- The Lekaly mobile app requires an account. You can sign up with email + password, with Sign in with Apple, or with Sign in with Google — all three create the same account.
- The app requests one system permission: notifications, only if you opt in. It does not request GPS, camera, contacts, microphone, or Apple’s App Tracking Transparency. Confirm in your phone’s Settings → Lekaly.
- Your saved plans and obtained-permits checklist sync to your account on api.lekaly.com so the same trip appears across devices. Waypoint notes and the AMS log stay on the device only.
- If you submit a quote request, we store it in MongoDB Atlas. Our Kathmandu ops team manually forwards it to two or three matched TAAN-licensed agencies — nothing is auto-shared.
- Both lekaly.com and the mobile app send anonymous product events (page/screen views + a small set of named events like “quote.submitted”) to our own server. No third-party analytics provider sees them. Analytics rows auto-delete after 365 days.
- We do not sell data. We do not run ads. No third-party ad SDK and no third-party analytics SDK ships with the app.
§01Accounts and sign-in
An account is required to use the Lekaly mobile app — every screen lives behind sign-in. You can create one of three equivalent ways: email + password, Sign in with Apple, or Sign in with Google. They all produce the same account; you can mix and match for later sign-ins.
Email + password. We store your email address, a bcrypt-hashed password (never the plaintext), and your name. A one-time code is mailed to you to confirm the address.
Sign in with Apple. Apple sends us an ID token signed by Apple. We extract your Apple user identifier (a stable opaque string) and your email — or Apple’s private-relay email if you chose to hide your real address. We store nothing else from Apple. We never request or receive a password.
Sign in with Google. Google sends us an ID token signed by Google. We extract your Google user identifier, your email, and the first and last name on your Google profile. We do not request any additional Google scopes — no Gmail, no Drive, no Calendar — and we never receive a password.
Once your account exists, you can optionally fill in profile fields the app uses to pre-fill quote requests and the permit checklist:
- Home base country and city, and trekking experience level.
- Emergency contact name, relationship, and phone.
- Insurance policy reference (provider + policy number + coverage in USD).
- A short medical-note field (e.g. “ciprofloxacin allergy”), blood type, and self-reported conditions.
- Last four characters of your passport number. Used only to pre-fill the permit checklist — not to verify identity.
- App preferences (units, language, theme, opt-ins for permit reminders and weather alerts).
All of those fields are optional. You can leave them blank or clear them later from Settings → Profile. None is shared with anyone unless you submit a quote request that includes the relevant value.
Your saved trek plans, obtained-permits checklist, and quote-request history sync to your account so the same trip appears across devices. Waypoint annotations and your AMS log (resting heart rate, headache score, dates) stay on the device only — they are not sent to api.lekaly.com.
§02Push notifications
When you tap the “Enable notifications” opt-in in the app, the app calls the standard iOS or Android permission prompt — the system dialog you see is the OS, not us. If you say Allow, the operating system issues a token that uniquely identifies your device to Apple’s APNs or Google’s FCM, routed through Expo’s push service. We store this token on your account in MongoDB Atlas alongside the platform (ios or android).
We send three kinds of notifications: an update when an agency replies to a quote you submitted, a reminder about a permit on your trip that you marked needed, and an alert if weather conditions on your trek change materially. We do not send marketing notifications.
You can revoke at any time, two ways: (a) toggle off in Settings → Notifications in the app, which clears the token on our side, or (b) turn off notifications for Lekaly in the system Settings, which the OS handles. Deleting your account also deletes the token.
§03What we deliberately don’t collect
- Your location. The app does not request NSLocationWhenInUseUsageDescription or Android ACCESS_FINE_LOCATION. The offline map renders a static SVG of the trail — there is no “where am I?” pin.
- Your address book, photos, microphone, or camera. None of those permissions are ever requested.
- Advertising identifiers. The app does not request App Tracking Transparency (Apple) or Advertising ID (Android). It does not bundle Meta SDK, AppsFlyer, Adjust, Branch, or any equivalent.
- Third-party analytics or crash SDKs. There is no Firebase Analytics, no Sentry, no PostHog, no Mixpanel, no Crashlytics in the mobile bundle. The screen-view and named-event telemetry we do collect (described in §07) goes only to our own server.
- Continuous background activity. The app has no background-fetch task and no silent push.
