Privacy Policy

Account: name, email, phone, password (hashed). KYC: citizenship number + photo, driving license number + photo, selfie. Bookings: vehicle requested, dates, status, location pickup/return, km used. Handover photos: pre-ride and post-ride condition photos for every booking. Payments: transaction reference IDs and amounts (no full card numbers). Device: browser, IP, OS, time of access for security and fraud prevention.

Verify identity (KYC). Process subscriptions, deposits, and bookings. Calculate and disburse owner payouts. Resolve damage and theft disputes (handover photos are the canonical evidence). Detect fraud and abuse. Send transactional notifications (booking status, KYC outcome, deposit verification, payouts). Improve the platform through aggregate, anonymized analytics. We do NOT sell personal data to advertisers or third parties.

We share data only with: payment processors (eSewa, Khalti, banks) to settle transactions; insurance providers when a claim involves your booking; law enforcement when required by Nepali law (court order, FIR, regulatory request); cloud hosting providers under contractual data-protection obligations. All partners are bound by confidentiality terms.

Account, booking, transaction, and KYC data is retained while your account is active and for 5 years after closure to comply with Nepal Rastra Bank financial regulations. Handover photos are retained for 12 months after the booking, or longer if needed to resolve an open dispute. KYC images are deleted within 90 days of account closure, except where required for an open investigation. You may request earlier deletion subject to legal retention requirements.

We use essential cookies for authentication and session management — these cannot be disabled without breaking the platform. Analytics cookies are optional and only set with your consent. We do not use cross-site tracking cookies or sell session data.

You can access, correct, export (download a JSON of your data), or delete your personal data. To exercise these rights, email privacy@yatrux.com from your registered address. We respond within 30 days. Note: deletion may be limited where data is required for legal/financial compliance or active disputes.

YatruX is for users 18 and older. We do not knowingly collect data from minors. If we learn that a minor's data has been submitted (e.g. via fake KYC), we delete it immediately and terminate the account.

If we detect a security breach affecting your data, we'll notify you via email within 72 hours and provide guidance on protecting your account.

Material changes will be communicated via email and in-app notice at least 14 days before taking effect. Minor edits are reflected here with an updated 'Last revised' date.