Privacy Policy
1. Data Controller and Contact Details
Rumi Financial Technologies Pvt. Ltd. is the data controller for all personal data collected through the Application.
| Role | Contact |
|---|---|
| Data Protection Officer (DPO) | dpo@rumi.com.np |
| Privacy Enquiries | privacy@rumi.com.np |
| Security Incidents | security@rumi.com.np |
| Regulatory / Compliance | compliance@rumi.com.np |
| Complaints | complaints@rumi.com.np |
| Regulatory Bodies | Nepal Rastra Bank (NRB); Securities Board of Nepal (SEBON) |
2. Personal Data We Collect
Under the Individual Privacy Act 2075, Section 2(c), and Section 27(2), the following data categories are classified as Sensitive Personal Information requiring explicit, informed, and specific consent:
- National Identity Number (NIN)
- Biometric data (facial liveness scan)
- Financial and transaction records
2.1 Identity and Authentication Data
| Data Element | Purpose | Legal Basis | Classification |
|---|---|---|---|
| Full legal name | Account registration, identity verification | Contractual necessity; NRB KYC Directive | Standard |
| Email address | Login, notifications, account recovery | Contractual necessity; Consent | Standard |
| National Identity Number | Identity verification via GovDataAxis, AML deduplication | Legal obligation (NRB KYC); AML/CFT Act 2064 | SENSITIVE |
| Facial liveness scan | Liveness check during KYC; step-up authentication for transactions of NPR 100,000 or above | Explicit biometric consent; NRB 2025 biometric KYC | SENSITIVE (Biometric) |
2.2 Data We Do NOT Collect
Rumi does NOT collect the following — by design and by policy:
- Raw biometric templates or fingerprint data
- NID card physical image stored permanently
- Bank account numbers or payment card numbers
- GPS location data
- Contacts, microphone data, or camera access beyond the liveness scan flow
- Browsing history, third-party app usage data, or cross-app tracking
- Caste, ethnicity, religion, political opinions, sexual orientation, or health data
- Cryptocurrency wallet addresses or virtual asset data
3. How We Collect Your Data
- Directly from you: during registration, KYC, transaction submission, and customer support.
- Via GovDataAxis: NIN and NID record data fetched from DoNIDCR upon your explicit instruction and consent.
- Via Khalti: payment transaction reference data returned after payment processing.
- Via NEPSE / Stock Broker TMS: trade execution confirmations and market price data.
- Automatically: device and session data collected via the Application.
4. Legal Basis for Processing
| Legal Basis | Processing Activities |
|---|---|
| Explicit consent | Biometric liveness scan; facial recognition during KYC; optional app analytics; marketing communications |
| Contractual necessity | Core account functions; wallet operations; trade execution; portfolio management; session management |
| Legal obligation | KYC/AML compliance; NRB Directives; STR/SAR filing with FIU; SEBON reporting; tax records |
| Legitimate interest | Fraud prevention; security monitoring; service improvement (where not overridden by your rights) |
5. Biometric Data — Special Provisions
Biometric data is classified as Sensitive Personal Information under the Individual Privacy Act 2075, Section 2(c)(f). The following specific consents are required:
- Consent 1: Facial liveness scan during KYC onboarding to verify you are a live person matching your NID record.
- Consent 2: Biometric step-up authentication for transactions of NPR 100,000 or above.
- Consent 3: Transmission of liveness confirmation data to GovDataAxis for NIN matching.
- Consent 4: Retention of a cryptographic confirmation hash (not the raw biometric) for NRB audit compliance.
6. National Identity Number (NIN)
Your NIN is classified as sensitive personal information under the Individual Privacy Act 2075, Section 2(c)(d). We collect it for the following purposes only:
- Initial identity verification against DoNIDCR via GovDataAxis.
- Account deduplication to enforce the one-Account-per-person rule.
- AML/CFT screening as required by NRB Directives and the 2025 AML Rules.
- Integration with Nepal's Centralised KYC system as mandated by NRB.
- Response to lawful regulatory demand from NRB, FIU, SEBON, or the courts of Nepal.
7. How We Share Your Data
We do not sell your personal data. We share it only in the following limited circumstances:
| Recipient | Data Shared | Purpose | Legal Basis |
|---|---|---|---|
| GovDataAxis (DoNIDCR gateway) | NIN; liveness confirmation | Identity verification | Consent; legal obligation |
| Khalti (NRB-licensed PSP) | Wallet reference data; transaction amounts | Payment processing | Contractual necessity |
| NEPSE / Stock Broker TMS | Trade orders; portfolio data | Trade execution | Contractual necessity; legal obligation |
| FIU-Nepal (NRB) | STR/SAR reports where legally required | AML/CFT compliance | Legal obligation |
8. Data Localisation
Sensitive personal data — including NIN records, biometric confirmation records, and financial transaction data — is stored on servers located within Nepal or on AWS infrastructure that meets Nepal data residency requirements.
9. Data Retention
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| KYC / AML records | 7 years from account closure | NRB KYC Directive; AML/CFT Act 2064 |
| Financial transaction records | 7 years from transaction date | NRB Directive; AML/CFT Act; tax law |
| NEPSE order and trade records | 10 years | Securities Act 2063; SEBON Regulations |
| Authentication logs | 2 years | Security; fraud investigation |
10. Your Rights Under Nepal Law
Under the Individual Privacy Act 2075 (2018) and Privacy Regulation 2077 (2020), you have the following rights in respect of your personal data:
| Your Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access | Request a copy of all personal data we hold about you. | Email privacy@rumi.com.np — response within 30 days |
| Right to Rectification | Request correction of inaccurate or incomplete data. | Via in-app Settings or privacy@rumi.com.np |
| Right to Erasure | Request deletion where we no longer have a legal basis to retain your data. | Via Account closure flow or privacy@rumi.com.np |
| Right to Object | Object to processing based on legitimate interests. | Via privacy@rumi.com.np |
11. Data Breach Notification
In the event of a personal data breach posing a risk to your rights:
- We will notify affected users without undue delay where a high risk to their rights is identified.
- We will notify NRB if the breach affects payment or financial data.
- We will notify FIU-Nepal if the breach affects AML/KYC records.
- We maintain an internal breach register in compliance with applicable privacy regulations.
12. Security Measures
We implement the following technical and organisational security measures:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all sensitive data at rest
- Certificate pinning in the React Native application
- AWS VPC segmentation
- Role-based access control
- All credentials managed via AWS Secrets Manager
- Immutable audit logs in Amazon S3 with Object Lock
- Regular vulnerability scanning and annual penetration testing
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Modified" date.
14. Contact Us
If you have any questions about this Privacy Policy, please contact us at:
- Email: privacy@rumi.com.np
- Data Protection Officer: dpo@rumi.com.np