When you create an account on LankaTalks, we collect the following:
Data
Purpose
Sensitivity
Full name
Account identity and display
Standard
Email address
Account access and notifications
Standard
Phone / WhatsApp number
Verification and member communication
Sensitive
Password (hashed)
Account security — never stored in plain text
Sensitive
When you create an account on LankaTalks, we collect the following:
Data | Purpose | Sensitivity |
Full name | Account identity and display | Standard |
Email address | Account access and notifications | Standard |
Phone / WhatsApp number | Verification and member communication | Sensitive |
Password (hashed) | Account security — never stored in plain text | Sensitive |
3.2 Usage and Technical Data
We automatically collect the following when you access or use the Service:
• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited, time spent, and navigation paths
• Referring and exit URLs
• Device identifiers and diagnostic data
• Mouse movements, clicks, scrolls, and session interaction patterns (via Microsoft Clarity)
We automatically collect the following when you access or use the Service:
• IP address and approximate geographic location
• Browser type, version, and operating system
• Pages visited, time spent, and navigation paths
• Referring and exit URLs
• Device identifiers and diagnostic data
• Mouse movements, clicks, scrolls, and session interaction patterns (via Microsoft Clarity)
3.3 Cookies and Tracking Technologies
We use cookies, web beacons, tags, and tracking scripts to operate and improve the Service. Please refer to Section 13 for full details on our Cookie Policy and your consent options.
4. Member Verification Data
We use cookies, web beacons, tags, and tracking scripts to operate and improve the Service. Please refer to Section 13 for full details on our Cookie Policy and your consent options.
4. Member Verification Data
Important: This section describes the collection of government-issued identification documents and institutional credentials. This data is collected solely for verifying your member status and will not be used for any other purpose without your explicit consent.
After initial registration, members who choose to verify their status must provide additional documentation based on their member type. This data is collected under your explicit, separate consent at the point of verification.
Important: This section describes the collection of government-issued identification documents and institutional credentials. This data is collected solely for verifying your member status and will not be used for any other purpose without your explicit consent.
After initial registration, members who choose to verify their status must provide additional documentation based on their member type. This data is collected under your explicit, separate consent at the point of verification.
4.1 Student Members
Data Collected
Purpose
Sensitivity
National Identity Card (NIC) number
Identity verification
High
University name and faculty
Student status verification
Standard
Student ID card (uploaded image)
Institutional verification
High
Data Collected | Purpose | Sensitivity |
National Identity Card (NIC) number | Identity verification | High |
University name and faculty | Student status verification | Standard |
Student ID card (uploaded image) | Institutional verification | High |
4.2 Academic Professional Members
Data Collected
Purpose
Sensitivity
National Identity Card (NIC) number
Identity verification
High
University / institution name
Academic affiliation verification
Standard
University / institutional ID card (uploaded image)
Institutional verification
High
Data Collected | Purpose | Sensitivity |
National Identity Card (NIC) number | Identity verification | High |
University / institution name | Academic affiliation verification | Standard |
University / institutional ID card (uploaded image) | Institutional verification | High |
4.3 Professional Members
Data Collected
Purpose
Sensitivity
National Identity Card (NIC) number
Identity verification
High
Data Collected | Purpose | Sensitivity |
National Identity Card (NIC) number | Identity verification | High |
4.4 Business / Corporate Members
Data Collected
Purpose
Sensitivity
Business Registration Number
Legal entity verification
High
Registered business address
Entity verification
Sensitive
Business Registration (BR) Certificate (uploaded document)
Legal entity verification
High
Data Collected | Purpose | Sensitivity |
Business Registration Number | Legal entity verification | High |
Registered business address | Entity verification | Sensitive |
Business Registration (BR) Certificate (uploaded document) | Legal entity verification | High |
How We Handle Verification Documents
All uploaded documents (ID cards, BR certificates) are stored in a private, encrypted, access-controlled file storage environment. They are accessible only to authorised LankaTalks staff during the active verification process. Once verification is complete, uploaded documents are permanently deleted within 90 days unless retention is required by applicable law. Document URLs are never publicly accessible.
