Privacy Policy
How we handle your data — written in plain English.
Last updated: 23 May 2026
Effective Date: 24 March 2026
This Privacy Policy is governed by the Personal Data Protection Act 2010 (PDPA) of Malaysia. We are committed to protecting your personal data in accordance with PDPA requirements.
Data Controller
The data controller for personal information collected through EkadInvite is {{BUSINESS_NAME}}, with registered address at {{BUSINESS_ADDRESS}}. For data-protection enquiries, contact us at hello@ekadinvite.my.
1. Information We Collect
We collect the following information: Name and email address during registration, event details (couple names, date, location), uploaded photos, guest RSVP responses, and guestbook messages.
2. Use of Information
Your information is used to: Create and display your digital invitation card, process guest RSVPs and messages, send confirmation and notification emails, and improve our services.
3. Data Storage
Your data is stored securely using Supabase (in the Southeast Asia region). Photos are stored on Cloudflare R2. We do not share your personal data with third parties for marketing purposes.
Cross-border Data Transfer
Some of your personal data is stored outside Malaysia. Specifically, Supabase (our database and authentication provider) hosts your account data in Singapore (ap-southeast-1). Cloudflare R2 stores your uploaded photos and assets across Cloudflare's global edge network. By using EkadInvite, you consent to this cross-border transfer under section 129 of the Personal Data Protection Act 2010 (PDPA).
4. Public Invitation Cards
Published invitation cards are publicly accessible via a unique link. Cards are not indexed by search engines. Guests accessing your card can view event details, photos, and leave RSVPs or messages.
5. User Rights (PDPA Section 7)
Under the PDPA 2010, you have the right to access, correct, and delete your personal data. You may delete your account and all associated data (cards, RSVPs, guestbook messages, orders) directly from your Profile page in the dashboard. Alternatively, contact us at hello@ekadinvite.my.
6. Data Retention
We retain your account and card data for as long as your account is active. If you delete your account, we permanently remove all your personal data within 30 days, except where we are legally required to retain certain records (for example, payment records under tax law). Backups are encrypted and rotated every 30 days.
Breach Notification
In the unlikely event of a personal data breach that may put your rights at risk, we will notify affected users within 72 hours of confirming the breach via the email on file. We will describe the nature of the breach, the data affected, and the steps you should take.