Legal
Privacy Policy
This Privacy Policy explains how Dourr collects, uses, stores, and protects your personal data. It applies to all users of the Platform and forms an integral part of our Terms of Service.
Effective date:
1. Introduction
Dourr ("Platform", "we", "us", or "our") is committed to protecting the privacy and personal data of all users ("User", "you", or "your"). This Privacy Policy explains what personal data we collect, how we use and protect it, who we share it with, and what rights you have under the Personal Data Protection Act 2010 (PDPA) of Malaysia. This Privacy Policy forms an integral part of our Terms of Service and User Agreement. By accessing or using the Platform, you consent to the collection, use, and processing of your personal data as described herein.
2. Data Controller
The data controller responsible for your personal data is Dourr, contactable at [email protected]. All data protection enquiries, access requests, and complaints should be directed to this address.
3. Personal Data We Collect
- Account registration data: First name, last name, email address, phone number, and password (stored in hashed form only; we never store or have access to your plaintext password).
- Profile data: Date of birth, NRIC or passport number (encrypted at rest; never exposed via APIs or visible to other users), nationality, gender, address (line 1, line 2, country, state, city, postcode), and profile photographs (avatar).
- Lister-specific data: Lister type (individual, agent, or property manager), company name, business licence number, operating regions, biography, years of experience, preferred contact method, business email, public contact information, and lister media (logo, banner images).
- Property listing data: Property title, description, type, furnishing, square footage, bedrooms, bathrooms, parking, monthly rent, deposit terms, address, GPS coordinates (latitude and longitude), available date, lease terms, contact method and phone, amenities, and property photographs (up to 20 images per listing).
- Communication data: Inquiry messages, conversation messages between Listers and Renters, and property reports (including report reason and description).
- Contact form submissions: Name, email, phone (optional), subject, and message body. These are transmitted to our support email and are not stored in a database.
- Technical and device data: IP address, browser user agent, session identifiers, and device information, collected automatically when you access the Platform.
- Activity and audit data: Login events, property creation and modification actions, inquiry activity, and associated IP addresses and user agents, logged for security, fraud detection, and Platform integrity.
4. Data We Do Not Collect
- Payment or financial data: Dourr does not process, hold, or facilitate any financial transactions. We do not collect credit card numbers, bank account details, or payment credentials. All financial arrangements are made directly between Listers and Renters outside the Platform.
- Biometric data: We do not collect fingerprints, facial recognition data, or any other biometric identifiers.
- Location tracking: We do not track your real-time geographic location. GPS coordinates are collected only for property listings (to display the property on a map) and are provided voluntarily by the Lister.
5. How We Use Your Data
- Providing the Platform: To create and manage your account, display property listings, facilitate inquiries and messaging between users, and deliver the core functionality of the Platform.
- Verification and trust: To verify user identity, maintain lister accountability, calculate trust metrics (response time, rating), and display verification status to other users.
- Safety and fraud prevention: To detect and block attempts to share personal contact information in listings and messages (automated contact detection), monitor for fraudulent activity, review flagged content, and enforce our Terms of Service and Listing Guidelines.
- Communications: To send email notifications including verification emails, password reset links, inquiry notifications, new message alerts, inquiry reminders, auto-close notifications, and welcome emails.
- Moderation and enforcement: To review reported listings, investigate policy violations, suspend or ban accounts, and maintain administrative audit trails.
- Analytics and improvement: To understand how users interact with the Platform, identify usability issues, and improve features and performance. See Section 8 (Analytics and Tracking) for details.
- Legal compliance: To comply with applicable Malaysian laws, respond to lawful requests from authorities, and enforce our legal rights.
6. Legal Basis for Processing (PDPA)
- Under the Personal Data Protection Act 2010 (PDPA), we process your personal data based on the following legal grounds:
- Consent: By registering an account and using the Platform, you consent to the processing of your personal data as described in this Policy. You may withdraw consent at any time by emailing [email protected] with the subject line "Consent Withdrawal". Upon withdrawal, we will cease processing your data except where required by law, contractual obligation, or legitimate interest (such as fraud prevention). Withdrawal may result in account suspension or termination, as the Platform cannot function without processing certain essential data.
- Contractual necessity: Processing necessary to perform our obligations under the Terms of Service and User Agreement, including account creation, listing publication, and inquiry facilitation.
