Master Privacy Policy

1. Definitions and Allocation of Regulatory Responsibility

For the purposes of this Privacy Policy, the "Company" refers to the owner, developer, and distributor of the hostel management software application and its associated infrastructure. The "Subscriber" refers to the hostel owner, property manager, or administrative entity utilizing the application to manage commercial hospitality operations. The "End-User" refers to the guests, tenants, employees, or visitors whose personal information is entered into the application.

Under applicable global data protection frameworks—including the Nepal Individual Privacy Act, 2018 (2075), the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA)—the Company operates exclusively in the capacity of a Data Processor (or Service Provider). The Subscriber operates as the Data Controller (or Business) and bears the sole, non-transferable legal responsibility for obtaining all necessary statutory consents from End-Users prior to entering, uploading, or processing their personal data within the application.

2. Categorization of Information Collected

The Company collects and processes information strictly to provide, secure, optimize, and maintain the application. The categories of information collected are systematically divided into Subscriber Data and End-User Data:

• Subscriber Account Information: To establish and maintain the commercial relationship, the Company collects the Subscriber's corporate name, administrative email addresses, telephone numbers, physical business addresses, and encrypted administrative credentials.
• Property and Occupancy Data (End-User Data): Information inputted directly by the Subscriber regarding End-Users. This may include government-issued identification details (such as citizenship numbers or passports), demographic data, health or dietary preferences relevant to hospitality services, and emergency contact information. Pursuant to Section 27 of the Nepal Individual Privacy Act, the collection of such sensitive personal information is performed under the direct authorization of the Subscriber, who guarantees that explicit consent has been secured from the End-User.
• Financial and Transactional Data: Billing information, payment gateway tokenization data, and historical transaction ledgers. The Company utilizes PCI-DSS compliant third-party payment gateways and does not independently store raw credit card numbers or highly sensitive financial routing data on its proprietary servers.
• Automated Device and Telemetry Data: Upon accessing the platform, the Company automatically collects IP addresses, operating system specifications, browser configurations, interaction metrics, and crash diagnostic reports. This telemetry data is essential for ensuring system stability, mitigating distributed denial-of-service (DDoS) attacks, and preventing unauthorized access.

3. Purpose and Utilization of Collected Information

The Company processes the collected information according to the principles of data minimization and purpose limitation. The data is utilized strictly to:

• Deliver the core functionalities of the hostel management system, including reservation tracking, room allocation, and automated billing.
• Facilitate account management, technical support, and the deployment of necessary software updates.
• Analyze aggregated, anonymized system performance metrics to drive future product enhancements.
• Comply with binding legal obligations, lawful court orders, or requests from authorized governmental entities pursuant to the Electronic Transactions Act, 2063.

4. Artificial Intelligence, Machine Learning, and Sub-Processor Disclosures

To provide advanced operational capabilities, the application may utilize integrated machine learning algorithms, artificial intelligence (AI) modules, and third-party Large Language Models (LLMs) for features such as automated guest communications, review analysis, and financial forecasting. The Company hereby discloses that End-User text inputs, reservation metadata, and queries may be transmitted to and processed by these authorized third-party AI sub-processors.

The Company enforces strict Data Processing Agreements (DPAs) with these providers, explicitly prohibiting the utilization of Subscriber or End-User personal data for the training, fine-tuning, or enhancement of public foundational models. The Subscriber affirmatively consents to this specific algorithmic processing and assumes the obligation to accurately disclose the use of automated processing systems to their End-Users in accordance with applicable transparency laws.

5. Disclosure, Sharing, and Extraterritorial Transfer of Information

The Company adheres to rigorous confidentiality protocols and categorically refuses to sell, rent, or lease personal information to unauthorized third parties or data brokers. Information may only be disclosed under the following controlled circumstances:

• To authorized third-party service providers, cloud hosting infrastructures, and communication APIs that are bound by stringent confidentiality and data protection agreements.
• To law enforcement agencies, regulatory bodies, or judicial authorities when mandated by a legally binding order, subpoena, or warrant.
• To acquiring entities, successors, or assignees in the event of a corporate merger, acquisition, bankruptcy proceeding, or total asset sale.

6. Data Retention and Statutory Destruction Protocols

The Company aligns its data retention practices with the strict mandates of Nepalese and international law. In explicit compliance with Section 22 of the Nepal Individual Privacy Act, 2018 (2075), personal information collected for a specific purpose shall be targeted for destruction within thirty (30) days after the definitive fulfillment of that purpose, unless a longer retention period is explicitly mandated by overriding federal tax, accounting, or anti-money laundering statutes.

The Company relies upon the Subscriber to actively manage, archive, delete, or anonymize End-User data through the application dashboard once a guest's occupancy concludes. In the event that a Subscriber actively terminates their commercial account, the Company shall initiate an automated, cryptographic purge of the associated databases within the stipulated legal timeframe, rendering the data permanently irrecoverable.

7. End-User Rights and Access Requests

Depending on the applicable jurisdiction, End-Users possess fundamental rights regarding their personal data, including the right to access, rectify, restrict processing, or request total erasure. Because the Company acts strictly as a Data Processor holding data on behalf of the Subscriber, all End-User requests regarding data privacy rights must be directed to the respective Subscriber (the hostel management entity). The Company shall not independently respond to End-User requests but will provide the Subscriber with the necessary technical tools and administrative dashboard access to efficiently fulfill these lawful requests.

8. Security Safeguards and Assumption of Risk

The Company implements robust, industry-standard security architectures, including transport layer security (TLS) encryption, role-based access controls, and routine vulnerability assessments, to protect data against unauthorized access, malicious alteration, or accidental destruction. Notwithstanding these efforts, the Company cannot guarantee absolute security over public internet transmissions or wireless networks. The Subscriber acknowledges the inherent risks of digital data storage and assumes all risks associated with the transmission of highly sensitive End-User data over public telecommunications infrastructure.