Privacy Policy

1.1 We play two different roles under the PDPA, depending on whose data is involved.

(a) For Merchants' customers (for example, when you join a Merchant's loyalty program or send private feedback through a BigBigRed QR page): the Merchant is the "data user" — it decides why and how your data is collected — and we act as its "data processor", storing and processing that data on the Merchant's behalf to run the features it has purchased.

(b) For Merchants and website visitors (for example, your account login, business details and our communications with you): we are the "data user" and are directly responsible for that data.

1.2 If you are a Merchant's customer, the Merchant you visited is primarily responsible for how your data is used. This policy still tells you exactly what passes through our systems, and how to exercise your rights.

If you are a customer of a Merchant

2.1 Loyalty program (only if the Merchant runs one and you choose to join): your name, mobile phone number, and the day and month of your birthday (we do not ask for the year), together with your points balance, vouchers and transaction history. This information is typically entered by the Merchant's staff at the counter, with your agreement.

2.2 Private feedback / complaints (only if you choose to submit one): your name, phone number and the feedback you write. We pass these to the Merchant so it can follow up with you.

2.3 Review drafting: when you use a BigBigRed QR page to help draft a review or post, we record only the keywords you selected, any custom keyword, your chosen output language, any improvement note you write, and the text that was generated. We do not ask for your name or contact details in this flow, and we ask that you do not type personal details into the free-text fields.

If you are a Merchant

2.4 Your account username and password (stored only as a secure hash — we cannot read it), an optional contact email, the email address(es) you nominate for complaint notifications, your business name and profile details, branch login credentials, and login session records.

2.5 Billing and licensing communications (for example, invoices and WhatsApp messages) are handled outside the platform and retained as ordinary business records.

Technical data

2.6 We use only essential cookies — a session cookie that keeps Merchants and their staff logged in. We run no advertising, analytics or tracking cookies or scripts of any kind. Our infrastructure providers keep standard server logs (such as IP addresses and timestamps) for security and reliability.

3.1 We use personal data only to: (a) provide and operate the Service and its features, including maintaining loyalty balances, vouchers and transaction history; (b) deliver a customer's private feedback to the relevant Merchant by email and generate an automated acknowledgement; (c) generate AI-drafted content at a user's request; (d) communicate with Merchants about their account, licence and support requests; (e) protect the security and integrity of the Service and prevent fraud and abuse; and (f) comply with applicable law.

3.2 Providing personal data is voluntary. However, the loyalty program cannot operate without a name and phone number, and a complaint cannot be followed up without contact details — if those are not provided, those features simply cannot be used.

3.3 We do not use personal data for advertising, profiling or marketing to end customers, and we never sell personal data to anyone.

4.1 Text submitted through the Service (such as selected keywords, improvement notes and complaint text) is sent to third-party large-language-model providers to generate the requested content — for example, a draft review or an automated apology reply. Our current AI providers are DeepSeek, Qwen (accessed via OpenRouter) and Google Gemini, and they process this content under their own terms.

4.2 We do not use your personal data to train our own AI models. Please do not include personal, sensitive or financial details in free-text fields — they are not needed for any feature to work.

5.1 The Merchant you visited: loyalty details are visible to the Merchant and its branch staff in their dashboards (and exportable by them), and complaint details (name, phone, feedback) are emailed to the address(es) the Merchant nominates. Once exported or received, that data is under the Merchant's control as data user.

5.2 Our service providers (sub-processors), strictly to operate the Service:

(a) Supabase — database and storage hosting (PostgreSQL);

(b) DeepSeek, OpenRouter (Qwen) and Google (Gemini) — AI content generation, as described in section 4;

(c) Google (Gmail SMTP) — transmission of complaint notification emails to Merchants.

5.3 Authorities and legal process: we may disclose personal data where required by law, court order or a regulator with jurisdiction over us.

5.4 We do not sell, rent or trade personal data, and we do not share it with advertisers or data brokers.

6.1 Our service providers may store or process data outside Malaysia — depending on the provider, this may include jurisdictions such as Singapore, the United States and China. We transfer data abroad only as needed to operate the Service through the providers listed in section 5, and we choose providers that publish their own security and privacy commitments.

7.1 We deliberately keep end-customer data for short periods:

(a) AI-drafted content and review-drafting inputs — automatically deleted after approximately seven (7) days;

(b) Complaint records and improvement feedback — automatically deleted after approximately thirty (30) days;

(c) Loyalty records (name, phone, birthday, points, vouchers, transactions) — kept for as long as the Merchant's licence is active, and deleted after the Merchant's access period ends;

(d) Merchant account data — kept for the duration of the licence and a reasonable period afterwards for business records.

7.2 Long-term usage statistics are aggregate counts only and contain no personal data.

8.1 We protect personal data with measures appropriate to its nature: all traffic is encrypted in transit (HTTPS), passwords are stored only as secure hashes, the database is locked so that it can only be reached through our server-side code (no direct public access), and access by Merchant staff is limited to their own branch's data. Consistent with the PDPA's Security Principle, we require our service providers to apply their own appropriate safeguards. No system is perfectly secure, but we aim to hold as little personal data, for as short a time, as each feature allows.

