Privacy Policy
Effective July 3, 2026. This page is maintained by Vantarra Technologies to explain what data we collect, why we collect it, and the rights you have under Nepali and international law.
Who we are
Vantarra Technologies ("Vantarra", "we", "us", "our") is a digital studio registered in Nepal, providing web development, custom software, mobile applications, cloud, AI and cybersecurity services. We act as a data controller for information collected through vantarra.com and as a data processor for information our clients ask us to handle on their behalf.
Laws that apply to this policy
- Nepal — The Individual Privacy Act, 2075 (2018) and the Individual Privacy Regulation, 2077 (2020), which protect personal information, family, residence, documents, data, correspondence, character and reputation.
- Nepal — The Electronic Transactions Act, 2063 (2008) governing electronic records, digital signatures and cyber offences.
- Nepal — The Consumer Protection Act, 2075 (2018) covering consumer rights and complaint procedures.
- Constitution of Nepal — Article 28, guaranteeing the right to privacy of person, residence, property, documents, data, correspondence and reputation.
- European Union — GDPR (Regulation 2016/679) where we process data of individuals in the EU/EEA.
- United Kingdom — UK GDPR and Data Protection Act 2018.
- United States — CCPA/CPRA (California) and other US state privacy laws where applicable.
- Canada — PIPEDA, Australia — Privacy Act 1988, and equivalent frameworks in jurisdictions where our clients or their users are located.
Where any law grants you stronger rights than this policy describes, that law prevails.
What we collect
- You give us: name, email, phone, company, project brief, budget range, and anything you send through our contact or planner forms.
- Automatically: IP address, browser and device info, referring URL, pages visited, and timestamps — collected through server logs and privacy-respecting analytics.
- From clients (as processor): end-user data our clients store in systems we build or maintain, under a separate Data Processing Agreement (DPA).
- We do not knowingly collect data from children under 13 (or 16 in the EU) without verifiable parental consent.
Why we process it (legal bases)
Under GDPR / UK GDPR we rely on:
- Consent — for marketing emails and non-essential cookies.
- Contract — to answer proposals and deliver work you engage us for.
- Legal obligation — tax, accounting, and lawful requests from authorities in Nepal and abroad.
- Legitimate interests — securing our systems, improving our services, and preventing fraud, balanced against your rights.
Under Nepal's Individual Privacy Act, we collect and use your personal information only with your consent or where the law permits, and only to the extent needed for the stated purpose (Sections 3, 4 and 12).
Cookies and tracking
We use a small number of first-party cookies that are essential for the site to function, plus optional analytics that measure traffic patterns in aggregate. You can refuse or delete cookies through your browser settings. Where required by law we ask for consent before setting non-essential cookies.
Sharing and subprocessors
We do not sell personal data. We share it only with:
- Hosting, email, analytics and payment providers acting as our processors under written contracts.
- Professional advisers (accountants, lawyers) bound by confidentiality.
- Authorities where compelled by a valid Nepali order or by a foreign order recognised under Nepali law and international mutual legal assistance frameworks.
International transfers
Some of our tools are hosted outside Nepal. Where we transfer personal data to another country we rely on: your consent, contractual necessity, or — for EU/UK data — Standard Contractual Clauses and, where relevant, supplementary measures. We assess each provider's security posture before sharing personal data.
How long we keep it
We retain personal data only as long as needed for the purpose we collected it, or as required by law (typically up to seven years for tax and accounting records under Nepali law). Project artefacts are archived per the contract with each client.
Security
We apply technical and organisational measures appropriate to the risk: encryption in transit (TLS), access control on a need-to-know basis, secure secret storage, dependency and vulnerability scanning, and periodic review. No system is perfectly secure; if a breach affects your data we will notify you and the relevant authority as required by applicable law.
Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Delete data ("right to be forgotten") where the law permits.
- Restrict or object to certain processing.
- Withdraw consent at any time (without affecting past lawful processing).
- Data portability — receive your data in a machine-readable format.
- Lodge a complaint with a supervisory authority (in Nepal, the National Information Commission or the relevant court under the Individual Privacy Act).
To exercise any right, write to privacy@vantarra.tech. We respond within 30 days.
Changes to this policy
We may update this policy to reflect new services, legal changes or better practices. Material changes will be posted here with a new effective date.
Contact
Vantarra Technologies — Kathmandu, Nepal.
Email: privacy@vantarra.tech