Privacy Policy
Last updated: 18 June 2026
Choppkar ("we", "us", "our") operates the Choppkar loyalty platform. This policy explains how we collect, use, and protect your personal data in compliance with the Malaysia Personal Data Protection Act 2010 (PDPA).
1. Data We Collect
Customers (Members):
- Phone number — for OTP login and account identification
- Name — for personalisation and merchant records
- Stamp, redemption, and transaction history — to operate the loyalty programme
- Push notification subscription — only if you opt in
Merchants:
- Email and password — for account authentication
- Business name, slug, branding settings — to configure your loyalty page
- Staff names and PINs — for staff access management (PINs are stored as bcrypt hashes, not in plain text)
2. How We Use Your Data
- Operate, maintain, and improve the loyalty platform
- Authenticate your identity via OTP or email/password
- Send push notifications you have opted into
- Generate analytics for merchants about their programme performance
- Detect and prevent fraud, abuse, and security incidents
3. Data Sharing
We do not sell your personal data. We share data only with:
- The merchant whose loyalty programme you join — they can see your name, phone, stamps, and transaction history
- Supabase (database hosting) and Railway (server hosting) — as infrastructure providers, under their respective privacy policies
- Twilio — to deliver OTP SMS messages (phone number only)
- Law enforcement — if required by Malaysian law
4. Data Security
- All data is transmitted over HTTPS (TLS encryption)
- Staff PINs are stored with bcrypt hashing
- Row-Level Security (RLS) enforced at the database level
- Rate limiting and IP-based intrusion detection
- Security event logging and automated threat blocking
5. Data Retention
- Account data is retained while your account is active
- Security event logs are retained for up to 90 days
- You may request deletion of your data at any time (see Section 7)
6. Cookies & Local Storage
We use browser localStorage to store your session token for seamless login. We do not use tracking cookies, third-party analytics, or advertising trackers.
7. Your Rights (PDPA)
Under the PDPA, you have the right to:
- Access your personal data held by us
- Correct inaccurate or incomplete data
- Withdraw consent for data processing
- Request deletion of your personal data
To exercise any of these rights, contact us at the email below.
8. Children
Our service is not directed at individuals under 18. We do not knowingly collect data from minors.
9. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated date.
10. Contact
For privacy-related enquiries:
Email: privacy@choppkar.com