BiteOut Privacy Policy

Your privacy is important to us

We protect your information and aim to be clear and honest about how we use it. If you have questions, contact us (details at the end).

What information do we collect?

We collect personal information when you register or use the Service.

We collect:

• Basic profile: full name, mobile phone number, (optional) profile photo.
• Account details: OTP verification status, authentication tokens. BiteOut uses OTP-only authentication — we do not collect or store passwords.
• Booking & redemption data: partner restaurant, deal type, booking time/date, redemption status, ratings and reviews you submit, estimated savings.
• Subscription & payment: subscription plan type, purchase date, expiry date, and Khalti payment reference tokens. We do not store your Khalti PIN, bank details, or payment card numbers.
• Location data: approximate location (when you grant permission) to show nearby restaurants and calculate distances.
• Usage & device: app screens viewed, interactions, device model/OS, app version, session data, analytics events, IP address, and (with your consent on iOS via App Tracking Transparency) your advertising identifier (IDFA on iOS, GAID on Android) used for ad attribution.
• Communications: content you share with us by phone, email, SMS, or in-app support.

We do not collect:

• Passwords (we use OTP-only authentication).
• Email addresses (not required for registration).
• National identity numbers (citizenship/PAN), passport or driver's license details.
• Payment card numbers, bank account details, or Khalti credentials. All payments are processed entirely by Khalti; we receive only a transaction status and reference token.

If any of your details are incomplete, we may contact you by email or phone to verify them.

How do we collect your information?

• Online: when you register or use our website/app.
• By message: when you send documents or details via email/SMS/messaging apps.
• By phone: when you provide information during support calls.
• Automatically: via cookies/SDKs (to keep you signed in, remember preferences, measure performance, and prevent fraud).

App permissions (you control these)

With your prior permission, the app may access:

• Location — to show nearby restaurants and calculate distances. Your precise location is used only while the app is active and is not stored on our servers beyond the current session.
• Camera/Photos — to upload a profile photo. We do not access your photo library beyond the image you explicitly select.
• Notifications — to send deal alerts, booking updates, and relevant offers via OneSignal push notifications.

You can enable/disable these anytime in your device settings. Some features may not work without them.

How do we use your information?

We use your information to:

• Verify your identity via OTP and provide the Service you requested.
• Enable deal discovery, booking, and redemption at partner restaurants.
• Process subscription purchases via Khalti and manage your membership status.
• Show nearby restaurants based on your location (when permitted).
• Operate and improve our website/app and overall customer experience.
• Send push notifications about account updates, new deals, and relevant offers (via OneSignal).
• Analyze usage to improve features, prevent fraud/abuse, and measure performance.

Who do we share your information with?

We do not sell your personal information. We share only what's needed with:

• Partner restaurants — limited booking information (first name and booking code) to facilitate deal redemption. We do not share your phone number or location with partners.
• Khalti — payment gateway that processes subscription purchases. Khalti receives the transaction amount and your Khalti account details directly; we do not act as an intermediary for payment credentials.
• Sparrow SMS — our OTP delivery provider, which receives your phone number solely for sending verification codes.
• OneSignal — our push notification provider, which receives a device identifier (not your phone number or name) to deliver notifications.
• Meta (Facebook) — we use the Meta App Events SDK to measure how our ads perform and personalise the deals we show you. Meta may receive your advertising identifier (IDFA on iOS, GAID on Android), IP address, anonymous device information, and in-app events such as registrations, restaurant views, deals booked, and subscription purchases. On iOS this only happens if you tap "Allow" on the App Tracking Transparency prompt; you can change your choice any time in iOS Settings → Privacy & Security → Tracking. On Android you can reset or limit your advertising identifier from your device settings. Data shared with Meta is governed by Meta's Data Policy at facebook.com/privacy/policy.
• Hosting & infrastructure providers who store and process data for us under confidentiality.
• Regulators/law enforcement when required by law or to protect rights, safety, and property.
• Business transfers: if we merge, sell, or reorganize, your data may transfer under this Policy.

Keeping your information safe

We use technical and organizational measures (encryption in transit, access controls, hardened infrastructure, monitoring, backups). Data is stored in password-protected systems and accessible only to authorized staff trained in data protection.

We keep your information only as long as needed to provide the Service or as required by law. When no longer needed, we reasonably de-identify or delete it.

Cookies & SDKs

We use cookies and mobile SDKs to keep you signed in, remember preferences, personalize content, measure performance, and prevent fraud. You can control cookies in your browser and app permissions in your OS; some features may not function without them.

The SDKs we ship inside the BiteOut app today are:

• OneSignal — push notifications.
• Google Maps SDK — rendering maps and computing distances.
• Khalti SDK — payment processing for subscriptions.
• Meta App Events SDK — ad attribution and analytics, including Apple SKAdNetwork postbacks (iOS) and aggregated event measurement. On iOS, this SDK only sends data linked to your advertising identifier after you grant permission via App Tracking Transparency.
• Google Analytics for Firebase — product analytics (anonymous app usage and crash signals).

International transfers

Some trusted vendors (e.g., cloud hosting/analytics) may process data on servers outside Nepal. By using the Service, you consent to such transfers. We take reasonable steps to ensure protections consistent with this Policy and applicable law.

Your rights (Nepal)

Under the Privacy Act 2075 (2018) and other applicable laws, you may request to access, correct/update, or delete your personal information, and to opt out of direct marketing. We may request reasonable identity verification before acting on a request.

Making a privacy complaint

If you believe we mishandled your personal information or breached the Privacy Act 2075 (2018):

1. Contact us (see below).
2. We'll respond within 30 days with a written decision.
3. If we can't resolve it in 30 days, we'll explain the delay, reasons, and give a reasonable date for a decision.

All complaints are handled free of charge.

Legal references (Nepal)

We follow the Privacy Act 2075 (2018) and the Electronic Transactions Act 2063 (2008) as applicable to electronic records and fraud/abuse cooperation.

Changes to this Policy

We may update this Policy to reflect operational, legal, or regulatory changes. We'll post updates here and revise the "Effective date" above. Material changes may be notified via app/email. Please review periodically.