Privacy Policy
Last updated: 16 May 2026
NepalHRM (“NepalHRM,” “we,” “us,” “our”) is the cloud HR + payroll platform operated by Yoddhalab Pvt. Ltd., a private limited company incorporated in Nepal (see Section 17 for full identity details). This Privacy Policy describes how we collect, use, store, disclose, and protect personal data when you visit nepalhrm.com, create an account, or use the NepalHRM platform and mobile applications for Android and iOS.
We process personal data in accordance with the Individual Privacy Act 2075 (2018), the Electronic Transactions Act 2063 (2008), and other applicable laws of Nepal. Where employee data is handled on behalf of an employer, the employer is the “controller” and NepalHRM is the “processor” for the purposes of those laws.
1. Scope
This Policy applies to:
- Visitors to nepalhrm.com
- Prospective customers who contact us
- Authorised users of the NepalHRM web platform and mobile apps
- Employees of our customers whose data is processed via the platform
For employee personal data processed within the platform, the customer (your employer) is the data controller and NepalHRM acts as a data processor, processing data only on the customer's documented instructions, in line with the Privacy Act 2075. A separate Data Processing Addendum is available on request for customers who require formal documentation of the controller-processor relationship.
2. Information we collect
2.1 Information you give us
- Contact details — name, work email, phone, company
- Account credentials — username, hashed password (bcrypt with a per-user salt)
- Billing information — for paid subscriptions, including VAT / PAN number
- Support interactions — email, chat, and ticket content
2.2 Information our customers upload (about their employees)
- Identity — name, citizenship / passport / PAN number, date of birth
- Contact — address, phone, personal email, emergency contact
- Employment — role, department, reporting line, employment dates
- Financial — salary, bank account, PF (Karmachari Sanchaya Kosh), CIT (Citizen Investment Trust), SSF, tax status
- Attendance, leave, performance, and lifecycle data
- Documents — contracts, certificates, citizenship copy, photo ID, visa
2.3 Biometric data (sensitive — handled separately)
When an employer enables biometric attendance, fingerprint, face, or vein templates may be enrolled on hardware devices (ZKTeco, Anviz, etc.) at the employer's premises. By default, NepalHRM stores only the device user-ID and the timestamped check-in / check-out event — not the underlying biometric template. Where an employer opts into our optional cloud face-template service, templates are stored encrypted, isolated per tenant, and never used to train shared models. We treat biometric data as a sensitive category of personal data under the Privacy Act 2075 and process it only with the employee's consent and the employer's lawful basis under the Labour Act 2074 (2017) for attendance recordkeeping.
2.4 Information we collect automatically
- Device and browser information, IP address
- Usage data — pages viewed, features used, actions taken
- Cookies and similar technologies — see our Cookie Policy
2.5 Information our mobile apps may access
When you use the NepalHRM mobile apps, we may (with your explicit permission) access:
- Camera — to capture selfies for attendance check-in verification
- Location — to GPS-verify check-ins when your employer enables field attendance (precise GPS is captured only at the moment of the action, not continuously)
- Storage — to save payslips and documents you download
- Notifications — to deliver approvals, announcements, and reminders
- Biometric (Face ID / Fingerprint) — only for on-device app unlock; the template never leaves the device and is never transmitted to our servers
You can revoke any of these permissions in your device settings at any time. Some app features may become unavailable if the relevant permission is revoked.
3. How we use information
- To provide, operate, and improve the NepalHRM service
- To process payments and manage subscriptions
- To communicate about service changes, billing, and support
- With your consent, to send marketing communications (you can unsubscribe at any time)
- To prevent fraud and protect the security of the service
- To comply with legal, tax, and statutory obligations under Nepali law (Income Tax Act 2058, Companies Act 2063, VAT Act 2052, PF / CIT / SSF schemes)
- To enforce our Terms of Service
We do not use customer-uploaded employee data to train any artificial intelligence model or sell it to third parties.
4. Legal basis for processing
We process personal data on one or more of the following bases:
- Performance of a contract — our agreement with you or your employer
- Legitimate interests — running, securing, and improving our business in a manner consistent with the Privacy Act 2075 and the reasonable expectations of users
- Consent — for marketing communications and optional features such as cloud biometric storage
- Legal obligation — tax, accounting, and statutory requirements under Nepali law
For employee data, our customers are responsible for establishing and documenting the legal basis for processing (most commonly: the employment contract under the Labour Act 2074).
5. How we share information
We do not sell personal data. We share it only:
- With sub-processors who help run the service (hosting, email, payments, analytics). Our current list of sub-processors and their location is available on request at privacy@nepalhrm.com. We provide 30 days' advance notice before adding or replacing a sub-processor that handles customer data
- With professional advisors — lawyers, accountants, auditors — under confidentiality
- With Nepali government authorities or regulators when legally required (see Section 6)
- In the event of a merger or acquisition, with successors under equivalent protections
- With your explicit consent
5.1 Statutory filings (initiated by your employer)
When your employer uses NepalHRM to file statutory returns, the following authorities may receive your employment data through your employer's submission:
- Inland Revenue Department (IRD) — for eTDS, PAN-linked tax returns
- Karmachari Sanchaya Kosh (PF Trust) — for monthly Provident Fund contributions
- Citizen Investment Trust (CIT) — for voluntary tax-efficient contributions
- Social Security Fund (SSF) — for SSF-registered enterprises
- Banks — for salary disbursement files (NIC Asia, Nabil, Global IME, NBL, others)
NepalHRM facilitates these filings on behalf of your employer; the legal disclosure to the authority is performed by the employer as the data controller.
