Privacy Policy

Last updated: 10 June 2026. This policy is issued under the Malaysian Personal Data Protection Act 2010 (“PDPA”) and covers the Hartanahub web app, mobile PWA, and marketing site (collectively, the “Service”).

1. Who we are (Data Controller)

The data controller responsible for your personal data under the PDPA is:

  • Operating entity: Hartanahub [Sdn Bhd / Enterprise — SSM registration pending; see footer for live registration number once confirmed]
  • SSM business / company number: [to be inserted on SSM approval]
  • Registered office: [to be inserted on SSM approval]
  • Trading name: Hartanahub (the “Platform”).
  • Primary contact: privacy@hartanahub.com

For the purposes of the PDPA, Hartanahub is the “data user” in respect of personal data submitted to the Platform by registered users, and a “data processor” in respect of data we process strictly on behalf of partnering institutions (e.g. a bank instructing us to surface a specific auction listing).

2. Scope & consent

By creating an account, completing a contact form, opening a partner enquiry, or otherwise using the Service, you consent to your personal data being collected and processed in the manner described in this policy. If you do not agree, please do not use the Service.

This policy applies to (a) end-user buyers and watchlist subscribers, (b) registered real-estate negotiators and partner agents, (c) prospective and existing partner institutions (banks, financial-services firms, law firms, auctioneers), and (d) visitors to the marketing site.

3. Personal data we collect

3.1 Information you provide

  • Account details — email address, display name, password (stored only as a bcrypt hash, cost factor 12), subscription tier, and (for agents) Real Estate Negotiator (REN) number.
  • Identity & verification — for agent accounts, the proof-of-licence document you upload during registration. For prospective bank-partner contacts, the business email and contact details you provide.
  • Property activity — watchlist entries, search queries you submit, auction records you log, inquiry-form submissions, properties you self-register as an owner.
  • Documents you upload — receipts, tenancy agreements, Proclamation of Sale documents, and similar files you choose to store in your personal vault on Cloudflare R2.
  • Communications — emails to support@, privacy@, legal@, billing@, agents@; messages submitted through the in-app Property Assistant; contact-form submissions.
  • Payment data — for paid-tier subscribers, billing email and a Stripe customer reference. Card details are entered directly into Stripe and never reach Hartanahub servers (PCI-DSS handled end-to-end by Stripe).

3.2 Information collected automatically

  • Device data — IP address (used for rate-limiting, the “Near Me” geolocation fallback, and fraud prevention), browser type, operating system, session timestamps. Standard Vercel platform logs are retained for up to 30 days.
  • Usage data — pages viewed, features used, watchlist alerts triggered. Stored against your account to power your dashboard.
  • Error telemetry — when the Service crashes, Sentry captures a stack trace. Session cookies, authorisation headers, and form values are stripped at the SDK boundary before the event leaves our infrastructure.

3.3 Sensitive personal data

Documents you choose to upload may contain “sensitive personal data” as defined in PDPA Section 4 (e.g. National Registration Identification Card numbers on a tenancy agreement). We do not require sensitive personal data to operate the Service, and we recommend you redact it before uploading. Where you do upload sensitive personal data, you provide express consent for us to store and process it solely to deliver the document-vault feature.

4. Purposes of processing & legal bases

We process personal data only for the purposes set out below and only on a lawful basis under the PDPA:

  • To deliver the Service (contract performance) — authentication, watchlist alerts, dashboards, search, comparables, Proclamation of Sale (POS) access, tenancy portals, document vault.
  • To process payments (contract performance) — billing, renewals, refunds, invoicing, SST compliance.
  • To send transactional email (contract performance) — verification, password reset, agent approval, billing receipts, watchlist alerts you opted into, important security and account notices.
  • To prevent fraud and abuse (legitimate interest) — rate-limiting, bot-protection, account-lockout, audit-trail logging, agent-licence verification.
  • To comply with law (legal obligation) — tax reporting (LHDN), responding to lawful requests from PDRM, MACC, the Inland Revenue Board, Bank Negara Malaysia, or a court of competent jurisdiction.
  • To improve the Service (legitimate interest) — aggregated, anonymised usage analysis. Aggregated data cannot identify you individually.
  • To send marketing communications (consent) — only where you have opted in. You can withdraw consent any time via the unsubscribe link in any marketing email or by emailing privacy@hartanahub.com.

5. What we do not do

  • We do not sell your personal data to third parties.
  • We do not share your watchlist, search history, or personal auction records with other users, agents, or the public.
  • We do not fingerprint your device for advertising or cross-site retargeting.
  • We do not run third-party advertising networks or analytics SDKs (no Google Analytics, no Meta Pixel, no TikTok Pixel).
  • We do not use your data to train large language models or to enrich third-party AI vendors.

