Legal
Privacy Policy
WanderBees is committed to protecting your personal information. This policy explains what data we collect, why we collect it, how it is used, and your rights under Nepal's Individual Privacy Act 2075 (2018), the Digital Privacy and Data Protection Act 2082, the Electronic Transactions Act 2063 (2006), the E-Commerce Act 2081 (2025), and all other applicable Nepal laws.
Last updated: 22 May 2026
1. Who We Are and Our Legal Obligations
WanderBees (operated by Subas Gautam / WanderBees Pvt. Ltd., registered in Nepal under the Company Act 2063) is a digital travel discovery platform that helps people find weekend activities, destinations, city hubs, and travel bundles across Nepal. As a data handler operating in Nepal, we are bound by: • Individual Privacy Act 2075 (2018) — Byaktigat Gopyata Sambandhi Ain 2075 • Individual Privacy Regulation 2077 (2020) • Digital Privacy and Data Protection Act 2082 (2025) • Electronic Transactions Act 2063 (2006), Sections 43–58 • E-Commerce Act 2081 (2025) • Consumer Protection Act 2075 (2018) • Information Technology and Cyber Security Act 2082 (2025) Under Article 28 of the Constitution of Nepal 2072, privacy — including the privacy of your personal documents, data, and correspondence — is a fundamental right. We treat it as such.
2. What Personal Data We Collect
We collect only the data that is necessary to provide the WanderBees service. Collection is governed by the purpose limitation principle under Section 24 of the Individual Privacy Act 2075. Account and Identity Data • Full name and email address provided at registration • Password (stored as a one-way cryptographic hash — never in plain text) • Profile preferences: selected city hub, activity type interests Discovery and Usage Data • Activities viewed, bookmarked, or saved • Journey logs and trip plans you create • Searches and filter selections Location Data (only with your explicit, revocable consent) • Device GPS coordinates used solely for the "Nearby" discovery feature • We do not store a continuous location history; coordinates are used in real time and not retained after the response is returned User-Generated Content • Condition reports and safety observations you submit for activities or destinations • Optional GPS coordinates you attach to a condition report for geographic verification • Contact messages and support requests Communications • Email address for service notifications, booking confirmation, and newsletters you have opted into Device and Technical Data • Browser type and version, operating system, IP address, session identifiers • Collected automatically via server logs and cookies for security, fraud prevention, and performance monitoring Sensitive Personal Data: We do not request or process sensitive categories of personal data (caste, ethnicity, political affiliation, religion, health, sexual orientation, or biometric data) as defined under the Individual Privacy Act 2075.
3. Legal Basis and Purpose of Processing
Under Section 24 of the Individual Privacy Act 2075, personal data collected for one purpose may not be reused for another without fresh consent. We collect and process your data only for the following specific purposes: Contractual Necessity (providing the service) • Creating and maintaining your WanderBees account • Delivering activity, destination, and hub information relevant to your selected city • Displaying your bookmarks and journey plans • Processing and displaying community condition reports Legitimate Interest (safety and security) • Detecting fraudulent, abusive, or illegal activity • Server security monitoring and intrusion prevention • Anonymised analytics to improve content quality and platform performance Consent (optional features requiring your active agreement) • Using your device location for the "Nearby" feature — you may revoke this at any time through your device settings • Sending you newsletter or promotional emails — you may unsubscribe at any time • Attaching GPS coordinates to condition reports Legal Obligation • Retaining records required by Nepal's tax laws, the E-Commerce Act 2081, and applicable court orders We do not use your personal data for automated profiling, algorithmic scoring, or decisions that have significant legal or material effects on you.
