Privacy Policy

Websumo Solutions (Co. Reg. No. 201803015504) ("WhatsMenu", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the WhatsMenu platform and services. Please read this policy carefully.

This policy applies to two groups of data subjects:

  • Merchants — business owners and staff who register for and operate a WhatsMenu account.
  • End-customers — individuals who interact with a merchant's storefront, place orders, or otherwise engage with a merchant through WhatsMenu (e.g., via WhatsApp, QR code menus, or the online ordering page).

For merchant data, WhatsMenu acts as the data user (controller). For end-customer data entered or collected through a merchant's WhatsMenu storefront, WhatsMenu acts as a data processor on behalf of the merchant, who remains the data user.

1. INFORMATION WE COLLECT

1.1 Information Provided by Merchants

  • Account Information: Name, email address, phone number, and business details
  • Payment Information: Billing address, subscription plan details, and payment history. WhatsMenu does not store payment card information — card payments are handled securely by Stripe. For manual bank transfer payments, we receive and retain bank transfer receipts or transaction references submitted by the merchant as proof of payment.
  • Business Information: Business name, address, operating hours, menu items, product catalogs, images, and business documents
  • End-Customer Data uploaded by the merchant: Any information merchants input, import, or upload into our platform about their own customers
  • Communications: Messages, feedback, and support requests sent to us

1.2 Information Collected from End-Customers (via Merchant Storefronts)

When an end-customer interacts with a merchant's WhatsMenu storefront or ordering flow, we may process on the merchant's behalf:

  • Name, phone number, and delivery or pickup address
  • Order details, order history, and special instructions
  • WhatsApp messages sent to the merchant's business number through our ordering flow
  • Loyalty or points balance, where the merchant uses the loyalty feature
  • Payment confirmation details (actual payment processing is handled by the merchant's chosen payment provider)

1.3 Information Collected Automatically

  • Usage Data: How users interact with our platform, pages visited, features used
  • Device Information: IP address, browser type, operating system, device identifiers
  • Log Data: Server logs, access times, pages viewed, and other technical information
  • Cookies and Similar Technologies: To enhance your experience and analyze platform usage (see Section 8)

1.4 Information from Third Parties

  • Payment Processors: Stripe provides us with payment confirmation and transaction details
  • Analytics and Marketing Services: Usage statistics, platform performance data, and advertising attribution data (e.g., Meta/Facebook Pixel)
  • Business Partners: Information shared through integrations and partnerships

2. HOW WE USE INFORMATION

2.1 Service Provision

  • Process account registration and manage subscriptions
  • Provide customer support and technical assistance
  • Process payments (Stripe) and manage manual bank transfer billing
  • Deliver platform features, including WhatsApp-based ordering, QR code menus, loyalty programs, stock tracking, and analytics
  • Send important service updates and notifications

2.2 Business Operations

  • Improve our platform and develop new features
  • Analyze usage patterns to enhance user experience
  • Conduct research and analytics for service improvement
  • Ensure platform security and prevent fraud or abuse
  • Comply with legal obligations and regulatory requirements

2.3 Communication

  • Respond to inquiries and support requests
  • Send service-related announcements and updates
  • Provide marketing communications (with your consent, which can be withdrawn at any time)
  • Share important legal and policy updates

2.4 Use of End-Customer Data

End-customer data processed through a merchant's storefront is used solely to provide the ordering and platform services to that merchant. We do not use end-customer data for our own marketing purposes, nor do we sell or rent it to third parties.

3. INFORMATION SHARING

3.1 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

3.2 Service Providers

We work with trusted third-party service providers who assist us in:

  • Payment processing (Stripe)
  • Cloud hosting and infrastructure
  • Analytics and performance monitoring (e.g., Google Analytics, Meta Pixel)
  • Customer support services
  • Email and communication services
  • WhatsApp Business API providers, where applicable

These providers are bound by contractual obligations to handle data consistently with this policy and applicable law.

3.3 Between Merchants and End-Customers

Information entered by end-customers on a merchant's storefront (e.g., name, phone, address, order details) is shared with that specific merchant for the purpose of fulfilling the order. WhatsMenu does not share this data with other merchants on the platform.

3.4 Legal Requirements

We may disclose information when required by law, including:

  • Compliance with Malaysian laws and regulations
  • Response to valid legal process or government requests
  • Protection of our rights, property, or safety, or that of our users
  • Investigation of potential violations of our Terms of Service

3.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify affected users where required by law.

