Privacy Policy

Last Updated: January 2026

The House of Kaya (KAYA) / Noble Nest Pvt. Ltd.

Introduction

This Privacy Policy explains how KAYA and Noble Nest Pvt. Ltd. collect and process personal data under the GDPR (General Data Protection Regulation), the CCPA (California Consumer Privacy Act), and the laws of Nepal.

We are committed to protecting your privacy and ensuring transparency about how we handle your personal information. By using our website and services, you agree to the practices described in this policy.

Who We Are:

  • Company: Noble Nest Pvt. Ltd., operating as The House of Kaya (KAYA)
  • Business: Premium Himalayan wellness products and natural supplements
  • Compliance: GDPR (EU/EEA), CCPA (California), Nepal's Electronic Transactions Act, 2063

If you have any questions about this policy, please contact us at privacy@thehouseofkaya.com.

Data We Collect

We collect various types of information to provide and improve our services:

Personal Information

  • Account Details: Name, email address, phone number, password
  • Billing Information: Billing address, payment method details
  • Shipping Information: Delivery address, contact number
  • Order History: Products purchased, order dates, transaction amounts

Device Data

  • Device Information: Device type, operating system, browser type and version
  • IP Address: Your internet protocol address for security and fraud prevention
  • Cookies and Identifiers: Session cookies, tracking pixels, device identifiers

Location Data

  • Approximate Location: Based on IP address for shipping estimates and regional content
  • Precise Location: Only if you grant permission through your device settings

Analytics Data

  • Website Usage: Pages visited, time spent, products viewed
  • Interactions: Clicks, searches, navigation patterns
  • Referral Sources: How you found our website (search engines, social media, ads)

Blockchain Interactions

  • Cryptocurrency Payments: Wallet addresses, transaction hashes (if you use crypto payments)
  • Smart Contracts: Blockchain-based transaction records
  • Decentralized Identity: If you use blockchain authentication methods

How We Use Data

We use your information for the following purposes:

Orders and Fulfillment

  • Process and complete your purchases
  • Verify payment information
  • Arrange shipping and delivery through logistics partners
  • Send order confirmations and shipping updates
  • Handle returns, exchanges, and refunds

Logistics and Delivery

  • Coordinate with courier services (DHL, FedEx, local carriers)
  • Track shipments and provide delivery status
  • Ensure accurate and timely product delivery
  • Resolve delivery issues or missing packages

Fraud Prevention and Security

  • Detect and prevent fraudulent transactions
  • Verify identity for high-value orders
  • Monitor suspicious account activity
  • Protect against unauthorized access
  • Comply with the Payment Card Industry Data Security Standard (PCI DSS)

Marketing and Communication

  • Send promotional emails about new products and special offers
  • Share newsletters with wellness tips and product information
  • Deliver personalized product recommendations
  • Conduct customer surveys and gather feedback
  • Send abandoned cart reminders (with your consent)
  • You can opt out of marketing communications at any time

Website Improvement

  • Analyze website performance and user behavior
  • Improve navigation and user experience
  • Test new features and optimize functionality
  • Identify and fix technical issues

Customer Support

  • Respond to your inquiries and support requests
  • Provide product information and usage guidance
  • Resolve complaints and issues
  • Improve our customer service quality

Legal Basis

Under GDPR and other privacy laws, we process your data based on the following legal grounds:

Consent

  • Marketing emails and promotional communications
  • Optional cookies for analytics and advertising
  • Sharing health-related information for personalized recommendations
  • You can withdraw consent at any time without affecting previous processing

Contract

  • Fulfilling your orders and delivering products
  • Processing payments and managing your account
  • Providing customer support services
  • Essential for performing our agreement with you

Legitimate Interest

  • Fraud detection and prevention
  • Website analytics and improvements
  • Product development and market research
  • Network and information security
  • We balance our interests against your privacy rights

Legal Obligation

  • Complying with tax and accounting laws (7-year retention)
  • Responding to law enforcement requests
  • Meeting regulatory requirements for e-commerce
  • Consumer protection and product safety compliance

Your Rights

Depending on your location, you have various rights regarding your personal data:

Universal Rights (All Users)

  • Access: Request a copy of your personal information
  • Correction: Update or correct inaccurate data
  • Deletion: Request deletion of your account and data
  • Opt-Out: Unsubscribe from marketing communications
  • Portability: Receive your data in a transferable format