NIC numbers are stored encrypted in our database and are never displayed in full within the Service interface. Access is restricted to authorised personnel only and is logged for audit purposes.
All uploaded documents (ID cards, BR certificates) are stored in a private, encrypted, access-controlled file storage environment. They are accessible only to authorised LankaTalks staff during the active verification process. Once verification is complete, uploaded documents are permanently deleted within 90 days unless retention is required by applicable law. Document URLs are never publicly accessible.
NIC numbers are stored encrypted in our database and are never displayed in full within the Service interface. Access is restricted to authorised personnel only and is logged for audit purposes.
5. Legal Basis for Processing
Under the Sri Lanka Personal Data Protection Act No. 9 of 2022 and applicable regulations, we may only process your personal data where a lawful basis exists:
Data Category
Lawful Basis
Name, email, password
Performance of contract (account creation and service delivery)
Phone / WhatsApp number
Explicit consent; legitimate interest (account security)
Usage and technical data
Legitimate interest (service improvement and security)
Analytics and tracking cookies
Explicit consent (obtained via cookie consent banner)
NIC number and ID card documents
Explicit consent (separate, granular consent at verification step)
Business registration details and BR certificate
Explicit consent; legitimate interest (entity verification)
You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. To withdraw consent, please contact us at [email protected].
Under the Sri Lanka Personal Data Protection Act No. 9 of 2022 and applicable regulations, we may only process your personal data where a lawful basis exists:
Data Category | Lawful Basis |
Name, email, password | Performance of contract (account creation and service delivery) |
Phone / WhatsApp number | Explicit consent; legitimate interest (account security) |
Usage and technical data | Legitimate interest (service improvement and security) |
Analytics and tracking cookies | Explicit consent (obtained via cookie consent banner) |
NIC number and ID card documents | Explicit consent (separate, granular consent at verification step) |
Business registration details and BR certificate | Explicit consent; legitimate interest (entity verification) |
You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. To withdraw consent, please contact us at [email protected].
6. How We Use Your Data
We use the data we collect only for the following specified and legitimate purposes:
• To create and manage your LankaTalks account
• To verify your member type and grant appropriate platform access
• To communicate with you about your account, membership, and Service updates
• To provide customer support and respond to your enquiries
• To monitor and analyse usage patterns in order to improve the Service
• To detect, prevent, and address fraud, abuse, and technical issues
• To send platform notifications (you may opt out at any time)
• To comply with our legal obligations under applicable law
• To enforce our Terms and Conditions
We will not use your data for any purpose beyond those stated above without first obtaining your explicit consent or notifying you in a revised version of this policy.
We do not sell your personal data to any third party, under any circumstances.
We use the data we collect only for the following specified and legitimate purposes:
• To create and manage your LankaTalks account
• To verify your member type and grant appropriate platform access
• To communicate with you about your account, membership, and Service updates
• To provide customer support and respond to your enquiries
• To monitor and analyse usage patterns in order to improve the Service
• To detect, prevent, and address fraud, abuse, and technical issues
• To send platform notifications (you may opt out at any time)
• To comply with our legal obligations under applicable law
• To enforce our Terms and Conditions
We will not use your data for any purpose beyond those stated above without first obtaining your explicit consent or notifying you in a revised version of this policy.
We do not sell your personal data to any third party, under any circumstances.
7. Analytics and Tracking Tools
7.1 Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC, to monitor traffic patterns and understand how users interact with the Service. Google Analytics collects data such as page views, session duration, and geographic information. Google may use this data in connection with its own advertising network.
You can opt out of Google Analytics tracking by installing the browser add-on at: https://tools.google.com/dlpage/gaoptout
For more information on Google’s privacy practices, visit: https://policies.google.com/privacy
We use Google Analytics, a web analytics service provided by Google LLC, to monitor traffic patterns and understand how users interact with the Service. Google Analytics collects data such as page views, session duration, and geographic information. Google may use this data in connection with its own advertising network.
