Privacy Policy.
This notice explains how Zenara Jaya collects, uses, discloses, stores, and protects your personal data. It is written under Malaysia's Personal Data Protection Act 2010 ("PDPA") and applies to everyone who interacts with us — clients, marketplace developers, buyers, chat-widget visitors, and casual readers of this website.
What's in this notice
1. Who we are.
Zenara Jaya (registration MRI/BNR/637/2025) is the data controller. Our registered office is at 1st Floor, Lot 3513, Block 5 MCLD, Lorong Aster 1, 101 Commercial Centre, 98000 Miri, Sarawak, Malaysia. You can reach us at hello@zenarajaya.com or +60 18-914 1134.
If you have any question about this policy or your data, write to the address above with the subject line "PDPA — Data Subject Request" and we will respond within twenty-one (21) calendar days, as required by section 30 of the PDPA.
2. What personal data we collect.
The data we collect depends on which part of our service you use. We have grouped it below for clarity.
2.1 When you contact us or request a quote
- Your name, email address, phone number, and (optionally) WhatsApp ID;
- Your business name, industry, and the problem you are asking us to solve;
- Any files or screenshots you attach to a quote or message;
- Records of our correspondence — emails, WhatsApp messages, voice-call notes.
2.2 When you use our website chat widget
- The full text of your conversation with our AI sales agent, including any contact details you volunteer in the chat;
- Approximate location (city-level, derived from your IP address) for routing and language preference;
- Browser type, device type, and the page you arrived from.
2.3 When you sign an engagement (services client)
- Authorised signatory's full name, designation, IC or passport number (for the agreement only), email, and signature;
- Company registration number, billing address, and bank or payment details for invoicing;
- Project deliverables, source assets, credentials shared with us for the work, and post-launch support tickets.
2.4 When you join the marketplace as a developer
- Display name, email, country, optional GitHub and portfolio URLs;
- Submission content (code, demo links, walkthrough videos, screenshots, descriptions);
- Bank or transaction-service details when we collect payout information from you.
2.5 When you join the marketplace as a buyer (KYC)
For Tier 1 verification (basic) and Tier 2 verification (full), we collect:
- Full legal name, date of birth, nationality;
- Government ID type (MyKad, passport, MyTentera, or other) and ID number — the ID number is converted into a one-way cryptographic hash before storage; we never retain the plaintext;
- A photograph of the front of your ID;
- For Tier 2: a selfie holding the same ID, your residential address, and (optionally) a recent utility bill or bank statement;
- Records of your bid history.
2.6 Automatically when you visit the website
- IP address (truncated for analytics);
- Browser user-agent, screen size, and the pages you view;
- Referring URL, time spent on each page, and basic interaction events (clicks, scroll depth);
- Tamper-resistant authentication cookies, if you create an account — see our Data Collection & Cookie Notice for the categories we use.
3. Why we collect it (lawful purposes).
We process personal data only for the purposes you would reasonably expect when you engage with us. Specifically:
- Service delivery — to scope, build, deliver, invoice, and support the IT work you've engaged us for;
- Marketplace operations — to verify identities, prevent fraud, run auctions, settle payouts, and resolve disputes;
- Communication — to reply to enquiries, send quotes, agreements, project updates, and receipts;
- Legal and tax compliance — to keep records the law (Companies Act 2016, Income Tax Act 1967, PDPA) requires us to keep;
- Service improvement — to analyse usage patterns and improve the website and our offerings (only on aggregated, de-identified data wherever practical);
- Marketing — only with your explicit opt-in, and you can withdraw at any time.
We will not use your data for any purpose materially different from these without first asking you again.
4. Who we share it with.
We do not sell your personal data, ever. We do share limited data with carefully chosen third parties to make our service work:
| Recipient | What we share | Why |
|---|---|---|
| Our hosting and CDN provider | Anything you submit through the website (forms, chat, KYC), at the moment our servers receive it | Website and API delivery |
| An AI service provider (used for the chat assistant) | The text of your chat-widget conversations, for the duration of generating a reply | Drafting AI replies. We use a service tier where customer content is not retained for model training |
| Our domestic banking partner (Malaysia) | Your name and the amount, when you transfer funds to us | Receiving payments and issuing local payouts |
| Approved international transaction services | Your name and bank details, when we pay developers internationally | Cross-border payouts |
| Email service providers | Your email address and message content | Sending agreements, invoices, notifications |
| Professional advisors | Whatever the matter requires | Legal, accounting, audit — only when strictly necessary, under their professional duty of confidentiality |
| Lawful authorities | Whatever a valid order requires | If compelled by Malaysian law (court order, regulatory request) |
We do not transfer your data to any party outside this list without telling you first.
