Privacy Policy
Last updated: 14 February 2026
BengkelDay ("we", "us", or "our") is committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia, including the 2024 amendments. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our workshop management platform.
1. Data Controller
BengkelDay is operated as a software-as-a-service (SaaS) platform for automotive workshop management in Malaysia. For questions regarding this policy or your personal data, contact our Data Protection Officer at support@bengkelday.com.my.
2. Information We Collect
2.1 Information You Provide
- Account information: Name, email address, phone number, and password (managed via Clerk authentication)
- Business information: Workshop name, SSM registration number, business address, contact details
- Customer data: Your customers' names, phone numbers, email addresses, and vehicle information that you enter into the system
- Financial data: Invoice amounts, payment records, and billing information (payment card details are processed directly by Billplz and never stored on our servers)
- Communication data: Support requests, feedback, and correspondence with us
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, time spent, and interaction patterns
- Device information: Browser type, operating system, device type, and screen resolution
- Log data: IP address, access times, and referring URLs
- Cookies and similar technologies: Session cookies for authentication, preference cookies for settings (see Section 9)
3. PDPA Principles
We adhere to the seven data protection principles under Malaysia's PDPA 2010:
- General Principle: We process your personal data only with your consent or as permitted by law
- Notice and Choice Principle: We inform you of the purpose of data collection and provide choices regarding your data
- Disclosure Principle: We only disclose your data for the purposes stated in this policy or with your consent
- Security Principle: We implement appropriate technical and organisational measures to protect your data
- Retention Principle: We retain your data only for as long as necessary to fulfil the stated purposes
- Data Integrity Principle: We take reasonable steps to ensure your personal data is accurate and up to date
- Access Principle: You have the right to access and correct your personal data held by us
4. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the BengkelDay platform
- Process your subscription payments and manage your account
- Send transactional emails (payment receipts, trial reminders, account notifications)
- Respond to your support requests and enquiries
- Monitor platform performance, security, and usage analytics
- Comply with legal obligations, including tax and regulatory requirements
- Improve our services based on aggregated, anonymised usage patterns
5. Data Storage and Cross-Border Transfers
Your data is processed and stored using the following service providers, some of which operate outside Malaysia:
- Supabase (Database): PostgreSQL database hosted in the Southeast Asia region (Singapore). Your primary business data is stored here.
- Clerk (Authentication): User authentication and identity management, servers located in the United States
- Vercel (Hosting): Application hosting with edge network, servers located globally including the United States
- Resend (Email): Transactional email delivery, servers located in the United States
- Billplz (Payments): Payment processing, operated and hosted in Malaysia
In accordance with the PDPA 2010, we ensure that any cross-border transfer of personal data is made to jurisdictions that provide an adequate level of data protection, or that appropriate safeguards are in place through contractual arrangements with our service providers.
6. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption in transit using TLS/SSL for all data transmissions
- Encryption at rest for stored data
- HMAC-SHA256 webhook signature verification for payment processing
- Role-based access controls within the platform
- Multi-tenant data isolation — each organisation can only access its own data
- Regular security reviews and monitoring
7. Data Breach Notification
In the event of a personal data breach that is likely to cause significant harm, we will:
- Notify the Personal Data Protection Commissioner within 72 hours of becoming aware of the breach
- Notify affected data subjects as soon as practicable
- Document the breach, its effects, and remedial actions taken
8. Data Sharing
We do not sell your personal data. We may share your information only in the following circumstances:
- With the third-party service providers listed in Section 5, solely to operate our platform
- To comply with legal obligations, court orders, or regulatory requests
- To protect our rights, privacy, safety, or property, and that of our users
- With your explicit consent
9. Cookies and Tracking
We use cookies and similar technologies for the following purposes:
- Essential cookies: Required for authentication, session management, and platform security. These cannot be disabled.
- Preference cookies: Remember your settings and display preferences
- Analytics cookies: Help us understand how users interact with the platform to improve our services
You can control non-essential cookies through your browser settings. Disabling essential cookies may prevent you from using the platform.
10. Multi-Tenancy and Data Isolation
BengkelDay is a multi-tenant application. Your organisation's data is logically isolated from other organisations. Each organisation can only access its own data through enforced access controls at the application level.
11. Data Retention
We retain your data according to the following schedule:
- Active accounts: Data is retained for the duration of your active subscription
- Cancelled accounts: Account data is retained for 90 days after cancellation to allow for reactivation, then permanently deleted
- Financial records: Invoice and payment data is retained for 7 years to comply with Malaysian tax and accounting requirements (Income Tax Act 1967)
- Log data: Server and access logs are retained for 12 months
- Backup data: Database backups are retained for 30 days
12. Your Rights
Under the PDPA 2010, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete personal data
- Withdrawal of consent: Withdraw your consent for data processing (this may affect your ability to use the platform)
- Data portability: Request your data in a structured, machine-readable format for transfer to another service
- Deletion: Request deletion of your personal data, subject to legal retention requirements
- Complaint: Lodge a complaint with the Personal Data Protection Commissioner if you believe your data rights have been violated
To exercise any of these rights, please contact us at support@bengkelday.com.my. We will respond to your request within 21 days.
13. Children's Privacy
BengkelDay is a business-to-business platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and, where appropriate, by sending you an email notification. Your continued use of the platform after any changes constitutes acceptance of the updated policy.
15. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at:
- Email: support@bengkelday.com.my
- Subject line: Privacy Policy Inquiry
You may also contact the Personal Data Protection Department (JPDP) of Malaysia at www.pdp.gov.my if you wish to lodge a complaint.
This Privacy Policy is governed by the laws of Malaysia, specifically the Personal Data Protection Act 2010 (Act 709) and its subsequent amendments. In the event of any inconsistency between the English and Bahasa Malaysia versions, the English version shall prevail.