6. Who has access to your data

6.1 You

You retain full control of your account data via the Profile and Settings pages: edit your details, export your data, change your email, change your password, or delete your account.

6.2 Hartanahub team (internal)

A small number of authorised personnel have read-only access for support, fraud prevention, and data-quality investigation. Every administrator action against a user account writes to an immutable audit log. Administrators are bound by written confidentiality undertakings.

6.3 Partnering institutions (banks, law firms, auctioneers, REN agents)

Where you submit an enquiry through the Platform's “Talk to an auction agent”, “Request POS”, “Register interest”, or future bank-partner integration flows, we share only the data required to action that enquiry — typically your name, contact details, and the specific property in question — with the partnering institution you have selected. Each partnering institution is bound by a written data-sharing agreement and is contractually prohibited from re-using your data for unrelated marketing.

When you are matched with a partnering bank (for example, to obtain a loan indication on an auction property), we will surface the bank's identity to you in-product before sharing your enquiry. You can decline at that point.

6.4 Sub-processors (platform providers)

Each sub-processor below is bound by a written data-processing agreement, processes data only on our instructions, and never receives your files in cleartext beyond transit:

  • Vercel Inc. (United States; primary serving region Singapore sin1) — application hosting, edge-network delivery, build artefacts, runtime logs.
  • Neon Inc. (United States; data hosted on AWS ap-southeast-1, Singapore) — managed Postgres database for auction listings, your watchlist, account data.
  • Cloudflare, Inc. (United States; R2 buckets located in Asia-Pacific) — encrypted-at-rest object storage for documents you upload and Proclamation of Sale PDFs.
  • Cloudflare Turnstile (United States) — bot-protection challenge on registration, login, and forgot-password forms. No tracking; no cookie beyond the challenge session.
  • Resend, Inc. (United States) — transactional email delivery (verification, password reset, agent approval, watchlist alerts you opted into).
  • Stripe Payments Malaysia Sdn. Bhd. (with Stripe, Inc., United States) — payment processing for paid-tier subscribers. We never store your card details; Stripe holds them under PCI-DSS Level 1.
  • Sentry / Functional Software, Inc. (United States; EU data residency available on request) — error monitoring. Session cookies and authorisation headers are stripped at the SDK boundary before events leave our servers.
  • Google LLC (United States; Maps Platform) — geocoding addresses for the map view. We send the address only; we do not send your account identity along with it.
  • Apify Technologies s.r.o. (Czech Republic, European Union) — public-data collection infrastructure used internally to refresh public auction listings. Does not process your personal data.

7. Cross-border transfers (PDPA Section 129)

Some of our sub-processors are located outside Malaysia (United States, European Union). By using the Service you give your express consent under PDPA Section 129 to your personal data being transferred to, and processed in, those jurisdictions, strictly for the purposes set out in Section 4 and subject to written data-processing agreements that impose protections substantially equivalent to the PDPA.

Where a jurisdiction has been gazetted by the Personal Data Protection Commissioner as failing to provide an adequate level of protection, we do not transfer personal data to it unless we have first put in place additional contractual or technical safeguards (such as encryption at rest and standard contractual clauses).

8. Storage, security & data residency

  • In transit: every connection to Hartanahub uses TLS 1.2+, and HTTPS is enforced by HTTP Strict Transport Security (HSTS) with a 1-year max-age. Browsers that have seen the HSTS policy will refuse any non-HTTPS request to hartanahub.com.
  • At rest: the Postgres database (Neon) and uploaded documents (Cloudflare R2) are encrypted at rest by the platform providers using AES-256. Passwords are hashed with bcrypt (cost factor 12) and never stored in cleartext.
  • Primary region: application hosting is in Singapore (Vercel sin1); the production database is hosted on AWS infrastructure in Singapore (ap-southeast-1) managed by Neon. Routine processing remains within the Asia-Pacific region.
  • Backups: the database has automated daily backups retained for 7 days (Neon platform default). Documents you delete are removed from Cloudflare R2 within 24 hours.
  • Access controls: production database and object storage access is restricted to named personnel and gated by multi-factor authentication, and access credentials are rotated on personnel changes.
  • Audit trail: sensitive administrator actions (changing your tier, viewing your account, agent approvals, document access) write to an immutable audit log retained for at least 12 months.
  • Application-level controls: Content Security Policy with per-request nonce, brute-force lockout on login, server-side rate limits, server-side authorisation for every API route, separation of admin and end-user surfaces.
  • Vulnerability management: dependency-scanning on every release, monthly security review, responsible-disclosure programme at security@hartanahub.com.

