Legal · Last updated 18 May 2026 (v3, advertising added)
Privacy notice
We collect the minimum data needed to run the directory and we don’t sell or trade it. This notice explains what we collect, why, who sees it, how long we keep it, and what rights you have under the Malaysian Personal Data Protection Act 2010 (as amended in 2024).
Who we are (the data controller)
Penang Renovations is operated as a Malaysian sole proprietorship by the website owner. For the purposes of the Personal Data Protection Act 2010 (PDPA), we are the data user (controller) for data submitted to or collected by this website.
Privacy contact: penangrenovations.com@gmail.com. We don’t currently meet the threshold for a designated Data Protection Officer under the 2024 amendments, but the privacy contact above is the right channel for any data-related request and we respond within 7 working days.
What we collect
The data we collect depends on how you use the directory:
- Visitors (everyone). Server access logs (IP address, user agent, referring page, request timestamps), retained for ~90 days for security and abuse-prevention purposes. We use Google Analytics 4 to understand aggregate traffic patterns. See “Cookies and tracking” below for what GA collects and how to opt out. We also use one essential first-party cookie for sign-in session continuity if you sign in.
- Homeowners contacting a contractor. When you send an inquiry through a contractor’s listing, we collect the name, contact method (email/phone/WhatsApp), and project details you provide. This is sent to the chosen contractor and retained on the directory for up to 24 months for inquiry-history purposes.
- Contractors claiming a listing. Business name, SSM business registration number, CIDB grade if applicable, business email and phone, services offered, suburbs served, photos you upload, and any other profile detail you choose to publish. Some of this is displayed publicly on the listing (the parts you intend to publish); the rest (private contact channels, internal notes) is retained for verification and support purposes only.
- Reviewers. Name (display name only is shown; full name not required), the contact method we used to verify your identity (typically WhatsApp), the contractor and project you’re reviewing, the review text, and an optional rating. The verification contact is not shown publicly.
- Paid claim and Featured/Premium subscribers. Payment is handled via DuitNow QR direct to a business bank account (no card data passes through this website). We retain transaction reference numbers and dates for accounting purposes for 7 years per Malaysian tax record requirements.
Why we collect it (lawful basis)
We collect personal data on these lawful bases under PDPA:
- Performance of contract: to deliver claimed-listing services to contractors who pay the claim fee, and to route inquiries from homeowners to chosen contractors
- Legitimate interest: to maintain a useful, accurate directory; to verify contractor credentials so homeowners can trust the listings
- Consent: for any optional communications (e.g. occasional product updates to claimed contractors, opt-out by reply)
- Legal obligation: to retain transaction records for tax purposes and to respond to lawful requests from Malaysian authorities
How we use it
The data flows we operate:
- Display claimed-listing content publicly on the directory (only the parts you mark as public)
- Route homeowner inquiries to the contractor selected on the listing page
- Send transactional emails (claim confirmation, payment receipt, occasional service updates) via Resend, our email-delivery provider
- Send internal operational alerts to ourselves via Telegram (e.g. “new claim submitted”); these alerts contain pseudonymous identifiers, not full personal data
- Verify contractor SSM and CIDB details against the public Suruhanjaya Syarikat Malaysia and CIDB registries
- Detect and prevent abuse (fake reviews, scraping, spam); we may temporarily inspect logs for suspicious patterns
Who we share with
We do not sell your data. We share specific personal data with specific parties for specific purposes, and only the minimum needed:
- Selected contractors: when you submit an inquiry, the contractor receives your name, contact method, and project details. They are bound by these terms not to use the data for any purpose other than responding to your inquiry.
- Supabase (data storage): listings, claims, reviews, and inquiries are stored in a Supabase Postgres database hosted in Singapore (ap-southeast-1). Supabase is our processor; they do not access your data for their own purposes.
- Vercel (web hosting): request logs and the deployed site are hosted on Vercel. Vercel processes the minimum data needed to serve pages.
- Resend (transactional email): outgoing emails (claim confirmations, payment receipts) are routed through Resend. Email addresses and message content are processed for delivery.
- Public registries (verification only): when we verify your SSM number or CIDB grade, we look it up against the relevant public registry. This is a one-direction lookup; we don’t hand your data to those registries.
