Privacy Policy
Rankup Digital Services (Company No. 003759071-W) ("we", "us", "Rankup Digital Services", "GBPAuditLab") operates the gbpauditlab.com platform (the "Service"). This Privacy Policy describes how we collect, use, store, and protect your personal data, in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA), as amended by the Personal Data Protection (Amendment) Act 2024. By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.
1. Data Protection Officer (DPO)
We have appointed a Data Protection Officer to ensure PDPA compliance:
- Name: Salmi (Founder, Rankup Digital Services)
- Email: privacy@gbpauditlab.com
Any questions about your personal data, or requests for access, correction, or deletion, can be sent to the email above.
2. Personal Data We Collect
2.1 Data you provide directly
- Email address (during registration / audit request)
- Business name and Google Business Profile information (name, address, category, etc.)
- Payment information (processed by Curlec (Razorpay) — see Section 5; we never store your credit card numbers)
2.2 Data collected automatically
- Usage data (pages visited, features used, access date/time)
- IP address and device information (for security and analytics)
- Analytics cookies (Google Analytics 4, PostHog) — see Section 7
2.3 Data generated by the Service
- GBP audit reports (score, recommendations, heatmap data if purchased)
- Payment transaction records (not card data, only status/amount records)
3. Purposes of Data Processing
We process your personal data to:
- Generate and deliver your GBP audit report
- Process payments and manage your subscription/add-on purchases
- Send service-related emails (confirmations, reports, drip campaign notifications)
- Improve the Service through usage analytics
- Comply with legal obligations (tax, financial records)
Legal basis: your consent (at registration) and contractual necessity (to provide the Service you requested).
4. Third-Party Data Sharing
We use the following third-party service providers to operate the Service. Each provider is bound by their own terms of service and privacy policy:
| Provider | Purpose | Processing location |
|---|---|---|
| Supabase | Database & user authentication | Singapore (ap-southeast-1 region) |
| Vercel | Application hosting | Global network (CDN) |
| Curlec (Razorpay) | Payment processing | Malaysia |
| Resend | Email delivery | United States |
| DataForSEO | SEO/GBP data for audits | Multiple locations |
| Anthropic (Claude API) | AI content generation | United States |
| OpenAI | Blog image generation | United States |
| Google (Places, PageSpeed API) | Location & website performance data | United States |
| Google Analytics / PostHog / Sentry | Analytics & error monitoring | United States |
Cross-border data transfers
Some of your data is processed outside Malaysia (as listed above). In accordance with Section 129 of the PDPA (as amended 2024), we only use providers that maintain adequate security measures or operate in jurisdictions with a comparable standard of data protection. We do not sell your personal data to third parties for marketing purposes.
5. Payment Processing
Payments are processed entirely by Curlec (Razorpay Malaysia). We do not store your credit/debit card details on our servers. Please refer to Curlec's Privacy Policy for more information on how they handle payment data.
6. Data Retention Period
- Account data (email, business information) is retained for as long as your account is active, and up to 6 years after for tax/financial record purposes (LHDN requirement)
- Free audit reports are retained for 12 months from the date of generation
- Paid audit reports (Starter) are retained for the subscription period (6 months) and 6 months after expiry for reference
- Transaction records are retained for 7 years as required by the Income Tax Act 1967
After these periods, data is automatically deleted or anonymised.
7. Cookies
Our website uses cookies for:
- Essential cookies: login session authentication (required for the Service to function)
- Analytics cookies: Google Analytics 4, PostHog — to understand usage patterns for product improvement
You can manage cookie preferences through your browser settings, although this may affect the functionality of some features.
8. Your Rights Under PDPA
As a data subject, you have the right to:
- Access your personal data that we hold
- Correct inaccurate data
- Withdraw consent for data processing (subject to any contractual/legal obligations still in effect)
- Request deletion of your data ("right to be forgotten," subject to legal record-keeping requirements in Section 6)
- Data portability — request that your data be transferred to another data controller, subject to technical feasibility
- Lodge a complaint with the Personal Data Protection Commissioner (PDPC) at www.pdp.gov.my
To exercise any of the above rights, contact our DPO at privacy@gbpauditlab.com. We will respond within a reasonable time (typically 21 days).
9. Data Security
We implement the following security measures to protect your personal data:
- Row Level Security (RLS) on all database tables
- Encryption of data in transit (HTTPS/TLS) and at rest
- Token-based access controls and user authentication
- Continuous security monitoring (Sentry, Better Stack)
While we take reasonable measures, no system is 100% secure. In the event of a data breach that risks causing significant harm, we will notify the PDPC within 72 hours and notify affected users without undue delay, in accordance with Section 12B of the PDPA.
10. Children's Privacy
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any material changes will be communicated via email or a notice on the website. The "Last updated" date above reflects the current version.
12. Contact Us
For any privacy-related questions, data access requests, or to exercise your PDPA rights:
Rankup Digital Services
Company No. 003759071-W
Email: privacy@gbpauditlab.com
Website: gbpauditlab.com