§04Quote requests (opt-in)
The quote flow is the only feature that sends what you typed off your phone. It runs only when you tap Send to agencies at the end of the request form.
We store the request in MongoDB Atlas with: trek and variant slug, start/end dates, party size, services requested (guide, porter, lodging, transport), budget band, a free-text preferences field, and the reply-to email you give us. If you were signed in, we attach your user id so you can see status in My quote requests.
Our Kathmandu ops desk reviews each request and forwards it to two or three TAAN-licensed agencies on the pilot panel. The forwarding is manual — there is no automatic distribution. Agencies receive the trek/dates/party/services payload; your name and contact details are revealed only after you accept a specific quote.
Quote requests are retained while the trip is being planned and for a period afterwards for our own records and dispute resolution. You can ask us to delete a specific request at any time (see §12); we confirm deletion within 14 working days.
§05Reviews (opt-in)
Signed-in trekkers can post a review of a trek. We store: your user id, the display name and country shown on your profile, the trek slug, a star rating, a title, and your review body.
Every review goes into a moderation queue before it appears publicly. Our ops team can approve, flag, or remove a review and records who did so and when. Published reviews appear on the public trek page; pending or flagged reviews are visible only to you and to ops staff.
§06Agency applications & messages from this site
The for-agencies page has an application form for TAAN-licensed agencies. When you submit it we store agency name, contact name/email/phone, city, license number, specialisations, website (if provided), and your free-text message. We use these to evaluate applications to the pilot panel and to contact you about the outcome.
If you write to [email protected] we keep the email thread in our inbox for as long as the conversation is open, plus an archive period for accounting and dispute records.
§07Page-view + product analytics
We collect two minimal streams of telemetry, both written directly to our own MongoDB on api.lekaly.com. No third-party analytics provider sees them.
From lekaly.com (the marketing site). A small page-view beacon fires when you load a page. Each row contains the page path, the referrer URL, a randomly-generated session id stored in your browser’s localStorage, your browser’s user-agent string, and a two-letter country code that Cloudflare attaches at the edge. The site also records named events on a short list of high-signal CTAs (e.g. cta.appstore.click, cta.contact.submit).
From the mobile app. When you move between screens, the app sends a screen-view row with the route name (e.g. HomeScreen) and a session id stored in AsyncStorage. It also records six product events tied to conversion moments: mobile.signup.completed, mobile.signin.completed, mobile.plan.saved, mobile.quote.submitted, mobile.quote.opened, and mobile.permit.done. Each event includes lightweight metadata (e.g. the chosen trek id, party size) — never free-text and never the contents of a quote request.
The mobile session id is not linked to your account in the row itself. Your authenticated requests do carry a bearer token, so a sufficiently determined correlation between the session id and a user id is technically possible — we don’t do that correlation, but we couldn’t honestly claim it’s cryptographically impossible.
Each row carries a TTL index of 365 days; MongoDB deletes them automatically after that. We do not extend or copy them out.
§08Cookies, sessions, and local storage
lekaly.comsets one item in your browser’s localStorage under the key lekaly.session — a randomly generated session id used only to deduplicate page-views from the same browser tab session. There are no cookies, no tracking pixels, and no third-party scripts on this site.
The mobile app uses AsyncStorage to keep your saved trek plans, waypoint notes, obtained-permits checklist, AMS log, app preferences, and (if you signed in) your JWT access and refresh tokens. AsyncStorage data lives in the app sandbox; it is wiped when the app is uninstalled.
The admin panel at admin.lekaly.com sets a JWT cookie for our ops/content team. Trekkers do not see that surface.
§09Email · OTP · password reset
We send transactional email for three reasons: a one-link account-confirmation when you register, a six-digit OTP when you start a password reset, and a confirmation when the password change succeeds. The OTP is valid for a short window; the email-confirmation link expires after 24 hours.
Email is delivered through a standard SMTP relay. We do not run marketing email, newsletters, or product-update campaigns from your address. If you write to ops we reply from a person.
