Legal

Privacy Policy

Effective date: 2 July 2026 · Last updated: 2 July 2026

This Privacy Policy describes how KACOF ("KACOF", "we", "us" or "our") — a digital product studio and agency based in Kathmandu, Nepal — collects, uses, shares, stores and protects personal information when you visit kacof.tech (the "Website"), contact us, engage our services, or use our products. We serve clients in Nepal and around the world, and we are committed to handling your information lawfully, fairly and transparently.

Please read this Policy together with our Terms of Service. By using the Website or providing us with personal information, you acknowledge the practices described here.

1. Who we are (data controller)

KACOF is the controller responsible for your personal information. You can reach us at:

For any privacy matter you may contact our privacy team using the details in Section 16 (Contact and grievances).

2. Scope and applicable law

This Policy applies to personal information we process through the Website and in the course of our business. Because we work with clients internationally, we seek to comply with the data-protection laws that apply to you, including but not limited to:

  • Nepal: the Constitution of Nepal, 2072 (2015) (Article 28, right to privacy); the Individual Privacy Act, 2075 (2018) and Individual Privacy Regulation, 2077 (2020); and the Electronic Transactions Act, 2063 (2008);
  • European Union / EEA: the General Data Protection Regulation (EU) 2016/679 ("GDPR");
  • United Kingdom: the UK GDPR and the Data Protection Act 2018;
  • India: the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000;
  • United States: the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA") and other applicable state privacy laws;
  • Canada: the Personal Information Protection and Electronic Documents Act ("PIPEDA");
  • Australia: the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs").

Where any of these laws grant you stronger rights than this Policy describes, those rights apply.

3. Key definitions

  • Personal information / personal data — information that identifies or can reasonably identify an individual.
  • Processing — any operation performed on personal information, such as collection, use, storage, disclosure, or deletion.
  • Controller — the party that determines the purposes and means of processing (KACOF, for the Website).
  • Processor — a party that processes personal information on the controller's behalf (our service providers).

4. Information we collect

4.1 Information you provide to us

  • Identity and contact details — name, email address, phone number, company and role;
  • The content of your enquiry, message, or service interest submitted through our contact form;
  • Correspondence when you email, call, or message us (including via WhatsApp);
  • Information you share during a proposal, project engagement, or contract.

4.2 Information collected automatically

  • Device and connection data — IP address, browser type, operating system, and device identifiers;
  • Usage data — pages visited, links clicked, referring pages, and timestamps;
  • Cookies and similar technologies (see Section 8).

4.3 Information from third parties

We may receive limited data from analytics and infrastructure partners that help us run the Website, and from public sources where you have made information available (for example, a business profile).

4.4 Sensitive information

We do not intentionally collect sensitive or special-category data (such as health, religion, or biometric data) through the Website. Please do not submit such information in our forms.

5. How and why we use your information

We use personal information to:

  • Respond to your enquiries and provide the services or products you request;
  • Prepare proposals, deliver projects, and manage our client relationships;
  • Operate, maintain, secure, and improve the Website and our offerings;
  • Send administrative messages and, where you have consented, marketing updates;
  • Detect, prevent, and address fraud, abuse, or security issues;
  • Comply with legal obligations and enforce our agreements.

6. Legal bases for processing

Where the GDPR, UK GDPR, or similar laws apply, we rely on one or more of the following legal bases:

  • Consent — for marketing communications and non-essential cookies (you may withdraw consent at any time);
  • Performance of a contract — to provide services you have requested;
  • Legitimate interests — to run, protect, and improve our business, balanced against your rights;
  • Legal obligation — to comply with applicable law.

Under India's DPDP Act, we process personal data on the basis of your consent or other legitimate uses permitted by that Act. Under Nepal's Individual Privacy Act, we generally collect and use personal information with your consent.

7. Marketing and communications

We only send marketing messages where permitted by law and, where required, with your consent. Every marketing email includes an unsubscribe link, and you can opt out at any time by contacting us. We will still send essential service messages (for example, replies to your enquiry).

8. Cookies and similar technologies

The Website may use the following categories of cookies:

  • Strictly necessary — required for the Website to function;
  • Preferences — remember choices such as light/dark theme;
  • Analytics — help us understand how the Website is used, in aggregate.

You can control or delete cookies through your browser settings. Blocking some cookies may affect how the Website works. Where required, we request consent for non-essential cookies.

