Skip to main content

Privacy Policy

Last updated February 11, 2026 • PDPA Malaysia + GDPR Compliant

Privacy Policy

Tamu Hospitality Platform Effective Date: February 11, 2026 Last Updated: February 11, 2026

---

1. Introduction

Tamu ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring you have a positive experience on our website and platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website tamuhq.com (the "Site") and use the Tamu SaaS platform (the "Service").

This Privacy Policy complies with:

  • Malaysia's Personal Data Protection Act 2010 (PDPA) - our primary legal framework
  • General Data Protection Regulation (GDPR) - for EU guests booking Malaysian properties
  • Malaysian Communications and Multimedia Commission (MCMC) regulations

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use the Service.

---

2. Information We Collect

2.1 Information You Provide Directly

Account Registration

When you create a Tamu account, we collect:
  • Full name
  • Email address
  • Phone number
  • Physical address (property address)
  • Password and security questions
  • Business registration information (if applicable)
  • Tax identification number
  • Bank account information (for payment settlement)

Property Information

To set up your property for bookings, you provide:
  • Property name and description
  • Property address and GPS coordinates
  • Property photos and media
  • Room types and descriptions
  • Room pricing and availability
  • Amenities and features
  • House rules and cancellation policies
  • Check-in/check-out times and procedures

Payment Information

For processing payments:
  • Payment method (credit card, FPX bank details, etc.)
  • Billing address
  • Payment transaction history
  • Refund details

We use PCI-DSS compliant payment processors (Stripe, FPX partners) to handle sensitive payment data. We do not store full credit card numbers. Only your payment processor stores complete payment credentials.

Guest Information

Your guests provide:
  • Guest name and contact information
  • Email and phone number
  • Number of guests and guest names
  • Special requests and preferences
  • Government ID (optional, for security)
  • Payment information at checkout

Customer Support

When you contact us, we collect:
  • Email and communication content
  • Support tickets and inquiries
  • Chat conversations (WhatsApp, email, or in-app)
  • Screenshots or attachments you provide

Communication

  • Email newsletters you subscribe to
  • Marketing communications and preferences
  • Feedback, reviews, and survey responses

2.2 Information We Collect Automatically

Website and Platform Usage

When you visit tamuhq.com or use the Service, we automatically collect:
  • IP address
  • Device type and operating system
  • Browser type and version
  • Pages visited and time spent
  • Clicks and interactions with the interface
  • Features used and frequency of use
  • Login timestamps and duration
  • Search queries within your account

Cookies and Tracking Technologies

We use cookies and similar technologies to:
  • Maintain your login session
  • Remember your preferences
  • Track website traffic
  • Analyze user behavior
  • Prevent fraud and ensure security

Types of cookies:

  • Essential cookies: Required for the Service to function (session, authentication)
  • Analytics cookies: Google Analytics to understand user behavior
  • Marketing cookies: Retargeting and advertising purposes
  • Preference cookies: Remember your settings and language

You can control cookies through your browser settings. Disabling cookies may affect functionality.

Server Logs

Our servers automatically log:
  • HTTP request details
  • Server response codes
  • Error logs and exceptions
  • Database query patterns (anonymized)
  • API usage and endpoints accessed

Third-Party Analytics

We use Google Analytics to understand how users interact with our Site and Service. Google Analytics collects anonymized data about your visits. You can opt-out using Google's Browser Add-on.

