This Privacy Policy explains how Big Jpresso Sdn Bhd ("Bloom Daily", "we", "us", or "our") collects, uses, discloses, stores, and protects your personal data when you use the Bloom Daily marketplace at bloomdaily.io and any related services (the "Platform").
This Policy is issued in compliance with the Personal Data Protection Act 2010 of Malaysia ("PDPA") and forms part of our Terms & Conditions. By using the Platform, you consent to the practices described below.
1. Who We Are
Big Jpresso Sdn Bhd is a Malaysian-incorporated specialty coffee company operating Bloom Daily as a multi-vendor marketplace. We act as the data controller for personal data collected through the Platform. For data shared with our partner Sellers (Jpresso, Cloud Catcher, LewisGene, Richman, Beansology, and other approved partners), we act as a joint controller solely for the purpose of fulfilling Orders.
2. Personal Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, phone number, password (hashed) | Provided by you at registration |
| Order & delivery data | Shipping address, billing address, order history, product preferences | Provided at checkout |
| Payment data | Last 4 digits of card, payment method type, transaction reference (full card details are processed and stored by Stripe, not by us) | Stripe |
| Seller data (if applicable) | Business name, SSM registration, bank details for payouts, tax ID | Provided by Sellers via Stripe Connect onboarding |
| Communications | Emails, support messages, chatbot transcripts (Sophia) | Provided by you |
| Technical data | IP address, browser type, device identifiers, timestamps, pages visited | Automatically collected via cookies and server logs |
| Marketing preferences | Opt-in status for newsletters, promotions, subscription nudges | Provided by you / inferred |
3. How We Use Your Personal Data
We use your personal data for the following purposes:
- Order fulfilment — processing payments via Stripe, sharing delivery details with the relevant Seller, coordinating courier dispatch.
- Account management — authentication, password recovery, order history, customer support.
- Subscriptions — managing recurring billing, dispatch schedules, and renewal notifications.
- Communications — sending order confirmations, shipping updates, service announcements, and (with your consent) marketing emails.
- Platform improvement — analysing usage patterns, debugging errors, and improving the user experience.
- Fraud prevention & security — detecting suspicious activity, preventing payment fraud, enforcing our Terms.
- Legal compliance — meeting tax, accounting, consumer protection, and regulatory obligations under Malaysian law.
4. Legal Basis for Processing
Under the PDPA, we process your personal data on the basis of:
- Performance of a contract — to deliver the Products and services you order.
- Consent — for marketing communications and optional features (you may withdraw consent at any time).
- Legitimate interests — for fraud prevention, network security, and improving our Platform, balanced against your privacy rights.
- Legal obligation — where we are required to retain or disclose data by Malaysian law.
5. Sharing & Disclosure
We do not sell your personal data. We share it only with the following categories of recipients, and only to the extent necessary:
5.1 Sellers
When you place an Order, we share the necessary delivery details (name, shipping address, phone number, items ordered) with the relevant Seller so they can dispatch your Order. Sellers are contractually required to use this data only for fulfilment and post-sale support.
5.2 Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe (Stripe Payments Malaysia Sdn Bhd / Stripe Inc.) | Payment processing, Stripe Connect payouts, fraud detection | Name, email, billing address, payment details |
| Supabase (Supabase Inc.) | Database hosting with Row Level Security | Account, order, and seller data |
| Render (Render Services Inc.) | Application hosting | Server logs, IP addresses |
| Google (Gemini API) | AI chatbot responses (Sophia) | Chat messages you send to Sophia |
| Anthropic (Claude API) | AI agent assistance (selected internal flows) | Limited prompt content as required |
| Couriers | Parcel delivery | Name, delivery address, phone number |
5.3 Legal & Regulatory
We may disclose your data when required by law, court order, or to protect our legal rights, prevent fraud, or respond to a regulator's lawful request.
5.4 Business Transfers
If Big Jpresso Sdn Bhd is involved in a merger, acquisition, or asset sale, your personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.
6. International Transfers
Some of our service providers (Stripe, Supabase, Render, Anthropic, Google) may process data outside Malaysia, including in the United States, European Union, and Singapore. Where data is transferred outside Malaysia, we take reasonable steps to ensure it receives a level of protection comparable to that under the PDPA, including by relying on the providers' standard contractual safeguards and security certifications.
7. Cookies & Tracking
We use cookies and similar technologies to:
- Keep you logged in (session cookies).
- Remember your cart and preferences.
- Measure traffic and improve the Platform (analytics cookies).
- Deliver and measure marketing campaigns (only where you have consented).
You can disable cookies through your browser settings, but some features of the Platform may not function properly without them.
8. Data Retention
- Account data — retained for as long as your account is active. You may request deletion at any time (see Section 10).
- Order & transaction records — retained for at least 7 years to comply with Malaysian tax and accounting laws.
- Marketing data — retained until you unsubscribe or withdraw consent.
- Server & security logs — typically retained for up to 12 months.
9. Security
We implement reasonable technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (HTTPS/TLS).
- Hashed passwords — we never store passwords in plain text.
- Supabase Row Level Security (RLS) policies on all sensitive tables.
- Restricted administrative access via authenticated dashboards.
- PCI-DSS compliance through Stripe — full card details are never handled by our servers.
While we strive to protect your data, no system is fully immune to risk. You are responsible for keeping your account credentials confidential.
10. Your Rights Under the PDPA
You have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right of correction — request correction of inaccurate or incomplete data.
- Right to withdraw consent — withdraw consent for marketing or other consent-based processing at any time.
- Right to limit processing — request that we limit how your data is processed in certain circumstances.
- Right to data deletion — request deletion of your account and associated data, subject to legal retention obligations.
To exercise any of these rights, email us at hello@jpressocoffee.com. We will respond within 21 days as required by the PDPA. We may need to verify your identity before processing your request.
11. Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, please contact us so we can delete it.
12. Marketing Communications
With your consent, we may send you newsletters, product updates, and promotional offers about Bloom Daily, Jpresso, and our partner Sellers. You can unsubscribe at any time using the link in any marketing email or by contacting us directly. Transactional emails (order confirmations, shipping notices, account security) are not optional as they are necessary to provide the service.
13. Third-Party Links
The Platform may link to external sites (such as Seller social media or Stripe). We are not responsible for the privacy practices of those sites. We recommend reviewing their privacy policies before sharing any personal data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will always be posted on this page with a revised effective date. Material changes will be communicated via email or a prominent notice on the Platform. Continued use after changes take effect constitutes acceptance.
15. Contact Us
For any questions, requests, or complaints regarding this Privacy Policy or our handling of your personal data, please contact us:
Big Jpresso Sdn Bhd — Data Protection
Bandar Sri Damansara, Kuala Lumpur, Malaysia
Email: hello@jpressocoffee.com
Website: bloomdaily.io
If you are unsatisfied with our response, you may lodge a complaint with the Personal Data Protection Department of Malaysia (JPDP) at www.pdp.gov.my.