Privacy Policy
Last updated 28 May 2026
This policy explains how PocketLab ("we", "us") handles personal data in PocketPOS (the "Service"), in line with Malaysia's Personal Data Protection Act 2010 (PDPA), including the 2024 amendments. By using the Service you consent to the handling described here.
1. What we collect
- Tenant account data — your name, email, phone, business name, role, and login credentials (passwords stored as bcrypt hashes).
- Owner / business profile — registered business name, business type, industry, SSM number (optional), address, and details you fill in under Owner Details.
- Shop data you enter — products, categories, orders, expenses, suppliers, settings, and the catalogue you publish at your storefront URL.
- Storefront branding (optional) — logo, tagline, About blurb, hero banner, and the social-media URLs you publish to your customer-facing surface.
- Payment configuration — your payment-gateway credentials (e.g. ToyyibPay), encrypted at rest and used only to process your own sales.
- Your customers' data (where you choose to record it) — names, phone numbers, email addresses, notes, account balances (store credit), loyalty points, standing discounts, and order history. See §3.
- Customer membership accounts (Prime-tier opt-in) — when a tenant invites their customers to log in to the storefront, we additionally store a bcrypt-hashed customer password and time-limited invite tokens (single-use, 14-day expiry).
- Customer-uploaded payment receipts — when a customer pays a transfer/QR order from their bank app and uploads the resulting screenshot or PDF, that file is stored against the order so the tenant can verify payment. Bank account numbers and transaction references visible in those uploads are personal data and are treated as confidential.
- Operational logs — login events (successful and failed) including email and IP, used to detect brute-force activity. Retained for incident-response purposes only.
- Technical data — basic request logs and device information needed to run and secure the Service.
2. How we use it
To provide and operate the Service, authenticate you, process your subscription, provide support, keep the Service secure, detect and respond to abuse, and improve the product. We do not sell your personal data and do not use it for third-party advertising.
3. Your customers' data (PocketPOS as your processor)
When you record customers, orders, payment proofs, loyalty points, or store-credit balances against your customers in PocketPOS, you are the data controller for that information. You are responsible for having a lawful basis to collect it under the PDPA. We process it on your behalf to provide the Service. If a customer of yours exercises a PDPA right against you (access, correction, withdrawal of consent), you must fulfil that request — contact us if you need help extracting the data.
4. Who we share it with (sub-processors)
We use a small set of trusted providers strictly to run the Service. Each processes data only as needed to provide their part of the Service.
- Supabase — Postgres database and authentication infrastructure. Hosted in the ap-southeast-1 (Singapore) region.
- Cloudinary — image and PDF hosting for product images, transfer QR codes, branding logos and banners, and customer-uploaded payment receipts. Assets are addressed by unguessable random identifiers and are not listed or indexed publicly; as with any link-addressed file, anyone holding the full URL can view the asset, so treat receipt links as confidential.
- ToyyibPay — payment gateway. Used per-tenant for storefront / QR payments using your own ToyyibPay account, and at the platform level for your PocketPOS subscription billing.
- Vercel — application hosting and CDN. Sees request metadata (IP address, user agent) in transit but does not persist application data.
- WhatsApp (via wa.me deeplinks) — we generate "Send on WhatsApp" links you tap to open your own WhatsApp. No data is sent to Meta servers from the Service; you control the actual message before sending.
We may also disclose data where required by law (e.g. lawful court orders, statutory data-protection requests).
5. Cross-border transfers
Your data is stored with Supabase in the Singapore (ap-southeast-1) region. Cloudinary, ToyyibPay, and Vercel may process data outside Malaysia in jurisdictions with comparable data-protection law, and we rely on each provider's published security and data-handling commitments.
6. Storage & security
Data is transmitted over TLS and protected by row-level security policies, role-based access control, and per-account password hashing (bcrypt, which salts each hash individually). Payment-gateway credentials are encrypted at rest. Login attempts on every login surface are rate-limited, and failed attempts are recorded for brute-force detection. No system is perfectly secure, but we take reasonable measures to protect your data.
7. Retention
We keep your data for as long as your account is active and as needed to provide the Service or meet legal obligations. At the date of this policy:
- Tenant accounts and shop data — retained for the lifetime of your subscription. On request we will delete your account; we retain a minimal record of billing transactions where required by tax law.
- Customer-uploaded payment receipts — retained against the order for as long as the order exists. We are working towards a defined retention window after an order is marked paid; in the meantime tenants can delete a proof manually on the order detail page.
- Failed-login audit logs — retained for incident-response purposes; we are working towards an automated 90-day prune for this surface.
- Customer membership accounts — retained until the customer or the tenant requests deletion.
8. Your rights under the PDPA
You may request access to and correction of your personal data, and you may withdraw consent to its processing (which may mean we can no longer provide the Service to you). If you are a customer of a PocketPOS tenant, contact the tenant directly for requests about your shopping data; they are the data controller for that data. To exercise rights against PocketLab itself, contact hello@pocketlab.my. We respond within 21 days of receiving a request, the period the PDPA sets for access and correction requests.
9. Cookies
We use essential session, authentication, and locale-preference cookies needed to keep you signed in and to operate the Service (including a pp_locale cookie that remembers your language choice on the marketing site). We do not use cookies for third-party advertising or cross-site tracking.
10. Children
The Service is for business use by adults. We do not knowingly process the personal data of children under 18.
11. Changes
We may update this policy; the "last updated" date at the top will change, and material changes will be communicated through the Service or by email.
12. Contact
Privacy questions or requests: hello@pocketlab.my.