T
Threelok Trusted Business Network
Back to Home
Nepal Individual Privacy Act, 2075

Privacy Policy

How Threelok collects, uses, protects, and respects your personal data.

Last updated: March 2026  ·  Effective from launch

Summary for quick reading: Threelok collects only what is necessary to operate a verified marketplace. Your KYC documents are used only for identity verification. We never sell your data. You can request deletion of your data at any time through your account dashboard.

Threelok ("we", "our", "the platform") is Nepal's trusted business network connecting buyers and sellers. This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use Threelok. It is written in compliance with Nepal's Individual Privacy Act, 2075 (2018), the Individual Privacy Regulation, 2020, and the Asset (Money) Laundering Prevention Act, 2008 (for KYC requirements).

By using Threelok, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.

01

What Information We Collect

A. Account Information

  • Full name and email address (required to create an account)
  • Password (stored as a one-way hash — we cannot read it)
  • Profile picture (from Google sign-in or auto-generated avatar)
  • Phone number (for sellers, required for business contact)

B. KYC & Verification Documents (Sellers only)

  • Citizenship certificate or passport (photo/scan)
  • PAN card (photo/scan of the physical card)
  • PAN number (alphanumeric, typed)
  • Business / shop name as registered
  • Timestamp of your explicit KYC consent
KYC documents are required under Nepal's AML Act, 2008 for all marketplace sellers

C. Usage & Technical Data

  • Pages visited and searches performed on Threelok
  • Device type and browser (for security and optimisation)
  • IP address (for fraud detection and rate limiting)
  • Order history and reviews you write
02

Why We Collect This Data

We collect personal information only for specific, stated purposes as required by Nepal's Individual Privacy Act, 2075 (purpose limitation):

  • Providing the service — to let you buy, sell, review, and message on Threelok
  • Identity verification (KYC) — to prevent fraud and comply with Nepal's AML laws
  • Security — to protect your account and detect unauthorised access
  • Legal compliance — to fulfil obligations under Nepali law
  • Communication — to send order updates, password resets, and important notices
  • Platform improvement — to fix bugs and improve features (using aggregated, anonymised data only)
We never use your data for advertising or sell it to third parties
03

How We Store & Protect Your Data

  • Encryption in transit — all data is transmitted over HTTPS (TLS 1.2+)
  • Encryption at rest — KYC documents and sensitive fields are encrypted on disk
  • Access controls — KYC documents are accessible only to authorised Threelok administrators; no automated system reads them
  • Secure file storage — documents are stored outside the public web directory with randomised filenames
  • Password hashing — passwords are hashed with bcrypt and are never stored in plaintext
  • Rate limiting — login and signup endpoints are rate-limited to prevent brute-force attacks
  • Two-factor authentication — available for all accounts; required for high-value sellers

Security incident disclosure: In the event of a data breach affecting your personal information, Threelok will notify affected users within 72 hours, as required by Nepal's Individual Privacy Act, 2075.

04

Data Retention & Deletion

We follow a strict "keep only as long as necessary" policy:

Data Type Retention Period Reason
Account data (name, email) Until account deletion Service provision
KYC documents (citizenship, PAN) Minimum 5 years after last transaction AML Act, 2008 — legally required
Order & transaction records 5 years Tax & legal compliance
Reviews & public content Until deleted by user or Threelok Platform integrity
Inactive account data Deleted after 2 years of inactivity Data minimisation principle
Server & access logs 90 days Security monitoring
05

Who We Share Your Data With

Threelok does not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

  • Within Threelok — authorised staff who need access to operate the platform
  • Payment processors — only transaction data required to complete a payment (no KYC documents shared)
  • Legal obligations — when required by a court order or Nepal's Financial Intelligence Unit (FIU Nepal) under the AML Act, 2008
  • With your explicit consent — any other sharing will only happen if you specifically approve it
We never share your documents with advertisers, data brokers, or marketing companies
06

Your Rights Under Nepal Law

Under Nepal's Individual Privacy Act, 2075, you have the following rights regarding your personal data:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Request correction of inaccurate or incomplete personal data.

Right to Deletion

Request deletion of your data (subject to legal retention requirements for KYC).

Right to Object

Object to processing of your data for purposes beyond what you consented to.

Right to Portability

Request your data in a structured, machine-readable format.

Right to Complain

File a complaint with Nepali courts if you believe your privacy rights have been violated.

To exercise any of these rights, contact us at privacy@threelok.com or use the Data Dashboard in your account settings. We will respond within 30 days.

07

KYC & Anti-Money Laundering Compliance

Threelok processes payments and is therefore subject to Nepal's Anti-Money Laundering requirements. This means:

  • All sellers must provide verified identity documents before accepting payments
  • We monitor transactions for suspicious activity as required by the AML Act, 2008
  • Suspicious transactions must be reported to FIU Nepal (Financial Intelligence Unit)
  • KYC records must be retained for a minimum of 5 years after the last transaction
  • We conduct ongoing due diligence on seller accounts for high-value transactions

Important: Your KYC documents cannot be deleted on request during the legal 5-year retention window, even if you close your seller account. This is a mandatory legal requirement, not Threelok's choice.

08

Cookies & Tracking

Threelok uses minimal, privacy-respecting cookies:

  • Session cookies — to keep you logged in (deleted when you close the browser)
  • Theme preference — stored in localStorage to remember your dark/light mode choice
  • Cart data — stored locally in your browser to persist your shopping cart
No third-party tracking, no advertising cookies, no analytics tracking without consent
09

Children's Privacy

Threelok is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has created an account, please contact us immediately at privacy@threelok.com and we will delete the account and all associated data promptly.

10

Changes to This Policy

We may update this Privacy Policy from time to time. When we do:

  • The "Last updated" date at the top of this page will be changed
  • For significant changes, we will send a notification to your registered email address
  • Your continued use of Threelok after the update constitutes acceptance of the new policy
11

Contact Us

For privacy-related questions, data requests, or complaints, contact our Privacy Officer:

Email
privacy@threelok.com
Response Time
Within 30 days
Jurisdiction
Nepal

On This Page

Manage My Data

View or delete your documents

Governing Laws

  • • Individual Privacy Act, 2075
  • • Individual Privacy Regulation, 2020
  • • Constitution of Nepal, Art. 28
  • • AML Prevention Act, 2008