Your data, handled with care.

01Who we are

Astral Mantra Labs Pvt. Ltd. (“Astral Mantra Labs,” “we,” “us,” or “our”) is an AI studio based in Kathmandu, Nepal. We design and ship AI agents, conversational AI, computer vision systems, voice AI, synthetic AI, SaaS platforms, and workflow automation for clients worldwide.

This Privacy Policy explains what personal information we collect when you visit astralmantralabs.com (the “Site”) or engage with us as a prospective or active client, what we do with that information, who we share it with, and the choices and rights you have.

We are the data controller for personal information collected through the Site. For client engagements, we typically act as a data processor on behalf of our clients — that relationship is governed by a separate Data Processing Agreement (DPA), not this policy.

02The information we collect

2.1 Information you give us directly

When you fill out the “Start a Project” brief, the demo request form, or email us, we collect:

• Your name
• Your email address
• The project information you share — project type, timeline, problem description, the “perfect two-week demo” you'd want to see, and any other context you include
• Anything you choose to include in follow-up emails, calls, or messages — company name, role, phone or WhatsApp number, attachments

If you apply for a role through our Careers page, we additionally collect the information you provide in your application: CV, portfolio links, work history, references.

2.2 Information collected automatically

When you browse the Site, our hosting and analytics infrastructure may collect:

• Device and browser data: browser type and version, operating system, screen size, language preference
• Usage data: pages visited, time spent, referring URL, links clicked, approximate session duration
• Network data: IP address (truncated where supported), approximate geographic location derived from IP
• Cookies and similar technologies — see Section 7

2.3 Information from third parties

We may receive limited information about you from:

• Professional networks (e.g., LinkedIn) if you connect with us there
• Referrals — if an existing client or partner introduces you to us
• Public sources — your company website, public business registries, news articles — when we research a prospective engagement you've initiated

We do not buy contact lists or scrape personal data from social platforms for outreach.

2.4 What we do not collect

• We do not collect financial account numbers, payment card details, government ID numbers, or biometric data through the Site. Client invoicing is handled through separate, secure channels.
• We do not knowingly collect personal information from children under 18. If you believe a minor has provided us information, contact us and we will delete it.

03Sensitive personal information

Some of our work — particularly in healthcare intelligence — may involve sensitive data on behalf of clients. We treat the following as sensitive and apply heightened controls:

• Health or medical information
• Caste, ethnicity, religious belief, or political affiliation (sensitive categories under Nepal's Individual Privacy Act, 2075)
• Sexual orientation
• Financial information
• Information revealing the personal details of identified individuals processed through AI systems we build

We do not process sensitive personal information through the Site itself. Where a client engagement involves sensitive data, we operate under a written DPA, apply purpose limitation, and rely on the lawful basis the client has established with their data subjects.

04How we use your information

We use the information we collect for the following purposes:

We will not use your information for purposes materially different from those listed above without telling you first.

05How we use AI — and what that means for your data

Because we are an AI studio, we want to be specific about AI and your data.

5.1 The Site and your inquiries

• The contact and project-brief forms on this Site are read by a human — Bipin, KKP, or a teammate. We do not pipe your brief into a public AI service to auto-respond.
• We may use internal AI tools (e.g., assistants from Anthropic, OpenAI, or self-hosted models) to help us draft replies, summarise notes, or organise our inbox. When we do, these tools are configured to operate on enterprise terms that do not allow your data to be used to train the underlying model.

5.2 Client engagements

• When we build AI systems for clients, the data flowing through those systems belongs to the client. We are the processor.
• We never use a client's data, end-user data, or your project information to train our own models or any third-party model without explicit written consent.
• For each engagement, our DPA names the specific subprocessors (model providers, cloud vendors, observability tools) used and the regions they operate in.

5.3 Automated decision-making

The Site itself does not make automated decisions about you that produce legal or similarly significant effects. If a system we build for a client makes such decisions about you, the client — not Astral Mantra Labs — is responsible for explaining those decisions and providing the rights you're entitled to under applicable law (e.g., GDPR Article 22, the EU AI Act).

06Who we share your information with

We share personal information only with the following categories of recipients, and only when necessary:

• Service providers that help us run the Site and our business — for example: web hosting (Vercel / equivalent), email (Google Workspace), analytics (privacy-respecting providers where possible), customer-relationship tools, video conferencing, code hosting (GitHub). Each is bound by data processing terms.
• Subprocessors named in a client DPA for the relevant engagement.
• Professional advisors — lawyers, accountants, auditors — under confidentiality obligations.
• Authorities — courts, regulators, law enforcement — where we are required by Nepali law or other applicable law, or where disclosure is necessary to protect rights, safety, or property.
• Acquirers — if Astral Mantra Labs is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you and honour the commitments in this policy.

