Privacy Policy

Last updated: May 28, 2026

1. Introduction

Welcome to VegeBuddy (“we,” “our,” or “us”). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website.

VegeBuddy is operated from Malaysia and processes personal data in accordance with the Personal Data Protection Act 2010 (PDPA) and its 2024 amendments. Where this Policy refers to your rights or our obligations, those references should be read together with the PDPA and other applicable Malaysian laws.

2. Information We Collect

We collect information that you provide directly to us, including:

  • Account Information: Email address, username, profile picture, and other profile details when you create an account
  • User Content: Photos, posts, comments, and other content you share through the app
  • Location Data: With your permission, we collect location information to show nearby vegetarian restaurants and places
  • Usage Data: Information about how you interact with the app, including features used and time spent
  • Device Information: Device type, operating system, and unique device identifiers

2a. Biometric Data (Special Category)

If you use VegeBuddy Jio Connect (our community meet-up feature), we will ask you to take a live selfie as part of identity verification. Under the 2024 amendments to the PDPA, biometric data is treated as a special category of personal data and is subject to additional safeguards.

  • Category: Facial photo (biometric data), captured live in-app via the device camera.
  • Purpose: Identity verification and real-person ('liveness') check only — to confirm you are a real human and not an impersonator. We do not use it for marketing, ad targeting, face recognition across the platform, or any profile-matching feature.
  • Legal basis: Your explicit, opt-in consent, captured by an in-app consent gate immediately before the camera is activated. You may decline, and you may withdraw consent at any time by deleting your Jio Connect profile or your VegeBuddy account.
  • Retention: The selfie is stored only for as long as your Jio Connect profile remains active. It is deleted within 30 days of (a) you completing onboarding and passing verification, (b) you deleting your Jio Connect profile, or (c) your VegeBuddy account being deleted — whichever happens first.
  • Sharing: Never shared with third parties. The selfie is stored in our Supabase backend (Singapore region) with access restricted to a small number of authorised reviewers for verification purposes. It is not sold, licensed, exported to ad networks, or used to train any machine-learning model.
  • Your control: You can request immediate deletion of your selfie at any time via Settings → Privacy & Data → Delete biometric data, or by emailing the Privacy Team at the address in Section 11.

3. How We Use Your Information

We use the collected information to:

  • Provide, maintain, and improve our services
  • Personalize your experience and show relevant content
  • Enable community features like posts, comments, and social interactions
  • Show nearby vegetarian restaurants and places based on your location
  • Send you notifications about activity, updates, and promotions (with your consent)
  • Display advertisements, including personalized ads
  • Analyze usage patterns to improve our app
  • Protect against fraud and ensure security

4. Advertising

We use third-party advertising services to display ads in our app. These services may collect and use certain information about your device and app usage to provide personalized advertisements. Our advertising partners include:

  • Google AdMob: Google may use cookies and device identifiers to serve ads based on your interests. Learn more at policies.google.com/privacy

You can opt out of personalized advertising in your device settings.

5. Data Sharing — Named Processors & Sub-processors

We rely on a small number of carefully selected service providers (“processors” and “sub-processors”) to operate VegeBuddy. Each processor only receives the categories of data they need to perform a specific function on our behalf, under a contract that requires them to protect your data and use it only for our stated purposes.

  • Curlec (a Razorpay company) — payment processing (card, FPX, e-wallets) — data: name, email, phone, payment instrument details, transaction amount — hosting: Malaysia (Curlec is incorporated in Malaysia; Razorpay parent operations are in India).
  • Billplz — payment processing (FPX, e-wallets) for food and mart orders — data: name, email, phone, transaction amount — hosting: Malaysia.
  • Lalamove — on-demand courier dispatch for food/mart orders — data: recipient name, delivery address, phone number, order reference — hosting: Regional (Hong Kong HQ, Malaysia operations).
  • EasyParcel — scheduled courier dispatch for mart orders — data: recipient name, delivery address, phone number, parcel details — hosting: Malaysia.
  • Supabase — primary backend: authentication, database, file/photo storage, edge functions — data: all personal data held by VegeBuddy (account, content, location, biometric selfie, transactions) — hosting: Singapore (AWS ap-southeast-1).
  • Firebase Cloud Messaging (Google Cloud) — push notification delivery only (no Firebase Analytics or Crashlytics is enabled in this build) — data: device push token, message payload metadata — hosting: US / global Google Cloud regions.
  • Google AdMob — ad serving in the free tier of the app; also the only analytics provider currently in use (it reports aggregated ad impression, click, and frequency metrics) — data: advertising ID (resettable by you in device settings), device type, coarse usage signals tied to ad units — hosting: US / global. Personalised vs non-personalised ads are governed by your in-app consent choice (see Section 4b). No standalone product-analytics SDK (Firebase Analytics, Sentry, Amplitude, Mixpanel, Segment, PostHog) is bundled in the current app build.
  • Cloudflare — CDN, edge caching, and well-known file delivery — data: IP address, request metadata — hosting: Global edge network.
  • Resend — transactional and administrative email (verification, receipts, report acknowledgements) — data: email address, message content — hosting: US.

We may also share your information where required by Malaysian law, by a valid court or regulator order, or to protect the safety and rights of users and the public. We do not sell your personal information to third parties.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These include transport encryption (HTTPS/TLS), encryption at rest for our database and storage, role-based access control, audit logging, and regular security reviews. However, no method of transmission over the Internet is 100% secure.

6a. Data Breach Notification

If we become aware of a personal data breach that is likely to cause significant harm to you, we will notify you and the relevant Malaysian authority (the Personal Data Protection Commissioner) without undue delay, and in any event within the timelines required under the PDPA and its 2024 amendments. The notification will describe the nature of the breach, the categories of data affected, the steps we have taken to contain it, and the actions you may take to protect yourself.

6b. International Data Transfers

Malaysia is our primary jurisdiction and the place where most personal data is processed. However, because some of the service providers listed in Section 5 operate outside Malaysia, your personal data may be transferred to and processed in the following locations:

  • Singapore — Supabase (primary backend, including database, storage, and biometric selfie).
  • United States — Firebase Cloud Messaging / Google Cloud (push delivery only), Google AdMob (advertising and aggregated ad analytics), Resend (transactional email).
  • India — Razorpay corporate operations behind Curlec (payment infrastructure).
  • Global edge — Cloudflare CDN (caching and delivery, no permanent storage of personal data).

Legal basis for cross-border transfer: these transfers are necessary for the performance of the contract between you and VegeBuddy (i.e. to deliver the service you signed up for), and, where required, are made on the basis of your consent given when you create an account or activate a feature that depends on a specific provider. We require all overseas processors to provide a level of protection comparable to that required under the PDPA, including written contractual safeguards.

7. Data Retention

We retain your personal information only for as long as is necessary to provide our services, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

  • Account Information (email, username, profile details): Retained for as long as your account remains active. If you delete your account, this information is removed from our active systems within 30 days, except where longer retention is required by law.
  • User Content (posts, comments, photos, reviews): Retained until you delete the content or your account. Deleted content is removed from active systems within 30 days, though anonymised or aggregated copies may persist in analytics.
  • Biometric data (Jio Connect selfie): Retained only while your Jio Connect profile is active; deleted within 30 days of onboarding completion, profile deletion, or account deletion (whichever is earliest). See Section 2a.
  • Location Data: Precise location is used in-session to surface nearby vegetarian places and is not stored beyond the request, unless you explicitly attach a location to a post (in which case it follows the User Content rules above).
  • Usage Data & Analytics: Retained for up to 24 months in aggregated or pseudonymised form to help us improve the app, after which it is deleted or fully anonymised.
  • Device Information: Retained while your account is active and deleted with your account, subject to a 30-day cleanup window.
  • Transactional & Order Records (where applicable): Retained for up to 7 years to comply with Malaysian tax, accounting, and consumer-protection laws, even after account deletion.
  • Server Logs & Security Records: Retained for up to 90 days for fraud prevention, debugging, and security investigations, then automatically purged.
  • Encrypted Backups: Residual copies of deleted data may remain in encrypted backups for up to 90 days before being overwritten.
  • Marketing & Communication Preferences: Retained until you opt out or delete your account, plus a short suppression-list retention to honour unsubscribe requests.

When the retention period for a category of data ends, we either delete it or irreversibly anonymise it so it can no longer be linked to you. You may request deletion of your account and associated personal information at any time by emailing us at the address in the Contact Us section; we will action verified deletion requests within 30 days, subject to the legal-retention exceptions described above.

8. Your Rights

Under the PDPA and depending on your location, you have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — request that inaccurate or incomplete information be corrected
  • Deletion — request deletion of your account and associated personal data, subject to the legal-retention exceptions in Section 7
  • Portability — receive an export of your personal data in a structured, machine-readable format
  • Withdraw consent — for any processing that relies on your consent (including biometric data for Jio Connect)
  • Opt out of marketing communications at any time
  • Lodge a complaint with the Personal Data Protection Commissioner of Malaysia

To exercise any of these rights, open Settings → Privacy & Data inside the app and submit a request, or email us at the address in the Contact Us section. We will acknowledge your request within 7 business days and complete it within the timeline required by the PDPA.

9. Children's Privacy

Our app is not intended for children under 18 years of age. Under the Malaysian Child Act 2001, a “child” is a person under the age of eighteen. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact the Privacy Team immediately and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date.

10a. Data Controller

The data controller responsible for the personal data processed under this Policy is:

  • Operating entity: VEGEBUDDY TECHNOLOGIES
  • SSM business registration no.: 202603121374 (NS0322648-A)
  • Registered address: 712, Jalan Damai 9/1, Taman Damai, 09400 Padang Serai, Kedah, Malaysia
  • Email: vegelahmy@gmail.com

You may use the contact details above to exercise your rights under the PDPA or to raise any concern about how we handle your personal data. You may also lodge a complaint with the Personal Data Protection Commissioner of Malaysia.

11. Contact Us

Privacy-related questions, access/deletion requests, and biometric-data requests are handled by our Privacy Team. We do not have an appointed Data Protection Officer; the Privacy Team performs equivalent intake and triage functions.

Privacy Team email: vegelahmy@gmail.com

For all other support questions, please use the in-app Help & Support menu.