Privacy Policy

Last updated: March 27, 2026

1. Who We Are

Doori ("we", "our", or "us") operates the Bus Tracking System mobile application. This policy explains how we collect, use, and protect your personal information.

Website: https://doori.co/  |  Email: dooribustracking963@gmail.com  |  WhatsApp: +977 9700269024

2. Information We Collect

We collect the following information when you register and use our app:

• Personal details: First name, last name, email address, phone number
• Real-time GPS location: Your saved pickup address (latitude/longitude). This is stored on our servers to determine when your bus is approaching.
• Driver real-time GPS location: Live GPS coordinates of drivers are collected continuously while their shift is active and broadcast to subscribed passengers. This data is not stored after a shift ends.
• Device push notification token (FCM token): A unique device identifier provided by Google Firebase is stored on our servers solely to send you push notifications. This token may change over time and is updated automatically.
• Payment information: We collect payment details necessary to process subscription fees. Payments are processed by Dodo Payments (Privacy Policy). We do not store full card numbers on our servers. Bank transfer references are stored for verification purposes.
• Usage data: Bus subscription preferences, notification history, route selections.

3. How We Use Your Information

• To provide the bus tracking service — calculating and broadcasting bus proximity to your pickup location
• To send push notifications (via Firebase) when your bus is approaching
• To allow drivers to be identified by name to passengers within the same organization
• To manage your account, subscription, and billing
• To communicate service updates, account changes, and subscription alerts via email

4. Real-Time Location Tracking

Driver GPS tracking: Drivers are explicitly informed at registration and must consent before their GPS location is tracked. Location is collected only while a shift is marked as active. No historical GPS trail is stored — data is deleted the moment a shift ends.

Passenger pickup location: Your saved pickup coordinates are stored on our servers and used solely to calculate bus proximity for notifications. This location is not shared with other users.

5. Push Notification Tokens (FCM)

We store a Firebase Cloud Messaging (FCM) device token on our servers to deliver push notifications to your device. This token:

• Is provided by Google Firebase and is unique to your device and app installation
• Is updated automatically each time the app starts
• Is deleted when your account is deleted
• Is governed by Google Firebase's Privacy Policy

6. Third-Party Services

We share data with the following third parties to operate the service:

• Google Firebase (Firebase Cloud Messaging): Sends push notifications to your device. Your FCM device token and notification payload are transmitted to Google's servers. Google Privacy Policy
• Dodo Payments: Processes subscription payments. Payment card data is handled directly by Dodo Payments and is not stored on our servers. Dodo Payments Privacy Policy
• Maptiler: Renders map tiles in the app. Your device's approximate location may be transmitted to Maptiler's servers to load map data. Maptiler Privacy Policy
• Hosting provider: Our servers are hosted on a third-party cloud provider. Data is stored in encrypted form at rest.

We do not sell your personal data to any third party.

7. Data Retention

• Account data (name, email, phone): Retained while your account is active. Permanently deleted 30 days after account closure or deletion request.
• Driver GPS data: Deleted immediately when a shift ends. No historical GPS trail is retained.
• FCM push tokens: Retained while your account is active. Deleted when your account is deleted.
• Notification history: Retained for 90 days, then automatically deleted.
• Payment records: Retained for 7 years as required by financial regulations.
• Account deletion: When you or your organization admin initiates account deletion, a 7-day recovery window applies. After 7 days, all personal data is permanently and irreversibly deleted from our systems.

8. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of your personal data
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your account and all associated data
• Portability: Request your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Withdraw consent at any time (e.g., disable location, revoke notification permissions)

GDPR (EU/EEA users): You have additional rights under the General Data Protection Regulation. You may lodge a complaint with your local supervisory authority.

CCPA (California residents): You have the right to know what personal data we collect, request deletion, and opt out of the sale of personal data. We do not sell personal data.

To exercise any of these rights, contact us at: dooribustracking963@gmail.com. We will respond within 30 days.

9. Children's Privacy (COPPA)

Our service is used by schools and organizations that may include users under 13 years of age. We comply with the Children's Online Privacy Protection Act (COPPA):

• Users registering as students are asked to confirm whether they are 13 or older
• Students under 13 must register through a parent or guardian who provides consent
• We do not knowingly collect personal data from children under 13 without verifiable parental consent
• If you believe a child under 13 has registered without consent, contact us immediately at dooribustracking963@gmail.com and we will delete the account

10. Security

We use industry-standard security measures including:

• Encrypted HTTPS/TLS connections for all data in transit
• Bcrypt password hashing — passwords are never stored in plain text
• Role-based access controls — users can only access data within their organization
• Encrypted data storage at rest on our hosting provider

No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security. In the event of a data breach affecting your rights, we will notify affected users and relevant authorities as required by applicable law.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by updating the date at the top of this page and, where appropriate, by email. Continued use of the app after changes constitutes acceptance of the new policy.

12. Contact & Data Controller

For any privacy-related questions, requests, or complaints:
Doori
Email: dooribustracking963@gmail.com
WhatsApp: +977 9700269024
Website: https://doori.co/
YouTube: youtube.com/@Doori-c7y
Address: Kathmandu, Nepal