Privacy Policy

Effective: 29 April 2026

ONNI ("we", "us", "our") values your privacy. This Policy explains what data we collect, how we use it, and the rights you have under the Personal Data Protection Act 2010 (PDPA, Malaysia).

1. Information We Collect

Account information: name, email, phone, password (stored as a one-way hash), language preference.

Order information: items purchased, delivery address, payment status, order notes.

Usage data: pages visited, device type, IP address (collected via standard server logs).

2. How We Use Your Information

To process and fulfil your orders.

To provide customer support and respond to enquiries.

To send order updates and, if you have opted in, promotional messages.

To improve our service, prevent fraud, and ensure platform security.

To comply with legal and accounting obligations in Malaysia.

3. Third-Party Services

Supabase: database and authentication (data hosted in Singapore).

Vercel: web hosting and global content delivery network.

Google OAuth: optional sign-in via your Google account (see section 4 for details).

Payment processors: where applicable, for secure payment handling.

We do not sell your personal data to third parties.

4. Google User Data

When you choose to sign in with Google, we receive the following information from your Google Account: your name, email address, profile picture (if available), and your Google account ID.

Access: We access this data only at the moment you click "Sign in with Google" and during the OAuth callback. We do not request continuous or background access to your Google account.

Use: We use Google user data solely to (a) create or link your ONNI account, (b) authenticate you on subsequent visits, and (c) send order-related notifications to your email.

Storage: Google user data is stored in our user database (Supabase, hosted in Singapore).

Security: Google user data is encrypted in transit using TLS/HTTPS, stored with row-level security in our database, and accessible only to authorised ONNI personnel with a legitimate operational need.

Sharing: We do not sell Google user data, and we do not share it with any third party for marketing, advertising, retargeting, credit assessment, or data brokerage purposes.

AI/ML: We do not use Google user data to develop, train, or improve generalised AI or machine learning models.

Retention & Deletion: Google user data is retained while your ONNI account is active. To delete the Google-derived portion of your account data, email contact@onni.my with your registered email and the request "Delete Google data"; we will action the request within 30 days.

Revocation: You may revoke ONNI's access to your Google account at any time at https://myaccount.google.com/permissions.

Limited Use: ONNI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Cookies and Local Storage

Session cookies are used to keep you signed in.

Local storage holds your shopping cart and language preference.

PWA service workers cache assets for offline access.

You can clear all of the above via your browser settings.

6. Your Rights Under PDPA

Right to access the personal data we hold about you.

Right to correct any inaccurate or incomplete data.

Right to withdraw consent for processing.

Right to request deletion (subject to legal retention requirements).

To exercise any of these rights, contact us at contact@onni.my.

7. Data Retention

Account data: retained while your account is active.

Order and payment records: retained for 7 years for tax and accounting compliance.

Server logs: retained for up to 90 days.

Upon account deletion, your personal data is anonymised within 30 days.

8. Contact Us

Email: contact@onni.my

For PDPA-related requests, please use the same email and include "Data Request" in the subject line.

9. Changes to This Policy

We may update this Policy from time to time. Material changes will be announced on the website. The effective date above shows when the current version took effect.