Privacy Policy
Last updated: 14 May 2025 · Effective date: 14 May 2025
1. Who We Are
FixNow (“we”, “us”, or “our”) operates the FixNow platform, a cloud-based workshop management and CRM service for automotive businesses in Malaysia and Southeast Asia.
In relation to personal data of our workshop account holders and their designated users, FixNow acts as the data controller. In relation to personal data of end customers entered into the Platform by workshop operators, FixNow acts as a data processor on behalf of the workshop operator (who is the data controller).
For any privacy-related enquiries, please contact us at: support@fixnow.my
2. Personal Data We Collect
We collect personal data in the following categories:
Collected when you create a FixNow account:
- Full name
- Email address
- Password (stored in encrypted form; FixNow staff cannot view plaintext passwords)
- Workshop name and contact number
- IP address and device information at registration
Data you input while using the Platform:
- Customer names, phone numbers, and email addresses
- Vehicle registration numbers, make, model, year, mileage, and VIN
- Service records, notes, costs, and dates
- Invoice data and payment records
- Appointment and scheduling information
Automatically collected during your use of the Platform:
- Log files including IP address, browser type, access times, and pages visited
- Device identifiers and operating system information
- Feature usage patterns and session duration
- Error logs and performance metrics
Payment transactions are processed by third-party payment providers. FixNow does not store full credit card or debit card numbers. We retain only transaction references, amounts, and dates for billing purposes.
3. Legal Basis and Purposes for Processing
Under the PDPA 2010, we process personal data on the following lawful bases and for the following purposes:
| Purpose | Lawful Basis |
|---|---|
| Providing and operating the Platform | Contractual necessity |
| Account management and authentication | Contractual necessity |
| Processing payments and issuing invoices | Contractual necessity; Legal obligation |
| Customer support and responding to enquiries | Contractual necessity; Legitimate interest |
| Sending service notifications and updates | Contractual necessity; Consent |
| Security monitoring and fraud prevention | Legitimate interest; Legal obligation |
| Improving Platform features and user experience | Legitimate interest |
| Compliance with Malaysian laws and regulations | Legal obligation |
| Marketing communications (with opt-in) | Consent |
| Analytics and aggregate reporting | Legitimate interest |
4. The Seven PDPA Principles
FixNow adheres to all seven principles of the PDPA 2010:
General Principle
We only process personal data with the consent of the data subject, or on a lawful basis as permitted under the PDPA.
Notice & Choice Principle
We inform data subjects of the purposes for processing through this Privacy Policy before or at the time of collection. You may withdraw consent for non-essential processing at any time.
Disclosure Principle
We do not disclose personal data to third parties without consent, except where required by law or as described in this Policy.
Security Principle
We implement technical and organisational measures to protect personal data against unauthorised access, loss, or destruction.
Retention Principle
We retain personal data only for as long as necessary for the stated purpose, or as required by Malaysian law.
Data Integrity Principle
We take reasonable steps to ensure personal data is accurate, complete, and up to date. You may correct your data at any time through your account settings.
Access Principle
Data subjects have the right to access and correct their personal data. Requests can be submitted to support@fixnow.my.
5. How We Share Your Data
We do not sell your personal data. We may share your data with:
Cloud Infrastructure Providers
FixNow uses Supabase (hosted on AWS) for database and storage services, and Vercel for application hosting. These providers process data solely on our instructions under data processing agreements.
Authentication Providers
We use Clerk.com to manage user authentication and session management. Clerk processes your email address and authentication credentials under strict security controls.
Payment Processors
Payment transactions are handled by third-party payment gateways. We share only the minimum data necessary to complete transactions.
Communication Services
We may use third-party email services (e.g. Resend) to deliver transactional emails including account verification, password resets, and service notifications.
Legal and Regulatory Authorities
We may disclose personal data to law enforcement, courts, or regulatory bodies when required by Malaysian law, court order, or to protect the rights and safety of FixNow or others.
Business Transfers
In the event of a merger, acquisition, or sale of all or part of FixNow's business assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.
Cross-Border Transfers: Some of our service providers may process data outside of Malaysia. Where this occurs, we ensure equivalent levels of data protection are in place through contractual safeguards, in compliance with Section 129 of the PDPA 2010.
6. Data Security
We implement the following security measures to protect your personal data:
- Encryption in transit: All data transmitted between your browser/device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Encryption at rest: Database storage is encrypted at rest using AES-256 encryption
- Access controls: Strict role-based access controls ensure that only authorised personnel can access production data
- Multi-tenancy isolation: Each workshop's data is logically isolated at the database level using row-level security policies
- Authentication security: Multi-factor authentication (MFA) is available for all accounts
- Audit logging: Access to sensitive data is logged and monitored
- Regular backups: Data is backed up regularly with retention according to our data lifecycle policy
- Incident response: We maintain an incident response plan. In the event of a data breach affecting your data, we will notify you and the relevant authorities as required by the PDPA
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of active account + 90 days after termination |
| Workshop operational data (customers, vehicles, services) | Duration of active account + 90 days after termination |
| Billing and invoice records | 7 years (as required under Malaysian tax law) |
| Authentication logs | 90 days |
| Technical and error logs | 30 days |
| Marketing consent records | Until consent is withdrawn + 2 years |
| Backup copies | Up to 180 days in encrypted storage after deletion from active systems |
8. Your Rights Under the PDPA 2010
As a data subject under the PDPA 2010, you have the following rights:
Right to Access
Request a copy of the personal data we hold about you (Section 30, PDPA)
Right to Correction
Request that inaccurate, incomplete, or outdated personal data be corrected (Section 34, PDPA)
Right to Withdraw Consent
Withdraw consent for non-essential processing at any time, without affecting the lawfulness of prior processing
Right to Limit Processing
Request that we limit how we use your personal data in certain circumstances
Right to Data Portability
Request your data in a structured, machine-readable format
Right to Complain
Lodge a complaint with the Department of Personal Data Protection (JPDP) at www.pdp.gov.my if you believe your rights have been violated
To exercise any of these rights, email us at support@fixnow.my with your name, account email, and the specific right you wish to exercise. We will respond within 21 days as required by the PDPA.
9. Cookies and Tracking Technologies
FixNow uses the following types of cookies and similar technologies:
Essential Cookies
Required: Necessary for the Platform to function, including authentication session tokens and security cookies. Cannot be disabled.
Functional Cookies
Optional: Remember your preferences such as language settings and display options to improve your experience.
Analytics Cookies
Optional (with consent): Help us understand how the Platform is used so we can improve it. We use privacy-preserving analytics tools and do not share individual-level data.
10. Children's Privacy
The FixNow Platform is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data without verifiable parental consent, we will take steps to delete such data promptly. If you believe a minor has registered on our Platform, please notify us at support@fixnow.my.
11. Links to Third-Party Services
The Platform may contain links to external websites or integrate with third-party services (such as WhatsApp, Google Maps, or payment gateways). FixNow is not responsible for the privacy practices of third-party services. We encourage you to read the privacy policies of any third-party service you interact with through the Platform.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Last updated” date at the top of this page;
- Send a notification to your registered email address at least 14 days before the changes take effect; and
- Display a prominent notice within the Platform.
Your continued use of the Platform after the effective date of the updated Policy constitutes your acceptance of the changes.
13. Contact and Complaints
For any privacy-related questions, requests, or complaints, please contact us:
