Privacy Policy

We may collect the following categories of personal data when you use our website or book our services:

• Identification Data: Full name, nationality, identification or passport number.
• Contact Data: Email address, phone number, hotel or accommodation details.
• Booking & Travel Data: Itinerary details, transportation preferences, ticket history, and travel dates.
• Payment Data: Payment method information processed securely through third-party payment gateways (FPX, credit/debit card). We do not store full card details.
• Technical Data: IP address, browser type and version, device information, and usage data collected via cookies and analytics.
• Communication Data: Records of emails, WhatsApp messages, phone calls, and feedback or reviews you provide.

We use your personal data only for the following purposes:

• To process and manage your bookings, ticketing, and transportation services.
• To communicate important updates — such as schedule changes, delays, or departure reminders.
• To improve our customer service, website functionality, and operational efficiency.
• To comply with regulatory requirements and tourism authority obligations in Malaysia.
• To send marketing communications or promotions (only if you have given explicit consent).

If you are a resident of the European Economic Area (EEA), we process your personal data under the following legal bases:

• Contractual necessity: Processing your booking and delivering the services you requested.
• Legitimate interests: Improving our services, fraud prevention, and operational analytics.
• Consent: Sending marketing communications and non-essential cookies.
• Legal obligation: Complying with Malaysian tourism and tax regulations.

We may share your personal data with the following categories of recipients:

• Boat operators & transport partners: To fulfill your booking and ensure smooth service delivery.
• Payment processors: FPX service providers and card payment gateways to handle secure transactions.
• Regulatory authorities: When required by Malaysian law or tourism compliance audits.
• IT service providers: Website hosting, email delivery, and analytics providers under strict data processing agreements.

We retain your personal data only as long as necessary to fulfill the purposes outlined in this policy. Specifically:

• Booking records are retained for 7 years to comply with Malaysian tax and financial regulations.
• Customer communication records are retained for 2 years after the last interaction.
• Analytics and technical data are retained for 26 months (per Google Analytics recommendation).

After the retention period ends, your data is securely deleted or anonymized.

You have the following rights regarding your personal data:

• Right to access: Request a copy of the personal data we hold about you.
• Right to rectification: Correct any inaccurate or incomplete information.
• Right to erasure: Request deletion of your personal data, subject to legal retention requirements.
• Right to restrict processing: Limit how we use your data in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Withdraw consent for marketing communications at any time.

Our website uses cookies and similar tracking technologies to enhance your experience and gather analytics. We use:

• Essential cookies: Required for the website to function (booking flow, session management).
• Analytics cookies: To understand how visitors use our site (Google Analytics 4).
• Marketing cookies: For Google Ads conversion tracking and retargeting (only with consent).

You can control or disable cookies through your browser settings. Essential cookies cannot be disabled as they are necessary for booking functionality.

We also use a Cookie Consent banner that records your preferences before any non-essential cookies are loaded.

We implement reasonable technical and organizational measures to protect your personal data, including:

• SSL/TLS encryption on all data transmitted through our website.
• Secure Firebase backend with role-based access controls.
• PCI-DSS compliant payment processing via third-party gateways (we never store full card numbers).
• Regular security reviews and access audits.

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We encourage you to take precautions when sharing personal data online.

Your data may be transferred to and processed in countries outside Malaysia (e.g., Google Cloud servers, payment gateway servers). When transferring data from the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us: