Privacy Policy

Effective date: 26 May 2026  ·  Last reviewed: 26 May 2026

This Privacy Policy explains how Himalos ("Himalos", "we", "our", "us") collects, uses, shares, and protects personal information in connection with himalos.com and any related applications or services (collectively, the "Platform"). It applies to travellers, business partners (Operators), visitors, and any other person whose personal information we process.

Please read this policy carefully. By using the Platform you acknowledge that you have read and understood it. If you do not agree, please do not use the Platform.

1. Who we are (data controller)

Himalos is the data controller responsible for personal information processed in connection with the Platform. Our primary contact for privacy matters is:

Where we act as a processor on behalf of an Operator (for example when an Operator uploads traveller data directly), the Operator is the controller for that data and their own privacy notice applies alongside this one.

2. Definitions

  • Traveller — any individual who browses, registers, or makes a booking on the Platform.
  • Operator — a business or sole trader registered on the Platform to list and sell travel experiences.
  • Booking — a confirmed reservation for an experience listed on the Platform.
  • Personal information — any information that identifies or could reasonably identify an individual, including name, email address, IP address, and payment details. In EU/UK law this is called "personal data".
  • Processing — any operation performed on personal information, including collection, storage, use, disclosure, and deletion.

3. Information we collect

3.1 Information you provide directly

  • Account creation (Travellers) — email address, used to authenticate via a one-time code sent to that address. No password is set or stored.
  • Traveller profile — display name, phone number, country of residence, and notification preferences you choose to add.
  • Booking details — participant information, special requirements, and any information you submit during checkout.
  • Operator registration — business name, registered address, contact name, email, phone number, business registration number, and proof-of-registration documents.
  • Operator bank details — bank account information provided for payout processing. This information is protected using industry-standard encryption and is accessible only to authorised personnel.
  • Communications — messages sent through the in-platform messaging system, contact form submissions, and support requests.
  • Reviews — any review or rating you submit following a booking.

3.2 Information collected automatically

  • Log data — IP address, referrer URL, and timestamps for requests to the Platform.
  • Device and browser information — user-agent string, operating system, browser type and version, screen resolution, and preferred language.
  • Approximate geographic location — country and region derived from your IP address via a geolocation service. We do not collect precise GPS coordinates.
  • Session and authentication data — encrypted session tokens stored in browser cookies to keep you signed in.
  • IP address on sign-in requests — when you request a sign-in code, your IP address is recorded against that request for rate-limiting and fraud detection. This record is deleted after 24 hours. The IP address in general request logs (see "Log data" above) is retained for the period stated in Section 7.
  • Search and browse data — search queries, filters applied, packages viewed, and wishlist interactions recorded to improve recommendations and detect abuse. Search events are linked to your traveller account and anonymised when your account is deleted.
  • Cookies and local storage — see Section 9 for details.

3.3 Information received from third parties

  • Payment data — Stripe, our payment processor, returns a payment confirmation, transaction reference, and partial card details (last 4 digits, card brand). We do not receive or store full card numbers, CVV codes, or other sensitive cardholder data.

4. How we use your information and our legal basis

The lists below summarise, for each group of users, the main purposes for which we use personal information, the legal basis we rely on, and, where that basis is "legitimate interests", what those interests are.

4.1 All users

  • Providing and operating the Platform (legal basis: contract performance; legitimate interests — operating a reliable marketplace) — authenticating your identity, displaying content, processing bookings, and maintaining your account.
  • Security and fraud prevention (legal basis: legitimate interests — protecting users and the platform from fraud, abuse, and unauthorised access) — rate-limiting requests, logging anomalous activity, and reviewing flagged content.
  • Legal compliance (legal basis: legal obligation) — retaining financial records, responding to lawful requests from authorities, and complying with applicable tax, anti-money-laundering, and consumer protection laws.
  • Improving the Platform (legal basis: legitimate interests — understanding how the Platform is used to make it better) — analysing anonymised or aggregated usage patterns, running A/B tests, and resolving technical issues.