- Google Analytics 4: aggregate traffic analytics. GA4 collects pseudonymous identifiers, page views, referring URLs, approximate location (city-level), device and browser info. Data is processed by Google LLC on US servers under Google’s own privacy and data-processing terms (see policies.google.com/privacy). We use GA4 to understand which content is found, where visitors come from, and what isn’t working, not to identify individual visitors.
- Google AdSense: we display third-party advertising on some content pages through Google AdSense. AdSense and its partners use cookies and similar identifiers to select ads and measure ad performance, which may include ads based on your prior visits to this or other websites. Ad serving is handled by Google LLC under Google’s own advertising terms (see policies.google.com/technologies/ads). We don’t pass your name, email, or inquiry details to Google for this.
- Lawful authorities: if compelled by a valid Malaysian court order, regulator request, or law-enforcement instrument, we will comply to the minimum extent required and, where lawful, notify the affected user.
Aside from the Google AdSense ads described above, we don’t run advertising-retargeting pixels (no Facebook Pixel, no LinkedIn Insight Tag) and we don’t sell or hand visitor inquiry data to any ad network.
How long we keep it
- Server access logs: ~90 days
- Homeowner inquiries: 24 months from submission
- Active claimed listings: indefinitely while the listing remains live
- Deleted listings: profile data is removed within 5 working days of a deletion request; underlying business name may persist as auto-imported (without your private contact methods, photos, or reviews)
- Transaction records: 7 years for tax compliance
- Email logs at Resend: per Resend’s retention policy (see resend.com/privacy)
Your rights
Under the PDPA, you have the right to:
- Access the personal data we hold about you
- Correct data that is inaccurate or out of date
- Withdraw consent for any processing based on consent (this may affect our ability to provide certain features)
- Limit processing in specific circumstances
- Receive your data in a portable format (data portability, recognised under the 2024 PDPA amendments)
- Lodge a complaint with the Personal Data Protection Department of Malaysia (Jabatan Perlindungan Data Peribadi, JPDP) if you believe we’ve mishandled your data
To exercise any of these, email penangrenovations.com@gmail.com from the email address associated with your data. We respond within 7 working days.
Cookies and tracking
Three cookie sources on the directory:
- One essential first-party cookie for sign-in session continuity, used only by claimed contractors and the directory admin, not by browsers of public listings.
- Google Analytics 4 cookies (typically _ga, _ga_<ID>) for aggregate traffic analytics. These are persistent first-party cookies set by GA4’s script. They contain pseudonymous IDs, not names or contact info.
- Google AdSense cookies set by Google and its advertising partners to select and measure the ads shown on content pages. These are third-party cookies; you can block them with your browser’s third-party-cookie controls without affecting the rest of the site, and you can manage ad personalisation at myadcenter.google.com.
To opt out of Google Analytics: install Google’s official opt-out browser add-on (works site-wide across any GA-using site you visit), or use your browser’s built-in cookie / tracking-protection settings to block third-party cookies for this domain. Visitors from the European Economic Area, the UK, and Switzerland see a Google-managed consent banner before personalised ads load, as required by EU and UK rules. We don’t currently show a consent banner to visitors elsewhere; this may change as PDPA enforcement evolves.
Security
The directory uses HTTPS for all traffic, Supabase Row-Level Security to enforce access boundaries between users, and encrypted storage at the database layer. We follow standard security practice for a small operation: secrets in environment variables (never in code), minimum-scope API keys, and prompt patching of dependencies.
In the event of a personal data breach affecting you specifically, we will notify you by email at the contact on your listing or inquiry record, in line with the PDPA 2024 breach notification requirements (currently 72 hours for serious breaches affecting more than the threshold of data subjects).
Children
The directory is intended for adult users: homeowners hiring contractors and contractors running businesses. We don’t knowingly collect personal data from anyone under 18. If you believe a minor has submitted data to the directory, contact us and we’ll delete it.
International transfers
Personal data is stored within Asia (Singapore region for Supabase, edge cache for Vercel) and the following processors route through US-based servers: Resend (transactional email), Google LLC (analytics). Where data leaves Malaysia, transfers are made under the “reasonable precautions” standard required by PDPA section 129. We use providers with mature security practices and contractual data-protection terms.
Changes to this notice
We may update this notice as the directory evolves. The “Last updated” date at the top reflects the latest version. Material changes will be flagged via the directory’s contact email and, for claimed contractors, via the email on your listing record.
Contact
Privacy questions, data requests, or breach reports: penangrenovations.com@gmail.com. For broader directory questions, see the FAQ or the About page.