CONTROLLER IDENTITY AND SCOPE

1. Data controller: Nep Meals Technologies Private Limited ("NepMeals").
2. This Policy applies to customers, restaurant partners, delivery partners, applicants, website visitors, and support users.
3. This Policy applies to personal data processed through NepMeals websites, mobile apps, APIs, partner tools, and support workflows.

LEGAL FRAMEWORK CONTEXT

1. Data handling is aligned with applicable law of Nepal, including the Constitution of Nepal (right to privacy), the Privacy Act, 2075 (2018), the Electronic Transactions Act, 2063 (2008), and other applicable regulations.
2. Nothing in this Policy limits non-waivable rights under applicable law.

CATEGORIES OF DATA WE COLLECT

1. Account and identity data: name, phone, email, username, authentication metadata, and profile settings.
2. Order and transaction data: order details, delivery address, payment references, refund/cancellation history, and support records.
3. Partner onboarding data: business details, licensing/tax records, banking details, and verification documents.
4. Delivery operations data: rider assignment metadata, route status, handoff evidence, and communication logs.
5. Device and technical data: IP address, device identifiers, app and browser metadata, logs, crash diagnostics, and security telemetry.
6. Location data: approximate or precise location where needed for service coverage, dispatch, fraud control, and order tracking.
7. Communication data: calls, SMS, email, in-app chats, ticket notes, complaint records, and satisfaction feedback.

SENSITIVE OR HIGH-RISK DATA

1. We avoid collecting sensitive personal data unless necessary for legal compliance, fraud control, support resolution, or explicit user-provided context.
2. Where sensitive data is processed, access is restricted by role, purpose, and audit controls.

PURPOSES OF PROCESSING

1. To register and manage accounts and authenticate users securely.
2. To process orders, coordinate restaurants and riders, and provide delivery tracking.
3. To process payments, refunds, reversals, and settlement records.
4. To operate support, grievance handling, quality control, and incident management.
5. To prevent fraud, abuse, unsafe activity, and policy violations.
6. To maintain platform security, reliability, and performance.
7. To comply with legal, regulatory, tax, accounting, and law-enforcement obligations.
8. To send service communications, policy updates, and legally required notices.
9. To conduct analytics and product improvement.
10. To send marketing communications where lawful and where consent/opt-out rules permit.

LEGAL BASES

1. Contract necessity: providing requested platform and delivery services.
2. Legitimate interests: safety, fraud prevention, service optimization, and platform integrity.
3. Legal obligation: compliance with statutory and regulatory duties.
4. Consent: optional marketing, certain location uses, and other consent-based activities.

SHARING AND DISCLOSURE

1. With restaurant and delivery partners to fulfill orders and support operations.
2. With payment processors, communication providers, cloud vendors, analytics vendors, security providers, and other processors under contract.
3. With regulators, courts, public authorities, and law-enforcement where lawfully required.
4. With advisors, auditors, insurers, and acquirers during due diligence and business restructuring, subject to lawful safeguards.

CROSS-BORDER TRANSFERS

1. Some processors may store or process data outside Nepal.
2. Where cross-border transfer occurs, NepMeals uses contractual and organizational safeguards appropriate to risk and applicable law.

RETENTION SCHEDULE PRINCIPLES

1. Account and core transaction records are retained for legal, tax, and audit requirements, then deleted or anonymized.
2. Security logs, fraud indicators, and dispute records may be retained longer where required for legal defense and abuse prevention.
3. Marketing and preference data is retained until opt-out, withdrawal, or defined inactivity period.
4. Retention periods may differ by data type, legal hold obligations, and unresolved disputes.

TYPICAL RETENTION PERIODS

1. Typical data retention periods include:
2. Order and transaction records: up to five (5) years for legal, tax, and audit compliance.
3. Support, complaint, and dispute records: up to three (3) years.
4. Security logs and fraud indicators: up to two (2) years or longer where required for legal defense or abuse prevention.
5. Marketing and preference data: until user opt-out, withdrawal of consent, or defined inactivity period.
6. Actual retention may vary depending on legal obligations, unresolved disputes, or regulatory requirements.

SECURITY CONTROLS

1. We use layered technical and organizational safeguards, including encryption in transit, access controls, least-privilege models, logging, monitoring, and incident response procedures.
2. Access to sensitive data is limited to authorized personnel on a need-to-know basis.
3. No system is perfectly secure; users should protect credentials and report suspicious activity immediately.

DATA BREACH RESPONSE

1. NepMeals investigates suspected security incidents promptly.
2. Where required by law, impacted users and competent authorities are notified in accordance with legal timelines and risk severity.

USER RIGHTS AND CHOICES

1. Users may request access, correction, deletion, or other rights subject to applicable law. Requests are handled through support channels and may require identity verification.
2. Users may update certain profile fields directly in app/account settings.
3. Users can manage non-essential marketing preferences via available controls or support channels.
4. Identity verification may be required before fulfilling rights requests.

CHILDREN AND AGE-RESTRICTED USE

1. NepMeals services are not intended for minors who cannot lawfully contract independently under applicable law.
2. If unlawful child-data collection is detected, NepMeals will take steps to restrict or delete data as required by law.

COOKIES AND SIMILAR TECHNOLOGIES

1. NepMeals uses cookies, local storage, SDK tokens, and related technologies for authentication, preferences, analytics, and security.
2. See the Cookie Policy for category-specific details and controls.

THIRD-PARTY LINKS

1. The Platform may contain links to third-party services not controlled by NepMeals.
2. Third-party privacy practices are governed by their own policies.

AMENDMENTS

1. NepMeals may revise this Policy for legal, regulatory, technical, operational, or product reasons.
2. Updated versions are published with effective dates, and material changes may be additionally communicated through in-app notice, email, or website channels.

COMPLAINTS AND RESPONSE TIMING

1. NepMeals aims to acknowledge privacy complaints within two (2) business days.
2. NepMeals aims to resolve routine privacy complaints within seven (7) business days and complex matters within fifteen (15) business days, subject to verification and legal requirements.
3. NepMeals aims to acknowledge and resolve complaints within the stated timelines; however, actual timelines may vary depending on case complexity, partner response, and verification requirements.

Contact Details