Back to Home

Data Retention Policy

Last Updated: January 2025
Version: 1.0

1. Overview

This Data Retention Policy outlines how CariRumah collects, stores, retains, and deletes user data in compliance with applicable laws and regulations. This policy applies to all users of the CariRumah platform, including property owners and guests (clients).

2. Scope

This policy covers all data collected through the CariRumah platform, including:

  • User account information
  • Property listings
  • Booking and transaction records
  • Payment information
  • Reviews and ratings
  • Property images and media
  • Communication records
  • Location data

3. Legal Basis

CariRumah operates in compliance with:

  • Malaysian Personal Data Protection Act 2010 (PDPA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Accounting and tax regulations requiring financial record retention
  • General Data Protection Regulation (GDPR) principles for international users

4. Data Categories and Retention Periods

4.1 User Account Data

Data Type: Name, email, phone number, Clerk authentication ID, role (Owner/Client)

Retention Period:

  • Active Accounts: Retained indefinitely while account is active
  • Inactive Accounts (No login for 3+ years): Anonymized after 3 years of inactivity
  • Deleted Accounts: PII deleted within 30 days of deletion request

Exceptions: Accounts with financial transactions retained for 7 years from last transaction for tax/audit purposes.

4.2 Property Listing Data

Data Type: Property details, location (address, coordinates), amenities, pricing, images, check-in instructions

Retention Period:

  • Active Listings: Retained indefinitely while listing is active
  • Deactivated Listings: Retained for 2 years after deactivation, then archived
  • Deleted Listings: Property details deleted within 90 days if no associated bookings
  • Images: Deleted within 90 days from Minio storage

4.3 Booking Records

Data Type: Check-in/out dates, number of guests, booking status, total price, billcode, transaction ID

Retention Period:

⏰ All Bookings: Retained for 7 years from booking date

Required for tax compliance, financial auditing, and dispute resolution

  • After 7 Years: Booking records anonymized (remove guest PII, retain statistical data)
  • Cancelled bookings with no financial transaction: 2 years retention

4.4 Payment and Financial Data

Data Type: Transaction IDs, payment status, invoices, billcodes, amounts

Retention Period:

🔒 Financial Records: 7 years from transaction date

Mandatory for tax compliance

  • Credit Card Information: NEVER stored on CariRumah servers (handled by ToyyibPay)
  • Payment Gateway Data: Subject to ToyyibPay's retention policy

4.5 Reviews and Ratings

Data Type: Review text, rating (1-5 stars), reviewer name, date

Retention Period:

  • Published Reviews: Retained indefinitely while listing is active
  • After Listing Deletion: Reviews retained for 2 years, then anonymized
  • User Account Deletion: Reviews remain with "Former Guest" attribution

4.6 Property Images and Media

Data Type: Photos uploaded to Minio object storage

Retention Period:

  • Active Listings: Retained while listing is active
  • After Listing Deletion: 90 days, then permanently deleted from Minio storage

5. User Rights

Users have the following rights regarding their personal data:

✓ Right to Access

Request a copy of all personal data held by CariRumah. Response within 30 days.

✓ Right to Rectification

Correct inaccurate or incomplete data through account settings.

✓ Right to Deletion

Request account deletion at any time (subject to legal compliance exceptions).

✓ Right to Data Portability

Receive personal data in machine-readable format (JSON/CSV).

6. Third-Party Data Processing

CariRumah shares data with the following third parties:

ServiceData SharedRetention Policy
ClerkAuthentication data (email, user ID)Subject to Clerk's privacy policy
ToyyibPayPayment transaction dataSubject to ToyyibPay's policy (not stored by CariRumah)
BrevoEmail addresses, booking details for notifications30 days email logs
MinioProperty imagesControlled by CariRumah (see section 4.6)
Google MapsProperty coordinates for location servicesQuery data not stored

7. Data Security During Retention

All retained data is protected by:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based access with principle of least privilege
  • Authentication: Clerk-managed authentication with MFA support
  • Database Security: PostgreSQL with connection security and SQL injection prevention
  • Regular Audits: Quarterly security assessments
  • Monitoring: Real-time alerts for unauthorized access attempts

8. Contact Information

For questions about this policy or to exercise your data rights:

Email: admin@customermaestro.com

Subject Line: Data Retention Inquiry - CariRumah

9. Policy Review and Updates

This policy is reviewed annually and upon significant platform changes, regulatory updates, or security incidents. Users will be notified of material changes via email or platform notification.

Acknowledgment

By using CariRumah, you acknowledge and agree to this Data Retention Policy. Continued use of the platform constitutes acceptance of any updates to this policy.