Egghey

PRIVACY POLICY

BIG CAT COMM SDN. BHD. (202101020363 / 1420663-X)

Effective Date: 20 April 2026  |  Last Updated: 20 April 2026

Statutory Notice: This Privacy Policy is issued pursuant to and in compliance with the Personal Data Protection Act 2010 (Act 709) of Malaysia ("PDPA"). It is structured around the seven (7) Data Protection Principles under Part II of the PDPA and includes the mandatory Notice and Choice required under Section 7.

Part A — Mandatory Notice Under Section 7, PDPA 2010

A1. Identity of the Data User

BIG CAT COMM SDN. BHD. (202101020363 / 1420663-X)
MK1-09-08, Arte Mont Kiara, Jalan Sultan Haji Ahmad Shah
50480 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur, Malaysia
Trading as: Egghey  |  www.egghey.com
Email: hello@egghey.com

A2. Personal Data Being Collected

  • Identity Data: Full name and username;
  • Contact Data: Email address and telephone/mobile number;
  • Payment Data: Billing details processed via Billplz (billplz.com) — we do not store full card or bank account numbers;
  • Delivery Data: Delivery address and, where enabled, location coordinates;
  • Account Data: Encrypted password and account preferences;
  • Technical & Usage Data: IP address, browser type, device identifiers, pages visited, and order history;
  • Communications Data: Any feedback, enquiries, or correspondence you send us.

A3. Purpose of Processing

  • To process and fulfil your food and beverage orders, including payment via Billplz and delivery coordination;
  • To create, maintain, and manage your user account;
  • To administer your Yolk Points loyalty reward account;
  • To communicate with you about orders, account status, and customer service;
  • To send promotional offers and marketing communications where you have given consent;
  • To improve and personalise our Platform and services;
  • To detect, prevent, and investigate fraud and security incidents;
  • To comply with legal and regulatory obligations under Malaysian law.

A4. Right of Access and Correction

You have the right to request access to your personal data and to request correction of any inaccurate, incomplete, or outdated data under Sections 30 and 34 of the PDPA 2010. See Part C, Section 12 for the procedure.

A5. Classes of Third Parties to Whom Data May Be Disclosed

  • Payment Processor: Billplz (billplz.com) — for payment processing;
  • Delivery Partners: Third-party logistics and courier companies — name, contact number, and delivery address only;
  • Service Providers: Cloud hosting and IT infrastructure providers — under confidentiality obligations;
  • Analytics: Web analytics tools (e.g., Google Analytics) — anonymised and aggregated data only;
  • Regulatory/Legal: Government authorities, law enforcement, or courts — where required by law.

A6. Obligatory or Voluntary Supply of Data

Provision of mandatory data fields (name, email, delivery address, and payment information) is obligatory. Without this, we cannot process your orders or create your account. All other fields are voluntary.

A7. Consequences of Failing to Supply Personal Data

If you decline to provide mandatory data, we will be unable to create or maintain your account, process your orders, administer your Yolk Points account, or provide order-related customer support.

A8. Right to Withdraw Consent to Direct Marketing

You may withdraw consent to direct marketing at any time, at no cost, by clicking the unsubscribe link in any marketing email or by writing to hello@egghey.com. Withdrawal will not affect the lawfulness of prior processing.

Part B — The Seven Data Protection Principles (PDPA 2010, Part II)

Principle 1 General Principle Section 5, PDPA 2010

Personal data shall not be processed unless the data subject has given consent, or processing falls within a permitted exception.

How we comply:

We obtain your consent at account registration and order placement. We process data without consent only where permitted — for example, to fulfil your order or comply with a legal obligation. Separate consent is obtained for direct marketing.

Principle 2 Notice and Choice Principle Section 7, PDPA 2010

A data user shall inform the data subject of the matters in Section 7 before or at the time of collecting personal data.

How we comply:

The mandatory Section 7 notice is provided in full in Part A above. This Policy is presented to you before registration and at checkout. You are required to acknowledge it before proceeding.

Principle 3 Disclosure Principle Section 8, PDPA 2010

Personal data shall not be disclosed for purposes other than those stated at collection without consent.

How we comply:

We do not sell, rent, or trade your personal data. Disclosure is limited strictly to the classes of recipients in Part A (Section A5) for purposes directly related to your order or our services.

