YOUR DATA

Privacy Notice

PDPA Act 709 compliant · Effective 2 June 2026 · Version 1.0

In short

We collect what we need to run your TWT account. We don't sell your data. You can delete it any time.

What we collect

  • Identity — name, email address
  • Travel preferences — your vibe (adventure, culture, etc.), squad type, destinations you save or wishlist
  • Savings activity — plans you create, amounts tracked, milestones hit
  • Squad activity— who you invited, kudos you've given, posts you've liked
  • Device info — browser type, IP address (for security and abuse prevention)

What we DON'T collect

  • Real-time location
  • Your phone contacts
  • Financial card details (Phase 2 payments are handled by a licensed e-money partner — we never see your card number)
  • Your browsing activity outside of TWT

Why we collect it

  • To create and run your TWT account
  • To sync your journey across devices when you're signed in
  • To show your squad your savings activity (only what you post)
  • To send weekly saving reminders — only if you opt in
  • To detect and prevent abuse and fraud

Who we share with

  • Supabase — our database and auth provider. Servers are in the Singapore region. This constitutes a cross-border data transfer under PDPA, which you consent to by using TWT.
  • Cloudflare — hosting and CDN. Global edge network.
  • Anthropic (Raya AI) — based in the US. When you message Raya, that message is sent to Anthropic to generate a response. We only send the message you type, not your account data.

No advertisers. No data brokers. Ever.

How long we keep it

While your account is active, plus 12 months after you close it. After that, automated deletion. You can manually delete sooner — see your rights below.

Your PDPA rights

Under Malaysia's Personal Data Protection Act 709, you have the right to:

  • Access — download a copy of your data
  • Correction — fix inaccurate data via /settings
  • Erasure — delete your account and all data
  • Withdraw consent— if you withdraw consent to data processing, we'll close your account (since processing is necessary to provide the service)
  • Complaint — lodge a complaint with the Personal Data Protection Commissioner of Malaysia

How to exercise your rights

In-app via /settings (download data, delete account), or email [email protected]. We respond within 14 days.

Cookies & local storage

  • localStorage — we use it to save your offline draft state (plans, preferences) on your device
  • Supabase auth cookies — to keep you signed in
  • No third-party tracking cookies. No Google Analytics, no Meta Pixel, nothing like that.

Children's data

TWT is for users 18 and above. We do not knowingly collect data from anyone under 18. If you believe we have, contact us at [email protected] and we'll delete it immediately.

Security

  • Supabase Row Level Security (RLS) — you only see your own data
  • Encrypted at rest and in transit (TLS)
  • Rate limiting and input sanitization on all endpoints
  • Regular security scans

Data breach notification

If a breach affecting your personal data occurs, we'll notify you within 72 hours of becoming aware of it.

Updates to this notice

We'll notify you in-app at least 14 days before any material changes take effect.

Data Protection contact

Email: [email protected]

Address: TWT, c/o WUV Pte. Ltd., Kuala Lumpur, Malaysia

← Back to TWT

About · Contact · Terms · Privacy · Impact

© 2026 TWT · Made with 💚 in KL · #TravelWithPurpose