This document is a draft pending formal legal review. It does not constitute a binding privacy policy. The final version will be published before the platform enters production. For queries, contact privacy@minilorry.com.
Privacy Policy
Last updated: May 2026 (draft) Β· Effective date: To be announced
1. Who we are
Minilorry Sdn Bhd (βMinilorryβ, βweβ, βusβ, βourβ) is a Malaysian company operating the Minilorry platform β a fleet management SaaS and zero-commission logistics marketplace. Our registered office is in Kuala Lumpur, Malaysia.
This Privacy Policy explains how we collect, use, store, and share personal data when you use the Minilorry platform as a vendor, customer, agent, driver, or visitor. It is written in plain language, but it is a legally serious document β please read it.
This policy is governed by the Personal Data Protection Act 2010 (PDPA) of Malaysia.
2. What data we collect
2.1 Account data
- Name and email address from your Google account (via OAuth, all roles).
- Profile photo from your Google account (used for identification within the platform).
- Phone number (captured during onboarding for WhatsApp delivery notifications β not used for authentication).
- Preferred region and language settings.
2.2 Vendor-specific data
- Company name, SSM registration number, and registered business address.
- Fleet details: vehicle registration plates, lorry classes, sticker compliance photos.
- Driver roster: names, phone numbers, NRIC numbers (last 4 digits for compliance), GDL licence numbers.
- Subscription and billing history (payment reference IDs only β not card credentials).
- Bank account details for DuitNow marketplace earnings payouts.
- WhatsApp token usage logs.
2.3 Driver data (collected via the native app)
- Real-time GPS location during active shifts (60-second intervals). Location data is not collected when a driver is clocked out.
- Shift history: clock-in/out times, lorry assigned, starting and ending odometer readings.
- Delivery photos taken at each checkpoint (pickup, loading, each drop).
- COD collection entries and discrepancy records.
- Petrol receipt photos processed via OCR.
- Sticker spot-check photos (~3% of marketplace deliveries).
2.4 Customer data
- Delivery addresses (including raw pasted text and AI-parsed structured fields).
- Recipient names and phone numbers at each delivery stop.
- Booking history and delivery preferences.
- Payment method references (processed by Billplz β we do not store card numbers or bank credentials).
2.5 Agent data
- NRIC front and back photos, selfie with NRIC (required for KYC verification per Malaysian financial regulations).
- DuitNow-registered bank account details for commission payouts.
- Referral link usage statistics and downline vendor records.
- Commission history and tax documentation.
2.6 Usage and technical data
- IP address, browser type, operating system, and session duration (collected for security, fraud detection, and abuse prevention).
- Pages visited and features used within the platform.
- Error logs and crash reports from the driver native application.
3. How we use your data
We use personal data only for the purposes listed here. We do not sell your data to third parties.
- Platform operation: processing bookings, scheduling deliveries, matching marketplace gigs, and managing fleet shifts.
- Authentication: verifying your identity via Google OAuth on every sign-in.
- Customer notifications: sending delivery status updates via WhatsApp at vendor-configured checkpoints. WhatsApp is used for notifications only β not authentication.
- Compliance: verifying vendor business registration (SSM), reviewing sticker photos (AI-assisted, human-confirmed), and performing agent KYC under Malaysian financial regulations.
- Tax and invoicing: generating LHDN MyInvois-compliant e-invoices for every marketplace transaction.
- Fraud and abuse prevention: detecting cartel-pricing behaviour, fake GPS signals, COD discrepancies, and suspicious agent recruitment patterns.
- Platform improvement: analysing aggregate usage to improve features. AI address parsing is improved using historical parsed-address attempts with personally identifiable information removed.
- Payouts: calculating and disbursing marketplace earnings (vendors) and recruitment commissions (agents) via DuitNow.
- Legal obligations: maintaining records required by LHDN (7 years for tax records), Suruhanjaya Syarikat Malaysia, and other Malaysian regulatory bodies.
