Privacy Policy
Last updated: 16 May 2026
1. Introduction
Denomy Web Services (202603117150) ('Denomy', 'we', 'us', or 'our') operates DenoShop Platform and is committed to protecting personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data, and the rights available to individuals. We handle personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia and its principles, namely the General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access Principles. This Policy applies to Merchants who register and use the Platform and to visitors of our websites; it forms part of, and should be read together with, our Terms of Service.
2. Our Roles: Controller and Processor
Denomy acts in two distinct roles. (a) As a data controller (data user): for personal data relating to Merchant accounts and registration, such as a Merchant's name, contact details, and account activity, Denomy determines the purposes and means of processing and is responsible for that data under this Policy. (b) As a data processor: for personal data of a Merchant's End-Customers that is collected through the Merchant's Shop, the Merchant is the data controller (data user) and Denomy processes such data only on the Merchant's behalf and on its documented instructions, solely to host and provide the Platform. In that role, Denomy does not decide the purposes of processing End-Customer data and does not use it for its own purposes. Each Merchant is responsible for its own privacy notice and lawful basis toward its End-Customers.
3. Information We Collect
We collect the following categories of personal data: (a) Account data: information you provide when registering or using the Platform, such as name, email address, phone number, login credentials, shop details, and billing or invitation information. (b) Technical data: information collected automatically when you use the Platform, such as IP address, device and browser type, operating system, log files, access times, and usage activity. (c) Shop and transaction data: data generated by the operation of a Merchant's Shop, such as order records, transaction history, and analytics, which may include personal data of End-Customers processed on the Merchant's behalf. (d) Communications data: records of your correspondence with us, including support requests. We may also receive limited information about you from third-party service providers, such as payment processors, where you interact with them through the Platform.
4. Legal Basis for Processing
We process personal data where: (a) it is necessary to perform our contract with you and provide the Platform; (b) you have given consent, which you may withdraw at any time; (c) it is necessary to comply with a legal or regulatory obligation; or (d) it is necessary for our legitimate interests in operating, securing, and improving the Platform, provided these interests are not overridden by your rights. Where we rely on consent, we will obtain it in accordance with the PDPA's Notice and Choice Principle.
5. How We Use Your Data
We use personal data to: (a) create and administer your account and provide shop hosting and Platform features; (b) process Subscriptions, payments, and invoices; (c) communicate with you, including service announcements, security alerts, and support responses; (d) operate, maintain, secure, and improve the Platform, including troubleshooting and analytics; (e) detect, prevent, and address fraud, abuse, and security incidents; and (f) comply with legal obligations and enforce our Terms of Service. We do not sell personal data, and we do not sell or use End-Customer data of any Merchant's Shop for our own marketing.
6. Disclosure and Subprocessors
We do not sell personal data. We may disclose personal data to: (a) Service providers and subprocessors who process data on our behalf to operate the Platform, including hosting, email and communications, payment processing, and analytics providers; (b) Merchants, in respect of their own End-Customer data processed through their Shop; (c) professional advisers, auditors, or potential acquirers in connection with a corporate transaction, subject to confidentiality; and (d) law enforcement, regulators, or other authorities where required by law or to protect our rights, users, or the public. We require our subprocessors to handle personal data under appropriate confidentiality and security obligations and only for the purposes we specify.
7. Shop Owner Responsibilities
Where you operate a Shop, you are the data controller (data user) under the PDPA for the personal data of your End-Customers. You are responsible for: (a) providing your End-Customers with a clear and compliant privacy notice; (b) establishing a lawful basis and obtaining any required consent for collecting and using their data; (c) handling End-Customer rights requests, such as access, correction, and withdrawal of consent; (d) keeping End-Customer data accurate and secure within the controls available to you; and (e) complying with the PDPA and all other applicable data protection laws. Denomy processes End-Customer data only on your instructions to provide the Platform.
8. International Data Transfers
Personal data may be stored or processed on infrastructure or by service providers located outside Malaysia. Where personal data is transferred outside Malaysia, we take reasonable steps to ensure it receives a level of protection consistent with the PDPA, including through contractual safeguards with the receiving party. By using the Platform, you acknowledge that such transfers may occur for the purposes described in this Policy.
9. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Indicative retention periods are: (a) Account data: for the duration of your account and for a period after closure to handle legal, tax, and accounting obligations; (b) Transaction and billing records: for the period required under Malaysian tax and accounting law; (c) Technical and log data: for a limited period for security and troubleshooting; (d) Shop and End-Customer data: retained while the Merchant's account is active and, after account termination, deleted or anonymised within a defined period. When personal data is no longer required, we will securely delete or anonymise it.
10. Cookies and Tracking
We use cookies and similar technologies to operate the Platform. We use essential cookies that are necessary for core functionality, such as authentication and security, and we may use limited functional cookies to remember your preferences. You can control or delete cookies through your browser settings, although disabling essential cookies may affect the operation of the Platform.
11. Data Security
We implement reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure, in line with the PDPA's Security Principle. These measures include encryption of data in transit using HTTPS/TLS, access controls and role-based permissions, restricted administrative access, secure credential storage, and monitoring of our systems. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential and for using strong, unique passwords.
12. Data Breach Notification
In the event of a personal data breach that is likely to affect your rights and interests, we will take steps to contain and assess the incident and, where required by applicable law, notify the relevant authority and affected individuals without undue delay. Where Denomy acts as a processor for a Merchant's End-Customer data, we will notify the affected Merchant of any relevant breach so that the Merchant can meet its own notification obligations.
13. Your Rights
Subject to the PDPA and applicable law, you have the right to: (a) access the personal data we hold about you; (b) request correction of inaccurate, incomplete, or outdated data; (c) withdraw consent where processing is based on consent; (d) limit or object to the processing of your data in certain circumstances; and (e) request deletion of your data where it is no longer required. We may need to verify your identity before acting on a request, and some data may be retained where the law requires or permits. To exercise these rights, contact us at contact@deno.my. If you are an End-Customer of a Merchant's Shop, please direct your request to the relevant Merchant, who is the controller of your data.
14. Marketing and Communications
We may send you service-related communications that are necessary to operate your account, such as security and billing notices, which you cannot opt out of while you have an active account. We will only send you promotional or marketing communications where permitted by law or where you have opted in. You can opt out of marketing communications at any time using the unsubscribe link in such messages or by contacting us at contact@deno.my; opting out of marketing does not affect service-related communications.
15. Children
The Platform is intended for use by businesses and individuals who are at least 18 years of age. We do not knowingly collect personal data from minors for the purpose of creating a Platform account. If we become aware that we have collected such data without appropriate authorisation, we will take reasonable steps to delete it.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated Policy on the Platform and revise the 'Last updated' date, and, where changes are material, we will provide reasonable notice. Your continued use of the Platform after the changes take effect indicates your acceptance of the updated Policy.
17. Contact
If you have any questions, concerns, or complaints about this Privacy Policy or how your personal data is handled, contact Denomy Web Services by email at contact@deno.my. You also have the right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia.
18. Governing Language
This Privacy Policy is provided in English and may be made available in other languages, including Malay, for convenience only. In the event of any inconsistency, ambiguity, or conflict in interpretation between the English version and any translated version, the English version prevails.