Skip to content

Privacy Policy

Last updated:

Draft: This policy is a working draft pending legal review. Contact support@jomjual.my for questions.

1. Introduction

This Privacy Policy describes how JomJual (“we”, “us”, or “our”), operated from Malaysia, collects, uses, discloses, and safeguards personal data collected through our multi-tenant e-commerce platform at jomjual.my, merchant subdomains (e.g. mystore.jomjual.my), and our merchant dashboard at app.jomjual.my (together, the “Services”).

We process personal data in accordance with the Malaysian Personal Data Protection Act 2010 (PDPA). This policy applies to both visitors of JomJual-hosted storefronts and merchants using our dashboard.

2. Data We Collect

2.1 Account information

  • Name, email address, phone number
  • Authentication identifiers provided via Supabase Auth (magic-link tokens, OAuth IDs)
  • Business details for merchants: store name, slug, pickup address, bank details for payouts

2.2 Merchant store data

For merchants, we store and process your store’s product catalog, orders, customer records, and homepage block configurations. This data is scoped to your store and not shared with other merchants.

2.3 Customer and buyer data

When a shopper places an order on a storefront powered by JomJual, we collect their name, email, shipping address, phone number, and order history on behalf of the merchant. The merchant is the primary data controller for their customers; JomJual acts as data processor.

2.4 Analytics and device data

  • Page views, clicks, and session metrics via Google Analytics 4 (GA4)
  • Conversion events via Meta Pixel and TikTok Pixel (when enabled by the merchant)
  • IP address, user-agent, approximate geolocation derived from IP
  • Cookies and similar technologies — see our Cookie Policy

2.5 Transactional data

  • Payment metadata (transaction ID, method, amount) via Razorpay / Curlec
  • Shipping label and tracking data via EasyParcel

We do not store full card numbers, CVV, or bank credentials — these are handled directly by the payment processor.

3. Legal Basis for Processing

Under the PDPA 2010, we rely on the following legal bases:

  • Consent — for analytics, advertising cookies, and marketing communications.
  • Contractual necessity — to provide the Services you signed up for (creating a store, processing orders, issuing payouts).
  • Legitimate interests — for fraud prevention, platform security, and product improvement, balanced against user rights.
  • Legal obligation — to comply with tax, accounting, and anti-money-laundering law in Malaysia.

4. Third-Party Sub-Processors

We rely on the following sub-processors to operate the Services. Each is bound by data processing terms consistent with the PDPA 2010.

ServicePurposeData sharedRetention
SupabaseDatabase, authentication, file storageAll account, store, order, and customer dataUntil account deletion
VercelApplication hosting and CDNIP address, request logs, edge cache data30 days (logs)
Google Analytics 4Aggregate traffic and conversion analyticsAnonymised page views, clicks, device class14 months
Meta PixelAdvertising attribution (where merchant enables)Hashed email, event metadata, page URLPer Meta’s policy (typically 180 days)
TikTok PixelAdvertising attribution (where merchant enables)Hashed email, event metadata, page URLPer TikTok’s policy (typically 180 days)
Razorpay / CurlecPayment processing (FPX, cards, e-wallets)Customer name, email, amount, order reference7 years (financial records)
EasyParcelShipping label creation and trackingRecipient name, address, phone, parcel dimensionsAs required for delivery + returns window

5. International Transfers

Some of our sub-processors (Supabase, Vercel, Google, Meta, TikTok) host or process data outside Malaysia, including in Singapore, the European Union, and the United States. Where data leaves Malaysia, we rely on the recipient’s published data protection terms and standard contractual clauses where available, consistent with Section 129 of the PDPA 2010.

6. Retention

  • Account data: retained for the life of your account. You may request deletion at any time (see Section 8).
  • Financial records (invoices, payment receipts, payouts): retained for 7 years per Malaysian Institute of Accountants (MIA) and Inland Revenue Board of Malaysia (LHDN) guidance.
  • Analytics data: up to 14 months (GA4 default).
  • Server and audit logs: up to 90 days.

7. Security

We use TLS 1.2+ for data in transit, database-level encryption at rest via Supabase, and row-level security to enforce tenant isolation between merchants. Access to production systems is restricted and audited.

8. Your Rights under the PDPA 2010

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Withdraw consent at any time for processing based on consent (analytics, marketing).
  • Request deletion of your account and associated data, subject to our legal retention obligations.
  • Limit processing for direct marketing.

To exercise any of these rights, email us at support@jomjual.my. We respond within 21 days per the PDPA 2010.

9. Children

The Services are not directed to individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, please contact us.

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. Material changes will be communicated via email (for merchants) or a prominent banner on our site. The “Last updated” date at the top of this page reflects the most recent revision.

11. Contact

For privacy questions, data subject requests, or complaints, contact our support team at support@jomjual.my.

If you are unsatisfied with our response, you may lodge a complaint with the Personal Data Protection Department of Malaysia (JPDP) at www.pdp.gov.my.

Privacy Policy - JomJual