4. Who we share data with
We share data with third parties only where necessary to operate the platform:
| Third party | Purpose | Data shared |
|---|---|---|
| Supabase (Singapore) | Database hosting, authentication, file storage | All platform data, hosted on Singapore servers |
| Vercel (Edge Network) | Web hosting and CDN | Web request logs, no personal data stored |
| Google (OAuth only) | Authentication | We receive your name and email from Google. We do not share data back to Google for advertising purposes. |
| Billplz (Malaysia) | Payment processing β FPX, DuitNow QR, card | Booking amounts. No card credentials pass through our servers. |
| LHDN MyInvois (Malaysia) | e-Invoice submission β mandatory by law | Invoice details: buyer name, amount, transaction ID, SSM number |
| WhatsApp Business (Meta) | Customer delivery notifications | Customer phone number and delivery status messages. Vendor-consumed tokens only. |
| Cloudflare R2 | Sticker and delivery photo storage | Encrypted photo files. R2 stores in their global network. |
| Google Gemini Vision (API) | AI sticker verification and petrol receipt OCR | Photo content only. Images are not used by Google for model training under the API terms. |
| DeepSeek (API) | Address parsing for customer bookings | Raw address text only. No name, phone, or personal identifiers are included in parsing requests. |
We may also share data with law enforcement or regulatory authorities where required by Malaysian law, or to protect the rights and safety of platform users.
5. Data retention
| Data type | Retention period |
|---|---|
| Active account data | Duration of your subscription |
| Account data after cancellation | 90 days, then deleted on request or automatically |
| Delivery records (MyInvois compliance) | 7 years from transaction date β required by LHDN |
| GPS location data | 90 days from date of delivery, then aggregated or deleted |
| Delivery photos | 2 years from delivery date, or until vendor deletes them |
| Agent KYC documents (NRIC, selfie) | 5 years from date of verification, or as required by law |
| Payment references | 7 years (tax compliance) |
| Fraud and abuse signals | 2 years from last incident, or until resolved |
6. Your rights under the PDPA 2010
As a data subject under the Personal Data Protection Act 2010 (Malaysia), you have the following rights:
- Access: You may request a copy of the personal data we hold about you.
- Correction: You may request that inaccurate or incomplete data be corrected.
- Withdrawal of consent: You may withdraw consent for processing where consent is the legal basis. This may require account deletion.
- Restriction: You may request restriction of processing in certain circumstances (for example, while a dispute is pending).
- Deletion: You may request deletion of your account and associated data. Data required for legal compliance (e.g., MyInvois records) cannot be deleted before the statutory retention period expires.
- Portability: You may request an export of your personal data in a machine-readable format.
To exercise any of these rights, email privacy@minilorry.com with your registered email address and a description of your request. We will respond within 21 days.
7. Security
We take reasonable technical and organisational measures to protect your data:
- All data is transmitted over HTTPS (TLS 1.2+).
- Database access is protected by Supabase Row Level Security policies β each user can only access their own data.
- Admin access requires Google OAuth plus TOTP two-factor authentication (mandatory for Super Admin and Finance roles).
- Cloudflare R2 storage buckets are private by default β photo access requires authenticated signed URLs.
- Payment credentials are never stored on our servers β Billplz handles all card and banking data.
- Driver GPS data is transmitted over encrypted connections and stored in the platform database, accessible only to the vendor company that employs them.
No system is completely secure. If you believe your account has been compromised, contact us immediately at security@minilorry.com.
8. Children
The Minilorry platform is intended for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us at privacy@minilorry.com and we will delete it promptly.
9. Changes to this policy
We may update this policy from time to time to reflect changes in our practices or applicable law. Material changes will be notified via the email address on your account at least 14 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
10. Contact
Privacy and data protection enquiries:
Data Protection Officer
Minilorry Sdn Bhd
Kuala Lumpur, Malaysia
privacy@minilorry.com