Privacy Policy

Effective Date: January 1, 2023 Last Updated: December 11, 2025

1. Introduction

Sarabyte Digital Solution ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our HeyGrats platform and related services (the "Service").

Important Notice on Data Roles: For the purpose of the General Data Protection Regulation (GDPR) and other applicable laws:

Data Controller: We are the Data Controller for your account information (e.g., your registration details, billing info).
Data Processor: For photos, media, and guest data uploaded to an event ("Event Content"), we act as a Data Processor on behalf of the Event Organizer (the "Controller"). If you are an event guest and wish to remove a photo, please contact the Event Organizer directly.

By using our Service, you consent to the data practices described in this policy. If you do not agree with the practices described in this policy, please do not use our Service.

2. Information We Collect

2.1 Personal Information

We may collect personal information that you voluntarily provide to us, including:

Name and contact information (email address, phone number)
Account credentials (username, password)
Profile information and preferences
Payment and billing information (processed securely by third-party providers)
Event details and media uploads

2.2 Automatically Collected Information

When you use our Service, we automatically collect certain information:

Device information (IP address, browser type, operating system)
Usage data (pages visited, time spent, features used)
Cookies and similar tracking technologies (See our Cookie Policy)

3. How We Use Your Information

We use the information we collect for various purposes, including:

Providing, maintaining, and improving our Service
Processing transactions and managing your account
Contractual Necessity: To fulfill our contract with you (e.g., hosting your event photos).
Legitimate Interests: To analyze usage patterns, prevent fraud, and ensure security.
Complying with legal obligations.

4. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following circumstances:

Service Providers: With trusted third-party vendors who assist in operating our Service, such as:
- Cloud Hosting & Storage: Vercel (Frontend/API) and DigitalOcean (File Storage)
- Payment Processors: Stripe
- Analytics: Vercel Analytics
Legal Requirements: When required by law or to protect our rights and safety.
Event Participants: Photos and content may be visible to other event participants as intended by the Service.

5. Data Security

We implement appropriate technical and organizational security measures to protect your personal information:

Encryption of data in transit (SSL/TLS) and at rest.
Regular security assessments and updates.
Access controls and authentication measures.
Secure data centers and infrastructure.

Data Breach Notification: In the unlikely event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with applicable laws (PDPA/GDPR).

6. Your Rights and Choices

Depending on your location, you may have specific rights regarding your personal information:

6.1 General Rights (Global)

Access: Request access to your personal information.
Correction: Request correction of inaccurate information.
Deletion: Request deletion of your personal information.
Withdraw Consent: Withdraw consent for marketing communications.

6.2 GDPR Rights (European Economic Area)

If you are located in the EEA, you also have the right to:

Data Portability: Request a copy of your data in a portable format.
Restriction: Request restriction of processing.
Lodge a Complaint: File a complaint with a supervisory authority in your country.

6.3 CCPA Notice (California Residents)

Do Not Sell: We do not sell your personal information.
Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, please contact us at [support@heygrats.com].

7. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations.

Account Data: Retained as long as your account is active.
Event Media: Retained for the duration of the subscription plan plus a grace period of 30 days after expiry, after which it is permanently deleted.

8. International Data Transfers

Your information may be transferred to, stored, and processed in Malaysia or on cloud servers located in Singapore where our third-party service providers (Vercel/DigitalOcean) are located.

By using the Service, you consent to the transfer of information to countries outside of your country of residence, which may have data protection rules that are different from those of your country. We ensure appropriate safeguards are in place to protect your information.

9. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.

10. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of Malaysia, without regard to its conflict of law provisions. Any dispute arising from this Policy shall be subject to the exclusive jurisdiction of the courts of Malaysia.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Sarabyte Digital Solution

Email: support@heygrats.com
Address: Third Floor, Suite 7.3, Lot 1984 (New Lot 3338), Block 10, KCLD, Jalan Laksamana Cheng Ho, 93350 Kuching, Sarawak, Malaysia.