RRIMS · Government of Nepal

Privacy Policy

Remote Resource and Infrastructure Monitoring System

Effective Date: June 1, 2026  |  Version: 2.0

RRIMS (Remote Resource and Infrastructure Monitoring System) is an official digital platform operated under the authority of the Government of Nepal, Ministry of Physical Infrastructure and Transport. This Privacy Policy explains how we collect, process, store, share, and protect personal data in accordance with the Nepal Individual Privacy Act, 2075 (2018) and international best practices including ISO 27001 and GDPR-aligned principles.

1. Data Controller

The data controller is the Ministry of Physical Infrastructure and Transport, Government of Nepal, operating through the RRIMS platform. For data protection inquiries, contact the Data Protection Officer at support@rrims.tech.

2. Information We Collect

We collect the following categories of personal data:

  • Identity Data: Full name, citizenship number, date of birth, gender, photograph of citizenship card.
  • Contact Data: Mobile phone number, email address, emergency contact details.
  • Account Data: Username, password hash (bcrypt, never stored in plain text), role, preferences.
  • Geographic Data: Province, district, local government, ward, GPS coordinates (when voluntarily provided).
  • Report Data: Infrastructure issue descriptions, severity, photographs, videos, audio recordings, timestamps.
  • Technical Data: Device model, OS version, IP address, device fingerprint, session tokens, API access logs.
  • Usage Data: Login history, feature usage, notification preferences, offline sync records.

3. Legal Basis for Processing

  • Consent: Account registration and voluntary report submission.
  • Legitimate Interest: Platform security, fraud prevention, service improvement.
  • Legal Obligation: Public records retention, audit compliance, government accountability.
  • Public Interest: Infrastructure safety monitoring, emergency response coordination.

4. How We Use Your Data

  • To register, verify, and authenticate user accounts via email OTP and WhatsApp verification.
  • To process infrastructure reports and route them to assigned engineers and government authorities.
  • To provide real-time notifications, chat, emergency alerts, and status updates.
  • To generate analytics, SLA compliance reports, and AI-powered infrastructure insights.
  • To maintain security through audit logging, device fingerprinting, session management, and anomaly detection.
  • To fulfill legal obligations including public records, government audits, and law enforcement requests.

5. Data Sharing and Disclosure

  • Government Bodies: Authorized federal, provincial, district, and local government personnel based on role and jurisdiction.
  • Service Providers: Cloud hosting (AWS), file storage (Cloudinary), email delivery (SMTP), under data processing agreements.
  • Legal Requirements: When required by court order, lawful government directive, or to prevent imminent harm.

We do not sell personal data to third parties for commercial purposes.

6. Data Security Measures

  • AES-256 encryption for sensitive data at rest; TLS 1.3 for data in transit.
  • Bcrypt password hashing with a minimum cost factor of 12 (12 salt rounds).
  • Role-Based Access Control (RBAC) with 10 granular roles and geographic scoping.
  • Device fingerprinting, risk scoring, and zero-trust session validation.
  • Immutable audit logs with cryptographic integrity chain (HMAC-SHA256).
  • Rate limiting, SQL injection prevention, XSS filtering, CSRF protection.
  • Automated session expiration, maximum 5 concurrent sessions per user.

7. Data Retention

  • Active accounts: Data retained for the duration of the account plus 2 years after deactivation.
  • Infrastructure reports: Retained permanently as public government records.
  • Audit logs: Minimum 7 years per Nepal Public Records Act requirements.
  • OTP/Session data: Automatically purged after 24 hours.
  • Deleted accounts: Personal identifiers anonymized within 30 days; reports retained without attribution.

8. Your Rights

Under applicable Nepal privacy law and GDPR-aligned principles, you have the right to:

  • Access: Request a copy of your personal data held by RRIMS.
  • Rectification: Correct inaccurate personal information.
  • Erasure: Request deletion of your account (subject to public records exceptions).
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Restriction: Request limitation of processing in disputed cases.

To exercise these rights, contact support@rrims.tech or use the in-app account deletion feature.

9. Children's Privacy

RRIMS is not intended for use by individuals under 16 years of age. We do not knowingly collect data from minors.

10. International Data Transfers

Data may be processed on servers located outside Nepal (AWS Asia-Pacific region). All international transfers are protected by appropriate safeguards including encryption and contractual data processing agreements.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated through in-app notifications. Continued use after changes constitutes acceptance of the updated policy.

12. Contact Information

  • Data Protection Officer: support@rrims.tech
  • Technical Support: support@rrims.tech
  • Phone: +977-9851234567
  • Address: Ministry of Physical Infrastructure and Transport, Singha Durbar, Kathmandu, Nepal