Privacy Policy
Last updated: March 2026
PDPA Notice
This Privacy Policy is issued in compliance with the Personal Data Protection Act 2010 (Act 709) of Malaysia ("PDPA"). By providing your personal data to Tandaku, you consent to the collection, processing, and use of your data as described in this policy. You may withdraw your consent at any time by contacting us, subject to any legal obligations we may have.
1. Introduction
Tandaku ("we", "our", "us") is committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website at tandaku.com and our related services.
2. Data We Collect
We collect the following categories of personal data:
Account & Contact Information
Full name, email address, phone number, and shipping address provided during account registration, checkout, or communication with our team.
Photos & Order Information
Photos you upload for portrait creation, selected styles and products, special instructions, order history, and delivery preferences.
Payment Information
Payment transactions are processed entirely by Billplz, our payment gateway. We do not store your credit card numbers, bank account details, or e-wallet credentials on our servers. We only receive transaction confirmation records from Billplz.
Usage Data
Browser type, device information, IP address, pages visited, and interaction data collected automatically through cookies and analytics tools (with your consent for non-essential tracking).
Communication Data
Messages sent through our contact form, WhatsApp conversations related to orders, and email correspondence.
3. Purpose of Data Collection
We use your personal data for the following purposes:
- Order fulfilment: To create your custom portrait, process payments via Billplz, and deliver your products.
- Communication: To send order confirmations, shipping updates, digital previews for approval, and respond to your enquiries via email (Resend) and WhatsApp.
- Account management: To maintain your account, order history, and preferences.
- Marketing (opt-in only): To send promotional emails or messages about new styles, products, and offers. Marketing communications are sent only with your explicit consent, and you can unsubscribe at any time.
- Website improvement: To analyse usage patterns and improve our website experience using anonymised analytics data.
- Legal compliance: To comply with applicable Malaysian laws, regulations, and legal processes.
4. Data Storage & Security
Your personal data is stored securely using industry-standard encryption and security measures:
- Our primary database is hosted on Supabase (Singapore region), with data encrypted at rest.
- All data in transit between your browser and our services is encrypted using TLS (HTTPS).
- Account passwords are hashed and salted; we never store plain-text passwords.
- Payment information is processed by Billplz and is never stored on our servers.
- Our website is hosted on Vercel, with globally distributed edge infrastructure and built-in DDoS protection.
Photo Retention Policy
Photos you upload for portrait creation are retained for 90 days after your order is delivered. After this period, your photos are automatically and permanently deleted from our storage. This allows time for any quality issues or reprint requests while ensuring your photos are not kept indefinitely.
We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law. Account information is retained as long as your account is active and for 2 years after account deletion to comply with Malaysian regulatory requirements.
5. Third-Party Service Providers
We do not sell or rent your personal data to anyone. We share your data only with the following third-party service providers, and only to the extent necessary to operate our Services:
| Service Provider | Purpose | Data Shared |
|---|---|---|
| Billplz | Payment processing | Name, email, payment details |
| Resend | Transactional & marketing emails | Name, email address |
| Supabase | Database & file storage (Singapore) | Account data, photos, orders |
| Vercel | Website hosting & CDN | Usage data, IP address |
| J&T Express / Pos Laju | Shipping & delivery | Name, phone, shipping address |
| WhatsApp Business | Customer communication | Phone number, message content |
| Google Analytics 4 | Website analytics (with consent) | Anonymised usage data |
| Meta Pixel | Advertising analytics (with consent) | Anonymised interaction data |
All third-party service providers are contractually obligated to protect your data and use it only for the specified purposes. We do not share your photos with any third party except as necessary for order fulfilment.
6. Your Rights Under PDPA
Under the Personal Data Protection Act 2010 (PDPA), you have the following rights regarding your personal data:
- Right of access: to request a copy of the personal data we hold about you.
- Right to correction: to have inaccurate, incomplete, misleading or out-of-date personal data corrected.
- Right to withdraw consent: to withdraw your consent to the processing of your personal data at any time, subject to any legal obligations we may have.
- Right to prevent processing likely to cause damage or distress: to require us to stop, or not begin, processing that is likely to cause you substantial unwarranted damage or distress.
- Right to prevent processing for direct marketing: to require us to stop using your personal data for marketing purposes at any time.
To exercise any of these rights, please contact us at hello@tandaku.com. We will respond to your request within 21 days as required by the PDPA. A nominal processing fee may apply for data access requests as permitted under the Act.
7. Children's Privacy
Our Services are not directed at children under 18. We do not knowingly collect personal data from children without parental consent. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it promptly.
8. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. Changes will be posted on this page with an updated "Last updated" date. For material changes that significantly affect how we handle your personal data, we will make reasonable efforts to notify you via email.
Privacy Questions?
If you have any questions about this Privacy Policy, how we handle your data, or wish to exercise your rights under the PDPA, please contact us at hello@tandaku.com or via WhatsApp.