Privacy Policy

Last updated: 15 July 2026

1. Data We Collect

Guests: Email address, phone number (optional), check-in history, transaction records, wallet pass identifiers, consent preferences.

Venue operators: Business name, contact email, bank account details (via Stripe), staff credentials, venue configuration.

2. How We Use Data

3. Legal Basis (GDPR)

We process data based on: contract performance (providing the service), legitimate interests (analytics, fraud prevention), and consent (marketing, location alerts, CRM sharing).

4. Data Sharing

We share data with:

We do not sell personal data to third parties.

5. Data Retention

Guest data is retained for the duration of the account plus 30 days. Transaction records are retained for 7 years (tax obligations). Event logs are retained for 1 year.

6. Your Rights

Under GDPR, you have the right to:

7. Cookies

We use essential cookies only (session management, CSRF protection). No tracking cookies, no advertising cookies, no analytics cookies that identify individuals.

8. Security

We use industry-standard security measures: TLS encryption, PBKDF2 password hashing, CSRF protection, rate limiting, and regular security audits.

9. International Transfers

All data is processed within the EU. Our infrastructure providers (Neon, Cloudflare) process data in EU regions.

10. Contact

For privacy inquiries or to exercise your rights, contact privacy@zipcheck.my.

Data Protection Officer: dpo@zipcheck.my