07Cookies & tracking

The Site uses a small number of cookies and similar technologies for:

• Essential operation — keeping the Site working, remembering form state. These cannot be turned off.
• Analytics — understanding aggregate usage (which pages are read, where readers come from). We aim to use privacy-respecting analytics that do not build cross-site profiles.
• Embedded media — video and animation assets may set cookies from their host (e.g., a video CDN).

You can control cookies through your browser settings. Blocking analytics or non-essential cookies will not break the Site.

If we add advertising cookies in the future, we will update this section and provide a consent banner before they fire.

08International data transfers

We are based in Nepal. Most of our service providers (cloud hosting, email, AI model providers) are based in the United States, the European Union, or other regions. When your data is transferred outside Nepal or outside your home country, we rely on one or more of the following safeguards:

• Standard Contractual Clauses (for EU/EEA data subjects)
• The EU–US Data Privacy Framework, where the receiving party is certified
• Contractual confidentiality and security commitments with every provider
• Encryption in transit (TLS 1.2 or higher) and at rest wherever the provider supports it

You can contact us for a current list of subprocessors and the regions they operate in.

09How long we keep your information

We keep personal information only as long as we need it for the purpose it was collected, plus any legal retention period required of us. Indicative retention periods:

• Project briefs that do not become engagements: up to 24 months, then deleted or anonymised
• Active and past client records: for the duration of the engagement plus 7 years (tax and contractual record-keeping)
• Email correspondence: up to 5 years
• Server logs and analytics data: typically 14 to 90 days
• Career applications: up to 12 months unless you ask us to keep your file longer for future roles

You can ask us to delete your information sooner — see Section 11.

10How we protect your information

We apply the reasonable security measures required under Nepal's Individual Privacy Act, 2075 and align with international good practice. In particular:

• HTTPS / TLS encryption on every page of the Site
• Access to internal systems is restricted to named team members and protected with strong passwords and multi-factor authentication
• Code, secrets, and credentials are stored in encrypted vaults — never in shared documents
• Production data is logically separated from development environments
• Software (CMS, plugins, server, dependencies) is kept up to date
• Regular backups, with restore tested periodically
• Security incidents are logged, investigated, and — where there is a risk of harm — notified to affected individuals without undue delay

No system is 100% secure. If a breach affects your personal information and creates a risk of harm to you, we will notify you and any required authority as quickly as we reasonably can.

11Your rights

Under Nepal's Individual Privacy Act, 2075 (2018) and the Individual Privacy Regulation, 2077 (2020) — and under GDPR, CCPA, or other laws if they apply to you — you have the following rights:

• The right to be informed — what we collect, why, and how we use it (this policy)
• The right of access — to receive a copy of the personal information we hold about you
• The right to rectification — to correct inaccurate or incomplete information
• The right to erasure (“right to be forgotten”) — to ask us to delete your information, subject to legal retention requirements
• The right to restrict processing — to ask us to pause processing while we sort out a question or dispute
• The right to object — particularly to processing based on legitimate interest and to direct marketing
• The right to data portability — to receive your information in a machine-readable format
• The right to withdraw consent — at any time, where we rely on consent
• The right not to have sensitive personal information processed without explicit consent
• The right to lodge a complaint — see Section 13

12Children's privacy

The Site and our services are intended for businesses and adults. We do not knowingly collect personal information from individuals under the age of 18 without the consent of a parent or legal guardian, as required under Nepal's Individual Privacy Act. If you believe we may have inadvertently collected information from a minor, please contact us and we will delete it.

13Complaints & dispute resolution

If you believe we have handled your personal information in a way that breaches this policy or applicable law:

1. Contact us first — email info@astralmantralabs.com and we will investigate and respond within 30 days.
2. If you are in Nepal, you may file a complaint at the concerned District Court within three months of the alleged violation, under Section 29 of the Individual Privacy Act, 2075.
3. If you are in the EU/EEA, UK, or another jurisdiction with a supervisory authority, you have the right to lodge a complaint with the data protection authority in your country.

14Changes to this policy

We may update this Privacy Policy from time to time — for example, when we adopt new tools, change our practices, or to reflect changes in the law (including Nepal's pending Information Technology and Cyber Security Bill, 2082 and the EU AI Act).

When we make material changes, we will:

• Update the “Last updated” date at the top of this page
• Post a notice on the Site
• For active clients and people on our mailing list, send an email summarising what changed

Continued use of the Site after a change means you accept the updated policy.

15Contact us

Astral Mantra Labs Pvt. Ltd.
Kathmandu, Nepal
Email: info@astralmantralabs.com
Website: https://astralmantralabs.com

For privacy-specific questions, email us with “Privacy” in the subject line.

This Privacy Policy is provided in English. If we publish a Nepali translation and there is a conflict between the two, the English version governs unless Nepali law requires otherwise.