GDPR Rights (EU/EEA/UK Residents)

  • Restrict Processing: Limit how we use your data in certain circumstances
  • Object to Processing: Object to processing based on legitimate interest
  • Automated Decisions: Not be subject to solely automated decision-making with legal effects
  • Withdraw Consent: Withdraw consent for consent-based processing
  • Lodge Complaint: File a complaint with your data protection authority

CCPA/CPRA Rights (California Residents)

  • Right to Know: Request details about data collected and shared
  • Right to Delete: Request deletion with certain exceptions
  • Right to Correct: Fix inaccurate personal information
  • Right to Opt-Out: Opt out of the “sale” or “sharing” of your personal information (we do not sell data, but passing browsing data to advertising platforms such as Facebook Pixel may qualify as “sharing” under the CPRA)
  • Non-Discrimination: No penalties for exercising your rights

Data Sharing

We do not sell your personal information. We share data only with trusted partners necessary to operate our business:

Service Providers

Logistics Partners: International and domestic shipping companies (DHL, FedEx, local carriers), warehouse and fulfillment services. We share: name, phone number, shipping address, order details.

Stripe (Payment Processor): Securely processes all credit card and online payments. PCI-DSS compliant payment handling. We do not store full credit card numbers. Stripe Privacy Policy: https://stripe.com/privacy

Analytics Providers: Google Analytics for website traffic analysis, Facebook Pixel for advertising effectiveness, heatmap and behavior analytics tools. Used to improve website performance and user experience.

Technology and Hosting: Cloud hosting services (AWS, Google Cloud, or similar), email service providers for transactional and marketing emails, customer support platforms, security and fraud prevention services.

Legal and Regulatory

We may disclose information when: required by law, court order, or legal process; necessary to protect our rights, property, or safety; investigating fraud or security incidents; complying with tax, customs, or regulatory requirements; responding to government or law enforcement requests.

Business Transfers

If we merge with or are acquired by another company, your information may transfer to the new entity. We will notify you of any such change and any new privacy practices.

With Your Consent

We may share information for other purposes with your explicit permission, such as: partnership programs you choose to participate in, third-party integrations you connect to your account, social media features you actively use.

All third parties are contractually required to protect your data and use it only for specified purposes.

Retention

We retain your data only as long as necessary for the purposes described in this policy:

Account Data

  • Active Accounts: Retained while your account is active
  • Deleted Accounts: 90-day grace period, then permanently deleted
  • Reactivation: You can reactivate within 90 days

Order Records

  • Duration: 7 years from transaction date
  • Reason: Nepal tax law and accounting requirements
  • Includes: Order details, invoices, receipts, shipping records
  • Payment Cards: Full card numbers are never stored on our systems; Stripe tokenizes card data at checkout and retains it under PCI DSS requirements

Marketing Data

  • Email Lists: Until you unsubscribe, then 30 days to process removal
  • Campaign Data: 2 years for performance analysis
  • Preferences: Retained while account is active

Analytics Data

  • Website Analytics: 26 months, the retention period configured in our analytics tools
  • Session Logs: 90 days for troubleshooting
  • Aggregated Data: Retained indefinitely in anonymized form

Blockchain Data

  • Cryptocurrency Transactions: Permanent (blockchain is immutable)
  • Wallet Addresses: Retained as long as associated with active account
  • Transaction Records: Cannot be deleted from public blockchain

Legal and Compliance

  • Dispute Records: 7 years after resolution
  • Fraud Prevention: 7 years for security purposes
  • Legal Matters: Duration of legal issue plus 7 years

After retention periods expire, we permanently delete or anonymize your data.

Security

We implement industry-standard security measures to protect your information:

Technical Security

  • Encryption: TLS (HTTPS) for data in transit; AES-256 for data at rest
  • Secure Payments: Stripe handles payment processing with PCI-DSS compliance
  • Firewalls: Network security and intrusion detection systems
  • Access Controls: Role-based access limiting employee data access
  • Regular Updates: Software patches and security updates applied promptly

Administrative Security

  • Employee Training: Staff trained on data protection and privacy
  • Confidentiality Agreements: All employees sign non-disclosure agreements
  • Vendor Management: Third parties contractually obligated to protect data
  • Incident Response: Procedures in place for security breaches

Physical Security

  • Data Centers: Secure facilities with restricted access
  • Backups: Encrypted backups stored in multiple locations
  • Redundancy: Systems in place to prevent data loss

Your Responsibility

You can help protect your account by: using strong, unique passwords; enabling two-factor authentication (when available); not sharing login credentials; logging out on shared devices; reporting suspicious activity immediately to security@thehouseofkaya.com.