- Legitimate interests: Processing necessary for fraud prevention, Platform security, safety monitoring, and enforcement of Platform policies, where such interests are not overridden by your fundamental rights and freedoms.
- Legal obligation: Processing required to comply with Malaysian law, including cooperation with law enforcement and regulatory authorities in the investigation of fraud or illegal activity.
7. Cookies and Client-Side Storage
- Authentication token: When you log in, we store an authentication token in your browser's local storage (dourr:auth-token). This token is required for the Platform to authenticate your requests. Tokens expire after 24 hours by default, or 30 days if you select "remember me" during login. This data remains on your device and is only sent as an authorization header with API requests.
- Local storage (browser): We store non-sensitive UI preferences in your browser's local storage, including: sidebar state, announcement banner dismissal, search filter preferences, saved property lists, and recently viewed property history. This data remains on your device and is not transmitted to our servers.
- Session storage: Temporary form data (such as an in-progress inquiry) may be stored in session storage, which is automatically cleared when you close the browser tab.
8. Analytics and Tracking
- We use the following third-party analytics services to understand how the Platform is used and to improve user experience:
- Google Analytics (Measurement ID: G-7KBGQGTECR): Collects anonymised usage data including page views, navigation patterns, device type, and general geographic region. Data is processed by Google LLC under their Privacy Policy. Google Analytics uses cookies to distinguish unique users. You may opt out by installing the Google Analytics Opt-out Browser Add-on.
- ContentSquare: Collects user experience analytics including interaction patterns, scroll behaviour, and click heatmaps to help us identify usability issues. Data is processed by ContentSquare SAS under their privacy policy. ContentSquare does not record personal form inputs, passwords, or sensitive data.
- These analytics scripts are loaded after page interaction (not on initial page load) to minimise performance impact. We do not use advertising pixels, retargeting scripts, or cross-site tracking for marketing purposes.
9. Third-Party Services and Data Sharing
- We share your personal data with third parties only as described below. We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.
- Email delivery (Resend): Email notifications are transmitted through Resend, our email delivery service. Resend processes your email address, name, and notification content solely for delivery purposes.
- Geocoding services (Nominatim and Photon): When a Lister enters a property address, we use OpenStreetMap's Nominatim and Komoot's Photon APIs to resolve addresses to GPS coordinates. These are public, open-source services that do not require authentication and do not store query data.
- Cloudflare: Our Platform is served through Cloudflare's CDN and security network. Cloudflare processes your IP address and request headers for DDoS protection, SSL termination, and content delivery.
- Analytics providers: Google Analytics and ContentSquare receive anonymised usage data as described in Section 8.
- Law enforcement: We may disclose personal data to Malaysian law enforcement or regulatory authorities where required by law, court order, or where we reasonably believe disclosure is necessary to prevent fraud, protect safety, or enforce our Terms of Service.
- Between users: Certain profile information (name, avatar, lister details, trust metrics) is visible to other users as part of the Platform's normal operation. Listing data is publicly visible. Communication data (messages) is visible only to the parties in the conversation and to Platform administrators for moderation purposes.
10. Data Storage and Security
- Your personal data is stored on servers located in Malaysia and protected by industry-standard security measures including:
- Encryption: All data transmitted between your browser and the Platform is encrypted using TLS/SSL (HTTPS). Passwords are hashed using bcrypt and are never stored in plaintext. Sensitive identity documents (NRIC/passport numbers) are encrypted at rest using AES-256 and are never exposed through APIs or visible to other users.
- Access controls: Administrative access to personal data is restricted to authorised personnel (Super Admins) who require access for Platform operation, moderation, and support purposes.
- Token security: Authentication tokens are scoped to your account and expire automatically (24 hours or 30 days with "remember me"). Tokens are revoked immediately upon logout. All API requests are authenticated via Bearer token authorization headers.
- Automated monitoring: Our contact detection system automatically scans listings and messages for personal contact information (phone numbers, email addresses, social media handles), preventing inadvertent or intentional data exposure.
- While we implement reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security, and you acknowledge this inherent risk.
- Data breach notification: In the event of a data breach that is reasonably likely to result in serious harm to affected users, Dourr will notify affected users via email and/or a prominent notice on the Platform as soon as practicable. We will also notify the Department of Personal Data Protection (JPDP) where required or appropriate.