You can opt out of Google Analytics tracking by installing the browser add-on at: https://tools.google.com/dlpage/gaoptout
For more information on Google’s privacy practices, visit: https://policies.google.com/privacy
7.2 Microsoft Clarity and Microsoft Advertising
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to improve and market our products and services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products and services and online activity. Additionally, we use this information for site optimisation, fraud and security purposes, and advertising.
For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement: https://privacy.microsoft.com/en-us/privacystatement
By consenting to analytics and behavioural cookies via our cookie consent banner, you consent to the processing of your interaction data by Microsoft Clarity and Microsoft Advertising. You may withdraw this consent at any time through the cookie settings on our website.
Data Protection Impact Assessment (DPIA): As the use of Microsoft Clarity involves systematic monitoring of user behaviour, we have conducted a DPIA as required under the Sri Lanka PDPA prior to enabling this service.
We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to improve and market our products and services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products and services and online activity. Additionally, we use this information for site optimisation, fraud and security purposes, and advertising.
For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement: https://privacy.microsoft.com/en-us/privacystatement
By consenting to analytics and behavioural cookies via our cookie consent banner, you consent to the processing of your interaction data by Microsoft Clarity and Microsoft Advertising. You may withdraw this consent at any time through the cookie settings on our website.
Data Protection Impact Assessment (DPIA): As the use of Microsoft Clarity involves systematic monitoring of user behaviour, we have conducted a DPIA as required under the Sri Lanka PDPA prior to enabling this service.
8. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law:
Data Type
Retention Period
Account registration data (name, email, phone)
Duration of active membership + 2 years after account closure
Uploaded verification documents (ID cards, BR certificates)
90 days after verification is completed, then permanently deleted
NIC numbers (stored encrypted)
Duration of active membership; deleted upon account closure
Business registration details
Duration of active business membership + 2 years
Usage and analytics data
26 months (Google Analytics) / 13 months (Microsoft Clarity)
Communication records (support emails)
3 years from date of communication
Security logs and audit trails
12 months
When data is no longer required, we will securely delete or irreversibly anonymise it. You may request early deletion by exercising your right to erasure as described in Section 12.
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law:
Data Type | Retention Period |
Account registration data (name, email, phone) | Duration of active membership + 2 years after account closure |
Uploaded verification documents (ID cards, BR certificates) | 90 days after verification is completed, then permanently deleted |
NIC numbers (stored encrypted) | Duration of active membership; deleted upon account closure |
Business registration details | Duration of active business membership + 2 years |
Usage and analytics data | 26 months (Google Analytics) / 13 months (Microsoft Clarity) |
Communication records (support emails) | 3 years from date of communication |
Security logs and audit trails | 12 months |
When data is no longer required, we will securely delete or irreversibly anonymise it. You may request early deletion by exercising your right to erasure as described in Section 12.
9. Data Security
The security of your personal data is a priority. We implement the following technical and organisational measures:
• Encryption of sensitive data fields (including NIC numbers) at rest in our database
• Private, access-controlled storage for all uploaded documents — no public-facing URLs
• HTTPS/TLS encryption for all data transmitted between your browser and our servers
• Role-based access controls restricting staff access on a need-to-know basis
• Audit logging of all access to sensitive records, including NIC data and verification documents
• Secure, hashed storage of passwords — passwords are never stored in plain text
• Regular reviews of our data security procedures and access controls
No method of transmission over the internet or electronic storage is 100% secure. While we use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
The security of your personal data is a priority. We implement the following technical and organisational measures:
• Encryption of sensitive data fields (including NIC numbers) at rest in our database
• Private, access-controlled storage for all uploaded documents — no public-facing URLs
• HTTPS/TLS encryption for all data transmitted between your browser and our servers
• Role-based access controls restricting staff access on a need-to-know basis
• Audit logging of all access to sensitive records, including NIC data and verification documents
• Secure, hashed storage of passwords — passwords are never stored in plain text
• Regular reviews of our data security procedures and access controls
No method of transmission over the internet or electronic storage is 100% secure. While we use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Authority of Sri Lanka as required by the PDPA and will notify affected users without undue delay where required by law. If you suspect your account has been compromised, please contact us immediately at [email protected].
