thekhoji
Sign in

Privacy Policy

We collect the minimum data needed to run The Khoji and we never sell it. This page tells you exactly what we keep, why, and how to make us delete it.

1. What we collect

  • Account info — email, name, profile photo, and locale preference. From your sign-in method (magic link or Google).
  • Content you submit — reviews, photos, helpful votes, saved businesses, claim submissions, bookings, business listing edits.
  • Operational metadata — IP-derived city for rate limiting, browser/device for diagnostics, audit logs of privileged actions.
  • Payment metadata — when you book through Khalti, we store the payment intent id, status, amount, and refund history. We never see or store your card or wallet PIN.

2. What we don't collect

  • No third-party tracking pixels (Facebook, Google Ads, TikTok).
  • No precise GPS unless you opt-in to share for a service request.
  • No selling, renting, or licensing of personal data — ever.

3. Why we collect it

  • To deliver the service: search results, bookings, reviews, claims.
  • To prevent abuse: rate limits, spam filters, fraud detection.
  • To keep promises: dispute resolution, refunds, owner appeals.
  • To improve: aggregate usage trends. Never tied to your identity in product analytics.

4. How we share it

Only with the providers we need to run the service: Supabase (database + auth), Resend (email), Vercel (hosting), Khalti (payments), Sentry (error reporting). Each is a data processor bound by contract; none gets your data for their own marketing.

5. Your rights

  • Export — request a JSON copy of your data anytime.
  • Delete — request account + content deletion. We keep what's legally required (e.g. tax records of payments) for the minimum mandated period.
  • Correct — edit your profile, reviews (24-hour window), and claimed business pages directly in-app.

To exercise any of these, email hello@thekhoji.com. We respond within 7 days.

6. Cookies

We use one essential cookie for sessions (Supabase Auth) and one for locale preference (next-intl). No analytics or advertising cookies.

7. Where data lives

Database in Singapore (closest free Supabase region to Nepal), edge cached globally via Cloudflare. We make no representations about cross-border data transfers being legal in every jurisdiction; if that's a problem for you, please don't use the service.

8. Changes to this policy

Material changes will be announced on this page and via email to signed-in users at least 14 days before they take effect.