Privacy Policy
Last updated: March 5, 2026
1. Introduction
Tropilo ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit tropilo.com. This policy complies with the Malaysian Personal Data Protection Act 2010 (PDPA) and its 2024 amendments.
2. Information We Collect
We collect minimal personal information necessary to operate and improve the platform: • Browsing data: Pages visited, stories viewed, time spent on pages, and device/browser information (collected automatically via server logs and analytics). • Merchant applications: Business name, category, location, description, WhatsApp contact number, and optional profile photo — submitted voluntarily through our partner application form. • Story submissions: Content, photos, and associated metadata submitted by users through the publish page. • View tracking: Anonymous page view counts for stories, used to display popularity metrics. No personally identifiable information is collected for view tracking. We do not require user registration or login. We do not collect email addresses, passwords, or identity documents from general visitors.
3. How We Use Your Information
We use the information we collect to: • Operate and maintain the platform • Display content in your preferred language • Show relevant travel stories and recommendations • Process merchant partnership applications • Analyze usage patterns to improve content and user experience • Generate anonymous aggregate statistics (e.g., popular destinations, story view counts) • Comply with legal obligations under Malaysian law
4. Cookies & Local Storage
Tropilo uses minimal cookies and local storage: • Locale preference: We store your language preference (en/zh/bm) to provide content in your chosen language. • Essential cookies: Session management and security cookies required for the platform to function. We do not use advertising cookies or third-party tracking cookies for behavioral advertising. We do not use Google Analytics or similar third-party analytics platforms that create individual user profiles.
5. Third-Party Services
We use the following third-party services to operate Tropilo: • Vercel (hosting): Our platform is hosted on Vercel. Vercel may collect server logs including IP addresses. See Vercel's Privacy Policy. • Supabase (database): User-submitted data (merchant applications, stories) is stored in Supabase's cloud database hosted in Singapore. See Supabase's Privacy Policy. • Cloudflare R2 (image storage): Uploaded images are stored on Cloudflare's infrastructure. See Cloudflare's Privacy Policy. • Klook & Agoda (affiliate partners): If you click affiliate links, these services will process your data under their own privacy policies. We only receive anonymous commission data. • OpenAI & Google (AI generation): We use AI services for content generation only. No user personal data is sent to these services. We do not sell, rent, or trade your personal information to any third party.
6. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including: • Encrypted data transmission (HTTPS/TLS) • Secure database access controls with role-based permissions • Server-side authentication for administrative functions • Regular security reviews of our infrastructure While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected: • Merchant applications: Retained while the partnership is active. Rejected applications are deleted within 90 days. • Story submissions: Retained while published on the platform. Deleted stories are removed from our database. • Browsing data: Anonymous aggregate data is retained indefinitely. Server logs are automatically purged according to our hosting provider's retention policy.
8. Your Rights Under PDPA
Under the Malaysian Personal Data Protection Act 2010 (as amended in 2024), you have the right to: • Access: Request a copy of the personal data we hold about you. • Correction: Request correction of inaccurate or incomplete personal data. • Withdrawal of consent: Withdraw your consent for processing at any time (this may affect our ability to provide services). • Data portability: Request transfer of your personal data in a structured, commonly used format (effective June 2025). • Complaint: Lodge a complaint with the Department of Personal Data Protection Malaysia (www.pdp.gov.my). To exercise any of these rights, please contact us at [email protected]. We will respond within 21 days as required by law.
9. Children's Privacy
Tropilo is not directed at children under the age of 13. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 13, we will take steps to delete such information promptly.
10. International Data Transfers
Your data may be processed and stored on servers located outside Malaysia (including Singapore and the United States) through our third-party service providers. In accordance with the PDPA's cross-border data transfer requirements, we ensure that adequate safeguards are in place to protect your data, including contractual obligations requiring our service providers to maintain data protection standards substantially similar to those under Malaysian law.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically. Your continued use of Tropilo after any changes constitutes acceptance of the updated policy.
12. Data Protection Officer
In compliance with the PDPA 2024 amendments, our Data Protection Officer can be reached at: Email: [email protected] Website: tropilo.com/privacy For general inquiries: [email protected]