PDPA Compliance

The Personal Data Protection Act 2010 (Act 709) is the primary legislation governing the processing of personal data in Malaysia. It applies to any person who processes personal data in connection with a commercial transaction.

As a platform that collects and processes personal data from Malaysian residents, Strays To Home is subject to PDPA 2010 and takes our obligations seriously.

Personal data must not be processed without the data subject's consent, unless an exemption applies.

How we comply: We obtain explicit consent from users at the point of registration and again when collecting sensitive identity documents (IC/Passport). We clearly state what data is collected and how it will be used before asking for consent. Users may withdraw consent at any time.

Data subjects must be informed of the purpose of data collection and their rights.

How we comply: We provide clear notices at registration, during IC verification, and in this Privacy Policy. These notices explain what data we collect, why we collect it, who it may be shared with, and how users can exercise their rights. Users are never surprised by how their data is used.

Personal data must not be disclosed to third parties without consent, except where permitted by law.

How we comply: We do not sell or trade personal data. Data is only shared with:

• Verified vet clinics, when an adopter books an appointment (with user consent).
• Infrastructure providers (Supabase, Vercel, Resend) under data processing agreements.
• Malaysian law enforcement, only when required by a valid court order.

Practical steps must be taken to protect personal data from loss, misuse, modification, or unauthorised disclosure.

How we comply:

• All data in transit is encrypted using HTTPS/TLS.
• Passwords are hashed using bcrypt with salt rounds.
• Identity documents are stored in encrypted cloud storage with restricted access.
• Only authorised administrators can access identity verification data.
• Database access is restricted by IP allowlist and requires authentication.
• We conduct periodic security reviews of our infrastructure.

Personal data must not be retained longer than necessary for the purpose it was collected.

How we comply:

• Identity documents are deleted within 12 months of verification.
• Deleted accounts are anonymised within 30 days of deletion request.
• Inactive accounts (no login for 24 months) are flagged for deletion review.
• Message data older than 24 months is automatically purged.

Personal data must be accurate, complete, not misleading, and kept up to date.

How we comply: Users can update their profile information, including name and email, at any time from their dashboard. IC verification requires uploading a current, valid identity document. Users are encouraged to report any inaccuracies in their data.

Data subjects must be given access to their personal data and the ability to correct it.

How we comply: Registered users can access their personal data through their dashboard. For data not directly editable (e.g., verification records), users may submit an access or correction request by email.

IC numbers, passport numbers, and identity document images are classified as sensitive personal data under PDPA 2010. We apply additional safeguards:

• Sensitive data is only collected when strictly necessary for identity verification.
• It is stored with additional encryption layers beyond standard data.
• Access is restricted to a minimal number of authorised personnel.
• Sensitive data is never displayed publicly or shared with other users.
• Users receive explicit notice and provide explicit consent before submission.

Under PDPA 2010, you have the following rights which you may exercise by contacting us:

• Right of Access: Request a copy of personal data we hold about you.
• Right of Correction: Request correction of inaccurate or incomplete data.
• Right to Withdraw Consent: Withdraw consent for data processing at any time (may limit platform access).
• Right to Prevent Processing: Object to processing that causes damage or distress.

To exercise any right, email privacy@straystohome.com with your full name, registered email address, and the right you wish to exercise. We will respond within 21 days as required by PDPA 2010.

Our infrastructure providers (Supabase, Vercel) may store data on servers located outside Malaysia. In such cases, we ensure that data protection standards equivalent to PDPA 2010 are maintained through contractual data processing agreements.

In the event of a data breach affecting your personal data, we will:

• Investigate and contain the breach as quickly as possible.
• Notify affected users via email within 72 hours of becoming aware of a significant breach.
• Report to relevant Malaysian authorities where required.
• Provide guidance on steps you can take to protect yourself.

For PDPA-related enquiries, data access requests, or to report a concern:
Email: privacy@straystohome.com
Response time: Within 21 days as required by PDPA 2010