6. Government and law-enforcement requests
We disclose personal data to law enforcement, courts, or regulators only when we receive a legally valid request (court order, search warrant, or written demand validly issued under the laws of Nepal, including the Privacy Act 2075 and the Electronic Transactions Act 2063). Where the law permits, we will:
- Review the request for validity and proportionality
- Disclose only the minimum data the request actually requires
- Notify the affected customer in advance so they can challenge the request — unless the law prohibits notice
- Where lawful and operationally feasible, publish a periodic transparency note summarising the number and category of requests received
7. Data location and transfers
Our primary application servers and customer data are hosted in cloud regions located in Asia — chosen for low-latency access from Nepal — with disaster-recovery snapshots in a separate region. Backups are encrypted in transit and at rest. The current data-residency profile (the specific cloud provider, region, and any sub-processor regions) is published on the Security page and is updated when the configuration changes.
We do not transfer customer data to jurisdictions outside our published profile without your prior, documented instruction. Where a cross-border transfer is necessary to deliver the Service (for example, an email-delivery sub-processor with global infrastructure), we rely on contractual safeguards such as Standard Contractual Clauses and on our sub-processor agreements.
8. Data retention
We retain personal data only for as long as we have a lawful basis for the relevant processing. The table below sets out our default retention windows; customers may configure shorter retention where the platform supports it, and longer retention may apply when required to comply with Nepali law (for example, the record-keeping minimums under the Income Tax Act 2058 and the Companies Act 2063).
- Account and billing data — for the life of the account plus the statutory record-keeping period applicable under Nepali law (typically up to 7 years).
- Customer data in the service — processed per customer instructions; deleted or made available for export within 30 days of account termination, after which it is removed from primary storage on a documented schedule.
- Statutory filings (PF / CIT / SSF / eTDS history) — retained for the period required by the relevant Nepali authority.
- Biometric templates (cloud option) — deleted within a reasonable period of an employee being marked “separated.”
- Audit logs — retained for up to 3 years from the event.
- Marketing lists — until you unsubscribe.
- Support tickets — up to 3 years after closure.
- Web analytics — up to 26 months.
9. Security
We apply administrative, technical, and physical safeguards consistent with the Privacy Act 2075 — encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access, audit logging, regular backups, penetration testing, staff training, and physical security at our hosting partners. See our Data Security page for the current technical detail.
10. Breach notification
If we become aware of a personal-data breach that is likely to affect a customer's data, we will notify the affected customer (controller) without undue delay, and where feasible within 72 hours of confirming the breach, by email to the primary account contact. The notification will describe (to the extent known at the time) the nature of the breach, the categories and approximate volume of affected records, the likely consequences, and the remedial steps we are taking. Where full information is not yet available, we will provide an initial notice and a follow-up as the investigation progresses. Customers are responsible for downstream notification to their employees and, where required, to the relevant Nepali authority.
11. Your rights
Subject to applicable law, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Restrict or object to processing
- Receive your data in a portable format (JSON / CSV / PDF)
- Withdraw consent at any time, where consent is the legal basis
- Lodge a complaint with the competent authority or the courts of Nepal having jurisdiction over the matter
To exercise these rights, email privacy@nepalhrm.com. We respond to verified requests within 30 days. If you are an employee of one of our customers, please contact your employer first, as they control your record.
To delete your personal account or request deletion of data you created directly with NepalHRM, visit our Account & Data Deletion page.
12. Children and minors
NepalHRM is a business-to-business service intended for use by adults aged 18 or above (see Section 2 of our Terms of Service for self-service signup). We do not knowingly collect personal data directly from any visitor under 16 through our public website.
A separate situation arises where an employer onboards a minor employee through the Service. The Labour Act 2074 (2017) regulates the employment of minors in Nepal and requires specific safeguards. Where an employer's NepalHRM record includes a minor employee (for example, an apprentice), the employer is solely responsible for verifying age, obtaining any parental or guardian consents required by the Labour Act, and configuring the employee's access so that features inappropriate for the employee's age are restricted.
13. Cookies and tracking
See our Cookie Policy for details on cookies and similar technologies used on nepalhrm.com.
14. In-app messaging
Messages exchanged within the NepalHRM platform (channels, direct messages, attachments) are subject to a separate Messaging Privacy Notice which describes how messages are stored, who can read them, and what the employer's visibility is.
15. Third-party links
Our website and apps may contain links to third-party sites. We are not responsible for their privacy practices. Please review their policies separately.
16. Changes to this policy
We may update this Policy from time to time. Material changes will be notified via email or in-product notice at least 15 days before they take effect. The “last updated” date at the top reflects the latest change. Continued use after the effective date constitutes acceptance.
17. Who we are, and contact
NepalHRM is a product of Yoddhalab Pvt. Ltd. (in Nepali: योद्धा ल्याब प्रा. लि.), a private limited company incorporated in Nepal. Where these legal pages refer to “NepalHRM,” “we,” or “us,” Yoddhalab Pvt. Ltd. is the contracting entity.
- Registered office: Ward No. 7, Chabahil, Kathmandu Metropolitan City, Kathmandu, Nepal
- PAN (Permanent Account Number): 619760380
- Tax registration: Inland Revenue Office, Chabahil
- Registered activity: information technology, computer programming, computer consultancy + service management, data processing, hosting and related activities (per the company's PAN registration)
We maintain a dedicated contact point for privacy and data-protection matters. Queries are routed to the team member responsible for data protection (acting as our Data Protection contact); we will treat that role as a formal Data Protection Officer where and when Nepali law requires the appointment of one.
- Data Protection contact: dpo@nepalhrm.com
- General privacy queries: privacy@nepalhrm.com
- Postal: Yoddhalab Pvt. Ltd. (NepalHRM), Ward No. 7, Chabahil, Kathmandu Metropolitan City, Kathmandu, Nepal
