thekhoji
Sign in

Privacy Policy

What we keep, why we keep it, and how to make us delete it.

We collect the minimum data needed to run The Khoji, and we never sell it. This page tells you exactly what we keep, why, and how to make us delete it.

1. What we collect

  • Account info: email, name, profile photo, and locale preference, from your sign-in method (magic link or Google).
  • Content you submit: reviews, photos, helpful votes, saved businesses, claim submissions, bookings, and business listing edits.
  • Operational metadata: IP-derived city for rate limiting, browser/device for diagnostics, audit logs of privileged actions.
  • Payment metadata: when you book through Khalti or eSewa, we store the payment intent id, status, amount, and refund history. We never see or store your card details or wallet PIN.

2. What we don't collect

  • No third-party tracking pixels (Facebook, Google Ads, TikTok).
  • No precise GPS unless you opt-in to share it for a service request.
  • No selling, renting, or licensing of personal data, ever.

3. Why we collect it

  • To deliver the service: search results, bookings, reviews, claims.
  • To prevent abuse: rate limits, spam filters, fraud detection.
  • To keep promises: dispute resolution, refunds, owner appeals.
  • To improve: aggregate usage trends, never tied to your identity in product analytics.

4. How we share it

Only with the providers we need to run the service: Supabase (database and auth), Resend (email), Vercel (hosting), Khalti and eSewa (payments), Sentry (server-side error reporting only, with PII stripped). Each is a data processor bound by contract; none gets your data for their own marketing.

5. Your rights

  • Export: request a JSON copy of your data at any time.
  • Delete: request account and content deletion. We keep what's legally required (e.g. tax records of payments) for the minimum mandated period.
  • Correct: edit your profile, reviews (within the 24-hour edit window), and claimed business pages directly in-app.

To exercise any of these, email etherealfounderhq@gmail.com. We respond within seven days.

6. Cookies

We use one essential cookie for sessions (Supabase Auth) and one for locale preference (next-intl). No analytics or advertising cookies.

7. Where data lives

Database in Singapore (closest free Supabase region to Nepal), static assets cached globally via Vercel's edge network. We make no representations about cross-border data transfers being legal in every jurisdiction; if that's a problem for you, please don't use the service.

8. Children

The Khoji is not designed for users under 13. If you are a parent or guardian and believe a child has created an account, email us and we will delete it.

9. Changes to this policy

Material changes are announced on this page and by email to signed-in users at least 14 days before they take effect.