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Authority of Sri Lanka as required by the PDPA and will notify affected users without undue delay where required by law. If you suspect your account has been compromised, please contact us immediately at [email protected].
10. Sharing and Disclosure of Data
We do not sell, rent, or trade your personal data to any third party.
We do not sell, rent, or trade your personal data to any third party.
Service Providers
We may share your data with carefully selected third-party service providers who assist us in operating the Service, including:
• — analytics services (Google Analytics)Google LLC
• — behavioural analytics and advertising (Microsoft Clarity, Microsoft Advertising)Microsoft Corporation
• — for server, storage, and security servicesHosting and infrastructure providers
• — for transactional and notification emailsEmail service providers
All service providers are contractually obligated to process your data only on our instructions, to maintain confidentiality, and not to use your data for their own independent purposes.
We may share your data with carefully selected third-party service providers who assist us in operating the Service, including:
• — analytics services (Google Analytics)Google LLC
• — behavioural analytics and advertising (Microsoft Clarity, Microsoft Advertising)Microsoft Corporation
• — for server, storage, and security servicesHosting and infrastructure providers
• — for transactional and notification emailsEmail service providers
All service providers are contractually obligated to process your data only on our instructions, to maintain confidentiality, and not to use your data for their own independent purposes.
Legal Disclosure
We may disclose your personal data where required to do so in good faith, including to:
• Comply with a legal obligation, court order, or lawful government request
• Protect and defend the rights or property of LankaTalks
• Prevent or investigate possible wrongdoing, fraud, or abuse in connection with the Service
• Protect the personal safety of users of the Service or the public
• Protect against legal liability
We may disclose your personal data where required to do so in good faith, including to:
• Comply with a legal obligation, court order, or lawful government request
• Protect and defend the rights or property of LankaTalks
• Prevent or investigate possible wrongdoing, fraud, or abuse in connection with the Service
• Protect the personal safety of users of the Service or the public
• Protect against legal liability
11. International Data Transfers
Your personal data may be transferred to and processed in countries outside of Sri Lanka, including the United States and Singapore, by the third-party service providers named in Section 10 (Google, Microsoft).
Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with the Sri Lanka PDPA and Singapore PDPA, including binding contractual obligations on the recipient to provide equivalent protections for your data.
If you are located outside Sri Lanka and choose to use our Service, your data will be transferred to and processed in Sri Lanka. Your use of the Service constitutes your agreement to this transfer.
Your personal data may be transferred to and processed in countries outside of Sri Lanka, including the United States and Singapore, by the third-party service providers named in Section 10 (Google, Microsoft).
Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with the Sri Lanka PDPA and Singapore PDPA, including binding contractual obligations on the recipient to provide equivalent protections for your data.
If you are located outside Sri Lanka and choose to use our Service, your data will be transferred to and processed in Sri Lanka. Your use of the Service constitutes your agreement to this transfer.
12. Your Rights as a Data Subject
Under the Sri Lanka Personal Data Protection Act No. 9 of 2022 and applicable data protection laws, you have the following rights:
Your Right
What It Means
Right to Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or outdated personal data.
Right to Erasure
Request deletion of your personal data where it is no longer necessary.
Right to Restrict Processing
Request that we limit processing of your data in certain circumstances.
Right to Data Portability
Receive your personal data in a structured, machine-readable format.
Right to Object
Object to processing of your data based on our legitimate interests.
Right to Withdraw Consent
Withdraw any consent you have given at any time without penalty.
Right to Complain
Lodge a complaint with the Sri Lanka Data Protection Authority.
How to exercise your rights: Submit a written request to [email protected]. We will respond within 21 working days as required by the Sri Lanka PDPA. We may verify your identity before processing your request. There is no charge for submitting a request.
To escalate a complaint, contact the Data Protection Authority of Sri Lanka at: https://www.dpa.gov.lk/
Under the Sri Lanka Personal Data Protection Act No. 9 of 2022 and applicable data protection laws, you have the following rights:
Your Right | What It Means |
Right to Access | Request a copy of the personal data we hold about you. |
Right to Rectification | Request correction of inaccurate or outdated personal data. |
Right to Erasure | Request deletion of your personal data where it is no longer necessary. |
Right to Restrict Processing | Request that we limit processing of your data in certain circumstances. |
Right to Data Portability | Receive your personal data in a structured, machine-readable format. |
Right to Object | Object to processing of your data based on our legitimate interests. |
Right to Withdraw Consent | Withdraw any consent you have given at any time without penalty. |
Right to Complain | Lodge a complaint with the Sri Lanka Data Protection Authority. |
How to exercise your rights: Submit a written request to [email protected]. We will respond within 21 working days as required by the Sri Lanka PDPA. We may verify your identity before processing your request. There is no charge for submitting a request.
To escalate a complaint, contact the Data Protection Authority of Sri Lanka at: https://www.dpa.gov.lk/
13. Cookies and Consent
We use cookies and similar tracking technologies to operate and improve the Service. When you first visit LankaTalks, a cookie consent banner will allow you to accept or decline non-essential cookies.
Cookie Type
Purpose
Consent Required?
Strictly Necessary
Core functionality, security, session management
No — essential to the Service
Preference
Remembering your settings and language preferences
Yes
Analytics (Google Analytics)
Traffic analysis and usage reporting
Yes
Behavioural (Microsoft Clarity / Advertising)
Session recording, heatmaps, and advertising
Yes
You may change your cookie preferences at any time by clicking “Cookie Settings” in the footer of our website. You can also configure your browser to refuse all cookies; however, some parts of the Service may not function correctly as a result.
We use cookies and similar tracking technologies to operate and improve the Service. When you first visit LankaTalks, a cookie consent banner will allow you to accept or decline non-essential cookies.
Cookie Type | Purpose | Consent Required? |
Strictly Necessary | Core functionality, security, session management | No — essential to the Service |
Preference | Remembering your settings and language preferences | Yes |
Analytics (Google Analytics) | Traffic analysis and usage reporting | Yes |
Behavioural (Microsoft Clarity / Advertising) | Session recording, heatmaps, and advertising | Yes |
You may change your cookie preferences at any time by clicking “Cookie Settings” in the footer of our website. You can also configure your browser to refuse all cookies; however, some parts of the Service may not function correctly as a result.
14. Children’s Privacy
The LankaTalks Service and Member Area are not directed at anyone under the age of 18. We do not knowingly collect personally identifiable information from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at [email protected]. Upon verification, we will take prompt steps to permanently delete that information from our records.
The LankaTalks Service and Member Area are not directed at anyone under the age of 18. We do not knowingly collect personally identifiable information from minors. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately at [email protected]. Upon verification, we will take prompt steps to permanently delete that information from our records.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or Service features. When we make significant changes, we will:
• Post the updated policy on this page with a revised effective date
• Notify registered members via email prior to the change taking effect
• Display a prominent notice on the Service where appropriate
Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy. You are encouraged to review this policy periodically.
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or Service features. When we make significant changes, we will:
• Post the updated policy on this page with a revised effective date
• Notify registered members via email prior to the change taking effect
• Display a prominent notice on the Service where appropriate
Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy. You are encouraged to review this policy periodically.
16. Contact Us and Data Protection Officer
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact our Data Protection Officer:
LankaTalks — Data Protection Officer
Email: [email protected]
Website: https://www.lankatalks.com/
Response time: We aim to respond to all privacy-related requests within 21 working days as required under the Sri Lanka PDPA.
Complaints: You may also escalate complaints directly to the Data Protection Authority of Sri Lanka at https://www.dpa.gov.lk/
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact our Data Protection Officer:
LankaTalks — Data Protection Officer
Email: [email protected]
Website: https://www.lankatalks.com/
Response time: We aim to respond to all privacy-related requests within 21 working days as required under the Sri Lanka PDPA.
Complaints: You may also escalate complaints directly to the Data Protection Authority of Sri Lanka at https://www.dpa.gov.lk/