Your data, your rights.

LokalGig (“LokalGig”, “we”, “us”, “our”) operates the website at lokalgig.my — a digital launchpad that helps Malaysians publish service listings and receive enquiries via WhatsApp. We are based in Malaysia and act as a data user as defined under Section 4 of the PDPA 2010.

For privacy questions, data access requests, or complaints, contact our data protection contact at hikayatdaily.app@gmail.com.

We only collect what we need to run the service. In practice, that is:

What we do NOT collect:bank account numbers, credit/debit card numbers, transaction amounts between buyer and seller, the contents of your WhatsApp messages, your phone’s contact list, your location beyond the state you select, or biometric data (other than an optional verification selfie if you opt in).

Under PDPA Section 6, we process personal data only for these stated purposes:

1. Run the service— create and secure your account, render your gig listings, route “Contact on WhatsApp” clicks.
2. Communicate with you — transactional emails (sign-up, password reset, booking enquiries, policy changes). Marketing emails only with your separate opt-in.
3. Keep the platform safe — detect fraud, scams, scraping, spam, abusive behaviour, and ToS violations.
4. Improve the product — measure feature performance and bug rates using aggregated analytics.
5. AI-assisted features — process the rough notes you paste into the AI Gig Builder so it can return a polished bilingual listing.
6. Comply with the law — respond to lawful Malaysian regulatory and law enforcement requests.

We do not use your data for automated decision-making that produces legal effects on you (e.g. credit scoring). Account suspensions are reviewed by a human operator.

We rely on the following lawful bases under the PDPA 2010:

• Your consent — for optional features like marketing emails, identity verification, or WhatsApp contact display.
• Contractual necessity — to provide the service you signed up for (your account, your gigs, your dashboard).
• Legitimate interest — fraud prevention, security logging, and aggregated product analytics, balanced against your rights.
• Legal obligation — when required by Malaysian law, regulators, or valid court orders.

We do not sell or rent personal data. We share only with the following categories of processors, all bound by confidentiality and data-protection terms:

Cross-border transfer.Some of our processors (e.g. AI providers, hosting CDN edges) are located outside Malaysia. We rely on contractual safeguards and the PDPA’s permitted transfer conditions (Section 129) when this happens. We do not transfer your data to a country that materially weakens your PDPA rights.

We use a minimal set of cookies and local-storage entries:

• Essential — auth/session cookies (so you stay logged in), CSRF tokens, language preference (BM/EN), theme preference (Terang/Malam). Cannot be turned off without breaking the site.
• Functional — remembers your bookmarks, draft gig autosave, recent searches.
• Analytics — counts page views and clicks, in aggregate.

We do not run third-party advertising trackers, fingerprinting libraries, or remarketing pixels. You can clear cookies anytime via your browser settings.

LokalGig is WhatsApp-first. When a buyer taps “Contact on WhatsApp” on your gig, they are taken to wa.me with a pre-filled message and your number. From that point on, the conversation is between you and the buyer on WhatsApp’s servers — not on LokalGig.

We log only the click event (which gig, what time) for analytics and abuse prevention. We never see your WhatsApp messages, media, or call logs. WhatsApp’s own privacy policy applies to that conversation.

• Active accounts: for as long as your account is open.
• Closed accounts: personal data is erased or anonymised within 30 days of closure, except for records we must retain by law (e.g. abuse investigations, financial records if any).
• Server logs: 90 days, then aggregated.
• AI helper inputs: raw inputs are retained at most 30 days for debugging; aggregated cost/usage metrics are retained indefinitely with no personal content.
• Backups: encrypted backups may persist up to 60 days after deletion before they roll off.

As a data subject under Malaysian law, you have the following rights. To exercise any of them, email hikayatdaily.app@gmail.com from the address registered on your account. We respond within 21 days.

• Right of access (s.30): request a copy of the personal data we hold about you.
• Right of correction (s.34): ask us to correct inaccurate or incomplete data. Most fields are editable directly in your profile.
• Right to withdraw consent (s.38): opt out of marketing or any consent-based processing at any time.
• Right to limit processing (s.42): ask us to pause processing for direct-marketing purposes.
• Right to delete: request closure of your account and erasure of your personal data, subject to lawful retention obligations.
• Right to lodge a complaint:with the Personal Data Protection Department (JPDP), Ministry of Digital, Malaysia. We’d appreciate the chance to address your concern first.

• HTTPS/TLS on every page; HSTS preload-eligible.
• Passwords are hashed with bcrypt-class algorithms; we never store them in plain text.
• Database access is row-level security (RLS) protected — even our backend code can’t read another user’s row without an explicit policy match.
• Service-role credentials are restricted to server-side cron and admin paths.
• Verification documents (if uploaded) are stored in a private bucket and never linked into public URLs.
• Internal access is least-privilege and audit-logged.

No system is unbreakable. If we ever discover a breach affecting your personal data, we will notify affected users without undue delay and report to the Commissioner where required by law.

LokalGig is not intended for users under 18. If you are under 18, please do not create an account or post a gig. If we learn we have collected personal data from someone under 18, we will delete it.

We may update this policy as the platform evolves. When we make a material change, we will:

• Update the “Last updated” date at the top of this page.
• Email registered users at least 14 days before changes that reduce your rights take effect.
• Surface an in-app notice on your dashboard.

Continued use of LokalGig after the effective date means you accept the updated policy. If you don’t agree, you can close your account at any time.

Privacy questions, data requests, or complaints — email hikayatdaily.app@gmail.com.

For everything else, hikayatdaily.app@gmail.com works.