2.3 Information from Third Parties

OTA Integrations

Through iCal synchronization with Airbnb, Booking.com, and Agoda, we receive:
  • Confirmed bookings and reservation details
  • Guest names and contact information (if shared by OTA)
  • Payment amounts and dates
  • Cancellation information

Payment Processors

From Stripe, FPX partners, and payment gateways, we receive:
  • Payment confirmation and transaction IDs
  • Settlement details and balances
  • Chargeback and fraud notifications

Visit Network Integration

From Visit destination portals (Visit Janda Baik, Visit Penang, etc.), we receive:
  • Property listing information and performance metrics
  • Click-through rates to your Tamu booking engine
  • Lead generation data

Third-Party Services

From services we integrate with, we may receive:
  • Email delivery status (Resend)
  • SMS delivery confirmations (if SMS is enabled)
  • Map data (Mapbox)

---

3. How We Use Your Information

3.1 Primary Purposes

We use the information we collect to:

Service Delivery

  • Create and maintain your account
  • Process bookings and guest reservations
  • Facilitate payments and settlements
  • Provide access to the dashboard and features
  • Synchronize calendars with OTA platforms
  • Send booking confirmations and notifications

Communication

  • Send confirmation emails and receipts
  • Notify you of new bookings and cancellations
  • Send reminder emails (check-in, payment pending)
  • Respond to your support inquiries
  • Send administrative updates about your account

Analytics and Improvement

  • Analyze how the Service is used
  • Identify technical issues and bugs
  • Improve features based on user behavior
  • Create aggregated, non-identifiable reports
  • Monitor platform performance and security

Marketing and Promotion

  • Send newsletters and marketing content (opt-in)
  • Inform you of new features and updates
  • Conduct surveys and gather feedback
  • Personalize content and recommendations

Security and Fraud Prevention

  • Detect and prevent fraud and unauthorized access
  • Monitor for suspicious account activity
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Investigate abuse and violations

Guest Experience

  • Facilitate guest communications
  • Enable pre-arrival and post-checkout messaging
  • Collect guest feedback and reviews
  • Manage guest preferences and history
  • Process refunds and disputes

3.2 Legal Basis for Processing

Under PDPA, we process your information based on:

  • Consent: For optional communications like newsletters
  • Contractual Necessity: To provide the Service under our Terms
  • Legal Obligation: To comply with tax, tourism, or other regulations
  • Legitimate Interest: To improve the Service, prevent fraud, ensure security

---

4. Data Sharing and Disclosure

4.1 We Do NOT Share Your Data With

  • Competitors or third-party property management platforms
  • Data brokers or marketing data aggregators
  • Social media platforms (unless you choose to connect them)
  • Advertisers or analytics firms
  • Any third party without your consent

4.2 We DO Share Your Data With

Service Providers and Processors

We share limited data with:
  • Payment Processors: Stripe, FPX partners (payment information only)
  • Email Provider: Resend (email addresses, guest names, booking details for confirmations)
  • Mapping Service: Mapbox (property coordinates for map display)
  • Cloud Infrastructure: Supabase (all data stored, encrypted in transit)
  • Hosting Provider: Vercel (platform hosting and performance monitoring)
  • Analytics: Google Analytics 4 (anonymized usage data)
  • Security/CAPTCHA: Cloudflare Turnstile (bot protection, IP addresses)

All service providers are bound by data protection agreements and prohibited from using data for other purposes.

OTA Platforms

Through iCal synchronization, we transmit:
  • Your availability calendar
  • Booked dates (to prevent double-bookings)
  • Guest information you choose to share

Legal and Regulatory Authorities

We may disclose data if required by:
  • Court orders or legal process
  • Malaysian government agencies (MCMC, MOTAC, BNM)
  • Law enforcement investigations
  • Tax authorities
  • Tourism regulators

Visit Network Integration

We share property listing information with Visit destination portals to:
  • Display your property
  • Drive direct bookings through the "Book Direct" button
  • Report performance metrics

You control what property information is shared through your account settings.

Business Transfers

If Tamu is acquired, merged, or sold, your data may be transferred to the new owner. We will notify you and provide an opportunity to opt-out.

4.3 Guest Data Sharing

As a property operator using Tamu, you are the data controller for guest information. You are responsible for:

  • Obtaining guest consent for data collection
  • Communicating your privacy practices to guests
  • Compliance with PDPA regarding guest data
  • Responding to guest data access requests

Tamu is your data processor and follows your instructions for guest data handling.

