Privacy Policy
Effective 7 June 2026
JoinLah (“we”, “our”, or “us”) operates an event registration and check-in platform at joinlah.com. This policy explains how we collect, use, disclose, and protect personal data in accordance with the Personal Data Protection Act 2010 (Act 709) of Malaysia (“PDPA”).
This policy applies to personal data collected from event organizers who create accounts on our platform, and from event attendees who register for events through JoinLah.
1. Personal data we collect
Organizers (account holders)
- Full name and email address, collected at registration
- Password (stored as a one-way cryptographic hash; we never store it in plain text)
- Profile information you choose to provide
- Usage data: pages visited, features used, timestamps
Event attendees
- Full name and email address, provided when registering for an event
- Responses to custom fields set by the event organizer (for example: company, dietary requirement, T-shirt size)
- A unique QR code identifier generated for check-in
- Check-in timestamp and status, recorded when you scan in at the door
- Push notification subscription token, if you opt in to browser notifications
We do not collect sensitive personal data as defined under the PDPA (such as health information, biometric data, or financial account numbers) unless an event organizer specifically adds such a field to their registration form. In that case, the organizer is responsible for ensuring they have the appropriate basis to collect that data.
2. How we use your personal data
Organizer data is used to:
- Create and maintain your account
- Provide platform features: event creation, RSVP management, QR check-in, announcements
- Send transactional emails (registration confirmations, password resets, collaborator invitations)
- Respond to support enquiries
- Send product updates and service notices (you may opt out of non-essential communications)
Attendee data is used to:
- Confirm your registration and send your QR code by email
- Enable the event organizer to check you in at the door
- Send event announcements and updates from the organizer
- Send browser push notifications about the event, if you have opted in
- Allow you to update your registration responses if new fields are added
We do not use your personal data for automated decision-making that produces legal or similarly significant effects, and we do not sell personal data to any third party.
3. Disclosure to third parties
Attendee personal data (name, email, custom field responses, and check-in status) is disclosed to the organizer of the specific event you registered for. The organizer acts as a data user in their own right for that data; JoinLah processes it on their behalf to deliver the platform's features.
We engage the following categories of service providers who may process personal data on our behalf:
- Cloud infrastructure: servers and databases that host the platform
- Email delivery: transactional email for registration confirmations and announcements
- Browser push notification services: to deliver opt-in push notifications to your device
All service providers are bound by contractual obligations to process personal data only as instructed and to maintain appropriate security measures.
We do not transfer personal data outside Malaysia except to service providers operating under data protection standards equivalent to or exceeding Malaysia's PDPA requirements, and only to the extent necessary to deliver the platform services.
4. Consent and your choices
By registering for an event through JoinLah, you consent to the collection and use of your personal data for the purposes described in this policy. You may withdraw consent at any time by contacting us at hello@joinlah.com. Note that withdrawal of consent may affect our ability to provide services to you (for example, we will no longer be able to send your QR code or notify you of event changes).
Push notifications: Opt-in is explicit (you must click “Enable notifications” and grant browser permission). You can withdraw this consent at any time by revoking notification permission in your browser settings, or by contacting us so we can remove your subscription.
Marketing communications: If you have an organizer account, you may opt out of non-essential emails by following the unsubscribe link in any such email.
5. Data retention
We retain personal data for as long as it is necessary for the purposes for which it was collected:
- Organizer account data is retained for the duration of the active account and for a reasonable period after account closure for legal and audit purposes.
- Attendee registration data is retained for the duration of the event and for up to 12 months afterward, to support organizer reporting and any post-event correspondence.
- Push notification tokens are deleted immediately when a subscription expires or is revoked.
After the applicable retention period, personal data is securely deleted or anonymised.
6. Data security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include:
- Encryption of data in transit using TLS
- Passwords hashed using industry-standard algorithms; never stored in recoverable form
- Access to production data restricted to authorised personnel only
- Regular review of security practices
No method of transmission over the internet is completely secure. We cannot guarantee absolute security, but we take all reasonable steps to protect your data.
7. Your rights under the PDPA
Under the Personal Data Protection Act 2010, you have the following rights:
- Right of access (Section 30): You may request a copy of the personal data we hold about you.
- Right of correction (Section 34): You may request that inaccurate or incomplete personal data be corrected.
- Right to withdraw consent (Section 38): You may withdraw consent to processing at any time, subject to legal or contractual restrictions.
- Right to prevent processing for marketing: You may instruct us to stop processing your personal data for direct marketing purposes.
To exercise any of these rights, contact us at hello@joinlah.com. We will respond within 21 days. We may need to verify your identity before processing the request.
8. Cookies and local storage
JoinLah uses browser local storage and session storage to maintain your login state and save registration information between pages. We do not use third-party advertising cookies.
If we introduce analytics or other tracking technologies in future, this policy will be updated before they are deployed.
9. Organizers: your responsibilities
When you create an event on JoinLah and collect registrations, you act as a data user under the PDPA for the personal data of your attendees. You are responsible for:
- Informing attendees of the purpose for which you are collecting their data
- Only collecting data that is necessary for your event
- Not using attendee data for purposes beyond the event without separate consent
- Complying with any data access or correction requests from attendees
JoinLah processes attendee data on your behalf. Our obligations as data processor complement, and do not replace, your obligations as data user.
10. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where appropriate, notify organizer account holders by email. Continued use of JoinLah after the effective date constitutes acceptance of the updated policy.
11. Contact us
For privacy enquiries, requests to access or correct your personal data, or complaints about how we handle personal data:
JoinLah
Email: hello@joinlah.com
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commissioner, Department of Personal Data Protection, Malaysia (pdp.gov.my).