9.1 Under the PDPA you may request access to or correction of your personal data, and you may withdraw consent to its processing.

9.2 If you are a Merchant's customer, the data user is the Merchant you visited, so the fastest route is to ask them directly (for example, to update or remove your loyalty record — their dashboard lets them do this). You may also contact us using the details in section 13 and we will assist or relay your request to the Merchant.

9.3 If you are a Merchant, contact us directly and we will respond within the timeframes the PDPA requires.

10.1 The only cookies we set are essential session cookies that keep Merchants and their staff signed in. We set no cookies at all for end customers using a QR page, and we use no analytics, advertising or cross-site tracking technologies anywhere on the Service.

11.1 The Service is not directed at children, and Merchant accounts may only be held and operated by adults. Loyalty registrations are entered by Merchant staff for their customers; Merchants must not register individuals below the age at which they can give valid consent under applicable law.

12.1 We may update this policy from time to time. The "Last updated" date at the top of this page shows the current version, and we will notify Merchants of material changes (for example, by email, WhatsApp or via the Service).

13.1 Questions, requests or complaints about personal data may be directed to BIGBIGRED DIGITAL SOLUTIONS via WhatsApp at +60 11-1100 8325. Our Terms and Conditions, including the data-protection responsibilities of Merchants, are published at https://bigbigred.com/terms.

Notis ini dikeluarkan menurut Seksyen 7 Akta Perlindungan Data Peribadi 2010 ("APDP") oleh BIGBIGRED DIGITAL SOLUTIONS (No. Pendaftaran 202603086052 (TR0339995-H)), sebuah perniagaan yang berdaftar dengan Suruhanjaya Syarikat Malaysia (SSM). Notis ini hendaklah dibaca bersama versi Bahasa Inggeris di atas; sekiranya terdapat percanggahan, versi Bahasa Inggeris akan diguna pakai setakat yang dibenarkan undang-undang.

Data peribadi yang dikumpul

(a) Program kesetiaan (jika anda menyertainya): nama, nombor telefon bimbit, hari dan bulan lahir (tahun tidak diminta), serta baki mata, baucar dan rekod transaksi anda.

(b) Maklum balas / aduan (jika anda menghantarnya): nama, nombor telefon dan kandungan maklum balas anda.

(c) Penjanaan ulasan: hanya kata kunci yang dipilih, nota penambahbaikan dan bahasa pilihan — nama atau butiran hubungan anda tidak diminta.

(d) Pelanggan perniagaan (Merchant): nama pengguna akaun, kata laluan (disimpan dalam bentuk "hash" yang selamat), e-mel, butiran perniagaan dan rekod log masuk.

(e) Data teknikal: kuki sesi log masuk yang perlu sahaja; tiada kuki pengiklanan, analitik atau penjejakan.

Tujuan pemprosesan

Data peribadi diproses untuk: (a) menyediakan dan mengendalikan perkhidmatan, termasuk program kesetiaan; (b) memajukan aduan anda kepada perniagaan berkenaan melalui e-mel dan menjana balasan automatik; (c) menjana draf kandungan menggunakan kecerdasan buatan (AI) atas permintaan anda; (d) keselamatan sistem dan pencegahan penyalahgunaan; dan (e) pematuhan undang-undang. Kami tidak menjual data peribadi dan tidak menggunakannya untuk pengiklanan.

Sumber data

Data diperoleh terus daripada anda, atau dimasukkan oleh kakitangan perniagaan yang anda lawati (bagi pendaftaran program kesetiaan) dengan persetujuan anda.

Pendedahan dan pemindahan ke luar negara

Data peribadi mungkin didedahkan kepada: (a) perniagaan yang anda lawati (sebagai pengguna data, ia bertanggungjawab terhadap penggunaan selanjutnya); (b) pembekal perkhidmatan kami — pangkalan data dan pengehosan (Supabase), pembekal model AI (DeepSeek, Qwen melalui OpenRouter, dan Google Gemini) serta perkhidmatan penghantaran e-mel (Gmail SMTP); dan (c) pihak berkuasa jika dikehendaki oleh undang-undang. Data mungkin disimpan atau diproses di luar Malaysia, termasuk di Singapura, Amerika Syarikat dan China, setakat yang perlu untuk mengendalikan perkhidmatan.

Tempoh simpanan

Draf kandungan AI dan input penjanaan ulasan: lebih kurang tujuh (7) hari. Rekod aduan dan maklum balas penambahbaikan: lebih kurang tiga puluh (30) hari. Rekod program kesetiaan: sepanjang tempoh lesen perniagaan berkenaan, dan dipadamkan selepas tempoh itu tamat.

Sifat sukarela

Pemberian data peribadi adalah sukarela. Walau bagaimanapun, tanpa nama dan nombor telefon, ciri program kesetiaan dan susulan aduan tidak dapat disediakan.

Hak anda

Anda berhak memohon akses kepada dan pembetulan data peribadi anda, serta menarik balik persetujuan anda. Bagi data program kesetiaan dan aduan, kemukakan permintaan kepada perniagaan yang anda lawati (pengguna data); anda juga boleh menghubungi kami dan kami akan membantu. Hubungi: BIGBIGRED DIGITAL SOLUTIONS, WhatsApp +60 11-1100 8325.