---

5. Data Retention

5.1 Retention Periods

We retain data for different periods based on purpose:

| Data Type | Retention Period | Reason | |-----------|-----------------|--------| | Account information | Duration of account + 3 years | Legal/tax compliance | | Transaction records | 7 years | PDPA and tax requirements | | Payment information | Duration of relationship | Dispute resolution | | Email communications | 2 years | Support history | | Login logs | 90 days | Security auditing | | Analytics data | 14 months | Google Analytics default | | Server logs | 30 days | Troubleshooting and security | | Backups | 30 days after deletion | Disaster recovery |

5.2 Deletion Practices

  • Upon account termination, we delete your data after 30 days
  • You can request data deletion anytime (subject to legal holds)
  • Tax and legal records may be retained longer as required by law
  • Backups are automatically purged after 30 days

---

6. Data Security

6.1 Security Measures

We employ industry-standard security practices:

  • Encryption in Transit: HTTPS/TLS encryption for all data transmission
  • Encryption at Rest: Database encryption for sensitive data
  • Access Controls: Role-based access with least-privilege principle
  • Authentication: Secure password hashing (bcrypt or similar)
  • 2FA: Optional two-factor authentication for account security
  • Firewalls: Network firewalls and intrusion detection
  • Monitoring: Real-time security monitoring and alerts
  • Backups: Regular encrypted backups with disaster recovery

6.2 Third-Party Security

Our hosting partners (Supabase, Vercel) maintain:

  • ISO 27001 certifications
  • SOC 2 compliance
  • 99.9% uptime SLA
  • Automatic backups and redundancy
  • DDoS protection

6.3 Limitations

While we maintain strong security, no system is perfectly secure. We cannot guarantee:

  • Protection against sophisticated cyberattacks
  • 100% availability of the Service
  • Prevention of all unauthorized access

---

7. Your Privacy Rights Under PDPA

7.1 Right to Access

You have the right to:

  • Request access to your personal data we hold
  • Request a copy of your data in portable format
  • Know how your data is being used
  • Know who has access to your data

To request access, contact us with your account email.

7.2 Right to Correction

You have the right to:

  • Correct inaccurate or incomplete data
  • Update your contact information
  • Modify your property details

Most updates can be made through your account dashboard.

7.3 Right to Erasure

You have the right to:

  • Request deletion of your personal data
  • Obtain confirmation of deletion
  • Request deletion of residual data from backups

Exceptions: We may retain data if required by law, for legal claims, or to fulfill contractual obligations.

7.4 Right to Restrict Processing

You have the right to:

  • Opt-out of marketing communications
  • Restrict data use for certain purposes
  • Pause analytics tracking

7.5 Right to Withdraw Consent

For data collected on the basis of consent, you may:

  • Withdraw consent anytime
  • Unsubscribe from marketing emails
  • Revoke permission for cookies (except essential cookies)

Withdrawal does not affect lawfulness of prior processing.

7.6 Right to Object

You have the right to object to:

  • Marketing communications
  • Analytics tracking
  • Profiling for service recommendations
  • Automated decision-making

7.7 Right to Data Portability

You have the right to:

  • Receive your data in a structured, portable format
  • Transfer your data to another service provider
  • Request data export for backup purposes

---

8. Data Processing for Guests

8.1 Your Responsibility as Data Controller

When you use Tamu to manage guest bookings, you are the data controller and responsible for:

  • Collecting guest consent for data processing
  • Communicating privacy practices to guests
  • Complying with PDPA regarding guest personal data
  • Responding to guest data access and deletion requests

8.2 Our Role as Data Processor

Tamu is your data processor and will:

  • Process guest data only as instructed by you
  • Maintain appropriate security for guest data
  • Not use guest data for our own purposes
  • Comply with PDPA data protection requirements
  • Assist with guest data requests and deletion