9. How we share and disclose information

We do not sell your personal information. We disclose it only as follows:

  • Service providers (processors): hosting and infrastructure (e.g. Vercel); database, authentication, and storage (e.g. Google Firebase); and analytics or communication tools — each acting on our instructions under appropriate agreements;
  • Professional advisers: lawyers, accountants, and auditors, where necessary;
  • Legal and safety: where required by law, regulation, court order, or a lawful request by a competent authority, or to protect our rights, users, or the public;
  • Business transfers: in connection with a merger, acquisition, or reorganisation, subject to this Policy;
  • With your consent or at your direction.

10. International data transfers

We are based in Nepal, and our service providers may store or process data in other countries, including the United States, the European Union, and India. When we transfer personal data across borders, we take steps to ensure it remains protected in accordance with this Policy and applicable law. For transfers from the EU/EEA or UK, we rely on lawful transfer mechanisms such as the European Commission's Standard Contractual Clauses (and the UK Addendum) or an applicable adequacy decision.

11. Data retention

We keep personal information only for as long as necessary for the purposes described in this Policy — including to provide services, maintain business records, resolve disputes, and comply with legal, tax, and accounting obligations. When information is no longer needed, we securely delete or anonymise it.

12. How we protect your information

We apply reasonable technical and organisational measures appropriate to the risk — including access controls, encryption in transit, reputable infrastructure providers, and limiting access to those who need it. No system is perfectly secure, so we cannot guarantee absolute security, but we work to protect your information and to respond promptly to any incident.

13. Data breach notification

If a personal-data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected individuals where and within the timeframes required by applicable law (for example, without undue delay and, where feasible, within 72 hours under the GDPR).

14. Your privacy rights

Depending on where you live, you have some or all of the following rights. We honour these rights for all users to the extent the law allows.

14.1 Rights available generally

  • Access — obtain a copy of the personal information we hold about you;
  • Correction — have inaccurate or incomplete information corrected;
  • Deletion — request erasure of your information, subject to legal exceptions;
  • Restriction / objection — limit or object to certain processing;
  • Portability — receive your data in a structured, commonly used format;
  • Withdraw consent — at any time, without affecting prior lawful processing;
  • Complain — to a competent authority (see Section 16).

14.2 Nepal

Under the Individual Privacy Act, 2075, your personal information may generally be collected, used, or disclosed only with your consent, and you may request access to and correction of your information.

14.3 European Union / EEA and United Kingdom

Under the GDPR / UK GDPR you have the rights listed in 14.1, including the right to lodge a complaint with your local Data Protection Authority or, in the UK, the Information Commissioner's Office (ICO). You also have rights regarding automated decision-making (see Section 15).

14.4 India

Under the DPDP Act, 2023 you may access and correct your personal data, request erasure, nominate another person to exercise your rights, withdraw consent, and lodge a grievance with us before escalating to the Data Protection Board of India.

14.5 United States (California and other states)

If you are a California resident, the CCPA/CPRA gives you the right to know, access, correct, and delete personal information; to opt out of the "sale" or "sharing" of personal information; to limit use of sensitive information; and to not be discriminated against for exercising your rights. We do not sell or share personal information as those terms are defined under the CCPA.Residents of other US states with privacy laws have similar rights.

14.6 Canada

Under PIPEDA you may access your personal information, request corrections, and withdraw consent, subject to legal or contractual limits. You may complain to the Office of the Privacy Commissioner of Canada.

14.7 Australia

Under the Privacy Act 1988 and the Australian Privacy Principles you may access and correct your personal information and complain to us and then to the Office of the Australian Information Commissioner (OAIC).

15. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without human involvement. If this changes, we will update this Policy and provide the information required by applicable law.

16. How to exercise your rights, contact & grievances

To exercise any right, ask a question, or raise a complaint, contact us:

We will verify your identity where appropriate and respond within the timeframe required by applicable law (generally within 30 days, or as your local law provides). If you are not satisfied, you may contact the relevant authority — for example, your EU/EEA Data Protection Authority, the UK ICO, the Data Protection Board of India, the California Privacy Protection Agency or your State Attorney General, the Office of the Privacy Commissioner of Canada, or the OAIC in Australia. In Nepal, you may pursue remedies available under the Individual Privacy Act, 2075.

17. Children's privacy

The Website is intended for adults and is not directed to children under 16 (or the minimum age set by your local law). We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us and we will delete it.

18. Third-party links and products

The Website may link to third-party sites and to our own products (such as KRMApp), each with its own privacy policy. We are not responsible for third-party practices; please review their policies before sharing personal information.

19. Changes to this Policy

We may update this Policy from time to time to reflect changes in law or our practices. We will post the updated version here with a new effective date and, for material changes, provide additional notice where required.