Principle 4 Security Principle Section 9, PDPA 2010

A data user shall take practical steps to protect personal data from loss, misuse, modification, unauthorised access, disclosure, or destruction.

How we comply:

  • SSL/TLS encryption for all data transmitted between your browser and our servers;
  • Payment data processed via Billplz's PCI-DSS compliant infrastructure — we do not store card or bank account numbers;
  • Passwords stored using industry-standard one-way hashing;
  • Access to personal data restricted to authorised personnel on a need-to-know basis.

Note: No method of electronic transmission or storage is 100% secure. In the event of a personal data breach posing a risk to your rights, we will notify you and relevant authorities as required by law.

Principle 5 Retention Principle Section 10, PDPA 2010

Personal data shall not be kept longer than necessary for the fulfilment of its purpose.

How we comply:

  • Account data: retained for duration of active account plus up to 2 years after closure;
  • Transaction and order records: minimum 7 years (Income Tax Act 1967 & Companies Act 2016);
  • Marketing consent records: duration of subscription plus 1 year after unsubscription;
  • Technical/usage logs: up to 12 months.

Upon expiry, data will be securely deleted, destroyed, or anonymised.

Principle 6 Data Integrity Principle Section 11, PDPA 2010

A data user shall take reasonable steps to ensure personal data is accurate, complete, not misleading, and kept up-to-date.

How we comply:

We take reasonable steps to ensure accuracy. You are encouraged to keep your account details current. You may contact hello@egghey.com to request correction of inaccurate data.

Principle 7 Access Principle Sections 30–36, PDPA 2010

A data subject shall be given access to their personal data and the data user shall correct any inaccurate, incomplete, or misleading data.

How we comply:

We honour all access and correction rights under the PDPA 2010. See Part C, Section 12 for the full procedure.

Part C — Additional Matters

9. Sensitive Personal Data

PDPA Reference — Section 40, PDPA 2010: Prohibition on processing sensitive personal data without explicit consent.

Egghey does not intentionally collect sensitive personal data (e.g., health data, political opinions, religious beliefs). If sensitive data is inadvertently submitted, we will either delete it or obtain your explicit written consent before any processing.

10. Cookies and Tracking Technologies

  • Essential Cookies: Strictly necessary to operate the Platform. No consent required.
  • Analytics Cookies: To understand how visitors use the Platform (e.g., Google Analytics). Anonymised data only.
  • Preference Cookies: To remember your settings and preferences.
  • Marketing Cookies: Placed only where you have given explicit consent.

You may control cookies through your browser settings at any time.

11. Transfer of Personal Data Outside Malaysia

PDPA Reference — Section 129, PDPA 2010: Prohibition on transfer of personal data outside Malaysia except to approved places.

Where any third-party service providers process data outside Malaysia, we ensure the recipient provides adequate protection comparable to the PDPA, or we have contractual safeguards in place, or you have given consent. Payment processing via Billplz is conducted within Malaysia.

12. Your Rights Under the PDPA 2010

PDPA Reference — Sections 30–36, PDPA 2010: Rights of data subjects.

  • Right of Access [s.30]: Request a copy of personal data we hold about you. A prescribed fee may apply.
  • Right to Correction [s.34]: Request correction of inaccurate, incomplete, or misleading data.
  • Right to Withdraw Consent [s.38]: Withdraw consent at any time without affecting prior lawful processing.
  • Right to Prevent Direct Marketing [s.42]: Request that we cease processing your data for direct marketing, at no cost.

How to submit a request:

Email hello@egghey.com with subject line "PDPA Data Request", including your full name, registered email, and description of your request. We acknowledge within 7 days and respond substantively within 21 days.

If dissatisfied, you may lodge a complaint with the Personal Data Protection Commissioner of Malaysia at www.pdp.gov.my.

13. Children Under 18

Our Platform is not directed at persons under 18. We do not knowingly collect personal data from minors. Contact hello@egghey.com if you have concerns.

14. Amendments to This Policy

We may update this Policy from time to time. Material changes will be notified via the Platform or email at least 14 days before taking effect.

15. Contact Us — Data Protection Enquiries

BIG CAT COMM SDN. BHD. (202101020363 / 1420663-X)
MK1-09-08, Arte Mont Kiara, Jalan Sultan Haji Ahmad Shah
50480 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur, Malaysia
Trading as: Egghey  |  www.egghey.com
Email: hello@egghey.com (Subject: "PDPA Data Request")