4.2 Travellers

  • Booking and fulfilment (legal basis: contract performance) — confirming your booking, sharing relevant details with the Operator, sending itinerary information, and processing your payment.
  • Transactional communications (legal basis: contract performance; legitimate interests) — sending booking confirmations, cancellation notifications, OTP sign-in codes, refund updates, booking reminders, and checkout abandonment reminders where you have started but not completed a booking. These communications are essential to the service, so you cannot opt out of them while you hold an active booking or have an open session.
  • Marketing communications (legal basis: consent) — sending promotional emails, newsletters, and offers where you have opted in. You may withdraw consent at any time via your account settings or by clicking "unsubscribe" in any marketing email.
  • Reviews and reputation (legal basis: legitimate interests — maintaining the quality and trust of the marketplace) — publishing your review and rating after a completed booking. Reviews may be visible publicly with your first name and booking year.

4.3 Operators

  • Registration and approval (legal basis: contract performance; legal obligation for KYC purposes) — reviewing your business information and registration documents to verify legitimacy.
  • Payout processing (legal basis: contract performance) — using your bank account details to transfer earnings, generating payout statements, and maintaining financial records.
  • Platform management (legal basis: legitimate interests — enforcing our Terms of Service) — monitoring package content, pricing, and compliance with our policies.

5. Data sharing and sub-processors

We do not sell, rent, or trade your personal information. We share it only where necessary and with appropriate safeguards. Our current sub-processors are:

  • Stripe, Inc. (United States) — payment processing. Stripe is a PCI DSS Level 1 certified processor. Data is transferred under Stripe's standard contractual clauses with the EU/UK and its Australian data processing addendum. Stripe Privacy Policy.
  • Postmark / ActiveCampaign, Inc. (United States) — transactional and marketing email delivery. Data is transferred under Standard Contractual Clauses (SCCs). Postmark Privacy Policy.
  • Cloudflare, Inc. (United States) — image storage, document storage, and content delivery network. Cloudflare acts as a processor under a Data Processing Addendum (DPA). Cloudflare Privacy Policy.
  • DigitalOcean, LLC (United States) — cloud infrastructure hosting for our application servers and database. Data is stored in US-based data centres. DigitalOcean provides a DPA meeting GDPR requirements. DigitalOcean Privacy Policy.
  • ipapi.co (United Kingdom) — IP-to-location API used to auto-detect your country during checkout. Your IP address is sent to ipapi.co solely to resolve the country code; no other personal data is shared. See the ipapi.co Privacy Policy.
  • Google LLC — Google Analytics 4 (United States) — web analytics used to understand how visitors use the Platform (pages viewed, session duration, traffic sources). Loaded only after you accept the analytics consent banner. Data is transferred under Standard Contractual Clauses. See the Google Privacy Policy.
  • PostHog, Inc. (United States) — product analytics platform used to analyse feature usage and user flows. Loaded only after you accept the analytics consent banner. Data is transferred under Standard Contractual Clauses. See the PostHog Privacy Policy.
  • Microsoft Corporation — Microsoft Clarity (United States) — session analytics tool that records anonymised heatmaps and session replays to help identify usability issues. Loaded only after you accept the analytics consent banner. Data is transferred under Standard Contractual Clauses. See the Microsoft Privacy Statement.

5.1 Sharing with Operators

When you complete a booking, we share the following traveller information with the relevant Operator so they can deliver your experience: name, booking reference, participant count, selected options, and any special requirements you submitted. Operators are contractually required to process this data solely to fulfil the booking and comply with our Data Processing Agreement.

5.2 Legal disclosures

We may disclose personal information where required to do so by law, court order, or government authority, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of Himalos, our users, or the public. Where possible and legally permitted, we will notify you of such requests.

5.3 Business transfers

If Himalos is involved in a merger, acquisition, asset sale, or restructuring, personal information may be transferred to the successor entity. We will notify affected users by email and/or a prominent notice on the Platform before any such transfer occurs, and prior to personal information becoming subject to a different privacy policy.

6. International data transfers

Himalos is based in Nepal. Our infrastructure and some sub-processors operate in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or Australia, your personal information may be transferred to and processed in countries whose data protection laws differ from your own.

We ensure such transfers are protected by:

  • Standard Contractual Clauses (SCCs) — EU Commission-approved clauses incorporated into our agreements with US-based sub-processors (Stripe, Postmark, Cloudflare, DigitalOcean, and, where you have consented to analytics, Google, PostHog, and Microsoft).
  • UK International Data Transfer Agreements (IDTAs) — equivalent UK transfer mechanism where required by UK GDPR.
  • Australian cross-border disclosure safeguards — we take reasonable steps under Australian Privacy Principle 8 to ensure overseas recipients handle information consistently with the Australian Privacy Principles.

7. Data retention

We retain personal information for as long as necessary to provide the Platform, fulfil the purposes described in this policy, and comply with applicable law. Our principal retention periods are:

  • Booking and financial records — 7 years from the booking date, to comply with tax and accounting obligations in applicable jurisdictions.
  • Account data (inactive accounts) — we will notify you and delete your account if it has been inactive for 3 years with no bookings.
  • Operator registration documents — for the duration of the Operator relationship and 7 years thereafter, to satisfy KYC and anti-fraud obligations.
  • Conversations and messages — 3 years from the date of the last message, after which content is anonymised.
  • OTP codes — codes expire 10 minutes after generation and cannot be reused (see Section 10); the stored code record is permanently deleted 24 hours after generation.
  • Server logs — 90 days, after which they are permanently deleted.
  • Marketing consent records — for as long as the consent is active plus 3 years to evidence the consent and any withdrawal.

When we no longer need personal information, we securely delete or anonymise it. In some cases we may retain anonymised data for analytical purposes; anonymised data cannot be used to re-identify you.

8. Your rights

Depending on where you are based, you may have some or all of the following rights. To exercise any right, please contact us at [email protected]. We will respond within 30 days (or such shorter period as required by applicable law). We may need to verify your identity before acting on a request.

8.1 Rights for all users

  • Right of access — you may request a copy of the personal information we hold about you, including the purposes for which it is processed, who it is shared with, and how long it is retained. Travellers can exercise this right directly by visiting Account → Privacy & Data and clicking "Request data export". You will receive an email with a download link, valid for 24 hours, to an export containing your profile, bookings, reviews, and message history. Alternatively, contact us at [email protected].
  • Right to correction — you may ask us to correct inaccurate or incomplete personal information.
  • Right to deletion — travellers may delete their account directly by visiting Account → Privacy & Data and confirming the deletion request. You can also submit a request to [email protected].

    What deletion means in practice: we anonymise rather than hard-delete certain records where retention is required by law or legitimate business need. Specifically:
    • Your profile name, email, and contact details are permanently wiped.
    • Booking financial records (amounts, references, dates) are retained for 7 years for tax and legal purposes, but your name and contact details are removed from those records.
    • Reviews you submitted remain published but are shown anonymously (your name is removed).
    • Messages you sent in the in-platform messenger are anonymised; messages sent to you by Operators are retained as part of the Operator's booking records.
    • Search events linked to your account are anonymised.
  • Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

8.2 Additional rights — EEA and UK residents (GDPR / UK GDPR)

  • Right to restriction — you may ask us to restrict the processing of your personal data in certain circumstances, for example while a correction request is being assessed.
  • Right to data portability — where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly-used, machine-readable format.
  • Right to object — you may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for legal claims.
  • Right to lodge a complaint — if you are in the EEA, you have the right to lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu. If you are in the UK, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk.

8.3 Additional rights — California residents (CCPA / CPRA)

California residents have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know — you may request the categories and specific pieces of personal information we have collected, the categories of sources, our business purpose for collection, and the categories of third parties with whom we share it.
  • Right to opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioural advertising. No opt-out is therefore required, but you may contact us to confirm this.
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond those permitted under CPRA.
  • Right to non-discrimination — we will not discriminate against you for exercising any CCPA/CPRA rights.
  • To exercise these rights, submit a verifiable consumer request to [email protected]. We will respond within 45 days of receipt.

