Privacy Policy
Last updated: 13 May 2026
This policy explains what personal information HimalHomes collects when you use the platform at himalhomes.com, how we use it, who we share it with, and the choices you have. By using the platform you agree to the practices described here.
1. Who we are
HimalHomes is a real-estate and homestay marketplace that connects guests, buyers, and renters with listing owners and agents in Nepal. For questions about this policy or your data, contact us at [email protected].
2. Information we collect
We collect three categories of information:
Information you give us directly
- Account details: your name, email address, mobile number, and password (stored only as a one-way hash; we never see the plaintext).
- Profile content: profile photo, optional vanity URL, biography, and agency / license details if you list properties.
- KYC documents (listers only): a copy of a national ID, passport, citizenship card, or driver licence. These are encrypted at rest on our servers and reviewed by an authorised administrator before your account is approved to list. We retain KYC documents even after account deletion, in a separate quarantined folder, to satisfy regulatory requirements; see section 7 for the retention period.
- Listing content: property details, photos, map location, price, and other attributes you choose to publish.
- Booking and inquiry content: dates, guest counts, messages, and any other information you exchange through the platform's booking + messaging flows.
- Reviews: ratings and review text you submit.
- Support content: support tickets, attachments, and messages you send to [email protected].
- Two-factor authentication secrets (optional): if you enrol in 2FA, we store a TOTP secret + hashed backup codes for your account. These can be reset by you (with password + a current code) or by an administrator after out-of-band identity verification.
Information we collect automatically
- Usage analytics: pages you view, listings you click on, and search filters you apply. Stored in our own database (analytics_events) and also reflected to Google Analytics 4 if the operator has configured it (see section 5).
- Device + network metadata: IP address, user-agent string, approximate timezone — typically captured in server logs and used for security, rate limiting, and abuse investigation.
- Cookies and similar technologies: we use a small number of cookies for authentication, language preference, and analytics. See our Cookie Notice for the full list.
Information from third parties
- Payment data from Stripe: when you book a homestay, Stripe handles the card charge directly. Stripe shares a payment ID, charge ID, and basic transaction status with us — we do not receive your card number, expiry, or CVV. Stripe's own privacy notice covers what they collect: stripe.com/privacy.
3. How we use it
We use the information above to:
- create and maintain your account;
- verify lister identity (KYC) before publishing listings;
- process bookings, payments, refunds, and host payouts;
- route inquiries and booking modifications between guests and hosts;
- send transactional email — verification, booking confirmations, refund updates, inspection reminders;
- send SMS notifications when configured and when you have provided a valid mobile number;
- analyse aggregate usage so we can improve the platform;
- detect, prevent, and respond to fraud, abuse, and platform-policy violations;
- comply with applicable law and respond to lawful requests from authorities.
4. Who we share it with
We share data only where necessary to run the service:
- Other users of the platform. Your listings, agent profile, and reviews are public. Your contact details are shared with the counterparty when you start an inquiry or accept a booking, subject to the privacy mode you set on each listing (Show phone, Hide until enquiry, or Platform-only).
- Stripe — payment processing. Payment data lives in their infrastructure under their own privacy policy.
- Twilio — SMS delivery, when the operator has configured an SMS sender and you have a mobile number on file. We share the destination phone and the message text only.
- Google Analytics 4 — if the operator has enabled analytics. GA receives pseudonymous page-view events; you can opt out via the Google Analytics opt-out add-on.
- Cloudflare — proxies traffic to himalhomes.com. See their privacy notice for details.
- Our SMTP relay — outbound email is sent via our own Postfix server; we do not use a third-party email provider. Emails travel over the internet and may be processed by recipient mail servers we don't control.
- Authorities — when we receive a valid legal request (court order, subpoena, or equivalent).
We do not sell, rent, or trade personal information to third parties for marketing purposes.
5. Analytics & tracking
We use two layers of analytics. An on-platform event log (analytics_events) records page-view and listing-click counts so admins can see aggregate traffic; this never leaves our servers and is keyed by a per-visitor pseudonymous ID, not your name or email. Optionally, the operator can wire up Google Analytics 4 — when present, GA receives a pageview event per route change.
You can disable GA in your browser using the official add-on at tools.google.com/dlpage/gaoptout or by enabling Do Not Track / Global Privacy Control in your browser (GA honors GPC).
6. How we protect it
- HTTPS-only transport with HSTS preload.
- Passwords stored as Argon2id hashes; we never log plaintext passwords.
- KYC documents AES-256-GCM encrypted at rest with envelope encryption (per-file data key, wrapped under a master key only in server memory).
- Two-factor authentication (TOTP) available to all users; required for administrators.
- JWT sessions in HttpOnly + SameSite=Lax cookies; rate limiting on /auth/login and password recovery.
- Daily encrypted off-server backups via restic, with periodic verified restore drills.
- Access to the database is restricted to authorised operators; audit logs record privileged actions.
No system is perfectly secure. If you discover a vulnerability, please email [email protected] and give us a reasonable chance to fix it before disclosing publicly.
7. How long we keep it
- Account data — kept while your account exists and for a short grace period after deletion in case of recovery.
- Bookings and payment records — kept for at least 7 years to comply with tax/financial-records requirements. After your account is deleted, the booking row is anonymised (your name + ID link are removed) but the financial record remains.
- Reviews — kept indefinitely as part of the public record. After account deletion, your name + ID link are removed and the review is attributed to a deleted user.
- KYC documents — retained even after account deletion in a quarantined folder for the lifetime of the platform or until a regulator-imposed expiry, whichever is shorter. A tombstone file records who deleted the account and when.
- Server logs and analytics events — typically 90 days; backups may retain copies longer.
- Support correspondence — kept while the matter is open and for 2 years after closure for reference.
8. Your rights
Subject to applicable local law, you have the right to:
- Access and correct the personal information we hold about you — most of it is visible and editable in your /profile page; for anything that isn't, email us.
- Request deletion of your account. Self-serve account deletion is not currently exposed in the UI; email [email protected] and an administrator will action it within 10 business days. KYC documents are retained per section 7.
- Withdraw consent to optional processing (e.g. opt out of SMS reminders by removing your mobile number from your profile, or disable GA via your browser).
- Lodge a complaint with the relevant data protection authority in your jurisdiction if you believe we have mishandled your data.
A self-serve data-export endpoint and a self-serve "delete my account" flow are on the roadmap but not yet exposed publicly.
9. International transfers
Our primary servers are hosted in a single datacentre. Where third-party processors (Stripe, Cloudflare, Google) are involved, data may be processed outside Nepal under the respective provider's standard contractual safeguards.
10. Children
HimalHomes is not directed at children under 16. If you believe a child has created an account or submitted information, email us and we will delete it.
11. Changes to this policy
We may update this policy as the platform evolves. The “Last updated” date at the top reflects the most recent change; material changes will also be announced in-app or by email to your registered address.
12. Contact
Questions, requests, or complaints about this policy or your data: [email protected].