Privacy Policy
AMBOI MY SDN. BHD. (operating Amboi.my; "we", "us", "our", "the Platform") is committed to safeguarding the privacy of every customer, vendor, guest, and administrator. This Privacy Policy explains how we collect, use, disclose, and protect personal data, in compliance with the Personal Data Protection Act 2010 (PDPA), the Communications and Multimedia Act 1998, the Consumer Protection Act 1999, and other applicable Malaysian laws.
By using Amboi.my, you confirm that you have read, understood, and consent to the collection and use of your information as described in this Policy.
1. Definitions
- Personal Data — any information relating to a directly or indirectly identifiable individual.
- Customer — a registered user planning, booking, or paying for an event service.
- Vendor — a registered business listing services on the Platform.
- Guest — an event invitee submitting an RSVP via a tokenised link, without a Platform account.
- Processing — any operation performed on Personal Data, including collection, storage, analysis, and disclosure.
2. Data We Collect
2.1 Customers
- Identity: full name, email address, mobile number (used for WhatsApp).
- Account: hashed password, login timestamps, device fingerprint.
- Event & booking: event type, date, location, guest count, dietary preferences, venue address, special requests.
- Payment: card type, last four digits, payment provider tokens (we never store full card numbers).
- Communications: messages exchanged with vendors, dispute submissions, review content.
- Activity: search queries, page views, clicks, geolocation (only with explicit consent).
2.2 Vendors
- Business: company name, SSM registration number, business address, contact phone.
- Owner identity: full name, NRIC/passport (for KYC verification only — stored encrypted).
- Banking: bank account number and bank name for payouts.
- Listing: service descriptions, photographs, packages, pricing, service areas.
- Operations: bookings received, response times, delivery logs, ratings, dispute history.
2.3 Guests (RSVP only)
- Name, contact (provided by the host customer).
- RSVP response, seat count, dietary preferences, optional notes.
- No password is collected — guest access is via a one-time tokenised link.
2.4 Administrators
- Identity, role, and access logs for security and compliance auditing.
- Actions taken on the Platform (vendor approvals, dispute resolutions, refunds).
3. Legal Basis for Processing
We process your Personal Data on one or more of the following bases recognised under PDPA 2010:
- Consent — for marketing communications, geolocation, and optional features (you may withdraw at any time).
- Performance of a contract — to fulfil bookings, process payments, and deliver services you have requested.
- Legal obligation — to comply with tax, anti-money-laundering, and consumer protection laws.
- Legitimate interest — to prevent fraud, secure the Platform, and improve our services.
4. How We Use Your Data
- To create and authenticate your account.
- To match customers with relevant vendors via our search ranking algorithm.
- To process bookings, escrow holds, refunds, and payouts.
- To send transactional notifications (email, in-app, WhatsApp, SMS).
- To facilitate dispute resolution between customers and vendors.
- To detect and prevent fraud, abuse, or security incidents.
- To comply with legal obligations and respond to lawful requests from authorities.
- For aggregate analytics that improve the Platform (no individual identification).
6. Third-Party Service Providers
We share limited data with the following categories of providers strictly to deliver the Platform's services:
- Payment gateways — Stripe, Billplz, ToyyibPay (for FPX, cards, e-wallets). They receive transaction details necessary to process payment.
- Messaging providers — MSG91 for WhatsApp Business API delivery.
- Email infrastructure — for transactional and notification emails.
- Cloud hosting — for storage of Platform data, encrypted at rest.
- Authorities — when required by Malaysian law, court order, or to protect our rights and the safety of others.
We do not sell your Personal Data.
7. Cross-Border Data Transfers
Some service providers (notably Stripe and certain cloud-hosting providers) process data outside Malaysia. Where this occurs, we ensure adequate safeguards are in place — including standard contractual clauses, encryption in transit and at rest, and the provider's own PDPA-aligned commitments.
8. Location & Geo-Tagging
- Customers may opt in to geolocation to find vendors near their event venue.
- Vendors may opt in to geo-tagging for service-area visibility.
- Geolocation is processed only with your explicit consent, which you can revoke at any time in your account settings or your browser.
- Location data is anonymised in aggregate analytics.
9. Data Security
- Passwords are stored using industry-standard one-way hashing (bcrypt).
- Sensitive data (NRIC, bank details) is encrypted at rest using AES-256.
- All web traffic is encrypted in transit using TLS 1.2 or higher.
- Multi-factor authentication is available and recommended for all accounts.
- We perform regular security assessments and maintain an audit trail of administrative actions.
- Access to production data is role-based and logged.
10. Data Retention
We retain Personal Data only as long as necessary for the purposes set out in this Policy or required by law:
- Active accounts — for the lifetime of the account plus 12 months.
- Booking & payment records — 7 years (Malaysian tax record-keeping requirement).
- KYC documents — 5 years after the last transaction (anti-money-laundering compliance).
- Marketing consent records — until withdrawn, plus 3 months for audit.
- Server logs — 90 days, except security-incident logs, which are retained for 1 year.
11. Your Rights Under PDPA 2010
Subject to the Act and applicable exemptions, you have the right to:
- Access the Personal Data we hold about you (Data Access Request).
- Request correction of inaccurate or incomplete data.
- Withdraw consent for processing (where consent is the legal basis).
- Object to direct marketing — by clicking "unsubscribe" in any marketing email or toggling preferences in Settings → Notifications.
- Request erasure of your data, subject to overriding legal retention obligations (e.g. tax records).
- Lodge a complaint with the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi) if you believe your rights have been violated.
To exercise any right, email our Data Protection Officer at dpo@amboi.my. We will respond within 21 days.
12. Children's Privacy
Amboi.my is not intended for children under 18. We do not knowingly collect Personal Data from minors. If you believe a child has provided us with their data, please contact us at contact@amboi.my and we will delete it promptly.
13. Data Breach Notification
If we discover a data breach that is likely to result in significant harm to you, we will notify you without undue delay, describe the nature of the breach, and outline the steps we are taking to mitigate it. Where required, we will also notify the relevant authorities.
14. Changes to This Policy
We may update this Policy from time to time. The version number and effective date at the top of this page will change accordingly. Significant changes will be communicated via email and an in-app banner at least 14 days before they take effect.
15. Contact Us
- General inquiries: contact@amboi.my
- Data Protection Officer: dpo@amboi.my
- Postal address: [Registered Office Address], Malaysia
By using Amboi.my, you acknowledge that you have read and understood this Privacy Policy.