Privacy Policy

Last updated: May 1, 2026

This policy describes how ERAH Education (“we”, “us”) handles personal information when you use our website, enrol in programmes, and make payments. We aim to meet expectations for online businesses in Sri Lanka (including payment-gateway and banking due diligence) and applicable data-protection rules.

1. Data controller and scope

The data controller responsible for personal data described in this policy is ERAH Education, located at 349/A/3 #0086, Avissawella Road, Pannipitiya, Kottawa, Sri Lanka, 10230. This policy applies to our public website, enquiry and enrolment processes, and delivery of educational services.

2. Information we collect

We may collect:

  • Identity and contact data: name, email address, phone number, postal address (if you provide it), and similar details when you register, enrol, complete forms, or contact us.
  • Education and account data: course choices, progress where applicable, LMS or platform identifiers, and communications about your studies.
  • Technical data: IP address, browser type, device identifiers, approximate location from IP, and cookies or similar technologies as described below.
  • Payment-related data: we do not collect or store your full card number, CVV/CVC, or card PIN on our servers. When you pay online, you enter payment details on the secure checkout provided by our payment partner (see section 5). We may receive limited payment metadata such as transaction or order reference, amount, currency, payment status, timestamp, payment method type (for example “Visa”), and masked or tokenised identifiers supplied by the gateway for reconciliation.
  • Marketing preferences: where you opt in to promotional emails or similar.

3. How we use your information

We use personal data to:

  • Provide, administer, and improve our educational programmes and website
  • Process enrolments, verify identity where reasonable, and communicate about your courses
  • Take and confirm payments, issue receipts, prevent fraud, and meet accounting, tax, and audit obligations
  • Respond to enquiries and provide student support
  • Send service-related notices (for example, changes to schedules or access)
  • Send marketing where we have your consent or another lawful basis
  • Comply with law, court orders, and requests from regulators or law enforcement where required

4. Legal bases

Depending on the activity, we rely on one or more of the following: performance of a contract with you; our legitimate interests (for example, securing our systems and improving our services), where not overridden by your rights; compliance with legal obligations; and your consent where required (such as certain marketing messages).

5. Payments and PayHere

Card and other online payments may be processed by PayHere (PayHere (Pvt) Ltd and related entities—as identified on the checkout page and at www.payhere.lk), an authorised payment gateway in Sri Lanka. PayHere operates the payment flow and processes card or wallet data in line with its own security standards and regulatory obligations (including PCI DSS-aligned practices as described by PayHere).

For payment transactions, PayHere typically acts as a processor or payment service provider on our behalf; we remain responsible to you for the educational service you purchase. PayHere’s processing of payer data is also governed by PayHere’s terms of service and privacy policy, which we encourage you to read when you pay.

We only receive the payment information we need to confirm your order, support you, and meet legal record-keeping requirements—not your full card credentials.

6. Sharing and subprocessors

We may share personal data with:

  • PayHere and, where applicable, banks or card networks involved in settlement, strictly for processing payments
  • Service providers who host our website, email, analytics, customer-support tools, or learning platforms, under contracts that require protection of personal data
  • Professional advisers (lawyers, auditors) where confidential
  • Authorities when required by applicable law

We do not sell your personal data. We do not allow PayHere or our other providers to use your personal data for their own marketing unrelated to providing their services to us, except as set out in their own policies.

7. International transfers

Our systems or subprocessors may be located in Sri Lanka or other countries. Where personal data is transferred across borders, we take steps in line with applicable law (such as appropriate safeguards or your consent where required).

8. Retention

We keep personal data only as long as needed for the purposes above, including legal, tax, and accounting requirements. Enrolment and payment records are typically retained for at least the period required by Sri Lankan law and good business practice. When data is no longer required, we delete or anonymise it where feasible.

9. Security

We use appropriate technical and organisational measures to protect personal data (including TLS/SSL on our site, access controls, and reliance on PCI-scoped payment pages for card data). No online transmission is completely risk-free; please protect your account credentials and devices.

10. Your rights

You may have rights under the Personal Data Protection Act, No. 9 of 2022 (Sri Lanka) and other laws that apply to you, including to request access, correction, or deletion of certain personal data; to object to or restrict some processing; to withdraw consent where processing is based on consent; and to lodge a complaint with the competent supervisory authority in Sri Lanka in accordance with that Act and related regulations.

If you are in the UK, EEA, or other regions with specific privacy regimes, additional rights may apply—we will respond in line with applicable law.

To exercise your rights, contact us using the details below. We may need to verify your identity before fulfilling certain requests.

11. Cookies and similar technologies

We use cookies and similar technologies where necessary for site operation, security, preferences, and analytics. You can control cookies through your browser settings; blocking some cookies may affect site functionality.

12. Children

Our services are aimed at learners who can lawfully enter into a contract, or who enrol with appropriate guardian involvement. If you believe we have collected a child’s personal data improperly, contact us and we will address it promptly.

13. Refunds and disputes

Questions about refunds, billing, and course access are handled by us in accordance with our Terms & Conditions (including the non-refundable course fee policy). PayHere processes payments but is not responsible for delivering our educational services or deciding refund eligibility except where law or payment-scheme rules require otherwise.

14. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date will change, and for material changes we may provide additional notice (for example, on our website). Continued use of our services after updates constitutes acceptance where permitted by law.

15. Contact us

ERAH Education

349/A/3 #0086, Avissawella Road, Pannipitiya, Kottawa, Sri Lanka, 10230

Email: info@eraheducation.com

Phone: +94 70 291 2330

For data-protection requests, please mark your subject line “Data protection request” and include enough detail for us to locate your information.