Privacy Policy

1.1 Commitment to Privacy

Sankat Mochan Sajilo Yatra Pvt. Ltd. (Registration No. 368115/81/82), operating the SubhYatra platform ("SubhYatra," "we," "us," or "our"), is committed to protecting your privacy and ensuring the security of your personal information. The SubhYatra application is developed by Nexalaris Tech Pvt. Ltd. (Technology Partner). This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our mobile application and services.

1.2 Legal Framework

This Privacy Policy is designed to comply with:

• Individual Privacy Act, 2075 (2018) - Nepal's primary privacy legislation
• Individual Privacy Regulation, 2077 (2020) - Implementation rules
• Digital Privacy and Data Protection Act, 2082 (2025) - New comprehensive data protection law
• Electronic Transaction Act, 2063 (2008) - Digital transaction regulations
• Consumer Protection Act, 2075 (2018) - Consumer rights protection

1.3 Data Controller

Sankat Mochan Sajilo Yatra Pvt. Ltd. is the data controller responsible for your personal data.

2.1 Information You Provide Directly

2.2 Information Collected Automatically

2.3 Information from Third Parties

3.1 Primary Purposes

As required under Section 4 of the Individual Privacy Act, 2075, we collect your data for the following specified purposes:

3.2 Secondary Purposes

With your consent, we may use data for:

• Personalized recommendations
• Marketing communications
• Analytics and research (anonymized)

3.3 No Unauthorized Use

We will NOT use your personal data for any purpose not disclosed in this Policy without obtaining your explicit consent, as required by Nepal's privacy laws.

4.1 Obtaining Consent

In compliance with the Individual Privacy Act, 2075:

• We obtain your consent before collecting personal information
• Consent is obtained through clear affirmative action (accepting this Policy)
• You are informed of the purpose of collection at the time of consent

4.2 Types of Consent

• Express Consent: Required for sensitive data and location tracking
• Implied Consent: For data necessary to provide requested services

4.3 Withdrawing Consent

You may withdraw consent at any time by:

• Adjusting app permissions
• Contacting us at privacy@subhyatranepal.com
• Deleting your account

Note: Withdrawing consent may limit your ability to use certain features.

5.1 Data Localization

In compliance with the Digital Privacy and Data Protection Act, 2082:

• User data is primarily stored on servers in the Asia-Pacific region
• Sensitive personal data may be stored on servers within Nepal or in compliant jurisdictions
• We ensure adequate data protection for any cross-border transfers

5.2 Security Measures

We implement robust security measures including:

5.3 Data Breach Notification

In compliance with the Digital Privacy and Data Protection Act, 2082:

• We will notify the Data Protection Authority within 72 hours of discovering a breach
• Affected individuals will be notified promptly if the breach poses high risk
• We maintain records of all data breaches and responses

6.1 Retention Periods

6.2 Retention Principles

• Data is retained only as long as necessary for stated purposes
• Anonymized data may be retained longer for analytics
• Legal requirements may mandate longer retention

6.3 Data Deletion

Upon account deletion or retention period expiry:

• Personal data is securely deleted or anonymized
• Backup data is purged within 90 days
• Legal hold data is retained as required

7.1 Sharing with Service Providers

We share data with trusted service providers who assist us:

All service providers are contractually bound to protect your data.

7.2 Sharing Between Users

• Passengers see: Driver name, photo, vehicle details, rating, live location during ride
• Drivers see: Passenger name, pickup/drop location, contact option

7.3 Sharing for Safety

We may share data with:

• Emergency services when safety is at risk
• Law enforcement pursuant to valid legal process
• Emergency contacts (when SOS feature is activated)

7.4 Legal Disclosure

We may disclose data when required by:

• Court orders
• Government authority requests
• Legal proceedings
• Protection of rights and safety

7.5 No Sale of Data

We do NOT sell your personal data to third parties for marketing purposes.

8.1 Rights Under Nepal Law

Under the Individual Privacy Act, 2075 and Digital Privacy and Data Protection Act, 2082, you have the right to:

8.2 Exercising Your Rights

To exercise your rights:

• Email us at privacy@subhyatranepal.com
• Use in-app privacy settings
• Contact customer support

We will respond to requests within 30 days as required by law.

8.3 Right to Complain

If you believe your privacy rights have been violated, you may:

• Contact us first for resolution
• File a complaint with the Data Protection Authority of Nepal
• Seek compensation through the District Court (Section 31, Individual Privacy Act)

9.1 Why We Collect Location Data

Location data is essential for:

• Connecting you with nearby drivers
• Providing accurate fare estimates
• Enabling real-time ride tracking
• Ensuring safety during rides
• Improving service coverage

9.2 Location Collection Practices

9.3 Location Permissions

• You control location permissions through your device settings
• Denying location permission will prevent core app functionality
• Background location for drivers is required for matching

9.4 Location Data Retention

• Real-time location: Not stored after ride completion
• Ride route data: Stored for 30 days
• Pickup/drop locations: Stored with ride history (5 years)

10.1 Mobile App Tracking

Our mobile app may use:

• Firebase Analytics for usage statistics
• Crash reporting tools
• Performance monitoring

10.2 Website Cookies

Our website (subhyatranepal.com) uses:

• Essential cookies for functionality
• Analytics cookies (with consent)

10.3 Managing Preferences

You can manage tracking through:

• App settings
• Device advertising settings
• Browser cookie settings

11.1 Age Restriction

• Our Services are not intended for individuals under 18 years
• We do not knowingly collect data from minors
• Minors may only use Services under adult supervision

11.2 Parental Rights

If you believe we have collected data from a minor:

• Contact us immediately at privacy@subhyatranepal.com
• We will promptly delete such data

12.1 Transfer Mechanisms

When data is transferred outside Nepal:

• We ensure adequate protection measures
• Transfers comply with Nepal's data protection requirements
• Service providers are bound by data protection agreements

12.2 Server Locations

• Primary servers: Asia-Pacific region
• Backup servers: Secure cloud infrastructure
• CDN: Global distribution for performance

13.1 Policy Updates

We may update this Privacy Policy to reflect:

• Changes in our practices
• New features or services
• Legal or regulatory requirements

13.2 Notification of Changes

• Material changes will be notified via email or in-app notification
• Updated Policy will be posted on our website and app
• Continued use constitutes acceptance of changes

13.3 Review History

• Version 1.0: January 2026 (Initial release)

14.1 DPO Appointment

In compliance with the Digital Privacy and Data Protection Act, 2082, we have appointed a Data Protection Officer.

14.2 DPO Contact

15.1 Privacy Inquiries

For questions about this Privacy Policy or your personal data:

15.2 Response Time

We aim to respond to all privacy-related inquiries within 30 days.

15.3 Regulatory Authority

Data Protection Authority of Nepal (Contact details to be updated when Authority is established)