4. DATA RETENTION AND DELETION

4.1 Retention Period

We retain information for as long as necessary to:

  • Provide our services
  • Comply with legal and tax obligations (including record-keeping requirements under Malaysian law, typically 7 years for financial records)
  • Resolve disputes and enforce agreements
  • Maintain reasonable business records

4.2 Merchant Account Deletion

Upon merchant account termination, we will delete or anonymize the merchant's personal data and the end-customer data stored within that merchant's account within 90 days, except where retention is required by law (e.g., tax records) or for legitimate business purposes (e.g., fraud prevention, unresolved disputes).

4.3 End-Customer Deletion Requests

End-customers who wish to have their data removed from a merchant's WhatsMenu storefront should contact the merchant directly, as the merchant is the data user. Where we receive such requests directly, we will forward them to the relevant merchant and assist where reasonably possible.

5. PDPA RIGHTS

As a Malaysian company, we comply with the Personal Data Protection Act 2010 (PDPA) and its subsequent amendments. You have the following rights:

5.1 Access and Correction

  • Request access to your personal data
  • Request correction of inaccurate or incomplete data
  • Request information about how your data is processed

5.2 Withdrawal of Consent

  • Withdraw consent for data processing at any time
  • Opt-out of marketing communications
  • Request deletion of your account and associated data

5.3 Data Portability

  • Request a copy of your data in a commonly used, machine-readable format
  • Where technically feasible, request transfer to another service provider

5.4 Response Timeline

We will respond to verified data subject requests within 21 days of receipt, in line with PDPA requirements. In complex cases requiring extension, we will notify you in writing.

5.5 Complaints

  • Lodge complaints with our privacy team in the first instance
  • Contact the Personal Data Protection Commissioner of Malaysia if your concern is not resolved

6. SECURITY MEASURES

6.1 Technical and Organisational Measures

We implement appropriate measures to protect information:

  • Encryption of data in transit (TLS/HTTPS) and at rest where applicable
  • Regular security assessments and updates
  • Access controls, role-based permissions, and authentication systems
  • Employee training on data protection
  • Secure handling of manual bank transfer receipts and financial documents

6.2 Incident Response

In the event of a data breach likely to cause significant harm:

  • We will notify affected users as soon as reasonably practicable, and in any case aim to do so within 72 hours of becoming aware of the breach
  • We will report to the Personal Data Protection Commissioner and other relevant Malaysian authorities as required by law
  • We will take immediate steps to contain and remediate the breach
  • We will provide guidance on protective measures users can take

7. INTERNATIONAL TRANSFERS

7.1 Cross-Border Transfers

Your data may be processed and stored in countries outside Malaysia, including where our cloud infrastructure and service providers (e.g., Stripe, hosting providers) operate. Primary processing regions currently include Malaysia, Singapore, and the United States.

7.2 Safeguards

We ensure adequate protection through:

  • Contractual safeguards with international service providers
  • Selection of providers in jurisdictions with recognized data protection frameworks
  • Other appropriate safeguards as required by PDPA

7.3 Third-Party Services

When data is processed by third-party services (e.g., Stripe, Meta, Google), those providers' privacy policies also apply. We encourage you to review them.

8. COOKIES AND TRACKING

8.1 Types of Cookies and Trackers

We use:

  • Essential Cookies: Required for platform functionality, login sessions, and security
  • Analytics Cookies: Help us understand platform usage (e.g., Google Analytics)
  • Marketing and Advertising Cookies: Used for measuring ad performance and retargeting, including the Meta (Facebook) Pixel

8.2 Cookie Management

You can control cookie settings through your browser preferences or through any cookie consent tool provided on our website. Disabling certain cookies may affect platform functionality. Withdrawing consent to non-essential cookies will not affect the lawfulness of processing carried out before withdrawal.

9. CHILDREN'S PRIVACY

The WhatsMenu platform is intended for business use by merchants and adult end-customers. We do not knowingly collect personal information from individuals under the age of 18 without parental or guardian consent, as required under Malaysian law. If you believe a minor's data has been collected without appropriate consent, please contact us and we will take steps to remove it.

10. POLICY CHANGES

10.1 Policy Updates

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our platform
  • Sending email notifications to registered merchants
  • Updating the "Last updated" date

10.2 Continued Use

Your continued use of our platform after policy changes constitutes acceptance of the updated policy.

11. CONTACT INFORMATION

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, including PDPA access, correction, or withdrawal requests, please contact us:

Websumo Solutions (Co. Reg. No. 201803015504)
G-09, Jalan Pandan Prima 1, Dataran Pandan Prima, 55100 Kuala Lumpur, Malaysia
Email: support@whatsmenu.my

Last updated on: 15 March 2026