8.3 Guest Privacy Practices

When guests book through Tamu:

  • They receive a privacy notice explaining data use
  • Booking confirmation confirms data collection
  • They can access and delete their data
  • They can opt-out of marketing communications

---

9. International Data Transfers

9.1 Data Location

Your data is primarily stored in:

  • Supabase: Servers in Singapore or Region (APAC)
  • Backups: Geographically distributed for redundancy
  • CDN: Vercel edge locations worldwide

9.2 Data Protection

Data transferred across borders is:

  • Encrypted in transit
  • Protected by appropriate data transfer mechanisms
  • Subject to service provider agreements
  • Compliant with PDPA requirements

---

10. Children's Privacy

Tamu is not intended for individuals under 18. We do not knowingly collect data from children. If we become aware of data from a child, we will delete it promptly.

Parents or guardians concerned about child data should contact us immediately.

---

11. Cookies and Tracking

11.1 Cookie Types

| Cookie Type | Purpose | Consent Required | |-------------|---------|------------------| | Session cookies | Maintain login | No (essential) | | Authentication | Verify identity | No (essential) | | Preferences | Remember settings | Optional | | Analytics | Track usage patterns | Optional | | Marketing | Advertising retargeting | Optional |

11.2 Cookie Management

You can:

  • Accept or reject non-essential cookies on first visit
  • Change cookie preferences in account settings
  • Clear cookies from your browser anytime
  • Opt-out of Google Analytics

Note: Disabling essential cookies may prevent the Service from functioning.

11.3 Third-Party Cookies

Third-party cookies from:

  • Google Analytics
  • Facebook (if social features enabled)
  • Other advertising partners

These are governed by those companies' privacy policies.

---

12. Third-Party Links and Services

Our Site may contain links to third-party websites and services, including:

  • Airbnb, Booking.com, Agoda
  • Visit destination portals
  • Payment processors
  • Social media platforms

We are not responsible for their privacy practices. Please review their privacy policies before sharing information.

---

13. Marketing Communications

13.1 Email Communications

We send you:

  • Service announcements (transactional emails)
  • Booking confirmations and notifications
  • Monthly newsletter (opt-in)
  • Product updates and feature announcements

13.2 Unsubscribe

You can unsubscribe from marketing emails by:

  • Clicking "unsubscribe" in the email footer
  • Managing communication preferences in your account
  • Contacting support@tamuhq.com

Note: You cannot unsubscribe from transactional emails (booking confirmations, payment receipts).

13.3 SMS and WhatsApp

If you opt-in to SMS or WhatsApp notifications:

  • You provide explicit consent
  • Messages relate to your bookings and account
  • You can opt-out anytime

---

14. Sensitive Personal Data

We do not intentionally collect sensitive personal data (race, religion, political affiliation, medical information, etc.) unless:

  • Necessary for your hospitality business operations
  • You voluntarily provide it
  • Required by law

If you provide sensitive data, we will:

  • Minimize its collection
  • Restrict access
  • Apply heightened protection
  • Delete it as soon as no longer necessary

---

15. PDPA Compliance

15.1 PDPA Principles

We comply with PDPA requirements:

  1. Notice and Consent: We provide this Privacy Policy and obtain consent
  2. Purpose Limitation: We use data only for stated purposes
  3. Data Accuracy: We maintain accurate and current data
  4. Data Security: We employ security measures
  5. Retention Limitation: We delete data when no longer needed
  6. Data Integrity: We prevent unauthorized alteration
  7. Openness: We are transparent about our practices

15.2 PDPA Data Subject Rights

Under PDPA, you have rights to:

  • Access your personal data
  • Correct inaccurate data
  • Request processing limitations
  • Withdraw consent
  • Lodge complaints with the Personal Data Protection Commissioner

---

16. GDPR Compliance (European Union)

16.1 Applicability

While Tamu is a Malaysian company primarily serving Malaysian properties, we recognize that EU residents may book accommodations through our platform. For EU guests, we comply with the General Data Protection Regulation (GDPR).

