Nextcode Sdn. Bhd. ("we", "us", "our") operates the POSje! platform. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA).
By using POSje!, you consent to the practices described in this policy. If you do not agree, please discontinue use of the Service.
Who This Policy Applies To
- Merchant accounts — business owners and staff who use POSje! to operate their POS, kitchen display, QR ordering, or loyalty programme.
- End customers — diners or shoppers whose data is processed through POSje! on behalf of a merchant (e.g. via the loyalty app or QR ordering).
If you are an end customer, your primary relationship is with the merchant who operates the service. We process end-customer data as a data processor on behalf of the merchant (data controller).
Data We Collect
From merchant accounts:
- Business information: name, address, email, phone number, business type.
- Account credentials: email address and hashed password.
- Billing information: handled directly by Stripe — we do not store full card numbers.
- Usage data: features used, session logs, IP addresses, device type, and browser.
From end customers (via merchant-operated features):
- Phone number and optional name, email, birthday, and gender — collected during loyalty registration or QR ordering.
- Order history, spending totals, points balance, and tier status.
- OTP verification logs (phone/email) to confirm identity.
Automatically collected:
- Server logs, timestamps, API request metadata, and error reports used for diagnostics and security.
How We Use Personal Data
- To provide the Service — processing orders, running loyalty programmes, displaying the kitchen screen, generating reports.
- To manage your account — onboarding, authentication, subscription billing, and customer support.
- To communicate with you — sending OTPs, transactional emails, system notifications, and (with your consent) product updates.
- To improve the Service — analysing aggregated, anonymised usage patterns. We do not use individual personal data for this purpose.
- To comply with legal obligations — where required by Malaysian law, court order, or regulatory authority.
Legal Basis for Processing
Under the PDPA 2010, we process personal data on one or more of the following bases:
- Performance of a contract — providing the Service you signed up for.
- Consent — e.g. marketing communications. You may withdraw at any time.
- Legitimate interests — e.g. security monitoring and fraud prevention.
- Legal obligation — e.g. tax record-keeping as required by Malaysian law.
How We Share Personal Data
Our commitment
We do not sell personal data — ever.
We may share data only in these limited circumstances:
- Service providers — Stripe (payments), Amazon Web Services (hosting), and email delivery providers. All are bound by data processing agreements.
- Merchants — end-customer data is accessible to the merchant whose platform the customer joined.
- Legal requirements — if required by law, court order, or Malaysian regulatory authority.
- Business transfers — in the event of a merger or acquisition, subject to the same protections.
Data Retention
- Active accounts: Data is retained for as long as your account is active.
- After cancellation: Tenant data is retained for 30 days, during which you may request an export. After 30 days, data is permanently deleted.
- Legal records: Billing records may be retained for up to 7 years as required by Malaysian tax law.
- End-customer data: Retained per the merchant's PDPA obligations. Merchants may delete customer records from their admin panel at any time.
Security
How we protect your data
- TLS encryption in transit
- AES-256 encryption at rest for sensitive fields
- Bcrypt-hashed passwords
- Role-based access controls
- Regular security assessments
No system is 100% secure. Please use strong, unique passwords and notify us immediately at hello@nextcode.my if you suspect a security incident.
Your Rights Under PDPA 2010
Your rights as a data subject
To exercise any of these rights, email hello@nextcode.my. We will respond within 21 days as required by the PDPA.
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Withdrawal of consent — withdraw consent for processing where consent is the legal basis, without affecting prior processing.
- Opt out of direct marketing — unsubscribe at any time via the link in any email we send.
Children's Privacy
POSje! is a business-to-business platform not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
International Transfers
Your data is primarily stored on servers within or operated by providers that meet adequate protection standards. Where data is transferred outside Malaysia, we ensure appropriate safeguards are in place as required by the PDPA and guidelines from the Personal Data Protection Commissioner.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before material changes take effect. The "Effective date" at the top of this page reflects the latest revision.
Contact & Complaints
Questions about this policy or how we handle your data? Contact our data compliance team:
You also have the right to lodge a complaint with the Department of Personal Data Protection Malaysia at pdp.gov.my if you believe your data has been mishandled.