Privacy Policy

Last updated: 4 July 2026

This notice is provided in accordance with Section 7 of the Personal Data Protection Act 2010, and is available in Bahasa Malaysia and English. The Chinese version is provided for convenience only.

1. Information we collect

  • Account information — your name, email address, password (stored as a bcrypt hash, never in plain text), and profile photo.
  • Household data — household name, location, house rules, room listings, and invite codes for households you create or join.
  • Occupancy and billing data — your weekly schedule, daily schedule overrides, bills, and payment status within your household.
  • Chores — tasks you create, are assigned, or complete.
  • Messages — conversations and announcements within your household.
  • Reviews — star ratings and comments you give to or receive from housemates.
  • Preferences — your language and theme (light/dark) settings.

2. How we use your information

We use the information above to:

  • Operate the Service — split bills, track chores, calculate occupancy, and deliver messages.
  • Show your household members the information you share within that household.
  • Show public households on the Discover page, if the household owner has opened their listing.
  • Keep your account secure and enforce our Terms and Conditions.

3. Cookies and local storage

We use a small number of cookies:

  • auth-token — an httpOnly session cookie that keeps you signed in, valid for 7 days.
  • theme and locale — remember your display and language preferences.

We don't use third-party advertising or tracking cookies.

4. How we protect your data

Passwords are hashed with bcrypt before storage — we never store or have access to your plain-text password. Session cookies are httpOnly, so they can't be read by client-side scripts. Data is stored in a PostgreSQL database. No system is completely secure, but we take reasonable technical measures to protect your information.

5. Who sees your information

Information you add to a household — your schedule, chores, bill status, messages, and reviews — is visible to the other members of that household. Public household listings are visible to anyone browsing Discover, but never your private schedule or billing details. We don't sell your information, and we don't share it with third parties except the infrastructure providers (such as our hosting and database provider) necessary to run the Service.

6. Data retention

We retain your account and household data for as long as your account is active. If you delete your account, we remove your personal information within a reasonable period, except where we need to retain it to comply with a legal obligation or resolve a dispute.

7. Your rights under Malaysian data protection law

Under Malaysia's Personal Data Protection Act 2010, you have the right to:

  • Access the personal data we hold about you (Section 30).
  • Request correction of personal data that's inaccurate, incomplete, or outdated (Section 34).
  • Withdraw your consent to our processing of your personal data at any time (Section 38).
  • Object to processing that's likely to cause you or another person unwarranted damage or distress (Section 42).
  • Object to your personal data being processed for direct marketing (Section 43).

You can exercise most of these rights directly from Settings, or by contacting us below.

8. Data Protection Officer

We've appointed a Data Protection Officer responsible for our compliance with the Personal Data Protection Act 2010. You can reach them using the contact details at the end of this policy.

9. Data breach notification

If we become aware of a personal data breach, we'll notify the Personal Data Protection Commissioner as soon as practicable. Where a breach is likely to cause significant harm to you, we'll also notify you directly without unnecessary delay.

10. International data transfers

Some of our infrastructure providers (such as hosting and database services) may process your data outside Malaysia. Where this happens, we take reasonable steps — such as choosing providers in jurisdictions with comparable data protection standards or relying on contractual safeguards — consistent with the Personal Data Protection Act's requirements for transferring data outside Malaysia.

11. Children's privacy

The Service isn't directed at children under 13, and we don't knowingly collect information from them.

12. Changes to this policy

We may update this policy from time to time. If we make material changes, we'll do our best to let you know before they take effect.

13. Contact

Questions about this policy, or want to access or delete your data? Reach out at hello@gengrumah.com.
