1. Introduction
Bundl.my ("we," "our," or "the Platform"), operated by VISLOGIK TECHNOLOGIES (CA0412428-D), is committed to protecting your privacy and personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia and applicable data protection regulations.
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use our C2C (consumer-to-consumer) marketplace platform for buying and selling secondhand clothing (bundle items).
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, phone number, password (encrypted)
- Profile Information: Display name, username, bio, profile photo, state/location
- Payment Information: Processed and stored by Stripe Connect (our payment processor). We do not store full credit card numbers.
- Shipping Information: Delivery addresses, phone numbers for courier purposes
- Listing Information: Photos of items, descriptions, measurements, pricing, condition assessments
- Communications: Messages sent through our support channels, dispute evidence (photos, descriptions)
2.2 Information Collected Automatically
- Device Information: IP address, browser type, device identifiers, operating system
- Usage Data: Pages visited, time spent, listings viewed, search queries, clicks
- Cookies: Session cookies, authentication tokens, preference settings
- Transaction Data: Purchase history, order status, payment timestamps, refund records
2.3 Information from Third Parties
- Stripe Connect: Payment verification, transaction status, account verification data
- EasyParcel: Shipment tracking data, delivery confirmations, courier status updates
- Google OAuth: Email address, name, profile photo (if you sign in with Google)
3. How We Use Your Information
We process your personal data for the following purposes:
- Platform Operation: Account creation, authentication, listing management, order processing
- Payment Processing: Escrow management, payment facilitation, refund processing
- Shipping Logistics: AWB (Air Waybill) generation, tracking updates, delivery coordination
- Dispute Resolution: Evidence review, claim investigation, refund determination
- Fraud Prevention: Strike tracking, account monitoring, policy enforcement
- Customer Support: Responding to inquiries, resolving technical issues
- Platform Improvement: Analytics, feature development, user experience optimization
- Legal Compliance: Record-keeping, dispute resolution, regulatory obligations
- Marketing: Platform updates, promotional communications (you may opt out)
4. Legal Basis for Processing
We process your personal data based on:
- Contractual Necessity: Processing required to fulfill transactions and provide platform services
- Consent: Explicit consent for marketing communications and optional features
- Legitimate Interests: Fraud prevention, security, platform improvement
- Legal Obligations: Compliance with Malaysian law, tax reporting, dispute resolution
5. Data Sharing and Disclosure
5.1 Third-Party Service Providers
- Stripe, Inc.: Payment processing, escrow management, seller payouts
- EasyParcel: Courier integration, AWB generation, shipment tracking
- Amazon Web Services (AWS): Cloud hosting, image storage (S3), database infrastructure
- CockroachDB: Database hosting and management
5.2 Between Platform Users
When you engage in a transaction:
- Sellers see buyer's name and shipping address (for fulfillment purposes)
- Buyers see seller's username, state, and public profile information
- Neither party sees the other's email address or phone number unless voluntarily shared
5.3 Legal Disclosures
We may disclose your information if required by law, court order, regulatory authority, or to protect our legal rights, prevent fraud, or ensure platform safety.
6. Data Retention
- Active Accounts: Data retained while account is active
- Deleted Accounts: Personal data deleted within 90 days, except records required for legal/tax purposes (retained for 7 years)
- Transaction Records: Retained for 7 years for tax compliance and dispute resolution
- Dispute Evidence: Retained for 2 years after resolution
- Anonymous Analytics: Retained indefinitely in aggregated, non-identifiable form
7. Data Security
We implement industry-standard security measures to protect your data:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing (bcrypt)
- Access controls and authentication (NextAuth.js)
- Regular security audits and monitoring
- Secure cloud infrastructure (AWS)
However, no system is completely secure. We cannot guarantee absolute security and are not liable for unauthorized access resulting from circumstances beyond our reasonable control.
8. Your Rights Under PDPA
You have the following rights regarding your personal data:
- Right to Access: Request a copy of your personal data
- Right to Correction: Update inaccurate or incomplete information
- Right to Withdraw Consent: Opt out of marketing communications
- Right to Data Portability: Receive your data in a structured format
- Right to Deletion: Request account deletion (subject to legal retention requirements)
To exercise these rights, contact us at hello@bundl.my. We will respond within 21 days as required by PDPA.
9. Cookies and Tracking
We use cookies and similar technologies for:
- Essential Cookies: Authentication, session management, security
- Functional Cookies: Language preferences, user settings
- Analytics Cookies: Usage statistics, performance monitoring
You may disable non-essential cookies through your browser settings, but this may affect platform functionality.
10. Third-Party Links
Our platform may contain links to third-party websites or services (e.g., Stripe, EasyParcel). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.
11. Children's Privacy
Our platform is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If we discover that a minor has created an account, we will delete it immediately.
12. International Data Transfers
Your data may be stored on servers located outside Malaysia (AWS regional infrastructure). We ensure that such transfers comply with PDPA requirements and that adequate safeguards are in place. By using our platform, you consent to such transfers.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or platform notification. Continued use of the platform after changes constitutes acceptance of the updated policy. The "Last Updated" date at the top of this page indicates the most recent revision.
14. Contact Us
For privacy-related inquiries, data access requests, or complaints:
Email: hello@bundl.my
Subject Line: "Privacy Inquiry" or "PDPA Request"
We are committed to resolving privacy concerns promptly and in accordance with Malaysian data protection laws.