16.2 Legal Basis for Processing (GDPR)

We process EU guest data based on:

  • Contractual Necessity: To fulfill booking and accommodation services
  • Legitimate Interest: To provide customer support, prevent fraud, improve services
  • Consent: For marketing communications (explicit opt-in required)
  • Legal Obligation: To comply with tax and financial regulations

16.3 GDPR Rights for EU Guests

EU guests have enhanced rights under GDPR:

  1. Right to Access: Request a copy of your personal data
  2. Right to Rectification: Correct inaccurate information
  3. Right to Erasure ("Right to be Forgotten"): Request deletion of your data
  4. Right to Restrict Processing: Limit how we use your data
  5. Right to Data Portability: Receive your data in a structured format
  6. Right to Object: Object to processing based on legitimate interest
  7. Right to Withdraw Consent: Withdraw consent for marketing at any time
  8. Right to Lodge a Complaint: File a complaint with your local Data Protection Authority

16.4 Data Transfers Outside EU

If your data is transferred from the EU to Malaysia or other regions:

  • We use appropriate safeguards (Standard Contractual Clauses)
  • Data is encrypted in transit and at rest
  • Service providers are GDPR-compliant or provide adequate protection

16.5 EU Representative

For GDPR-related inquiries from EU residents:

Contact: support@tamuhq.com (subject line: "GDPR Inquiry") Response Time: Within 30 days

16.6 Data Retention for EU Guests

  • Active booking data: Duration of stay + 1 year
  • Financial records: 7 years (tax compliance)
  • Marketing data: Until consent is withdrawn
  • Guest can request earlier deletion (subject to legal obligations)

---

17. Data Protection Officer

Tamu has designated a Data Protection Officer (DPO) to oversee compliance. For privacy inquiries:

Data Protection Officer Email: support@tamuhq.com Address: Tamu offices, [Address - To be added when registered]

---

18. Changes to This Privacy Policy

  • Tamu may update this Privacy Policy periodically
  • Material changes will require your explicit consent
  • Minor updates may be effective immediately
  • Continued use after changes constitutes acceptance

We will notify you via email of material changes 30 days in advance.

---

19. Complaint Resolution

19.1 Contact Us First

If you have privacy concerns:

  1. Contact us directly: support@tamuhq.com
  2. We will investigate and respond within 30 days
  3. We will make reasonable efforts to resolve issues

19.2 Escalation

If unresolved after 30 days, you may lodge a complaint with:

Personal Data Protection Commissioner (PDPC) Suruhanjaya Khas Menangani Hal Ehwal Perlindungan Data Peribadi Malaysia Website: www.pdpc.gov.my

---

20. Definitions

  • Personal Data: Any information relating to an identified or identifiable individual
  • Processing: Any operation performed on data (collection, use, disclosure, deletion)
  • Data Controller: The entity determining the purposes and means of processing
  • Data Processor: The entity processing data on behalf of the controller
  • PDPA: Personal Data Protection Act 2010 (Malaysia)
  • Sensitive Data: Data about race, religion, politics, medical conditions, biometrics, etc.

---

21. Contact Information

For questions about our privacy practices:

Tamu Support - Privacy Inquiries Email: support@tamuhq.com WhatsApp: [Support Number] Hours: Monday-Friday, 9am-6pm Malaysia Time

---

Version 1.0 | February 11, 2026

This Privacy Policy complies with Malaysia's Personal Data Protection Act 2010 (PDPA) and reflects best practices for personal data protection in hospitality SaaS platforms.

PDPA Malaysia Compliance

This Privacy Policy has been drafted in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia. We comply with all requirements for data collection, processing, storage, and subject rights.

Data Protection Contact: support@tamuhq.com

If you have concerns about how we handle your personal data or would like to exercise your rights, please contact support@tamuhq.com