1. Who We Are
ITEA TECHNOLOGY (M) SDN. BHD. operates CARI NOW (cari-now.com), a beauty salon discovery platform serving the Klang Valley (KL) and Johor Bahru (JB) regions of Malaysia, along with a B2B salon claim and management system.
Registered address: No. 6 Jalan Ekoperniagaan 2/2, Johor Bahru 81100, Malaysia
Privacy enquiries: privacy@cari-now.com
2. Information We Collect
Salon Owners (B2B)
When a salon owner submits a claim or registration through CARI, we may collect:
- Business name, address, operating hours, and service categories
- Owner name, WhatsApp number (E.164 format), email address, and phone number
- Salon photographs (interior, exterior, and catalogue images)
- Menu and pricing information
- Staff information (names, specialties) if voluntarily provided
End Users (Consumers)
When you browse cari-now.com, we may collect:
- Browser type, device type, and IP address (server logs)
- Session cookies and authentication tokens (if you log in)
- Search queries and filter selections you make on the platform
- Content you submit via contact or booking enquiry forms
- WhatsApp number and name if you use WhatsApp OTP login
WhatsApp Business (CARI ↔ Salon Owner Communication)
When we communicate with salon owners via the Meta WhatsApp Cloud API, we process:
- Sent and received message content
- Recipient phone number (E.164 format)
- WhatsApp display name (as set by the recipient)
- Message timestamps
- Delivery status (sent / delivered / read)
3. How We Use Your Information
- Publishing salon listings on cari-now.com so consumers can discover beauty services
- Sending outreach messages to salon owners via WhatsApp template messages (Meta Cloud API) or Instagram DM to invite them to claim their listing
- Authenticating salon owners who submit a claim form and verifying their identity
- Maintaining an audit trail of WhatsApp communications in our Supabase database (whatsapp_messages table)
- Improving our platform through aggregated, anonymised analytics (e.g., popular search terms, most-viewed salons)
- Responding to your enquiries or support requests submitted via email or contact form
We do not sell your personal data to third parties, and we do not use personal data for automated decision-making that produces legal effects.
4. WhatsApp Business Communications
CARI uses the Meta WhatsApp Business Cloud API to send and receive messages with salon owners. By providing your WhatsApp number to CARI (whether via our website form, Instagram DM, or other channel), you acknowledge the following:
- Messages are sent and received through Meta's WhatsApp Business Platform infrastructure. Meta's own privacy policy applies to data processed on their servers: whatsapp.com/legal/business-policy
- Marketing and utility template messages sent outside the 24-hour service window have been pre-approved by Meta before delivery
- Message logs (content, timestamps, delivery status) are stored in our Supabase database for operational and audit purposes
- To opt out of WhatsApp messages from CARI, reply "STOP" to any message we send. We will immediately cease further outbound messaging to your number
- Opting out does not automatically delete previously stored message records — please submit a Data Deletion Request (see Section 8) if you wish records to be removed
5. Third-Party Services
We use the following third-party services that may process personal data on our behalf:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Meta WhatsApp Cloud API | Salon owner messaging | whatsapp.com/legal |
| Supabase | Database, authentication & file storage (Singapore/Malaysia region) | supabase.com/privacy |
| Vercel | Website hosting & edge network | vercel.com/legal/privacy-policy |
| Google Maps Platform | Salon location maps (subject to Google Maps Platform Terms) | policies.google.com/privacy |
| Meta Instagram | B2B sales outreach DMs to salon owners | Instagram Privacy Center |
6. Data Retention
- Approved salon owner information: Retained for the duration of the active business relationship, plus a reasonable archival period thereafter
- WhatsApp message logs: Retained for 18 months from the date of the message (in line with Meta's business messaging guidelines and our audit requirements), then deleted
- Instagram outreach logs: Retained for 12 months from the date of outreach
- Unapproved registration submissions: Retained for 90 days for follow-up, then deleted
- User account data: Retained while your account is active; deleted within 30 days of an account deletion request
- Server logs (IP, browser): Retained for up to 90 days for security purposes
Upon receiving a valid deletion request, we will process it within 30 days unless retention is required by law.
7. Your Rights (Malaysia PDPA)
Under the Malaysia Personal Data Protection Act 2010 (PDPA) and applicable data protection principles, you have the following rights regarding personal data we hold about you:
- Right of Access — Request a copy of the personal data we hold about you
- Right of Correction — Request correction of inaccurate or incomplete personal data
- Right to Withdraw Consent — Withdraw consent to processing where processing is based on consent, including opting out of marketing communications
- Right to Opt Out of WhatsApp — Reply "STOP" to any WhatsApp message from CARI to cease further messaging to your number
- Right to Limit Processing — Request that we restrict processing of your personal data in certain circumstances
- Right to Deletion — Request deletion of your personal data (subject to legal retention obligations) — see Section 8
To exercise any of these rights, please contact us at privacy@cari-now.com. We will respond within 21 days. We may need to verify your identity before processing requests.
8. Data Deletion Request
To request deletion of your personal data held by CARI, please:
- Email privacy@cari-now.com with the subject line: "Data Deletion Request"
- Include the information that identifies you (e.g., your WhatsApp number, email address, or salon name registered with CARI)
- We will verify your identity and confirm the request within 7 business days
- Deletion will be completed within 30 calendar days of verification
Note on WhatsApp number deletion
If your request includes deletion of WhatsApp message records, we will remove the data from our Supabase database. Messages already delivered via the Meta WhatsApp platform are subject to Meta's own retention and deletion policies. We recommend also contacting WhatsApp Support directly if you wish to address data held on Meta's infrastructure.
9. Cookies
cari-now.com uses a minimal set of cookies necessary for the platform to function:
- Session / authentication cookies — Required to maintain your login session when you use Google OAuth or WhatsApp OTP login. These are first-party, session-scoped cookies managed by Supabase Auth.
- Preference cookies — Small items stored in your browser's localStorage to remember your browsing history and favourites within the platform (e.g., cari_favorites, cari_history).
We do not use third-party advertising cookies or cross-site tracking cookies. A standalone Cookie Policy will be published separately in a future update.
10. Children's Privacy
CARI NOW is not directed at children under the age of 13. We do not knowingly collect personal data from anyone under 13 years old. If you are between 13 and 18 years of age, please obtain parental or guardian consent before providing personal data to us.
If we become aware that we have inadvertently collected personal data from a child under 13, we will delete it promptly. Please contact privacy@cari-now.com if you believe this has occurred.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or operational practices. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Where feasible, notify affected users via WhatsApp or email prior to the changes taking effect
Continued use of cari-now.com after the effective date of an updated policy constitutes acceptance of the revised terms.
12. Contact Us
For any privacy-related enquiries, requests, or complaints, please reach out to us:
ITEA TECHNOLOGY (M) SDN. BHD.
No. 6 Jalan Ekoperniagaan 2/2, Johor Bahru 81100, Malaysia
Email: privacy@cari-now.com
Platform: cari-now.com
This Privacy Policy is governed by the laws of Malaysia. Any disputes relating to this policy shall be subject to the jurisdiction of Malaysian courts. This policy has been drafted to comply with the Malaysia Personal Data Protection Act 2010 (PDPA) and the requirements of the Meta WhatsApp Business Cloud API Live Mode program.