§10Third parties we actually use
We try to keep this list short. Every line below is something we have actively wired up; we add to this list before we add a service, not after.
| Service | What it does for us | What it can see |
|---|---|---|
| MongoDB Atlas | Hosts our database (treks, permits, accounts, quotes, reviews, analytics). | All data we store — they are our processor. EU/SG region cluster. |
| Cloudflare | Edge proxy for lekaly.com + api.lekaly.com. | Standard request metadata (IP, user-agent). We read the cf-ipcountry header into our analytics rows. |
| Amazon S3 | Storage for blog cover images and ops file uploads. | The uploaded files themselves. Signed-URL access expires after 1 hour. |
| SMTP email relay | Account-confirm + password-reset OTP delivery. | The email subject + body of those transactional messages. |
| Apple | Sign in with Apple. Apple authenticates you and issues a signed ID token to our backend. | Your sign-in to Apple. We receive only the Apple-side user identifier and your email (which may be Apple’s private-relay address). Apple sees nothing about your usage of Lekaly afterwards. |
| Sign in with Google. Google authenticates you and issues a signed ID token to our backend. | Your sign-in to Google. We request only the basic profile scope — your Google user identifier, email, and name. We do not request access to Gmail, Drive, Calendar, or any other Google service. Google sees nothing about your usage of Lekaly afterwards. | |
| Expo Push Service (APNs / FCM) | Delivers the push notifications we send to your device if you opted in. | Your device push token, the platform, and the notification payload at the moment of delivery. Apple (APNs) and Google (FCM) handle the final hop. |
| App Store / Play Store | App distribution. | Apple / Google’s standard install metadata. We don’t see your store identity. |
| TAAN-licensed agencies | Receive a quote request you opted to send. | Trek, dates, party, services, budget band. Not your name or contact. |
We do not currently run Sentry, Plausible, Google Analytics, Mixpanel, PostHog, Firebase, or any payment provider.
§11Data retention at a glance
| Data | Retention |
|---|---|
| App data on your phone (AsyncStorage) | Until you delete it or uninstall the app. |
| Server-access logs (api.lekaly.com) | ~30 days, then rotated out. |
| Page-views and events on lekaly.com | 365 days, auto-deleted by a MongoDB TTL index. |
| Account profile (if you signed up) | Until you ask us to delete it. |
| Quote request | While the trip is being planned + a records-keeping window. Delete on request. |
| Review you posted | Until you ask us to remove it, or moderation removes it. |
| Agency application | For the duration of the application + records-keeping window. |
| Email correspondence with ops | Until the conversation is closed + an archive window. |
§12Your rights & how to delete
You can:
- Read what we have. Email [email protected] from the address tied to your account. We send a copy within 14 working days.
- Edit your profile. Settings → Profile in the app for emergency contact, insurance, medical note, passport last 4, etc.
- Delete a specific quote request or review. Tap delete in the app, or email us.
- Delete your whole account in-app. Settings → Delete account. The action is immediate, no email round-trip required:
- Your user record, profile fields (emergency contact, insurance, medical note, passport last 4), and push-notification token are hard-deleted from MongoDB at the moment of the request.
- Your in-app notifications are hard-deleted.
- Your quote requests are kept in the agency’s conversation history but anonymised — your name, email, phone, and home base are stripped and the link back to your user id is severed.
- Reviews you posted stay published (other trekkers rely on them) but the author label is changed to Former trekker and the link back to your user id is severed.
- A confirmation email is sent to the address that was on the account.
- Ask us to also delete your quote requests and reviews entirely.If the anonymisation above isn’t enough — for example you want a specific review removed from the public page — email [email protected] and we’ll hard-delete those records within 14 working days.
- Clear all on-device data. Uninstall the app — AsyncStorage is removed automatically by iOS/Android.
§13Children
Lekaly is intended for adult trekkers and trekking professionals. We do not knowingly create accounts for, or collect personal data from, children under 16. If you believe an account belongs to a child, write to [email protected] and we will remove it.
§14Contact
Privacy questions go to [email protected]. We answer within 5 working days during the trekking season, 10 working days during the monsoon, when nearly nobody emails us anyway.
Postal: Lekaly Pvt. Ltd., 3rd floor, Bhagwan Bahal Marg, Thamel-29, Kathmandu 44600, Nepal.
§15Changes to this policy
Material changes — new third-party services, new categories of data, anything that affects what we know about you — are announced as a Field Note at least 30 days before they take effect, and the “Effective” date at the top of this page changes. Editorial fixes (typos, clarifications) go in without notice; the effective date still moves.