Privacy Policy
This Privacy Policy explains how YellowMint Technology (Malaysian company registration number CA0396372-K, registered in Ipoh, Perak, Malaysia) collects, uses, shares and protects personal data in connection with the YM POS service.
We are the data controller of the personal data described below. If you have any questions about this policy or want to exercise your rights, please use our contact form and select Privacy request as the topic.
1. Scope
This policy applies to:
- The YM POS marketing website at this domain.
- The shop-operator dashboard, accessible after sign-in.
- Customer-facing storefronts at /{shop-slug}.
2. Personal data we collect
2.1 Shop operators and staff
When you create an account or are invited as staff, we collect:
- Name and email address.
- A hashed password (we never store the plaintext).
- Your Google account identifier, if you sign in with Google.
- Two-factor authentication secrets and passkeys, if you enable them.
- The IP address and user-agent of each active session, for security.
2.2 Customers placing orders
When a customer orders through a storefront we collect:
- Customer name, phone number, and email address (when provided at checkout).
- Order history including items, modifiers, pricing, payment method, and timestamps.
- Favourite items and reorder history, if signed in.
- Loyalty programme data: point balances, stamp progress, coupon redemptions.
- Web push subscription tokens, if the customer opts in to order-ready notifications.
2.3 Website visitors
When you visit our website we collect:
- Your IP address, which we use to derive an approximate country (via the MaxMind GeoLite2 database) to set sensible defaults such as currency.
- A locale preference cookie, if you change languages.
- Analytics data — see Section 9.
3. Why we use your data
We process personal data on the following bases under the Personal Data Protection Act 2010 (Malaysia):
- Performance of contract — to process orders, manage your account, run loyalty programmes.
- Consent — for analytics, session replay, and web push notifications. You can withdraw consent at any time via our cookie settings or by uninstalling push.
- Legitimate interests — security, fraud prevention, service operation and improvement.
- Legal obligation — to retain transaction records where required by Malaysian tax or accounting law.
4. Who we share your data with
We use the following sub-processors:
- Google — Google OAuth (sign-in) and Google Analytics 4 (website analytics, with consent).
- Microsoft — Microsoft Clarity (session replay and heatmaps, with consent).
- Our S3-compatible object storage provider — file storage (logos, payment QR images, item photos). The exact provider in production is identified in our security documentation.
- Our transactional email provider — order receipts and operator notifications.
- Web push services — your browser's web push endpoint (Google, Apple, Mozilla, or Microsoft depending on browser) is used to deliver order-ready notifications.
We do not sell personal data and we do not share it with marketing partners.
5. International transfers
The sub-processors above may process your data outside Malaysia (typically in the United States, European Union, or Singapore). We rely on the contractual safeguards each provider offers under their respective data processing agreements.
6. How long we keep your data
- Order records: for as long as the shop is active, plus six years after deletion, in line with Malaysian tax record-keeping requirements.
- Contact form submissions: 18 months from receipt.
- Analytics data: per the default retention of Google Analytics 4 (14 months) and Microsoft Clarity (90 days for session recordings).
- Web push tokens: until you revoke the subscription or the browser invalidates it.
7. Your rights
Under the Personal Data Protection Act 2010 (Malaysia) you have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Withdraw consent for any processing based on consent.
- Lodge a complaint with the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, JPDP) at https://www.pdp.gov.my.
To exercise any of these rights, use our contact form and select Privacy request. We aim to respond within 21 days.
8. Children
The YM POS service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have done so, please contact us.
9. Cookies and analytics
We use the following cookies and trackers:
| Name | Purpose | Duration | Category |
|---|---|---|---|
| laravel_session | Server session (authentication, CSRF) | Browser session | Essential |
| XSRF-TOKEN | CSRF protection | Browser session | Essential |
| locale | Remembers your language choice | 365 days | Essential |
| consent.v1 (localStorage) | Stores your cookie consent decision | Until cleared | Essential |
| _ga, _ga_* | Google Analytics 4 | Up to 2 years | Analytics (opt-in) |
| _clck, _clsk | Microsoft Clarity session replay and heatmaps | Up to 1 year | Session replay (opt-in) |
Microsoft Clarity records session replays, meaning we can play back mouse movement, clicks, and scrolling on the pages you visit. Form-field values are masked by default — we do not see what you type into inputs. Clarity is only enabled if you opt in.
To change your preferences at any time, click Cookie settings in the page footer.
10. Changes to this policy
We will revise this policy from time to time. The _Last updated_ date below tracks the most recent change. For material changes we will notify signed-in operators with an in-app banner.
11. How to contact us
YellowMint Technology
Ipoh, Perak, Malaysia
Contact form — select Privacy request
Last updated: 2026-05-26