Privacy Policy
How we collect, use, and protect data for businesses and the players of their campaigns.
Last updated: June 2025
1. Who we are
This Privacy Policy applies to the NANDINI gamification platform, operated by NANDINI Interactive Labs, registered at Ghattekulo, Kathmandu, Nepal ("NANDINI", "we", "us"). For privacy enquiries contact us at [email protected].
2. Who this policy covers
NANDINI serves two distinct groups of people and handles their data differently:
- Business users — the marketers, agencies, and companies that create and manage campaigns in the NANDINI studio. This is your account data.
- End-players — the members of the public who interact with campaigns published by business users. NANDINI collects end-player data on behalf of, and under the instructions of, the business user (the data controller). NANDINI acts as a data processor for end-player data.
3. Data we collect
From business users (account data):
- Name, email address, and password (or OAuth token)
- Company name and billing information
- Campaign content, configuration, and assets you upload
- Usage logs: logins, studio actions, API calls
From end-players (campaign data — collected on behalf of the business user):
- Information the player voluntarily submits during a campaign — such as name, email address, phone number, survey responses, and quiz answers
- Anonymous first-party visitor identifiers (a random UUID stored in the player's browser) used to recognise returning players without requiring a login
- Gameplay and analytics events: game type played, step completed, prize outcome, timestamp, and device/browser metadata
We do not knowingly collect sensitive personal data (health, financial, or biometric information) from end-players. Business users must not configure campaigns to collect such data without explicit legal basis.
4. Consent and legal basis
NANDINI obtains end-user consent at the point of data capture within each campaign. The business user (data controller) is responsible for configuring appropriate consent language and complying with applicable promotion and data protection laws in their jurisdiction.
For business user account data, our legal basis is the performance of a contract (providing the NANDINI service to you) and, where applicable, legitimate interests (security, fraud prevention, product improvement).
5. How we use data
- Providing, operating, and improving the NANDINI platform
- Sending transactional emails (account confirmations, access invites)
- Generating aggregated, anonymised analytics to improve our product
- Responding to support requests
- Complying with legal obligations
End-player data is used solely to operate the campaign on behalf of the business user. We do not use end-player data for our own marketing or sell it to third parties.
6. Data sharing and sub-processors
We share data only as necessary to deliver the service. Our current sub-processors include:
- Hosting and infrastructure — cloud servers and storage where the NANDINI application and data reside
- MongoDB Atlas — managed database service for storing campaign and player data
- Optional integrations — if a business user enables integrations (such as Slack notifications or CRM connections), data may flow to those third-party services under the business user's control and their respective privacy policies
We do not sell, rent, or trade personal data to any third party for marketing purposes.
7. Data retention
Raw gameplay events and analytics are retained for the lifetime of the campaign or business account, whichever ends first. There is no automatic rolling deletion of event data at 90 days; events persist until the business user deletes the campaign, closes their account, or requests deletion by contacting us. Aggregated campaign reports are retained for the lifetime of the business account. End-player submission data (names, emails, etc.) is retained until the business user deletes the campaign or closes their account. Business user account data is retained for as long as the account is active and for a reasonable period thereafter to meet legal obligations.
8. Security
We implement industry-standard security measures including encryption in transit (TLS), encryption at rest, access controls, and regular security reviews. No system is perfectly secure; if you discover a vulnerability, please report it responsibly to [email protected].
9. Your rights
Business users may access or correct their account data via the NANDINI studio. To export or delete account data, or to request deletion of all data associated with your organisation, please contact us at the address in section 14. Self-service export and deletion tooling is on our roadmap and not yet available.
End-players wishing to exercise data rights (access, correction, deletion) should contact the business user who ran the campaign, as they are the data controller for end-player data. Where the business user asks us to assist in fulfilling such a request, we will cooperate. Deletion of a campaign by the business user removes all associated end-player events, submissions, and identifiers from our systems.
10. Cookies and first-party identifiers
NANDINI uses a first-party anonymous visitor identifier (stored in localStorage or a first-party cookie) to recognise returning players within campaigns. This identifier is random, contains no personal information, and is not shared with third parties. We do not use third-party tracking cookies or cross-site advertising trackers by default. Business users may enable additional analytics tools on their own websites; those tools are governed by their own policies.
For websites that embed a NANDINI campaign
This website may embed interactive campaigns powered by NANDINI (nandini.app). When you interact with a NANDINI campaign, a random anonymous identifier is stored in your browser's localStorage under the key gam_vid. This identifier contains no personal information; it is used solely to recognise you as a returning player within the same campaign (for example, to prevent multiple prize entries or to restore your progress). It is not shared with advertising networks or used for cross-site tracking. You can delete it at any time by clearing your browser's site data for this website.
11. International transfers and legal context
NANDINI is operated with particular attention to the Nepal context and the emerging data protection framework of South Asia, including compatibility with India's Digital Personal Data Protection Act (DPDP 2023). Our consent model is designed to be compatible with these frameworks: consent is obtained at the point of collection, data is used only for the stated purpose, and deletion mechanisms are available. Where data is transferred internationally (for example, to cloud infrastructure), we take steps to ensure appropriate safeguards are in place.
12. Children
NANDINI campaigns are intended for persons aged 18 and over (or the age of majority in their jurisdiction). Business users must not configure campaigns targeting minors without appropriate safeguards and parental consent mechanisms in place. We do not knowingly collect personal data from children under 13.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to business users by email or via an in-studio notice. Continued use of NANDINI after the effective date of a change constitutes acceptance of the revised policy.
14. Contact
For privacy-related questions, data access requests, or to report a concern, contact us at [email protected] or write to NANDINI Interactive Labs, Ghattekulo, Kathmandu, Nepal.