Privacy Policy

Last updated: March 6, 2026 — Effective immediately

Summary: xyz complies with Malaysia's Personal Data Protection Act 2010 (PDPA). We collect only what's needed to connect you with service providers, we never sell your data, and you can request export or deletion at any time.

1. Who We Are

xyz ("we", "our", "us") is a service marketplace platform operated as an SSM-registered sole proprietorship in Malaysia. We connect customers with verified service providers across Malaysia, starting with the Klang Valley.

For questions about this policy, contact us at support@xyzmarketplace.my.

2. What Data We Collect

Data Type	Purpose	Required?
Name, email, phone	Account creation and communication	Yes
IC number (providers)	Identity verification	Yes (providers)
SSM number (providers)	Business verification	Optional
Bank details (providers)	Payout processing	Yes (providers)
Service addresses	Booking fulfilment	Yes (per booking)
Booking history	Service records and disputes	Automatic
Chat messages	Communication between parties	Automatic
Reviews and ratings	Trust and quality	User-initiated
App usage analytics	Improving the platform	Automatic
Push notification token	Sending notifications	With permission

Data We Do NOT Collect

We do not collect GPS/location tracking, contacts, camera/microphone access (except when you choose to upload photos), biometric data, or data from other apps on your device.

3. How We Use Your Data

We use your data to provide and improve our services, process bookings and payments, verify provider identities, send transactional emails (booking confirmations, payment receipts), resolve disputes, comply with Malaysian law, and communicate important platform updates.

We do not use your data for third-party advertising or sell it to any party.

4. Legal Basis (PDPA 2010)

Under Malaysia's Personal Data Protection Act 2010, we process your data based on your consent (provided at registration), contractual necessity (to fulfil bookings), and legitimate interest (platform security and fraud prevention).

5. Who We Share Data With

Third Party	Purpose	Data Shared
Billplz (Malaysia)	FPX payment processing	Transaction details
Supabase (Singapore)	Database and authentication	Account and booking data
Resend (Japan)	Transactional emails	Email address and name
PostHog	Product analytics	Anonymised usage data
Sentry	Crash reporting	Error logs (no PII)

We do not share your data with any other third parties. Service providers see only the information needed to fulfil your booking (name, service address, booking details).

6. Cross-Border Data Transfers

Some data is processed outside Malaysia (Singapore, Japan, EU) by our service providers. All transfers are protected by appropriate security measures and contractual obligations consistent with PDPA requirements.

7. Data Security

We protect your data with encryption in transit (HTTPS/TLS) and at rest, Row-Level Security on all database tables ensuring users can only access their own data, secure server-side payment processing (no card details ever touch our servers), input sanitisation to prevent injection attacks, and regular security audits following OWASP Mobile Top 10 standards.

8. Data Retention

Active account data is retained while your account is open. Booking records are kept for 7 years (Malaysian tax/business requirements). Chat messages are retained for 1 year after conversation ends. Deleted accounts enter a 30-day grace period, after which data is permanently anonymised (booking records are retained with anonymised references for financial compliance).

9. Your Rights Under PDPA

You have the right to:

Access — Request a copy of all your personal data (available in-app under Settings → Export My Data)
Correction — Update inaccurate information (via Settings → Edit Profile, or by contacting us)
Withdrawal of consent — Withdraw consent for data processing (this may limit platform functionality)
Data portability — Export your data in machine-readable JSON format
Deletion — Request account deletion (Settings → Delete Account, with 30-day grace period for reactivation)

We respond to all data requests within 21 days as required by PDPA. Contact support@xyzmarketplace.my for any requests.

10. Children's Privacy

xyz is not intended for users under 18 years of age. We do not knowingly collect data from minors. If we discover that a minor has created an account, we will delete it promptly.

11. Cookies and Tracking

The xyz mobile app does not use cookies. Our website (xyzmarketplace.my) may use essential cookies for basic functionality and analytics cookies (Google Analytics) to understand visitor behaviour. No advertising cookies are used.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via in-app notification and email. Continued use of xyz after changes constitutes acceptance. You can check the version of terms you accepted in-app at any time.

13. Complaints

If you believe your data rights have been violated, contact us first at support@xyzmarketplace.my. If we cannot resolve your concern, you may lodge a complaint with the Department of Personal Data Protection (JPDP) Malaysia.

Contact: support@xyzmarketplace.my · info@xyzmarketplace.my