Privacy Policy

This Privacy Policy explains how YellowMint Technology (Malaysian company registration number CA0396372-K, registered in Ipoh, Perak, Malaysia) collects, uses, shares and protects personal data in connection with the YM POS service.

We are the data controller of the personal data described below. If you have any questions about this policy or want to exercise your rights, please use our contact form and select Privacy request as the topic.

1. Scope

This policy applies to:

  • The YM POS marketing website at this domain.
  • The shop-operator dashboard, accessible after sign-in.
  • Customer-facing storefronts at /{shop-slug}.

2. Personal data we collect

2.1 Shop operators and staff

When you create an account or are invited as staff, we collect:

  • Name and email address.
  • A hashed password (we never store the plaintext).
  • Your Google account identifier, if you sign in with Google.
  • Two-factor authentication secrets and passkeys, if you enable them.
  • The IP address and user-agent of each active session, for security.

2.2 Customers placing orders

When a customer orders through a storefront we collect:

  • Customer name, phone number, and email address (when provided at checkout).
  • Order history including items, modifiers, pricing, payment method, and timestamps.
  • Favourite items and reorder history, if signed in.
  • Loyalty programme data: point balances, stamp progress, coupon redemptions.
  • Web push subscription tokens, if the customer opts in to order-ready notifications.

2.3 Website visitors

When you visit our website we collect:

  • Your IP address, which we use to derive an approximate country (via the MaxMind GeoLite2 database) to set sensible defaults such as currency.
  • A locale preference cookie, if you change languages.
  • Analytics data — see Section 9.

3. Why we use your data

We process personal data on the following bases under the Personal Data Protection Act 2010 (Malaysia):

  • Performance of contract — to process orders, manage your account, run loyalty programmes.
  • Consent — for analytics, session replay, and web push notifications. You can withdraw consent at any time via our cookie settings or by uninstalling push.
  • Legitimate interests — security, fraud prevention, service operation and improvement.
  • Legal obligation — to retain transaction records where required by Malaysian tax or accounting law.

4. Who we share your data with

We use the following sub-processors:

  • Google — Google OAuth (sign-in) and Google Analytics 4 (website analytics, with consent).
  • Microsoft — Microsoft Clarity (session replay and heatmaps, with consent).
  • Our S3-compatible object storage provider — file storage (logos, payment QR images, item photos). The exact provider in production is identified in our security documentation.
  • Our transactional email provider — order receipts and operator notifications.
  • Web push services — your browser's web push endpoint (Google, Apple, Mozilla, or Microsoft depending on browser) is used to deliver order-ready notifications.

We do not sell personal data and we do not share it with marketing partners.

5. International transfers

The sub-processors above may process your data outside Malaysia (typically in the United States, European Union, or Singapore). We rely on the contractual safeguards each provider offers under their respective data processing agreements.

6. How long we keep your data

  • Order records: for as long as the shop is active, plus six years after deletion, in line with Malaysian tax record-keeping requirements.
  • Contact form submissions: 18 months from receipt.
  • Analytics data: per the default retention of Google Analytics 4 (14 months) and Microsoft Clarity (90 days for session recordings).
  • Web push tokens: until you revoke the subscription or the browser invalidates it.

7. Your rights

Under the Personal Data Protection Act 2010 (Malaysia) you have the right to:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Withdraw consent for any processing based on consent.
  • Lodge a complaint with the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, JPDP) at https://www.pdp.gov.my.

To exercise any of these rights, use our contact form and select Privacy request. We aim to respond within 21 days.

8. Children

The YM POS service is not directed at children under 13. We do not knowingly collect personal data from children. If you believe we have done so, please contact us.

9. Cookies and analytics

We use the following cookies and trackers:

NamePurposeDurationCategory
laravel_sessionServer session (authentication, CSRF)Browser sessionEssential
XSRF-TOKENCSRF protectionBrowser sessionEssential
localeRemembers your language choice365 daysEssential
consent.v1 (localStorage)Stores your cookie consent decisionUntil clearedEssential
_ga, _ga_*Google Analytics 4Up to 2 yearsAnalytics (opt-in)
_clck, _clskMicrosoft Clarity session replay and heatmapsUp to 1 yearSession replay (opt-in)

Microsoft Clarity records session replays, meaning we can play back mouse movement, clicks, and scrolling on the pages you visit. Form-field values are masked by default — we do not see what you type into inputs. Clarity is only enabled if you opt in.

To change your preferences at any time, click Cookie settings in the page footer.

10. Changes to this policy

We will revise this policy from time to time. The _Last updated_ date below tracks the most recent change. For material changes we will notify signed-in operators with an in-app banner.

11. How to contact us

YellowMint Technology Ipoh, Perak, Malaysia Contact form — select Privacy request

Last updated: 2026-05-26

Last updated: 2026-05-26

YM POS

The simple F&B POS for café and kopitiam operators.

Legal

© 2026 YellowMint Technology (CA0396372-K). All rights reserved.

consent.banner.title

consent.banner.body