Overview
Waiova ("we", "us", or "our") is a product of Akean Capsule PLT, a limited liability
partnership registered in Malaysia. We provide a fascia-informed daily movement application
accessible via waiova.com and our mobile applications.
This Privacy Policy explains how we collect, use, store, and protect your personal data
when you use Waiova. It applies to all users globally, including those in the European
Union (EU), United Kingdom (UK), and California, United States.
Our commitment: We collect only what we need, we don't sell your data,
and we give you clear controls over what you share with us.
By using Waiova, you agree to the collection and use of information in accordance with
this policy. Our primary legal basis for data processing is compliance with the
Personal Data Protection Act 2010 (PDPA) of Malaysia. For users in the
EU/UK, we additionally comply with the
General Data Protection Regulation (GDPR). For California residents, we
comply with the California Consumer Privacy Act (CCPA).
Data We Collect
Account & Identity Data
- Name and email address (provided at registration)
- Password (stored as a one-way hash — we never store plaintext passwords)
- Account creation date and last login timestamp
Health & Movement Data
- Body region check-in scores (e.g. Back Relief score, Neck Relief score) entered before and after sessions
- Routine completion history and session timestamps
- Self-reported pain or stiffness levels
- Body map selections indicating areas of concern
Important: Health and movement data you enter is used solely to
personalise your Waiova experience and track your progress. It is never shared with
third parties for marketing, insurance, or employment purposes.
Payment Data
- We do not store your payment card details. All payments are processed by a PCI-DSS compliant third-party provider (Stripe or equivalent).
- We retain a record of your transaction amount, date, and plan type for billing and accounting purposes.
Technical & Usage Data
- IP address and approximate geographic location (country/region level)
- Device type, operating system, and browser
- Pages visited, features used, and session duration
- Error logs and crash reports
Communications Data
- Emails you send to our support address
- Responses to any optional in-app surveys or feedback prompts
How We Use Your Data
We use the data we collect for the following purposes:
- Delivering the service — providing personalised routines, tracking your progress scores, and displaying your body map history
- Account management — creating and maintaining your account, processing payments, and sending receipts
- Product improvement — understanding how features are used in aggregate (anonymised) to improve the product
- Customer support — responding to your questions, refund requests, and technical issues
- Security — detecting fraud, abuse, and unauthorised access
- Legal compliance — meeting our obligations under Malaysian law and applicable international regulations
- Transactional communications — sending account-related emails such as payment confirmations, password resets, and important service notices
We do not use your data for automated decision-making or profiling that produces legal
or similarly significant effects.
Data Sharing
We do not sell, rent, or trade your personal data. We share it only in the following
limited circumstances:
Service Providers
We use trusted third-party providers to operate Waiova. Each is bound by a data
processing agreement and may only use your data to provide services to us:
- Supabase — database and authentication hosting
- Vercel / Cloudflare — web application and marketing site hosting
- Stripe — payment processing
- Email provider (e.g. Resend / Postmark) — transactional email delivery
Legal Requirements
We may disclose your data if required by Malaysian law, court order, or government
authority, or where we believe disclosure is necessary to protect the rights, property,
or safety of Waiova, our users, or the public.
Business Transfer
If Waiova is acquired, merged, or sold, your data may be transferred as part of that
transaction. We will notify you via email before your data is transferred and becomes
subject to a different privacy policy.
Storage & Security
Your data is stored on servers provided by Supabase, which operates infrastructure in
the United States and/or European Union. Where data is transferred outside Malaysia, we
ensure adequate protections are in place consistent with the PDPA 2010.
We implement the following security measures:
- All data transmitted between your device and our servers is encrypted via TLS/HTTPS
- Passwords are hashed using bcrypt — we never store plaintext credentials
- Database access is restricted by role-based permissions
- API keys and secrets are stored in environment variables, never in source code
- Regular dependency audits and security reviews
No method of transmission over the internet is 100% secure. While we take reasonable
steps to protect your data, we cannot guarantee absolute security.
Data Retention
We retain your data for as long as your account is active or as needed to provide you
with our services.
- Active account data — retained for the duration of your subscription or lifetime access
- Deleted account data — permanently deleted within 30 days of account deletion, except where required for legal or accounting purposes (typically up to 7 years for financial records, per Malaysian law)
- Support communications — retained for up to 2 years
- Anonymised analytics data — may be retained indefinitely as it cannot be linked back to you
Your Rights
Depending on your location, you have the following rights regarding your personal data:
All Users (under Malaysian PDPA 2010)
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Withdrawal of consent — withdraw consent for data processing where consent is the legal basis
EU / UK Users (under GDPR)
- Erasure ("right to be forgotten") — request deletion of your personal data
- Portability — receive your data in a structured, machine-readable format
- Restriction — request that we limit processing of your data
- Objection — object to processing based on legitimate interests
- Complaint — lodge a complaint with your local supervisory authority
California Residents (under CCPA)
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising your privacy rights
To exercise any of these rights, contact us at
privacy@waiova.com. We will respond within
30 days.
Cookies
Waiova uses cookies and similar technologies to operate the service and understand how
it is used.
Essential Cookies
Required for the service to function. These include authentication session tokens and
security cookies. You cannot opt out of these without logging out.
Analytics Cookies
Used to understand how users interact with Waiova in aggregate. We use
privacy-respecting analytics (no cross-site tracking). You can opt out via your browser
settings or a cookie preference banner on first visit.
We do not use advertising cookies or share cookie data with ad networks.
Children
Waiova is intended for adults aged 18 and over. We do not knowingly collect personal
data from anyone under the age of 18. If you believe a minor has provided us with
personal data, please contact us at
privacy@waiova.com and we will delete it
promptly.
Policy Changes
We may update this Privacy Policy from time to time. When we do, we will revise the
"Last updated" date at the top of this page and, for material changes, notify you by
email at least 14 days before the changes take effect. Your continued use of Waiova
after that date constitutes acceptance of the updated policy.