DATA DELETION & ACCOUNT ANONYMIZATION POLICY
Vasuko App Solutions Pvt. Ltd.
1. INTRODUCTION AND OBJECTIVE
At Vasuko, we respect your fundamental right to digital privacy as protected by the Individual Privacy Act, 2075. This policy outlines the transparent procedures by which a user can request the permanent removal of their personal data from our systems. Our objective is to give you full control over your "digital footprint" while ensuring we remain compliant with Nepal's financial and legal auditing requirements.
2. USER RIGHTS TO DATA ERASURE
As a registered Member (Host or Guest) of the Vasuko Platform, you have the "Right to be Forgotten." This means you may request the deletion of your account and all associated personal identifiers at any time. This right applies to:
2.1. Identity Data
This is the "Who You Are" data. It is the most sensitive information because it links a digital account to a real human being in Nepal.
- Full Name & Date of Birth: Used to ensure you are over 18 (legal age for contracts in Nepal). When you delete your account, this is "unlinked" from your User ID.
- Nagarikta / Passport / NID Scans: These are the high-stakes documents. Vasuko uses these to prevent "Ghost Landlords" and "Fake Tenants."
  - In Deletion: Upon a verified deletion request, the image files (the actual photo of your Nagarikta) are marked for deletion from our Firebase Storage buckets.
  - The Exception: We may keep a "Hash" (a unique digital fingerprint) of the ID number. Why? To prevent a banned user from deleting their account and immediately signing up again with the same ID to scam someone else.
- Profile Photos: These are stored on a Content Delivery Network (CDN). When you delete your account, the link between your profile and the image is broken, and the image is purged from the server cache.
2.2. Interaction Data
This is the "What You Did" data. It represents your behavior and communication on the platform.
- Message History: This includes chats between Hosts and Guests.
  - The "Two-Sided" Rule: If Guest A deletes their account, the messages still exist in Host B's inbox. However, Guest A’s name and photo are replaced with "Deleted User." This protects the privacy of the person leaving while preserving the "legal record" for the person staying.
- Search Preferences & "Favorites": This is algorithmic data (e.g., "User likes 2BHK flats in Kathmandu").
  - In Deletion: This data is Anonymized. We delete the link to you, but we keep the data point for our business analytics (e.g., "100 people searched for 2BHKs today").
- Booking History: This moves from "Active Database" to "Archived Logs" for 7 years to satisfy the Inland Revenue Department (IRD).
2.3. Sensitive Data
This is "High-Risk" data. In the wrong hands, this data can be used for identity theft or physical stalking, which is why the Individual Privacy Act, 2075 is so strict about it.
- Biometric Metadata (Selfie-Verification): Vasuko doesn't just store your "selfie"; we store "Face Geometry" (mathematical points that prove the person holding the phone is the same person on the Nagarikta).
  - In Deletion: This is the first thing to be destroyed. Unlike a name, biometrics cannot be changed. Therefore, we purge all facial recognition metadata immediately upon account closure to ensure it can never be used again.
- Precise Location History: This is your GPS data used for the "Rooms Near Me" feature.
  - In Deletion: We delete your "Last Known Location" and "Home/Office" coordinates. We may only keep the City/Ward level data for general demand heatmaps (e.g., "Most people in Ghorahi-15 are looking for rooms").
3. ACTIVE CONTRACTUAL OBLIGATIONS
When a Guest confirms a booking, a legal contract is formed.
- The Scenario: A Guest is currently staying in a flat in Kathmandu and has 3 days left until check-out.
- Why the Hold? If the Guest deletes their account mid-stay, the Host loses access to the Guest’s identity and contact info. Vasuko needs this data active to facilitate the move-out process and ensure the "Limited License" to occupy the property is still tied to a valid user.
- Resolution: The account remains in a "Pending Deletion" state until the check-out date is reached and the Host confirms the Guest has vacated.
3.1. Financial Clearing
This is the most critical area for our Chartered Accountant (CA) and payment partners like eSewa.
- For Hosts: If you have successfully hosted a guest but the money is still in the "Vasuko Escrow" and hasn't hit your bank account yet, deleting the account would break the payment link. We must keep the account open to ensure the final payout is successful.
- For Guests: If you have requested a refund for a bad experience, we cannot delete your account until that money is back in your wallet.
- The "Audit Trail": We must match the "User ID" to the "Transaction ID" for the final settlement. Once the balance is zero, the hold is lifted.
3.2. Security & Fraud Investigation
To prevent "Burner Accounts" (where scammers create an account, commit fraud, and then delete it to hide their tracks), we implement a strict security hold.
- The Flag: If our AI or the Nepal Police flags an account for identity theft, "bait-and-switch" listings, or payment scams, the "Delete" function is disabled.
- The Goal: We preserve the evidence. If a crime has been committed, the Electronic Transactions Act requires us to provide the account data to the authorities. Deletion is only permitted once the investigation is closed and the user is either cleared or permanently banned (in which case the data is archived as a "Blacklist" record).
3.3. Dispute Resolution (Damage Reports)
In Nepal, property disputes can take time to resolve. This hold protects the Host's investment.
- The Scenario: A Host files a Damage Report claiming the Guest broke a window.
- The Conflict: The Guest might try to delete their account to avoid paying for the repair.
- The "Legal Lock": Once a dispute ticket is opened in the Resolution Center, the account is "locked." The Guest cannot delete their profile until one of the following happens:
  - The Guest pays the agreed-upon damage amount.
  - The Guest provides evidence that clears them of the blame.
  - The 30-day mediation period ends with a final decision.
4.1 Permanent Erasure (The "Identity Wipe")
This is the most critical step for compliance with the Individual Privacy Act, 2075.
- Target: The "User Document" in our NoSQL database (Cloud Firestore/Realtime Database).
- Action: We permanently delete fields that contain "Personally Identifiable Information" (PII). This includes your Full Name, Phone Number, Date of Birth, and Nagarikta Number.
- The Result: If a hacker were to breach the database the next day, they would find no trace of your specific identity.
- Technical Note: In Firebase, this usually involves a "Cloud Function" that triggers on account deletion to find all documents associated with that UID and delete them.
4.2 Anonymization (The "Statistical Ghost")
Vasuko needs to know its own growth metrics (e.g., "How many rooms were rented in Ghorahi in 2082?"), but we don't need to know who rented them.
- The Process: We detach the "Booking Record" from your "Identity."
  - Before: User "Pankaj Subedi" (ID: 123) rented Room X for 5,000 NPR.
  - After: An anonymous "Deleted User" rented Room X for 5,000 NPR.
- Why? This allows our Chartered Accountant to balance the books and our Data Analyst to see market trends without violating your privacy. The data becomes a "statistical point" that can never be traced back to a real person.
4.3 Media Purge (The "Storage Clean-up")
Photos are heavy files stored in Google Cloud Storage and distributed via a CDN (Content Delivery Network) for fast loading.
- Unlinking: First, the app deletes the "URL link" to the photo in the database.
- Physical Deletion: The system then sends a command to the storage bucket to delete the actual .jpg or .png files of your profile picture and your room photos.
- Cache Clearing: CDNs often "cache" images (save copies of them) on servers across the world. Our architecture ensures these cached copies expire and are deleted, so the image eventually disappears from the entire internet.
4.4 Access Termination (The "Point of No Return")
This is the finality of the process handled by Firebase Authentication.
- UID Revocation: The unique User ID (UID) assigned to your phone number or Google account is disabled and deleted.
- Token Invalidated: Any "Login Tokens" currently saved on your phone are instantly made useless. If you try to open the app, it will treat you as a total stranger.
- Permanent: Because the "Identity Data" from Section 4.1 is gone, there is no way for a Support Agent to "Restore" your account. If you want to use Vasuko again, you must start from zero as a brand-new user.
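The identity wipe (4.1) and anonymization (4.2), gated by the holds of Section 3 and keeping the ID fingerprint of Section 2.1, as an added Python example; it is not Vasuko's code. The in-memory dictionaries stand in for Firestore collections, and the field names, hold names, placeholder key and the choice of a keyed hash (HMAC-SHA256) for the fingerprint are assumptions.

```python
import hashlib
import hmac

# Constructed sample records standing in for Firestore collections (not real data).
USERS = {"uid-123": {"full_name": "Sample Guest", "phone": "+977-0000000000",
                     "dob": "1995-01-01", "nagarikta_no": "00-00-00-00000"}}
BOOKINGS = [{"booking_id": "b1", "uid": "uid-123", "room": "Room X",
             "amount_npr": 5000, "status": "completed",
             "payout_pending": False, "dispute_open": False}]
# Assumption: a server-side secret; the value here is a placeholder.
BLOCKLIST_KEY = b"placeholder-key-from-a-secret-manager"


def id_fingerprint(id_number):
    """Keyed hash of an ID number (assumption: HMAC-SHA256, not a bare hash).

    ID numbers come from a small space, so an unkeyed hash could be reversed
    by hashing every candidate; the key prevents that for anyone without it.
    """
    normalized = "".join(ch for ch in id_number if ch.isalnum()).upper()
    return hmac.new(BLOCKLIST_KEY, normalized.encode(), hashlib.sha256).hexdigest()


def mandatory_holds(uid, bookings):
    """Return the Section 3 reasons that currently block deletion for this UID."""
    reasons = set()
    for b in bookings:
        if b["uid"] != uid:
            continue
        if b["status"] == "active":
            reasons.add("active_booking")
        if b["payout_pending"]:
            reasons.add("pending_payout")
        if b["dispute_open"]:
            reasons.add("open_dispute")
    return sorted(reasons)


def delete_account(uid, users, bookings, blocklist):
    """Erase the user document and anonymize bookings, unless a hold applies."""
    holds = mandatory_holds(uid, bookings)
    if holds:
        return {"state": "pending_deletion", "holds": holds}
    user = users.pop(uid)                       # 4.1: the PII document is removed
    blocklist.add(id_fingerprint(user["nagarikta_no"]))  # 2.1: fingerprint only
    for b in bookings:
        if b["uid"] == uid:
            b["uid"] = None                     # 4.2: break the link to the identity
            b["guest_label"] = "Deleted User"   # amount and room stay for the books
    return {"state": "deleted", "holds": []}
```
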
5. STATUTORY DATA RETENTION (THE "7-YEAR RULE")
Under the Income Tax Act, 2058 and the Electronic Transactions Act, 2063, Vasuko is legally mandated to retain certain "Transaction Metadata" even after your account is deleted:
5.1 Financial Records: The "Tax & Audit" Trail
Under Section 81 of the Income Tax Act, 2058, any person or entity liable to pay tax in Nepal must maintain records for at least 5 years from the end of the relevant income year (which practically translates to a 7-year window to be safe for audits).
- What is Kept: Transaction IDs, the amount of rent paid, service fees, and any TDS (Tax Deducted at Source) certificates.
- The Reason: If the Inland Revenue Department (IRD) audits Vasuko App Solutions Pvt. Ltd. in the year 2029, we must be able to prove where every rupee came from and that the 10% House Rent Tax was accounted for.
- Privacy Guard: These records are moved from your "Active App Database" (where they are used for daily tasks) to a "Secure Archive." They are not used for marketing or shown to other users; they only exist for the government auditors.
5.2 Legal Logs: The "Cyber-Security" Trail
Under the Electronic Transactions Act, 2063, electronic records have the same legal validity as paper. If a crime happens in a room rented through our app, we are the first party the police will call.
- What is Kept: The history of KYC (Know Your Customer) verification. This includes a record that "User X was verified using Nagarikta Number Y on Date Z."
- The "Cold Storage" Concept: We don't keep your Nagarikta photo in the live app where a hacker could find it. Instead, we move it to "Cold Storage" (an offline or highly restricted server).
- The Reason: If the Nepal Police (Cyber Bureau or local Ward Police) investigates a case of illegal activity, human trafficking, or property theft that occurred 2 years ago, Vasuko is legally required to assist. If we deleted the data immediately, we could be charged with "Destruction of Evidence."
6. STEP-BY-STEP DELETION PROCESS
Channel A: In-App Self-Service (The "Fast Track")
This is the preferred method for 99% of users. It ensures the request is authenticated (we know it's really you because you are logged in).
- The Workflow:
  - Navigation: Profile > Settings > Account Security > Delete My Account.
  - The "Safety Check": The app runs a background script to check for Mandatory Holds (Active Bookings or Pending Payouts).
  - The Confirmation: A pop-up appears: "Are you sure? This action is permanent and your 7-year financial record will be archived."
  - Immediate Deactivation: The moment you tap "Confirm," your Firebase Auth Token is revoked. You are kicked out of the app, and your profile becomes invisible to all other Hosts and Guests.
Channel B: Verified Email Request (The "Backup Track")
This is for users who have lost access to their phone or have already uninstalled the app and don't want to re-download it.
- The Workflow:
  - Verification: You must send the email from the exact same email address linked to your Vasuko account. We cannot delete an account based on a request from a random email (to prevent "Malicious Deletion" by others).
  - Manual Processing: A Vasuko support agent reviews the request, verifies your identity, and manually triggers the deletion script in the Admin Console.
  - Security Notification: We send one final "Warning" email to the user before the purge begins.
The Timeline: Deactivation vs. Purge
There is a big difference between an account being "Deactivated" and data being "Purged."
- 1. Deactivation (Instant):
  - Happens the second you click "Confirm."
  - Your Listing disappears from search results.
  - You cannot log in anymore.
  - Goal: To stop any new interactions immediately.
- 2. Full Back-End Purge (Up to 30 Business Days):
  - Modern cloud systems (like Google Cloud/Firebase) use "Asynchronous Deletion." When we tell the system to delete a user, it has to find that user's data in dozens of different "Buckets" (Storage, Firestore, Analytics, Crashlytics).
  - The Buffer: We keep a 30-day window to ensure that all "Backup" servers and "Edge Caches" have successfully synchronized and removed the files.
  - Legal Reason: This window also allows for a "Grace Period" in case a user claims their account was hacked and deleted maliciously (though restoration is technically difficult, the 30-day window provides a safety buffer for investigations).
7. THIRD-PARTY DATA HANDLING
7.1 Google & Firebase: The Infrastructure Layer
Vasuko is built on Google Cloud Platform (GCP) and Firebase. These are our "Digital Landlords."
- The Physical Deletion: When you click "Delete," Vasuko triggers a Firebase Authentication API call. Google then marks your User ID (UID) for "Hard Deletion."
- Distributed Storage: Because Google uses "Sharding" (breaking data into pieces and storing them on different servers for speed), it takes time for the "Delete" command to reach every corner of their global data centers.
- Backup Cycles: Google maintains encrypted backups to prevent data loss from disasters. Your data may remain in a "Restricted Backup" for up to 180 days before it is overwritten by new data. Vasuko cannot "force" Google to delete these backups faster, as they are part of their global security protocol.
7.2 eSewa & Khalti: The Financial Layer
This is the most misunderstood part by users. eSewa and Khalti are not part of Vasuko; they are independent "Payment Service Providers" (PSPs) licensed by Nepal Rastra Bank (NRB).
- Independent Controllers: When you pay rent via eSewa, you are performing a transaction on their platform. Vasuko only receives a "Success" or "Failure" token.
- The NRB Mandate: Under the Unified Directives of Nepal Rastra Bank, all PSPs are legally required to maintain transaction logs for at least 5 to 7 years to prevent money laundering and terrorist financing (AML/CFT laws).
- The "Double Record":
  - On Vasuko: We delete your profile, but we keep the "Transaction ID" for our 7-year audit trail.
  - On eSewa/Khalti: Your transaction history remains inside your eSewa app. Deleting Vasuko does not clean your eSewa statement. If a user wants to delete their eSewa data, they must contact eSewa directly and follow their separate deletion policy.
8. CONTACT & DATA PROTECTION OFFICER (DPO)
8.1 The Identity of the Data Controller
Vasuko App Solutions Pvt. Ltd. is the "Data Controller" of your information. Because we handle high-stakes data—including your home address, legal identity (Nagarikta), and biometric selfie-verification—we have appointed a dedicated Data Protection Officer (DPO). This ensures that privacy is not just a feature of our app, but a managed legal responsibility.
8.2 When Should You Contact the DPO?
You should reach out to the DPO (Attn: Pankaj Subedi) for the following "Complex Data Requests":
- Data Subject Access Requests (DSAR): If you want a full digital report of every piece of data Vasuko has collected about you since you joined.
- Correction of Legal Identity: If your Nagarikta scan was rejected or contains a typo that prevents you from booking or listing a room.
- Withdrawal of Consent: If you want to stop Vasuko from using your property photos for Facebook/Instagram marketing, even if you want to keep your listing active.
- Security Reporting: If you suspect someone has gained unauthorized access to your Vasuko account or if you have found a technical vulnerability in our app.
8.3 The DPO’s Role in "Safety & Verification"
In the Nepal rental market, safety is the #1 concern. Our DPO oversees the Verification Engine:
- KYC Integrity: Ensuring that your sensitive ID documents are stored in "Restricted Access" folders where only authorized security personnel can see them.
- Biometric Purge: Managing the immediate destruction of facial geometry data (from your verification selfie) once your identity is confirmed.
- Police Liaison: Acting as the official point of contact for the Nepal Police (Cyber Bureau) or the National Information Technology Center (NITC) if a legal investigation requires data regarding a specific stay or user.
8.4 Transparency and Physical Accountability
Unlike "anonymous" international apps, Vasuko is a locally registered entity in Dang, Nepal. By providing a physical office address in Ghorahi-15 and a direct Nepali phone number, we provide:
- Physical Recourse: You know exactly where your data is being managed.
- Fast Resolution: We aim to respond to all privacy-related inquiries within 3 to 7 business days, significantly faster than global platforms.
Vasuko App Solutions Pvt. Ltd.
Attn: Data Protection Officer (Pankaj Subedi)
Email: support@vasuko.com
Address: Ghorahi-15, Dang, Nepal
Phone: +977 9806232446