Privacy Policy

Last updated: 2026-04-26 · W Insight Sdn Bhd

This Privacy Policy explains how W Insight Sdn Bhd ("we", "us") collects, uses, and protects your personal data when you use our TikTok ad management service at winsight.com.my. We process personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia.

1. Data we collect

Category	Examples	Why
Account	Name, email, username, password (hashed), phone	Account creation, login, support
Company / billing	Company name, SSM, TIN, SST, IC, business address, billing contact	Subscription billing, LHDN e-invoicing
Payment	Card details (collected and stored by Stripe, not us)	Process payments
TikTok integration	OAuth access token, advertiser ID, store ID, campaign data, ad spend metrics	Manage your ad campaigns on your behalf
Employee records (only if you use HR features)	Employee names, emails, IC / passport numbers, dates of birth, addresses, phone numbers, salary, profile photos, hire / termination dates, leave records	Provide org chart, leave management, birthday wishes, and other HR features that your account is granted
Technical	IP address, browser user agent, login timestamps	Security, audit log, fraud prevention

2. How we use your data

To provide and operate the W Insight service (the core purpose)
To process subscription payments and issue tax invoices
To send transactional emails (billing receipts, cap alerts, seat-utilisation alerts, security notifications, password resets, and team-invite onboarding emails)
To send automated monthly birthday wishes to employees of customers who have enabled this feature on their company settings — only when the customer has explicitly turned the toggle ON
To send marketing emails — only if you've explicitly opted in at registration or in account settings
To investigate and prevent fraud, abuse, or unauthorised access
To comply with legal obligations (e.g. LHDN e-invoicing, court orders)

2a. Employee data — your role vs ours

If you use HR features (org chart, leave management, etc.), you upload personal data about your employees. You are the data controller for your employee data; we are the processor — we hold and operate on it on your instructions. You're responsible for collecting consent from your own employees where required under the PDPA. We don't use your employee data for any purpose other than running the features you've configured (e.g. sending birthday emails only because you turned that on).

3. Third parties we share data with

Stripe — payment processing. Stripe stores card numbers; we do not. Stripe data may be transferred to and stored in the United States.
TikTok For Business — ad campaign management. Your TikTok credentials and campaign data are sent to TikTok APIs for the actions you authorise.
Exabytes — our hosting provider (servers in Malaysia).

We do not sell your personal data to anyone, ever.

4. Cross-border data transfer (PDPA Section 129)

Some processors above (Stripe, TikTok APIs) may store or process data outside Malaysia. By using the service, you consent to this transfer. We only work with providers who maintain at least equivalent data protection standards.

5. How long we keep your data

We retain account and billing data for the lifetime of your subscription plus 7 years afterwards (to comply with Malaysian tax record-keeping requirements). Marketing consent records are retained as long as you remain subscribed to our marketing list. You can request earlier deletion in writing — see Section 7.

6. Security

We protect your data with industry-standard measures: passwords are hashed with bcrypt (cost factor 12), payment data is handled by PCI-compliant Stripe, and database access is restricted to authorised W Insight personnel. No system is perfectly secure, but we treat your data with the seriousness it deserves.

7. Your rights under the PDPA

You have the right to:

Access the personal data we hold about you
Correct inaccurate or outdated data
Withdraw consent for marketing emails at any time (one-click unsubscribe in every marketing email, or change in account settings)
Request deletion of your account and associated data, subject to legal retention requirements

To exercise any of these, email winsightmarketing@winsight.com.my. We will respond within 21 days.

8. Cookies

We use session cookies for login, "remember me" tokens for convenience, and trusted-device tokens for security. We don't use third-party advertising or analytics cookies. See our Cookie Policy for details.

9. Changes to this policy

We may update this policy as our service evolves. The "Last updated" date at the top reflects the current version. Material changes will trigger a re-acceptance prompt at next login.

10. Contact

Questions, complaints, or requests under the PDPA? Email winsightmarketing@winsight.com.my. If you're unsatisfied with our response, you have the right to escalate to the Personal Data Protection Department of Malaysia (JPDP).

← Back to login