induwara.lk
induwara.lkAI · Privacy

AI PII Redactor — Sri Lanka NIC, Phone, Email, Card

Paste any text — customer lists, log lines, chat exports, transcripts — and get a redacted copy with NIC numbers, phones, emails, credit cards, IBANs, and IPs replaced. Detection happens in your browser; nothing is uploaded.

By Induwara AshinsanaUpdated May 12, 2026
Redact PII from textin your browser
100% client-side
Try a sample
156 / 100,000 chars· 4 detections pending

Plain text only. Nothing is uploaded — the redactor runs entirely in this tab.

Detectors
Replacement style

Sources: TRC numbering plan (mobile prefixes 070–078), DRP NIC format, ISO/IEC 7812-1 (card IINs), ISO 13616 (IBAN), RFC 5321 (email), RFC 791/4291 (IP). Last cross-checked 2026-05-12. The tool is an aid, not a legal guarantee — sensitive data should still get a human review.

How it works

Every detector is deterministic. A regular expression scans the input for a candidate (a 9-digit NIC, a credit-card-shaped run, an email), then a checksum or lookup confirms the candidate is actually what it looks like before anything is flagged. No probabilistic model, no training data, no download — just specifications turned into code.

1. Sri Lankan NIC numbers

Two formats are accepted. The old format is \d{9}[VX] — nine digits followed by V (citizen) or X (non-citizen). The first two digits are the last two digits of the year of birth, the next three are the day-of-year. A day code over 500 means female (subtract 500 to get the actual day). The newformat is twelve digits beginning with 19 or 20: full year, day-of-year, four-digit serial, one check digit. Both undergo a day-of-year range check before being flagged, so numeric strings that happen to look like an NIC don't get redacted.

2. Phone numbers

Sri Lankan phones are detected by prefix lookup against the TRC Numbering Plan: mobile prefixes 070, 071, 072, 074, 075, 076, 077, 078 and landline area codes (011 Colombo, 081 Kandy, 091 Galle, 045 Ratnapura, 052 Badulla, 037 Kurunegala, and the rest). International numbers in E.164 form (+CC NSN) are also detected — the digit count after the country code must be between 7 and 15 to count.

3. Credit cards

Any 13–19 digit run with optional spaces or hyphens is treated as a card candidate. It only sticks if it passes the Luhn mod-10 checksum and matches a known Issuer Identification Number range from ISO/IEC 7812-1: Visa (4), Mastercard (51–55, 2221–2720), Amex (34, 37), Discover (6011, 622126–622925, 644–649, 65), JCB (3528–3589), Diners Club (300–305, 36, 38, 39), UnionPay (62, 81), and RuPay (60, 65, 81, 82). Long order IDs and invoice numbers stay untouched.

4. IBAN

Two-letter country code + two check digits + 10–30 alphanumerics. The length is checked against the ISO 13616-1 IBAN registry (GB=22, DE=22, NL=18, FR=27, and so on), then the standard mod-97 check is run by shifting the first 4 characters to the end and converting letters to digits (A=10, B=11, …, Z=35). Anything failing either check is left in place.

5. Email and IP

Emails follow a simplified RFC 5321 regex with a 2–24-character alphabetic top-level domain. IPv4 octets are bounded 0–255; private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16) are skipped by default because they're rarely PII — flip the toggle if you need them redacted too. IPv6 supports full, leading-zero, and :: compressed forms.

6. Conflict resolution

When two detectors claim the same span, priority is NIC > credit card > IBAN > email > phone > IP. The text is rewritten right-to-left so character offsets stay valid as replacements are spliced in. A parallel verification path is exposed by verifyNicByAlternatePath() — a pure string-slice implementation that confirms the regex parser produces the same year, sex, and day-of-year. Both paths must agree before an NIC is considered valid.

Worked examples

Sri Lankan customer line

Customer: Kasun Perera, NIC 891234567V, phone +94 77 555 1234, email [email protected]. Card: 4111 1111 1111 1111.

  1. 891234567V → NIC (old). Year prefix 89 → 1989. Day-of-year 123 (≤500 = male). Born 1989-05-03. ✓
  2. +94 77 555 1234 → SL phone. Prefix 077 = Dialog mobile. Normalised +94775551234. ✓
  3. [email protected] → email, TLD .lk length OK. ✓
  4. 4111 1111 1111 1111 → Luhn passes (sum 30, mod 10 = 0). IIN 4 → Visa. ✓
  5. Output: 'Customer: Kasun Perera, NIC [NIC], phone [PHONE], email [EMAIL]. Card: [CC].'
  6. Note: the customer name itself is not detected — names need ML and are out of scope for v1.

Developer log (mask mode, preserve length)

[2026-05-12 10:14:22] User 192.168.1.42 logged in as [email protected] from country=LK; trace_id=78901234. Forwarded to 8.8.8.8.

  1. 192.168.1.42 → IPv4 private (192.168.0.0/16). Default: skipped — flip 'Include private IPs' to redact it.
  2. [email protected] → email (13 chars). Mask = '*' × 13.
  3. 8.8.8.8 → IPv4 public. Mask = '*' × 7.
  4. trace_id=78901234 → no pattern matches; left alone.
  5. Output: '[2026-05-12 10:14:22] User 192.168.1.42 logged in as ************* from country=LK; trace_id=78901234. Forwarded to *******.'

IBAN + international phone

Please remit invoice 224 to John Smith, IBAN GB82 WEST 1234 5698 7654 32, email [email protected]. Confirm by phone +44 20 7946 0958.

  1. GB82WEST12345698765432 → length 22 matches GB. Move 'GB82' to end, convert letters to digits, mod-97 = 1. ✓
  2. [email protected] → email match.
  3. +44 20 7946 0958 → international, 10 digits after country code, in range 7–15. ✓
  4. John Smith → not auto-detected; names are out of scope for v1.
  5. Output (placeholder mode): 'Please remit invoice 224 to John Smith, IBAN [IBAN], email [EMAIL]. Confirm by phone [PHONE].'

Privacy guarantee

Every byte of input stays inside your browser tab. The detection engine is plain JavaScript — no model download, no API call, no telemetry, no logging. Open DevTools → Network and watch — when you press Redact, you'll see zero outgoing requests carrying your text.

Hash mode generates a fresh random salt each time the page loads. The salt never leaves the page; tokens are only stable within the same session. Reload the page and the same input produces a different token.

Frequently asked questions

Sources & references

Related tools

Rate this tool
Be the first to rate

Comments & feedback

Spotted a bug or want an improvement? Tell us — our team reviews every comment, and good ideas get built. Comments are public and anonymous.

Found a false positive, a missing prefix, or a format the redactor misses?

Email me at [email protected] — fixes usually ship within a day.