Data Breach Notification

If a security breach occurs affecting your data, we will: report it to the relevant supervisory authority within 72 hours of becoming aware of it, as the GDPR requires, and to other authorities as required by law; notify you without undue delay where the breach is likely to result in a high risk to your rights; explain what data was affected; describe the steps we are taking to address the breach; and provide recommendations to protect yourself.

While we use industry-standard security, no system is 100% secure. We cannot guarantee absolute security but commit to maintaining best practices.

Children's Privacy

Our services are intended for adults aged 18 and older. We do not knowingly collect personal information from children under 18.

Age Restrictions

  • Minimum age to create an account: 18 years
  • Age verification may be required during registration
  • Many of our wellness products are for adult use only

Parental Rights

If you are a parent or guardian and believe your child under 18 has provided us with personal information: contact us immediately at privacy@thehouseofkaya.com; we will verify the situation and promptly delete the child's data; we will terminate any account created by a minor.

Compliance

We comply with: Children's Online Privacy Protection Act (COPPA) in the United States; GDPR provisions regarding children's data in the EU/EEA; applicable children's privacy laws in other jurisdictions.

International Transfers

Your data may be transferred to and processed in countries outside your residence:

Transfer Locations

  • Nepal: Our primary operations and headquarters
  • United States: Cloud hosting and technology services
  • European Economic Area: Payment processing partners
  • Other Countries: As necessary for shipping and service delivery

GDPR Safeguards (EU/EEA Transfers)

When transferring data from the EU/EEA to other countries, we use:

Standard Contractual Clauses (SCCs): European Commission-approved contractual terms that place legally binding obligations on data recipients and ensure adequate protection for your data.

Adequacy Decisions: Transfers to countries the European Commission recognizes as providing adequate protection; the list currently includes Switzerland, Japan, and others as designated.

Additional Security: Encryption in transit and at rest, access controls limiting data exposure, regular audits of international processors, and supplementary measures per European Data Protection Board guidelines.

CCPA Compliance (California Transfers)

Service providers outside California must: provide equal data protection standards; comply with CCPA requirements contractually; limit use and disclosure of California resident data.

Your Rights

  • Request information about where your data is transferred
  • Object to certain international transfers (may affect service availability)
  • Withdraw consent for consent-based transfers
  • Lodge complaints with your data protection authority

Regulatory Authorities

For GDPR Complaints (EU/EEA/UK):

Contact your local data protection authority.

  • UK: Information Commissioner's Office (ICO) - https://ico.org.uk
  • EU: Find your authority at - https://edpb.europa.eu

For CCPA Complaints (California): California Attorney General - https://oag.ca.gov/privacy

Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

How We Notify You

Material Changes: Email notification to your account, prominent notice on our website for 30 days, updated “Last Updated” date at the top.

Minor Changes: Updated “Last Updated” date, posted on our website, no individual notification unless required by law.

Your Acceptance

  • Continued use after changes constitutes acceptance
  • Review this policy periodically for updates
  • For significant changes, we may request renewed consent
  • If you object to changes, you may close your account

Effective Date: Changes take effect on the date indicated as “Last Updated” or as otherwise specified in the notice.

Additional Resources

Our Policies

  • Legal Terms
  • Cookie Policy
  • Return & Refund Policy

Third-Party Privacy Policies

  • Stripe
  • Google Analytics
  • Facebook

Regulatory Information

  • GDPR Information
  • CCPA Information

Acknowledgment

By using The House of Kaya's services, you acknowledge that:

  • You have read and understood this Privacy Policy
  • You agree to the collection, use, and sharing of your data as described
  • You are at least 18 years old
  • You understand your privacy rights and how to exercise them
  • You consent to international data transfers with appropriate safeguards

For GDPR Users: Your consent is freely given and can be withdrawn at any time without affecting prior processing.

For CCPA Users: You will not face discrimination for exercising your privacy rights.

Thank you for trusting The House of Kaya with your personal information. We are committed to protecting your privacy while providing authentic Himalayan wellness products and exceptional service.

Questions or concerns? Contact us at privacy@thehouseofkaya.com

Kaya © 2026 · All rights Reserved | Created by Two Ace Solutions