Data & Privacy · Version 1.0

Maejousz Club Privacy Policy

This Privacy Policy explains how Maejouzs Club collects, uses, stores, discloses, and protects your personal data in compliance with Malaysia's Personal Data Protection Act 2010 (Act 709).

PDPA 2010 TLS 1.2+ Encrypted Bcrypt Password Hashing

The short version: We collect only the data necessary to operate your membership, process your bookings, and run the loyalty programme. We never sell your personal information.

Encrypted end-to-end

All data in transit is protected with TLS 1.2+. Passwords are hashed with bcrypt.

You stay in control

Access, correct, or delete your data anytime. Withdraw consent whenever you like.

No data selling

We never sell, rent, or trade your personal data to third parties for marketing.

PDPA 2010 compliant

We process your data lawfully under Malaysia's Personal Data Protection Act.

Contents

01Definitions
02Information We Collect
03How We Use Your Data
04Legal Basis for Processing
05Data Sharing & Third Parties
06Data Security
07Cookies & Tracking
08Your Rights
09Minors & Age Restrictions
10Cross-Border Transfers
11Data Retention
12Policy Updates & Contact

Section 01

Definitions

Personal Data — information relating directly or indirectly to an identified or identifiable natural person, as defined under the PDPA 2010.
Member / User — any individual who has registered an account on the Platform, whether via email or social login.
Platform — the Maejouzs Loyalty mobile app (iOS and Android) and the Maejouzs website.
Processing — any operation on personal data, including collection, storage, use, disclosure, transfer, or deletion.
Data Subject — the natural person to whom the personal data relates.
Consent — a freely given, specific, informed, and unambiguous agreement by the Data Subject to processing.

Section 02

Information We Collect

We collect personal data across multiple channels and at various stages of your interaction with the Platform.

Category	Examples
Registration & account	Full name, email, Malaysian mobile (+60), hashed password, date of birth, Member ID, referral code
Social login	Limited OAuth profile from Google / Apple (name, email). Passwords are never received.
Transactional & booking	Reservations, deposit amounts, minimum spend, tickets, bottle packages, parked bottles
Visit & check-in	QR scan logs, check-in timestamps, cumulative visits, in-venue spend
Loyalty & tier	Points balance, tier (Bronze/Silver/Gold/Platinum), multiplier, redemption history
Referral programme	Unique code, referred User IDs, pending vs. rewarded state, stats
Feedback	Ratings for venue, staff, drinks, and event/DJ suggestions
Device & technical	Device type, OS version, IP address, FCM push token, session tokens, analytics
Notification preferences	Toggle states for All Notifications, Event Alerts, and Reward Alerts

Note: Full payment card details are handled exclusively by the PCI-DSS compliant third-party payment gateway and are never stored on our servers.

Section 03

How We Use Your Data

3.1 Account & Membership Management

Create and maintain your digital membership account and card
Generate your unique dynamic QR code for venue entry
Authenticate identity at login and at the club via QR scan
Process OTP verification and password resets

3.2 Loyalty Programme Operations

Award, track, and deduct loyalty points from qualifying activity
Determine and upgrade your membership tier automatically
Process reward redemptions from the rewards catalogue
Administer the referral programme (code generation, tracking, dual rewards)

3.3 Bookings & Payments

Process table reservations, event bookings, and bottle package purchases
Transmit payment requests to and receive confirmations from the payment gateway
Generate digital tickets, countdown timers, and booking history

3.4 Bottle Parking Service

Record and manage your parked bottle inventory and volumes
Alert staff to prepare and store bottles on parking confirmation
Enforce the 21-day expiry policy

3.5 Club Entry & Security

Verify identity, VIP/Platinum status, and age eligibility on QR scan
Enforce the blacklist system to deny entry to restricted individuals
Maintain visit logs and entry records for audit and security

3.6 Marketing & Communications

Deliver INFO, REWARD, SYSTEM, and EVENT push notifications
Send birthday, tier upgrade, points expiry, and VIP offer notifications
Run happy hour promotions, flash rewards, and referral campaigns

3.7 Analytics & Business Intelligence

Visit frequency, customer lifetime value, and spend-per-visit analysis
Segment customers by tier, spend, and visit frequency
Improve Platform functionality, UX, and service quality

Section 04

Legal Basis for Processing

Consent — during registration, notification permissions, and voluntary profile fields. Withdrawable at any time.
Contractual Necessity — to perform the membership services contract, operate the loyalty programme, and process bookings.
Legal Obligation — to comply with Malaysian laws including record-keeping requirements.
Legitimate Interests — security, fraud prevention, analytics, and service improvement, balanced against your rights.

