
platehaus.my Privacy Policy (v1)

Effective date: 12 Mar 2026

Version: v1.7 • Last Updated: 12 Mar 2026

Who we are / Data Controller: Platehaus Sdn. Bhd. (SSM: 202501045049) operating platehaus.my

Contact (privacy): support@platehaus.my

Registered Address:

CT-06-21 Subang Square Corporate Tower,
Jalan SS15/4G, SS15
47500 Subang Jaya
Selangor

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you use platehaus.my. We follow Malaysia’s Personal Data Protection Act 2010 (PDPA) principles: General; Notice & Choice; Disclosure; Security; Retention; Data Integrity; Access.

This Policy forms part of our Personal Data Protection (PDP) Notice. We present it at or before the time we collect your data, and again before any new purpose or new third-party disclosure. When we update it, we'll notify you in-app.

Bahasa Malaysia: A Bahasa Malaysia (BM) version will be provided. If there is any inconsistency, the English version controls.


1) Scope

  • All websites, apps, APIs, and services under platehaus.my.
  • All users: buyers, sellers, and affiliate partners.
  • Data we collect directly, from your device/browser, and from providers (e.g., email, analytics, hosting/CDNs).

2) What we collect, why, and how long we keep it

| Category / Data | Required? | Main purposes | Retention |
|---|---|---|---|
| All users | | | |
| Profile picture | Optional | Personalisation; shown on profile | Until you delete (subject to brief cache/backup cycles) |
| Full name | Required | Accounts, orders, anti-fraud, records | Only if you place an order → keep 7 years from completion; otherwise while account is active or until deletion |
| Email | Required | Login, notifications, orders, anti-fraud | Same as full name |
| Phone number | Optional | Order coordination, support, anti-fraud | Same as full name |
| Residential state/city | Required | Localisation, dealings, anti-fraud | Same as full name |
| Nationality | Required | Operate marketplace, anti-fraud | Same as full name |
| Business Accounts | | | |
| SSM ID / company reg. no. | Required | Compliance, invoicing, records | 7 years from transaction completion |
| Disputes / on request | | | |
| KYC docs (IC/passport, proof of address) | On request | Identity verification, anti-fraud, dispute handling, legal compliance | For duration of the investigation/dispute + 7 years (or longer if required by law) |
| JPJ-related docs | On request | Establish ownership/transfer; resolve disputes | Same as above |
| Screenshots / evidence | On request | Fact-finding; dispute resolution | Same as above |
| Sellers (listing & transfer support) | | | |
| JPJ ownership document | Optional | Ownership proof; Verified badge | Only if listing proceeds to sale; otherwise removed. If retained → 7 years |
| Transfer documents | Optional | Anti-fraud; document successful transfer | If provided for a sale → 7 years |

Verified badge: If you upload ownership/transfer docs, we may show a Verified badge after surface-level checks. The badge is informational only (based on seller-submitted documents at that time) and not a warranty by platehaus.my. We may revoke it if issues arise.


3) How we use your data

  • Operate the marketplace: accounts, listings, chats, orders, payouts, and affiliate attribution (last-click).
  • Payments & anti-fraud: manage manual online banking transfers (DuitNow Transfer, DuitNow QR, RENTAS); verify payment reference codes; detect/prevent fraud, abuse, and fee-avoidance.
  • Support & disputes: investigate issues, propose resolutions, and keep immutable logs (listing IDs, timestamps, referral/attribution records, messaging metadata).
  • Compliance & records: tax/accounting, AML/CFT screening (when warranted), regulator requests.
  • Improvement, advertising measurement & analytics: product measurement, advertising attribution, funnel analysis, campaign optimisation, and performance/security monitoring using tools such as Google Analytics, Google Ads, Vercel Analytics, TikTok Pixel, and TikTok Events API.
  • Communications: transactional emails and optional marketing (you can opt out any time).

We do not sell your personal data.


4) Who we share with (processors & partners)

Service providers and business tools we use today (named): These providers help us deliver the service, measure usage, and measure advertising performance. We limit what we share to what’s necessary for each purpose.

| Provider (role) | What they do | Typical data they process | Primary processing locations* | Contractual safeguards |
|---|---|---|---|---|
| Cloudflare (DNS/CDN/WAF/Turnstile) | Serve content, protect against abuse | IP address, request headers, device/traffic logs; Turnstile response | Global edge network | Customer DPA; security & confidentiality obligations |
| Vercel (hosting & edge runtime) | Host app, run edge functions, web analytics | Request/response logs, app telemetry, page views, visitor data, minimal user metadata needed to serve requests | Singapore (primary), plus global edge | DPA incorporated in service terms |
| Supabase (database/auth/storage/realtime)** | Store account/marketplace data, auth, file storage | Account/profile data, order records, chat metadata, files you upload | Singapore (primary project region) | Signed DPA (via Supabase dashboard) |
| Twilio SendGrid (email delivery) | Send transactional/service email | Email address; message metadata; message content/templates you receive | Global email infrastructure | DPA incorporated in service terms |
| Google Analytics (product analytics) | Measure product usage | Pseudonymous IDs, event data, IP/address info per your GA settings | Per GA property settings | Platform terms incl. data protection addendum |
| Google Ads (advertising measurement) | Measure ad clicks, attributed conversions, and enhanced conversion matching | Click IDs (for example gclid, gbraid, wbraid), conversion metadata, and hashed identifiers such as hashed email / phone when available and permitted | Per Google Ads account settings | Google Ads / Google platform contractual terms and data protections |
| TikTok Business Products (Pixel + Events API) | Measure ad performance, match web events to campaigns, improve delivery/retargeting suppression | Pixel/cookie IDs (for example _ttp), click IDs (for example ttclid), page URL/referrer, event metadata, device/browser data, IP address, user agent, and hashed identifiers (such as hashed email/phone/external ID) where available | Provider service infrastructure / cross-border as operated by TikTok | TikTok Business Products terms and applicable data protections |
| Google Cloud Document AI (OCR, feature-dependent) | Extract text from images/docs you submit | Images/PDFs you intentionally upload for OCR; extracted text | Google Cloud regions | Google Cloud Data Processing Addendum |
| OpenAI API (AI inference, feature-dependent) | Process text you send to specific AI-assisted features | Only the text you choose to send to those features | Provider regions (service infrastructure) | Service agreement + data processing terms |
  • Locations: Indicated regions reflect our current configurations and providers’ public documentation; CDNs/email systems may transit/cache data globally. See Section 5 on cross-border transfers.

Other necessary disclosures. We may also disclose personal data to banks/payment operators, auditors/advisors, insurers, regulators/courts, law enforcement, to protect users/our rights, or as part of a merger/acquisition (with continuity of protections).

Sub-processor changes

We keep this list up to date. If we add or replace a processor in a way that materially affects how your data is processed, we’ll give at least 14 days’ notice via this page and/or an in-site notice. The Effective date at the top reflects the latest update.


5) International transfers (Cross-Border Transfer Basis)

Some processing occurs outside Malaysia (e.g., Singapore and global locations used by our providers and their sub-processors, including transient caching at the network edge). When we transfer personal data outside Malaysia, we do so only under bases permitted by the Personal Data Protection Act 2010 (PDPA) Section 129 and applicable regulations, and we take steps to ensure a level of protection that is comparable to the PDPA.

Transfer bases we may rely on include:

  • Contractual safeguards with recipients (including onward-transfer restrictions, security, confidentiality, and deletion/return obligations);
  • Reasonable precautions and due diligence to ensure PDPA-comparable protection by the recipient;
  • Transfer to a prescribed country/territory (when a whitelist is designated by regulation);
  • Necessity to perform a contract with you, or to take pre-contract steps at your request;
  • Necessity to conclude or perform a contract in your interest between us and a third party (e.g., logistics, payments);
  • Establishment, exercise or defence of legal claims or obtaining legal advice;
  • Protection of vital interests;
  • Substantial public interest or where required by law, regulator, or court; and/or
  • Your consent, where appropriate.

Additional information:

  • Primary processing regions for core providers today include Singapore (database/hosting) and global network edges (CDN, email). See Section 4.
  • We limit transfers to what is necessary, apply encryption in transit, and require recipients to implement appropriate technical and organisational measures.
  • You may request a summary of key contractual safeguards (with commercially sensitive terms redacted) by contacting support@platehaus.my.

Where are processors located? See Section 4 (table) for current providers and typical processing locations. We minimise cross-border transfers and apply safeguards as described above.


6) Cookies & analytics (incl. Affiliate attribution)

We use cookies and similar technologies to keep you logged in, remember preferences, measure site usage, attribute affiliate referrals, and measure advertising performance. Attribution model: last-click. Default cookie window: 30 days (as shown in your dashboard). We may change the window with in-site notice. Analytics retention: event-level analytics typically 14 months (or the closest available setting). You can control non-essential cookies in your browser settings.

We currently use Google Analytics, Google Ads, Vercel Analytics, TikTok Pixel, and TikTok Events API as named in Section 4.

For Google measurement, we may collect or share:

  • click identifiers and attribution identifiers (for example gclid, gbraid, wbraid, and related Google click cookies);
  • page URLs, landing paths, referrers, browser/device information, IP address, and user agent as available through Google tags and conversion tooling;
  • conversion metadata such as order identifiers, payment identifiers, timestamps, value, and currency; and
  • hashed customer identifiers (for example hashed email and hashed phone number) for Google Ads Enhanced Conversions when available and permitted.

Our current browser-side Google tag configuration keeps ad personalization signals disabled. Enhanced Conversions, where enabled, are used for conversion measurement rather than browser-side ad personalization.

For TikTok measurement, we may collect or share:

  • click identifiers and cookie identifiers (for example ttclid and _ttp);
  • page URLs, referrers, event metadata, browser/device information, IP address, and user agent;
  • hashed customer identifiers (for example hashed email, hashed phone number, and hashed internal user ID/external ID) when available and permitted;
  • server-confirmed events such as registration, contact intent, checkout progression, and verified purchases.

We may also enable first-party cookies, Automatic Advanced Matching (AAM), and expanded data sharing in TikTok’s business tools to improve attribution, event matching, conversion measurement, and campaign optimisation. Where enabled, these settings may collect additional page metadata, visitor interaction signals, and site performance diagnostics. We do not intentionally send special-category/sensitive personal data to these tools.


7) Security (shared-responsibility with our providers)

We apply administrative, technical and physical safeguards across our stack; providers secure the infrastructure and offer features we configure and monitor.

Application & data layer (Supabase/Postgres)

  • Encryption: TLS in transit; encryption at rest (e.g., AES-256 where supported).
  • Fine-grained access: Row Level Security (RLS) policies for per-user access on PII/transaction tables.
  • Backups & recovery: automatic daily backups; point-in-time recovery where applicable.

Edge & hosting (Vercel)

  • Managed edge platform with DDoS mitigation and network hardening; SOC 2 / ISO certifications.

Network perimeter (Cloudflare)

  • TLS/HSTS; WAF (XSS/SQLi/RCE rulesets) and always-on DDoS protection.

Operational controls (our commitments)

  • Breach response: If a personal-data breach likely risks harm, we’ll assess promptly and notify affected users and/or regulators where required.

  • Payment security: We do not collect or store card data. Payments are made via manual online banking transfers directly from Buyers' bank accounts to our collection account.


8) Sensitive data policy

We do not intentionally collect sensitive personal data (e.g., health information, religion, biometric templates). Please do not upload such data. If provided inadvertently, we will delete or restrict it where feasible and appropriate.


9) Your choices & rights

  • Access & correction: Use Account Settings or email support@platehaus.my. We verify identity and aim to respond within 14 days. We may refuse where permitted by law and will explain why.
  • Marketing opt-out / cessation: Click Unsubscribe in emails or adjust settings. You may issue a marketing cessation request to support@platehaus.my at any time.
  • Deletion: You can delete optional data (e.g., profile picture). We remove it from active systems and, where feasible, from backups within normal cycles. Order/financial records may be kept as required by law. You may request deletion of your account through the in-site deletion option.
  • Complaints: Contact us first. You may also lodge a complaint with Jabatan Perlindungan Data Peribadi (JPDP).
  • Children / age gate: platehaus.my is not for children and not intended for persons under 18. We use reasonable measures to prevent under-age use and will delete/suppress such data if found.

10) Retention summary (quick view)

| Record type | Standard retention |
|---|---|
| Orders/transactions & business records (incl. SSM ID) | 7 years from completion |
| Disputes/investigations (incl. KYC/JPJ/evidence) | Duration of dispute + 7 years (or longer if legally required) |
| Analytics data | 14 months (or nearest provider setting) |
| Server/security logs | 90–365 days depending on log type |
| Encrypted backups | Up to 90 days on rolling overwrite schedules |
| No-order accounts | While account is active; delete on request |

11) Third-party links

Our site may contain links to third-party websites. Their privacy practices are their own; please review their policies.


12) Change-of-purpose notice

If we intend to process your data for a new purpose that is incompatible with this Policy, we will notify you in advance and, where required, obtain your consent.


13) Changes to this policy

If we make material changes, we’ll email you and/or display an in-site notification/banner. We will date-stamp this page and, where required, request your re-consent.


14) Contact us

Questions or requests about privacy? Email: support@platehaus.my


15) Registration note

Where required, we will register as a Class of Data User with the JPDP and maintain such registration in accordance with the regulations.