Privacy notice

VisaLK is a Sri Lanka ETA application concierge operated by JK Innovations Pvt Ltd. We are not the Sri Lanka government; we prepare and submit your ETA application to eta.gov.lk on your behalf.

To submit a Sri Lanka ETA we collect the information shown on your passport (full name, passport number, nationality, dates of birth/issue/expiry, country of birth, sex), your travel plan (arrival/departure dates, airline, flight number, port of departure), your contact details (email, mobile), occupation, your home address and your Sri Lanka address. We also store the passport photo page and ticket image you upload.

All of the above fields are required by Sri Lanka Immigration to issue an ETA. We do not collect anything beyond what eta.gov.lk requires from us.

Application records live on a server we control. Uploaded passport and ticket images are encrypted at rest with AES-256-GCM using a key held only on the server. The decryption key is not in source code, not in the database, and never leaves the application server.

We submit your application data to the Sri Lanka Department of Immigration & Emigration ETA system (eta.gov.lk). We do not sell, rent, or share your data with marketers, advertisers, or any third party other than the Sri Lanka government and, where required, the payment processor that handles your card charge.

Application records and supporting documents are retained for 12 months after the trip end date for refund, fraud, and government audit purposes. After that, applicant fields and uploaded images are permanently deleted. Internal audit logs (who-did-what to your case) are retained for 24 months.

You can ask us at any time to access, correct, export, or delete your data. Email privacy@visalk.com. If we cannot honour your request because the Sri Lanka government has already received your application, we will tell you so you can pursue the matter with eta.gov.lk directly.

We hash admin passwords with bcrypt, require strong passwords (≥12 characters) and offer time-based 2FA on all admin accounts. Sessions are short (12 hours) and bound to HTTP-only secure cookies. All admin actions are written to a tamper-evident audit log. To report a vulnerability, see /.well-known/security.txt.

JK Innovations Pvt Ltd · privacy@visalk.com