Section 05

Data Sharing & Third Parties

We do not sell, rent, or trade your personal data to third parties for commercial purposes. We may disclose data only as necessary to:

Payment Gateway Operator — PCI-DSS compliant; handles card details exclusively, not our servers
Push Notification Service — Firebase Cloud Messaging (or equivalent) for delivery to your device
Social Login Providers — Google LLC and Apple Inc. for OAuth 2.0 authentication
Cloud Infrastructure Providers — secure hosting under data processing agreements
Regulatory & Legal Authorities — where required by Malaysian law or court order
Corporate Transactions — in a merger or acquisition, subject to equivalent data protection obligations

Section 06

Data Security

We implement technical and organisational measures to protect your data, including:

Encryption of all data in transit using TLS 1.2 or above
Bcrypt (or equivalent) one-way hashing for all stored passwords
Role-Based Access Control (RBAC) for Club Staff, Club Admin, and Super Admin roles
PCI-DSS compliant standards applied to all payment data handling
Secure cloud-hosted database infrastructure with restricted access and audit logging
Session token management, including automatic invalidation on logout

Despite these measures, no transmission over the internet is completely secure. You are responsible for maintaining your account credentials and notifying us immediately of any suspected compromise.

Section 07

Cookies & Tracking Technologies

The Maejouzs website may use cookies and similar technologies for:

Session management and authentication
Performance monitoring and usage statistics
Storage of UI preferences
Marketing analytics (where applicable, subject to your consent)

You may manage cookies through your browser settings. The mobile app does not use browser cookies but employs session tokens for authentication.

Section 08

Your Rights as a Data Subject

Under the PDPA 2010 (and subject to statutory exceptions), you have the following rights:

Access — request a copy of personal data we hold about you
Correction — request correction of inaccurate or outdated data (or update directly via Edit Profile)
Withdraw Consent — adjust notification preferences in Settings or contact support in writing
Account Deletion & Data Erasure — use the two-step Delete Account function; active profile data is purged, subject to legal retention for financial records
Limit Processing — restrict marketing or promotional notifications via toggles in Settings
Lodge a Complaint — with the Personal Data Protection Commissioner of Malaysia at pdp.gov.my

We encourage you to contact us first so we can address your concern before a formal complaint is filed.

Section 09

Minors & Age Restrictions

The Platform is strictly intended for individuals 18 years of age or above. We do not knowingly collect data from minors. If we discover data has been collected from a minor, the data will be deleted and the account terminated promptly. Parents or guardians who believe their child has registered an account should contact privacy@maejousz.com immediately.

Section 10

Cross-Border Data Transfers

We primarily store and process personal data within Malaysia. Where data is transferred outside Malaysia (e.g. through international cloud, push notification, or social login providers), we take reasonable steps to ensure compliance with the PDPA 2010 via contractual data protection clauses or equivalent safeguards.

Section 11

Data Retention

Personal data is retained only as long as necessary to fulfil the purposes for which it was collected, to maintain your active membership, or as required by law. Full retention periods are set out in the Terms & Conditions (Section 9).

Active personal data — permanently deleted within 30 days of confirmed account deletion
Financial transaction records — retained for 7 years under the Income Tax Act 1967 and Financial Services Act 2013
Audit trail logs — retained for 3 years from the logged event
Anonymised & aggregated data — may be retained indefinitely for analytics

Section 12

Policy Updates & Contact

We reserve the right to amend this Privacy Policy. Material changes will be notified via a SYSTEM-type push notification and/or in-app notice, with the updated policy published on the Platform showing a revised Effective Date.

Maejouzs — Data Protection Officer
Registered Office: Malaysia
Email: privacy@maejousz.com
Support: hello@maejousz.com
Operating Hours: Monday – Friday, 10:00 AM – 6:00 PM MYT

We will respond to data subject requests within 21 business days of receipt of a complete request. Proof of identity may be required.

Exercise your data rights

Request access, correction, or deletion of your data at any time.

privacy@maejousz.com