Mini Games — Privacy Policy
This notice explains what personal data the Zenara Jaya Mini Games platform collects when you create an account or play, how we use it, who we share it with, and the rights you have under Malaysia's Personal Data Protection Act 2010 ("PDPA").
1. Who we are
The data controller for the mini-games platform is Zenara Jaya, operating from Miri, Sarawak, Malaysia, accessible via zenarajaya.com. Where this policy refers to "we", "us", or "our", that's us.
2. What we collect
| Data | When | Why |
|---|---|---|
| Email address | Account sign-up | Login identifier & account recovery |
| Display name | Account sign-up | Shown in lobbies, leaderboards, and match recaps |
| Password (salted hash, never plaintext) | Account sign-up | Authenticate you at sign-in. We use PBKDF2-SHA256 with per-account salt; the original password is not stored or recoverable |
| Optional profile fields (scarf, accessory, skill loadout) | While playing | Persist your cosmetic loadout across sessions and devices |
| Match results (deliveries, rescues, wins, perfect runs, timestamp) | End of each match | Populate individual + team leaderboards |
| Cumulative donation total ("supporter" counter) | When you complete a donation | Show your supporter status on your own profile (not exposed to other Players) |
| IP fingerprint (last 12 hex chars only) + user agent | When you submit an in-game report or sign in | Anti-abuse, rate-limiting, debugging fraudulent sign-ups |
| WebSocket presence (which lobby you're in, when you connected) | While the lobby/match is live | Match-making and live lobby panels. Discarded when you disconnect |
We do not collect: government ID numbers, payment card numbers (handled by our payment processor when we add real billing — we never see the card), precise location, contacts, microphone or camera data, browsing history outside zenarajaya.com.
3. How we use your data
- Operate the games. Authenticate sign-in, run lobbies, persist your loadout and scores.
- Show leaderboards. Your display name + score + match summary appears on public boards visible to other Players.
- Prevent abuse. Detect cheats, bots, duplicate accounts, and harassment. Investigate Player reports.
- Service improvement. Analyse aggregate gameplay metrics (e.g. average match length) to balance and tune. Aggregate data is not personally identifiable.
- Legal compliance. Respond to lawful requests, enforce these terms, defend legal claims.
We do not use your personal data for behavioural advertising or sell it to third parties.
4. Cookies & local storage
We use:
- A first-party session cookie for sign-in (httpOnly, sameSite=Lax). This is the only cookie required to use the Platform.
- Local storage on your device for your loadout, leaderboard cache, and donation total. This data lives in your browser and can be cleared at any time via your browser's privacy settings.
- No third-party analytics or advertising trackers.
5. Sharing & disclosure
We disclose data only:
- Publicly on leaderboards (your display name + score; never your email).
- To our infrastructure providers (hosting, DNS, future payment processor) strictly as required to operate the service, under their published privacy commitments.
- To comply with law, court orders, or legitimate requests from authorities under Malaysian law.
- To defend our rights, prevent fraud, or protect the safety of Players.
We do not sell, rent, or trade your personal data to anyone.
6. Storage & retention
Account records live on our servers (in or near Singapore / Malaysia) for as long as you maintain the account. Match-result entries are kept for up to 24 months from the date of the match, then trimmed. Bug-report logs are kept for up to 12 months. IP-fingerprint records for anti-abuse are kept for up to 90 days.
7. Your rights under the PDPA
Under Malaysia's Personal Data Protection Act 2010, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Withdraw consent for further processing, subject to legitimate retention obligations.
- Request deletion of your account and associated personal data. (Aggregate, anonymised stats may be retained as they no longer identify you.)
- Limit processing in specific circumstances, e.g. while a dispute is being resolved.
To exercise any of these rights, contact us via the address listed in section 10. We aim to respond within 21 days.
8. Children
The Platform is not directed at children under 13 and we do not knowingly collect data from anyone under 13. If you believe a child under 13 has registered, please contact us and we will delete the account.
9. Security
We use industry-standard safeguards (TLS in transit, salted password hashes, server-side input validation, rate-limiting, principle of least privilege for staff access). No internet service is perfectly secure; if a breach affecting your account ever occurs, we will notify affected Players via the email address on file within 72 hours of becoming aware and advise on protective steps.
10. Contact
For privacy questions, access requests, deletion requests, or to report a suspected breach, contact us through the channels at zenarajaya.com. Please include the email address associated with your Mini Games account so we can verify the request.
11. Changes to this notice
We may update this notice when the service changes or to reflect legal or operational developments. The "Last updated" date below is authoritative. For material changes that affect your rights, we will post a banner on /mini-game.html for at least 14 days before the change takes effect.
Last updated: 14 May 2026.