11. Data Retention
- Account data: Retained for as long as your account is active. You may request account deletion by contacting us at [email protected] with the subject line "Account Deletion". Upon processing of a deletion request, personal data is removed except where retention is required by law or for legitimate business purposes (such as resolving active disputes or enforcing agreements). We will process deletion requests within thirty (30) days.
- Activity and audit logs: IP addresses, user agents, and action logs are retained for security and fraud investigation purposes. These logs are automatically deleted when the associated user account is deleted.
- Session data: Session records expire after 120 minutes of inactivity and are periodically purged by the system.
- Password reset tokens: Expire after 60 minutes and are deleted upon successful password reset.
- Property listings and media: Listing data and associated photographs are retained while the listing is active. When a listing is deleted, associated media files are also deleted. When a user account is deleted, all associated listings and media are deleted.
- Inquiries and messages: Inquiry conversations are retained for the lifetime of the associated user accounts. Inquiries are automatically closed (but not deleted) after three (3) consecutive days without a Lister response.
- Property reports: Report data is retained for moderation and enforcement purposes. When a reporter's account is deleted, associated reports are also deleted.
- Contact form submissions: Not stored in a database. Sent via email to our support team and subject to the email service provider's retention policies.
12. Your Rights Under the PDPA
- Under the Personal Data Protection Act 2010, you have the following rights regarding your personal data:
- Right of access: You may request a copy of the personal data we hold about you. We will respond within twenty-one (21) days of receiving your request.
- Right to correction: You may request correction of any inaccurate or incomplete personal data. You can update most profile information directly through your account settings.
- Right to withdraw consent: You may withdraw your consent to the processing of your personal data at any time by emailing [email protected] with the subject line "Consent Withdrawal". Withdrawal may result in our inability to provide certain Platform services and may lead to account suspension or termination. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to prevent processing for direct marketing: You may object to the processing of your personal data for direct marketing purposes. We do not currently engage in direct marketing beyond transactional notifications related to your use of the Platform.
- Right to prevent processing likely to cause damage or distress: You may object to processing that causes or is likely to cause substantial damage or distress.
- To exercise any of these rights, contact us at [email protected] with the subject line "PDPA Request". We may require identity verification before processing your request to protect your data from unauthorised access.
13. Data of Minors
The Platform is not intended for individuals under eighteen (18) years of age. We do not knowingly collect personal data from minors. If we become aware that we have inadvertently collected data from a minor, we will take immediate steps to delete such data. If you believe a minor has provided personal data to us, please contact us at [email protected].
14. International Data Transfers
Your personal data is primarily stored and processed in Malaysia. However, certain third-party services (Google Analytics, ContentSquare, Cloudflare, Resend) may process data in jurisdictions outside Malaysia. Where personal data is transferred internationally, we ensure that such transfers comply with the PDPA and that adequate safeguards are in place, including the service provider's own data protection policies and any applicable contractual protections.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, applicable laws, or Platform features. Where changes are material, we will notify registered users via email or a prominent notice on the Platform at least fourteen (14) days prior to the changes taking effect. Your continued use of the Platform after the revised Policy takes effect constitutes your acceptance of the changes. We encourage you to review this Policy periodically.
16. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of Malaysia, including the Personal Data Protection Act 2010 (PDPA). Any dispute arising from this Policy shall be subject to the exclusive jurisdiction of the courts of Malaysia and the governing law and dispute resolution provisions of the Terms of Service.
17. Contact and Complaints
- For all privacy-related enquiries, data access requests, or complaints, contact us at: Dourr, [email protected].
- Please use the subject line "PDPA Request" for data access, correction, or deletion requests to ensure prompt handling.
- We endeavour to respond to all privacy enquiries within five (5) business days and to fulfil data access requests within twenty-one (21) days as required by the PDPA.
- If you are unsatisfied with our response, you have the right to lodge a complaint with the Department of Personal Data Protection (JPDP), Ministry of Communications and Digital, Malaysia.
This Privacy Policy is governed by the Personal Data Protection Act 2010 (PDPA) of Malaysia. Dourr is committed to protecting your personal data and will only process it in accordance with this Policy and applicable law. Nothing in this Policy constitutes legal advice. For data protection queries, contact [email protected].