4. Location and Condition Report Data
Location Data ("Nearby" Feature) The Nearby discovery feature requires access to your device's GPS coordinates. This access is: • Entirely optional — the full WanderBees platform is usable without enabling location access • Requested through your browser's standard permission dialogue before any coordinate is read • Used only to calculate distances to nearby activities at the moment of your request • Not stored on our servers after the response is delivered • Not shared with any third party You may revoke location permission at any time through your browser or device settings. Condition Reports and Safety Data When you submit a condition report for an activity or destination: • Your report content is stored and displayed publicly to help other travellers • Your account identity is not attached to the public display unless you explicitly choose to identify yourself • You may optionally attach a GPS location to anchor your report geographically • Condition report data helps maintain real-time safety signals for the WanderBees community Reports are retained for as long as the associated activity or destination exists on the platform. If you wish to delete a report you submitted, contact us at the address below.
5. Cookies and Tracking Technologies
We use the following types of cookies and similar technologies: Strictly Necessary Cookies • Session authentication: keeps you logged in across page navigations • Security tokens (CSRF protection): prevents cross-site request forgery attacks • These cookies cannot be disabled without breaking core functionality Functional Cookies • Remembers your selected city hub and preference settings between visits • Stores your consent choices Analytics Cookies (only with your consent) • Anonymised data about which pages are visited and how users navigate the platform • No individual user is identified in analytics data • You may decline analytics cookies through our cookie preference centre We do not use advertising cookies, cross-site tracking pixels, or retargeting technologies. We do not share cookie data with advertising networks. Your cookie preferences can be updated at any time. Withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.
6. Data Sharing and Third Parties
Section 26 of the Individual Privacy Act 2075 prohibits sharing personal data with third parties without your consent, a court order, or a specific statutory exception. We do not sell your personal data under any circumstances. We may share limited data with the following categories of trusted service providers, who are contractually bound to process it only for the purposes we specify: • Cloud infrastructure and hosting: servers that store WanderBees data and serve the platform • Email delivery service: used to send account verification, password reset, and newsletter emails • Error monitoring and performance tools: receive anonymised technical logs to detect crashes • Maps and routing providers: receive origin/destination coordinates to generate route information displayed on activity pages • Payment processors (if applicable): if you purchase a bundle or paid service, payment card data is processed directly by a PCI-DSS compliant payment provider; WanderBees does not store card numbers We do not share data with government authorities except where required by a valid court order issued by a Nepal court, a lawful police request under the Electronic Transactions Act 2063, or other binding legal obligation. We will notify you of any such disclosure where we are legally permitted to do so. All service providers who receive your data are required to maintain data security standards consistent with Section 25 of the Individual Privacy Act 2075.
7. Cross-Border Data Transfers
Section 27 of the Individual Privacy Act 2075 requires that personal data may only be transferred outside Nepal with the data subject's consent and with assurance that the receiving jurisdiction provides equivalent safeguards. Some of our infrastructure service providers operate servers outside Nepal. By using WanderBees and accepting this Privacy Policy, you expressly consent to the transfer of your personal data to these providers for the specific purposes described in Section 6 above. We take the following steps to ensure equivalent protection: • We use only reputable providers who are subject to data protection frameworks (such as GDPR in the European Union, or equivalent national laws) that offer protections comparable to Nepal's Individual Privacy Act 2075 • Data processing agreements are in place with all international providers • No data is transferred to jurisdictions that we have reason to believe offer materially weaker protections without additional safeguards As Nepal's Digital Privacy and Data Protection Act 2082 and the Data Centre and Cloud Services (Operation and Management) Directive 2081 fully take effect, we will update our infrastructure arrangements to comply with any mandatory data localisation requirements for sensitive personal data categories.
8. Data Retention
We retain your personal data only for as long as is necessary for the purposes described in this policy or as required by Nepal law. Account Data: retained for the duration of your account and deleted within 90 days of account closure, except where retention is required for tax records (up to 7 years under Nepal tax law), dispute resolution, or a court order. Usage and Bookmark Data: retained for the duration of your account. Anonymised, aggregated analytics data may be retained indefinitely. Location Coordinates (Nearby feature): not retained after the response is returned. Condition Reports: retained for as long as the associated activity is active on the platform; you may request deletion by contacting us. Server Logs and Security Data: retained for 12 months for security audit purposes, then deleted. Contact and Support Messages: retained for 3 years from the date of correspondence. After the applicable retention period, data is securely deleted or anonymised so that it can no longer be associated with you.
9. Your Rights Under Nepal Law
Under the Individual Privacy Act 2075 and the Digital Privacy and Data Protection Act 2082, you have the following rights: Right to Information: You may ask what personal data we hold about you, how it is used, and with whom it has been shared. Right to Access: You may request a copy of the personal data we hold about you. Right to Rectification (Section 28, Individual Privacy Act 2075): If any of your personal data is inaccurate, you may request that we correct it. We will act on such requests within 15 days in accordance with our obligations under the E-Commerce Act 2081. Right to Erasure: You may request deletion of your personal data. We will comply unless retention is required by law, for security purposes, or to resolve a pending dispute. Right to Withdraw Consent: Where processing is based on consent (for example, location access or newsletter emails), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal. Right to Restrict Processing: You may ask us to suspend the use of your data while a rectification or erasure request is being assessed. Right to Complain: If you believe we have violated your privacy rights, you may: • Contact us directly at the address below to resolve the matter informally • File a complaint with the Data Protection Authority of Nepal (once fully established under the Digital Privacy and Data Protection Act 2082) • File a complaint with the District Court under Section 30 of the Individual Privacy Act 2075 within 3 months of the incident To exercise any of these rights, please contact us at [email protected] or through the Contact page on our platform.
10. Children and Minors
WanderBees is intended for users who are 18 years of age or older. Under the Muluki Civil Code 2074 (National Civil Code), persons under 18 years of age lack the legal capacity to enter into binding contracts. Under the Individual Privacy Act 2075, processing of personal data belonging to minors requires the consent of their parent or legal guardian. We do not knowingly collect personal data from persons under 18. If you are a parent or guardian and become aware that a minor has created a WanderBees account without your consent, please contact us immediately at [email protected]. We will delete the account and associated data promptly. If you are under 18, you must not register an account or submit personal data to WanderBees without the consent and involvement of your parent or legal guardian.
11. Security Measures
We implement reasonable technical and organisational security measures as required by Section 25 of the Individual Privacy Act 2075 and the Data Centre and Cloud Services (Operation and Management) Directive 2081 (2025) to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include: • HTTPS encryption for all data in transit (TLS 1.2 or higher) • Encrypted storage of passwords using industry-standard cryptographic hashing (bcrypt) • Access controls: only authorised WanderBees personnel with a specific operational need may access personal data (per Section 23 of the Individual Privacy Act 2075) • Regular security audits and vulnerability assessments • Incident response procedures for security breaches Data Breach Notification In the event of a security breach that is likely to result in a risk to your rights and freedoms: • We will notify the Data Protection Authority of Nepal within 72 hours of becoming aware of the breach, in compliance with the Digital Privacy and Data Protection Act 2082 • We will notify affected users as soon as reasonably practicable • We will take immediate steps to contain the breach and mitigate harm No method of transmission over the internet or method of electronic storage is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes: • We will update the "Last Updated" date at the top of this page • For material changes — changes that significantly affect your rights or how we use your data — we will notify you by email (if you have an account) at least 14 days before the changes take effect • Continued use of WanderBees after the effective date of a material change constitutes acceptance of the revised policy If you do not agree with a material change, you may close your account before the change takes effect.
13. Contact and Grievance Officer
Under the E-Commerce Act 2081 (2025), we are required to designate a grievance officer and resolve complaints within 15 days of receipt. Grievance Officer: WanderBees Privacy Team Email: [email protected] Contact Form: thewanderbees.com/contact Response Time: We will acknowledge your request within 48 hours and aim to resolve it within 15 days. Registered Address: WanderBees Kathmandu, Nepal If you are not satisfied with our response, you have the right to escalate your complaint to: • The Data Protection Authority of Nepal (once fully operational under the Digital Privacy and Data Protection Act 2082) • The Department of Commerce, Supplies and Consumer Protection under the Consumer Protection Act 2075 and E-Commerce Act 2081 • The relevant District Court under Section 30 of the Individual Privacy Act 2075