Privacy Policy.
Last updated: April 21, 2026
This policy explains what information we collect, why we collect it, and what we do with it. We've kept it simple and specific to how Rekakita Studio actually operates.
The short version.
When you become a Rekakita Studio client, we collect the minimum we need to design your posters and process your payments. We don't sell data. We don't use your product photos for anything other than your project. We use Google Analytics to understand traffic patterns — with IP anonymization enabled, so we never see your personal IP.
Who we are.
Rekakita Studio is a design service operated by CM, based in Penang, Malaysia.
Contact for privacy questions:
Email: [email protected]
WhatsApp: +60 11-2331 4344
What we collect.
When you visit our website
- Standard request logs: IP address, browser type, pages visited, timestamps. Kept for 30 days for security and debugging.
- Analytics cookies: We use Google Analytics 4 to understand how visitors use our site — which pages get read, which CTAs get clicked, which regions our visitors come from. GA4 sets first-party cookies (`_ga`, `_ga_*`) that persist up to 2 years. We run GA4 with IP anonymization enabled, so your full IP is never stored. We don't use this data for advertising, we don't sell it, and we don't share it outside of Google's analytics processing.
- Security cookies: Our site is served through Cloudflare, which may set its own security-related cookies.
When you become a client
- Contact information: Your WhatsApp number, your name, your business name
- Business context: What you sell, which designer style you picked, what campaigns you're running
- Product photos: Images you send us for each design brief
- Payment information: Processed by PayEx — we don't store your card details. We keep a record that you paid.
When you message us on WhatsApp
- Conversation history: Kept so we can reference past briefs, remember your brand kit, and respond to you properly
Why we collect it.
- To do the design work you paid for — we can't design your poster without your product photo and brief
- To process payments — PayEx needs your information to charge your card
- To communicate with you — we respond on WhatsApp, we may email you receipts or service updates
- To build your brand kit over time — so we don't ask you for the same logo, palette, or brand voice every month
- To improve our service — we occasionally look at our own work patterns (not your content) to get faster or better
Who we share it with.
We share your information only when needed to deliver the service:
| Who | What | Why |
|---|---|---|
| PayEx | Your payment information | To process your subscription |
| Cloudflare | Your website request data | To protect and serve our site |
| Google Analytics | Anonymized pageview and CTA click events | To understand our traffic |
| Google Workspace | Your email correspondence | Our email is hosted by Google |
| WhatsApp (Meta) | Your WhatsApp messages | Our conversations happen on their platform |
We don't sell your data. Ever.
We don't share your designs with other clients — your work is confidential to you.
Your product photos.
Product photos deserve a specific callout because they're sensitive for brand owners.
- We use your product photos only for your designs. Nothing else.
- We don't use your product photos to train anyone's models.
- We may use a delivered poster in our portfolio (the finished design, not your raw product photo) with client brand names anonymized unless you permit crediting. See Terms of Service.
- We keep your product photos for 90 days after delivery in case you need a reissue or variation. After 90 days, we delete them unless you're still actively using them for a recurring campaign.
How long we keep your data.
| Data | Retention |
|---|---|
| Website request logs | 30 days |
| WhatsApp conversation history | Duration of your subscription + 12 months |
| Client contact information | Duration of your subscription + 24 months (for reactivation) |
| Product photos and briefs | 90 days after delivery (or longer if active campaign) |
| Payment records | 7 years (Malaysian tax law requirement) |
| Delivered posters | Kept indefinitely in our portfolio archive (anonymized if no permission to credit) |
Your rights.
Under the Malaysian Personal Data Protection Act 2010 (PDPA), you have the right to:
- Access: Ask us what information we hold about you
- Correct: Ask us to fix wrong information
- Delete: Ask us to delete your information (some exceptions apply — see retention above)
- Withdraw consent: Stop us from using your information for marketing (we don't do marketing outreach anyway, but the right stands)
- Opt out of analytics: You can install the Google Analytics Opt-Out Browser Add-on to prevent GA4 from tracking any site you visit, including ours.
How to exercise these rights: Email [email protected] with your request. We respond within 14 days.
Security.
We take reasonable steps to protect your data:
- Our VPS is hardened (SSH key only, firewall enabled, no password login)
- Our website runs on HTTPS everywhere with modern TLS
- Secrets (API tokens, passwords) are stored in restricted files, not in our code
- Your payment data is handled by PayEx, not stored on our servers
We're a small studio. We can't promise bank-grade security. We can promise we won't be careless.
Children.
Our service is not intended for anyone under 18. We don't knowingly collect information from children. If you're a parent and believe your child has contacted us, email [email protected] and we'll remove their data.
International users.
Rekakita Studio serves Malaysian SMEs primarily, but our website is accessible globally. If you're accessing us from outside Malaysia, your information may be processed in Malaysia and in the countries where our service providers operate (typically Singapore, the US, and elsewhere).
Changes to this policy.
We may update this policy as our practices evolve or regulations change. When we update materially, we'll notify active clients. The "Last updated" date at the top always reflects the current version.
Contact.
Questions about your data, privacy concerns, or requests under PDPA:
Email: [email protected]
WhatsApp: +60 11-2331 4344
We read everything. We respond within the day.
Privacy Policy v1.1 — updated April 21, 2026 to reflect Google Analytics 4 integration.
Note: This is a plain-language working draft appropriate for a solo-founder studio at launch. It covers the core PDPA 2010 requirements (notice, consent, access, correction) in plain language. Before scaling to 100+ clients or running paid marketing, get a formal legal review and implement a proper consent banner.