9. Data breach notification

Hartanahub maintains a written security-incident response procedure. In the event of a personal-data breach that is reasonably likely to result in a risk of harm to affected individuals, we will:

  • Notify affected users without undue delay, and in any event within 72 hours of confirming the scope of the breach;
  • Describe the nature of the breach, the categories of data involved, the likely consequences, and the steps we have taken or propose to take;
  • Cooperate with the Personal Data Protection Commissioner of Malaysia and any other regulator with jurisdiction (including Bank Negara Malaysia where a partnering financial institution is affected).

We voluntarily adopt this 72-hour notification standard in advance of the Personal Data Protection (Amendment) Bill's formal commencement.

10. Your rights under the PDPA

You have the following rights in respect of your personal data:

  • Access (Section 30) — request a copy of the personal data we hold about you.
  • Correction (Section 34) — request that inaccurate or incomplete data be corrected.
  • Withdraw consent (Section 38) — withdraw consent to processing (where consent is the legal basis); note that withdrawal may prevent us from delivering parts of the Service.
  • Object to direct marketing (Section 43) — opt out of marketing emails at any time.
  • Limit processing (Section 42) — request that we limit processing in specified circumstances.
  • Deletion — request closure of your account and erasure of associated personal data, subject to retention required by law (Section 12).

Submit any of the above requests to privacy@hartanahub.com. We will acknowledge within 7 working days and provide a substantive response within 21 calendar days, free of charge for the first request in any 6-month period. We may require proof of identity before actioning a request.

11. Cookies & local storage

We use a minimal set of cookies and local-storage entries:

  • Session cookie (strictly necessary) — authenticates your account; httpOnly, secure, SameSite=Lax. Persists until you sign out or 30 days, whichever comes first.
  • Cloudflare Turnstile (strictly necessary) — a single bot-protection cookie on registration, login, and password-reset pages. Cleared at the end of the challenge.
  • Local storage (functional) — interface preferences such as theme (light/dark), dismissed banners, last-viewed tab. Lives on your device only; never sent to our servers.
  • No analytics or advertising cookies. We do not run Google Analytics, Meta Pixel, TikTok Pixel, LinkedIn Insight, or any other third-party tracker.

You can clear cookies and local storage at any time from your browser. Doing so will sign you out and reset your interface preferences but will not affect your account data.

12. Retention

  • Active account data — retained for as long as your account is open.
  • Closed accounts — personal data is purged within 30 days of account closure.
  • Anonymised usage data — may persist in aggregate analytics indefinitely (it cannot identify you).
  • Transactional records (invoices, tax receipts) — retained for 7 years as required by the Income Tax Act 1967 and the Service Tax Regulations 2018.
  • Audit and security logs — retained for at least 12 months for fraud-prevention and regulatory purposes.
  • Backups — purged on the rolling 7-day cycle described above; deletion requests cascade through backup expiry.

13. Children & minors

The Service is intended for individuals aged 18 and over. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided personal data to us, please contact privacy@hartanahub.com and we will delete the account.

14. Automated decision-making & profiling

The Service surfaces comparables, suggested properties, and an in-app Property Assistant powered by large language models. These features are informational aids; they do not make decisions that produce legal effects on you (such as approving credit, denying service, or determining a price you must pay). Where you interact with the Property Assistant, your message is processed solely to generate the reply and is not retained beyond a rolling conversation history limited to your own account.

15. Direct marketing

We send marketing emails (product updates, new-feature announcements, partnership news) only to users who have opted in. Every marketing email contains an unsubscribe link; clicking it withdraws consent immediately. Transactional emails (security, billing, watchlist alerts you have opted into) are not marketing and cannot be opted out of without closing the account.

16. Data Protection Officer

Hartanahub's designated Data Protection Officer can be reached at privacy@hartanahub.com. The DPO is responsible for monitoring PDPA compliance, handling data-subject requests, and acting as the contact point for the Personal Data Protection Commissioner.

17. Complaints & regulator escalation

If you believe we have mishandled your personal data, please contact our DPO first at privacy@hartanahub.com. If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia:

  • Jabatan Perlindungan Data Peribadi (JPDP)
  • Aras 6, Kompleks Kementerian Komunikasi dan Multimedia, Lot 4G9, Persiaran Perdana, Presint 4, 62100 Putrajaya, Malaysia
  • Tel: +603-8911 7000 · Web: www.pdp.gov.my

18. Changes to this policy

We post material changes on this page and notify registered users by email when a change materially affects their data. The “Last updated” date at the top of the policy reflects the current version. Version history is maintained in our internal change-log and is available on request.

19. Contact

Privacy questions and PDPA requests: privacy@hartanahub.com.
Security and responsible-disclosure: security@hartanahub.com.
Anything else: the Contact page.