8.4 Additional rights — Australian residents

Australian residents have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs):

  • Right of access (APP 12) — you may request access to the personal information we hold about you. We will respond within 30 days. Where access is refused, we will provide written reasons.
  • Right to correction (APP 13) — you may ask us to correct personal information you believe is inaccurate, out of date, incomplete, irrelevant, or misleading.
  • Right to complain — if you are unsatisfied with our handling of your personal information or with our response to a complaint, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

9. Cookies and local storage

We use browser cookies and local storage to operate the Platform. We do not use third-party advertising cookies or cross-site tracking technologies.

  • Authentication cookies (strictly necessary) — encrypted tokens that keep you signed in during your session. These are essential to the Platform and cannot be disabled.
  • Session state cookie (strictly necessary) — a short-lived cookie used to maintain your signed-in state in the browser. It contains no personal data and is cleared when you sign out.
  • CSRF protection cookie (strictly necessary) — a token used to protect against cross-site request forgery attacks on form submissions.
  • Culture cookie (functional) — stores your preferred language (English or Nepali). Persists across sessions.
  • himalos-theme (local storage) (functional) — stores your dark/light mode preference. Cleared when you clear browser storage.
  • himalos-currency (local storage) (functional) — stores your selected display currency. Cleared when you clear browser storage.
  • himalos-wishlist-ids (local storage) (functional) — stores your saved package IDs locally to improve load speed. Cleared when you sign out.
  • himalos-cookie-consent (local storage) (functional) — stores your analytics consent choice. Cleared when you clear browser storage.
  • Google Analytics 4 (analytics, consent required) — collects anonymised data about page views, session duration, and traffic sources. Loaded only after you accept the analytics consent banner. See the Google Privacy Policy.
  • PostHog (analytics, consent required) — collects anonymised data about feature usage and navigation flows. Loaded only after you accept the analytics consent banner. Uses its own session cookies. See the PostHog Privacy Policy.
  • Microsoft Clarity (analytics, consent required) — records anonymised heatmaps and session replays to identify usability issues. Loaded only after you accept the analytics consent banner. See the Microsoft Privacy Statement.

You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from signing in.

10. Security

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, accidental loss, disclosure, or destruction. Our measures include:

  • TLS encryption for all data in transit (HTTPS only).
  • Industry-standard encryption for sensitive data at rest.
  • One-time-password (OTP) authentication — no persistent passwords are ever stored.
  • Sign-in codes expire within 10 minutes and cannot be reused.
  • Session tokens are short-lived and invalidated on sign-out.
  • Registration documents stored in access-controlled cloud storage, accessible only to authorised personnel.
  • Role-based access control limiting staff access to personal data on a need-to-know basis.
  • Audit logging of administrative actions taken on user data.
  • Application infrastructure hosted on a private network, not directly reachable from the internet.

If you believe your personal information has been compromised or you discover a security vulnerability, please contact us immediately at [email protected].

11. Children's privacy

The Platform is not directed at children under the age of 16 (or 13 in the United States). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at [email protected] and we will delete it promptly.

If you are booking an experience that includes minor participants, you represent that you have authority to provide their information and consent to its use as described in this policy on their behalf.

12. Third-party links

The Platform may contain links to third-party websites or services. This Privacy Policy applies only to the Platform. We are not responsible for the privacy practices of third-party sites and encourage you to read their privacy notices before sharing any personal information with them.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered users by email and update the effective date at the top of this page. We will also present the updated policy for re-acceptance through the Platform before it takes effect for existing users. Your continued use of the Platform after changes are effective constitutes your acceptance of the revised policy.

Minor updates that do not materially affect your rights (such as correcting typos or adding greater detail) may be published without individual notice.

14. Contact us

For any privacy question, data request, or concern, please contact us:

We will acknowledge your request within 5 business days and aim to resolve it fully within 30 days. If we need more time (up to an additional 30 days for complex requests under GDPR), we will let you know.

If you are not satisfied with our response, you have the right to complain to your relevant supervisory authority as described in Section 8.