5. How long we keep it.
- Lead and quote enquiries — up to 24 months after our last contact, then deleted;
- Active client records — for the duration of the engagement plus 7 years for tax and audit purposes (Income Tax Act 1967 s. 82(1));
- Marketplace KYC images — 12 months after KYC expiry, after which the image files are securely deleted; the one-way hash of the ID number is retained longer for anti-fraud (linked to your account, never re-identifying you);
- Auction and bid records — 7 years (financial record);
- Chat-widget transcripts — 90 days for sales follow-up, then anonymised and aggregated;
- Server logs — 30 days, then rotated.
6. How we protect it.
- Passwords are stored using industry-standard salted password hashing. We cannot read your password, even on request.
- KYC images are stored in a private storage area, isolated from the public website; only authenticated administrators can fetch them, through a guarded internal endpoint.
- Authentication cookies are tamper-resistant, restricted to HTTPS in production, not readable from page scripts, and not sent on cross-site requests.
- HTTPS is enforced site-wide.
- Strong security response headers are set on every page (Content-Security-Policy, X-Frame-Options, Referrer-Policy, and others).
- Access to production data is limited to named directors and a small set of role-scoped staff accounts; every access is logged.
- We notify the affected individuals within 72 hours of becoming aware of any data breach that materially affects their rights.
7. Your rights under the PDPA.
You have, at no charge or for the modest fee permitted by the Personal Data Protection (Fees) Regulations 2013, the following rights:
- Right of access — to ask for a copy of the personal data we hold on you;
- Right of correction — to ask us to correct inaccurate or incomplete data;
- Right to withdraw consent — to take back any consent you have given us, going forward;
- Right to prevent processing for direct marketing — to ask us to stop sending you marketing material at any time, in writing;
- Right to limit disclosure — to restrict who else we tell about your data, beyond the recipients listed above;
- Right to lodge a complaint — with the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi) if you believe we have mishandled your data.
To exercise any of these rights, email hello@zenarajaya.com with the subject line "PDPA Request — [your name]". We may need to verify your identity before acting, especially for access or deletion requests.
8. Cookies and tracking.
We use a small number of essential cookies (authentication, session) and basic first-party analytics. We do not use third-party advertising cookies and we do not sell or share data with ad networks. The full list, including their names, purposes, and lifetimes, is in our Data Collection & Cookie Notice.
9. AI assistants and your messages.
Our website chat widget uses a third-party AI service to draft replies. When you chat with the widget, the conversation text is transmitted to that service for the duration of the reply. We have configured the integration so that conversations are not used to train any AI model. We retain your conversation transcript on our own servers as described in section 5. The current AI service provider is disclosed in writing on request to hello@zenarajaya.com.
Please do not paste sensitive personal data — your IC number, bank PIN, passwords, medical history — into the chat widget. If you do, please tell us so we can redact it.
10. Data outside Malaysia.
Some of our service providers (notably our hosting/CDN partner and our AI service partner) operate servers outside Malaysia, including in the United States and the European Union. By using our service, you consent to your personal data being transferred to and processed in those locations under standard contractual clauses or equivalent safeguards. We have satisfied ourselves that those providers offer protection at least equivalent to the PDPA, and we will provide their identities and current safeguards in writing on request.
11. Children.
Our services are not directed at anyone under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has given us personal data, please contact us and we will delete it promptly.
12. Changes to this policy.
If we make material changes, we will post the updated version here, update the "Effective" date at the top, and email active account holders at least 14 days before the change takes effect. The version history is available on request.
13. Contact us.
For any privacy question, request, or concern:
Zenara Jaya
1st Floor, Lot 3513, Block 5 MCLD
Lorong Aster 1, 101 Commercial Centre
98000 Miri, Sarawak, Malaysia
Email: hello@zenarajaya.com
Phone / WhatsApp: +60 18-914 1134