1. Introduction
Herographers ("we", "us", or "our") is committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal data when you use our platform at www.herographers.com (the "Platform").
By using our Platform, you consent to the data practices described in this policy. If you do not agree, please discontinue use of the Platform.
2. Data Controller
Herographers is the data controller responsible for your personal data. For questions or concerns about this policy, contact our Data Protection Officer at support@herographers.com.
3. Personal Data We Collect
We collect the following categories of personal data:
3.1 Information You Provide
- Account information: Name, email address, phone number, password.
- Booking information: Session date, time, location (including GPS coordinates), category preferences, special instructions.
- Payment information: Payment method details are processed by our third-party payment providers. We do not store your full card numbers or bank credentials on our servers.
- Creator application data: IC/passport number, date of birth, gender, nationality, portfolio samples, equipment details, social media profiles, bank account details for payouts.
- Communications: Messages exchanged through the Platform, support inquiries, feedback, and reviews.
3.2 Information Collected Automatically
- Device information: Browser type, operating system, device identifiers.
- Usage data: Pages visited, features used, session duration, referral URLs.
- Location data: Approximate location derived from IP address; precise location when you use our location-based search features (with your consent).
- Cookies and similar technologies: See Section 10 below.
3.3 Information from Third Parties
- Authentication providers: If you sign in via third-party services, we receive your name and email as authorized by you.
- Payment providers: Transaction status, payment confirmation, and refund status.
4. Purpose of Processing
Under Section 6 of the PDPA, we process your personal data for the following purposes:
- Service delivery: To process bookings, assign creators, facilitate sessions, and deliver photos/videos.
- Account management: To create and maintain your account, verify identity, and provide customer support.
- Payment processing: To process payments, issue refunds, calculate creator payouts, and generate financial records.
- Communication: To send booking confirmations, session reminders, delivery notifications, and respond to inquiries.
- Platform improvement: To analyze usage patterns, fix bugs, develop new features, and improve user experience.
- Safety and security: To detect fraud, prevent abuse, enforce our Terms of Service, and protect platform integrity.
- Legal compliance: To comply with applicable Malaysian laws, regulations, and legal proceedings.
- Marketing: To send promotional offers, newsletters, and platform updates (only with your explicit consent; you may opt out at any time).
5. Consent
In accordance with Section 6 of the PDPA, your consent is obtained at the point of data collection (account registration, booking creation, or creator application). You may withdraw your consent at any time by contacting us, though this may affect our ability to provide services to you.
For marketing communications, we rely on your explicit opt-in consent. You can unsubscribe at any time using the link provided in our emails or by updating your account preferences.
6. Disclosure of Personal Data
We may share your personal data with the following parties:
- Assigned creators: When a booking is confirmed, your name, session date/time, and location are shared with the assigned creator so they can fulfill the service. Your email and phone number are shared only as needed for session coordination.
- Payment processors: To process transactions securely. Our payment partners are contractually bound to protect your data.
- Cloud service providers: We use Supabase (database), Vercel (hosting), and Resend (email) to operate the Platform. These providers process data on our behalf under strict data processing agreements.
- Google: We use Google Maps/Places API for location services. Google's privacy policy applies to this data.
- Legal authorities: When required by law, court order, or government directive under Malaysian law.
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
7. Cross-Border Data Transfers
Some of our service providers operate outside Malaysia. In accordance with Section 129 of the PDPA, we ensure that any cross-border transfer of personal data is made to jurisdictions that provide an adequate level of data protection or under appropriate contractual safeguards.
Our primary data infrastructure is hosted on cloud servers that may be located outside Malaysia. By using our Platform, you consent to such transfers as necessary for the provision of our services.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption of data in transit (TLS/SSL) and at rest.
- Secure authentication with hashed passwords and token-based sessions.
- Row-level security policies on our database to prevent unauthorized access.
- Role-based access controls limiting employee access to personal data on a need-to-know basis.
- Regular security reviews and code audits.
- HMAC-SHA256 webhook verification for payment callbacks.
While we strive to protect your data, no system is 100% secure. In the event of a data breach, we will notify affected individuals and the relevant authorities as required under Malaysian law.
9. Data Retention
- Account data: Retained for as long as your account is active. Upon account deletion request, we will delete or anonymize your data within 30 days, except where retention is required by law.
- Booking and transaction records: Retained for 7 years from the date of the transaction to comply with Malaysian tax and accounting requirements.
- Creator application data: If your application is rejected, data is retained for 6 months for reapplication purposes, then deleted.
- Photos and deliverables: Stored in your private album for up to 12 months after delivery. After this period, files may be archived or deleted. Clients are encouraged to download their photos promptly.
- Usage logs: Retained for up to 12 months for analytics and security purposes, then aggregated or deleted.
10. Cookies
We use cookies and similar technologies for the following purposes:
- Essential cookies: Required for authentication, session management, and security. These cannot be disabled.
- Functional cookies: Remember your preferences (e.g., last searched location, selected tier).
- Analytics cookies: Help us understand how visitors use the Platform so we can improve it.
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using certain features of the Platform.
11. Your Rights Under the PDPA
Under the Personal Data Protection Act 2010, you have the following rights:
- Right of Access (Section 12): You may request access to your personal data held by us. We will respond within 21 days of receiving your request.
- Right of Correction (Section 34): You may request correction of any inaccurate, incomplete, or misleading personal data.
- Right to Withdraw Consent: You may withdraw your consent for processing at any time by contacting us. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
- Right to Prevent Processing for Marketing: You may opt out of receiving marketing communications at any time.
- Right to Prevent Processing Causing Damage: You may request that we stop processing your data if it is causing or is likely to cause unwarranted damage or distress.
To exercise any of these rights, please email us at support@herographers.com with the subject line "Data Rights Request". We may require identity verification before processing your request.
12. Sensitive Personal Data
We do not intentionally collect sensitive personal data as defined under the PDPA (e.g., physical/mental health, political opinions, religious beliefs). If such data is inadvertently collected (e.g., visible in photographs), it will be treated with the highest level of protection.
Creator IC/passport numbers collected during the application process are classified as personal data (not sensitive data under the PDPA) and are stored securely with restricted access for identity verification purposes only.
13. Children's Privacy
Our Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete it promptly.
Photography sessions involving minors (e.g., family or newborn photography) are booked by their parent or legal guardian, who provides consent on their behalf.
14. Photos and Intellectual Property
Photographs and videos produced through our Platform may contain your likeness. By booking a session, you grant Herographers and the assigned creator a non-exclusive right to use the Deliverables for portfolio and marketing purposes, unless you opt out in writing before the session (see our Terms of Service for full details).
Your photos are stored in private albums accessible only to you and authorized Herographers staff. We do not publicly share your photos without your consent.
15. Third-Party Links
Our Platform may contain links to third-party websites or services (e.g., Google Maps, payment providers, social media). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal data.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Material changes will be notified via email or a prominent notice on the Platform. Continued use of the Platform after such changes constitutes acceptance of the updated policy.
17. Complaints
If you believe that we have mishandled your personal data, you may lodge a complaint with us at support@herographers.com. We will investigate and respond within 14 business days.
If you are not satisfied with our response, you may lodge a complaint with the Jabatan Perlindungan Data Peribadi (JPDP) — the Department of Personal Data Protection Malaysia:
18. Contact Us
For questions about this Privacy Policy or your personal data, please contact us: