Privacy Policy

1. Introduction

TenderAlerts MY ("we", "our", "us") operates the TenderAlerts MY platform, a tender monitoring and alert notification service for Malaysian contractors and suppliers. We are committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights as a data subject under Malaysian law.

2. Personal data we collect

We collect the following categories of personal data when you register and use our service:

• Identity data: full name, company name
• Contact data: email address, Malaysian phone number (WhatsApp)
• Account data: subscription plan, account creation date, verification status
• Preference data: alert preferences including states, trade types, value ranges, and Bumiputera filter settings
• Usage data: tenders saved, bid pipeline status, RFQs sent and received
• Payment data: transaction references and payment status (we do not store card numbers or bank account details)
• Technical data: IP address, browser type, and access logs for security purposes

3. How we use your personal data

We use your personal data for the following purposes:

• Delivering tender alert notifications via Telegram and email
• Managing your account and subscription
• Processing payments via Billplz (FPX) and Stripe
• Matching tenders to your trade type, state, and preference filters
• Enabling the supplier directory and RFQ system
• Improving and maintaining the service
• Complying with legal obligations

We do not sell your personal data to third parties. We do not use your data for unsolicited marketing beyond the service you subscribed to.

4. Legal basis for processing

Under PDPA 2010, we process your personal data on the following bases:

• Consent: you provide consent at registration by accepting this Privacy Policy
• Contract performance: processing necessary to deliver the subscription service you signed up for
• Legitimate interests: fraud prevention, service security, and service improvement
• Legal obligation: compliance with Malaysian law including PDPA 2010

5. Data sharing and disclosure

We share your data only with:

• Supabase — our database provider (data stored in Singapore region)
• Railway — our cloud hosting provider
• Telegram — for delivering alert notifications (only your chat ID is shared)
• Billplz / Stripe — for payment processing (subject to their respective privacy policies)
• Sentry — for error monitoring (no PII is included in error reports)

We may disclose your data if required by Malaysian law, court order, or regulatory authority.

6. Data retention

We retain your personal data for 3 years from the date of your last active subscription, or until you request deletion, whichever is earlier. Payment records are retained for 7 years as required by Malaysian financial regulations. Anonymised analytics data may be retained indefinitely.

7. Your rights under PDPA 2010

As a data subject under the Personal Data Protection Act 2010, you have the right to:

• Access: request a copy of the personal data we hold about you
• Correction: request correction of inaccurate or incomplete data
• Withdrawal of consent: withdraw your consent to processing at any time (this may affect your ability to use the service)
• Complaint: lodge a complaint with the Personal Data Protection Commissioner of Malaysia

To exercise any of these rights, contact us at privacy@tenderalerts.my. We will respond within 21 days as required by PDPA 2010.

8. Data security

We implement appropriate technical and organisational measures to protect your personal data, including Row Level Security (RLS) on our database, encrypted connections (TLS), and access controls. However, no internet transmission is completely secure and we cannot guarantee absolute security.

9. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

10. Contact us

For any privacy-related queries, please contact our data protection officer at: