Customer Privacy Policy

Service: QueueIn — queue management platform.
Effective date: 3 May 2026. Last updated: 3 May 2026.

This Privacy Policy explains how QueueIn ("QueueIn", "we", "us") and the business (e.g. restaurant, clinic, café, or event organiser) that you are joining a queue with (the "Business") handle your personal data when you use QueueIn to join a queue, receive queue updates, or interact with related notifications including WhatsApp messages.

This policy is written for customers — the individuals who join queues. It is separate from any agreement that QueueIn has with the Business.

Quick summary We collect your name, phone number, and (optionally) party size only to manage your place in the queue and notify you when it is your turn. If you opt in, your phone number is shared with Meta Platforms, Inc. so we can send you messages on WhatsApp. Messages are kept generic — we do not include sensitive details such as the name of a doctor or treatment. Non-VIP data is deleted within 24 hours. You can opt out of WhatsApp notifications at any time by replying STOP.

1. Who is responsible for your data

QueueIn is a multi-tenant platform. Several parties may be involved in handling your data:

The Business you are queuing with is the primary data user / data controller under the Malaysian Personal Data Protection Act 2010 ("PDPA"). The Business decides what to do with your data, how long to keep VIP records, and who in their staff sees it.
QueueIn acts as a data processor for the Business. We host the software, store the data, and deliver notifications on the Business's behalf. For limited purposes (such as sharing your number with Meta to send WhatsApp messages, and operating the platform's security and audit logs), QueueIn acts as a controller in its own right.
Meta Platforms, Inc. ("Meta") delivers WhatsApp messages on our behalf via the WhatsApp Business Platform. Meta is an independent controller for the metadata it processes (delivery receipts, abuse signals, etc.) under Meta's WhatsApp Business Policy and WhatsApp's Privacy Policy .

2. Personal data we collect

Data	Source	Required?	Why
Name (or nickname)	You provide it on the join queue form.	Required	So staff can call you when it is your turn.
Mobile phone number (Malaysian +60 format)	You provide it on the join queue form.	Required	To send queue updates by push notification, in-app message, or WhatsApp.
Party size (number of people)	You provide it on the join queue form (if shown).	Optional / per outlet	So the Business can prepare the right capacity (e.g. table size).
Language preference (en / ms / zh)	Detected automatically from your browser; you can change it.	Automatic	To show the queue page and notifications in your language.
Consent records (timestamps, what you agreed to)	Recorded when you tick consent boxes.	Required where consent is collected	Evidence of your consent under PDPA.
Browser push token / device token (if granted)	Generated by your browser or device when you enable notifications.	Optional	To deliver in-browser queue updates.
Queue activity (queue number, join time, status)	Generated automatically as you use the queue.	Automatic	To run the queue and produce wait-time estimates.
Limited technical data (IP address, user agent, audit log entries)	Captured automatically by our servers.	Automatic	Security, abuse prevention, fraud detection, and PDPA audit obligations.

We do not ask you for your identity card number, full date of birth, payment details, or login credentials.

3. Sensitive personal data — what we do not collect or share

Some Businesses on QueueIn operate in healthcare-adjacent settings (such as clinics). Under PDPA Section 40 ("sensitive personal data") and Meta's WhatsApp Business Policy , certain categories of data must not be shared with Meta or processed without specific safeguards.

QueueIn therefore commits to the following:

We do not store the name of a specific doctor, dentist, therapist or practitioner you are visiting in any field that is sent to Meta or shown in queue notifications.
We do not ask you about, store, or transmit your medical condition, diagnosis, symptoms, treatment, medication, or the clinic department / specialty you are visiting.
We do not ask for your religion, ethnicity, political opinions, sexual orientation, or any other special-category data.
WhatsApp messages from QueueIn are intentionally generic — for example, "Your turn is coming up", "Please head over now", or "You have been removed from the queue". They will not reveal sensitive context about why you are in the queue.

4. Why we use your data (purposes)

To put you in the queue and show you your number, position and estimated wait.
To notify you about queue events: turn coming up, called, no-show, queue closed.
To deliver these notifications by your chosen channel: in-app status page, browser push notification, or (if you opt in) WhatsApp.
To allow the Business to manage its operations — e.g. seat you, mark you as served, or record a no-show.
If you choose to join the Business's VIP / loyalty list, to let the Business contact you again about future visits and offers.
To keep the platform secure: rate-limiting, abuse detection, audit logging.
To meet our legal obligations under PDPA, including responding to requests from regulators or law enforcement that have lawful authority.
In aggregated / de-identified form only, to improve QueueIn's wait-time estimates and overall service quality.

5. Lawful basis (PDPA 2010, Malaysia)

Our handling of your personal data relies on the following lawful bases under the Malaysian Personal Data Protection Act 2010:

Your consent — given when you tick the consent box on the join queue form, when you opt in to WhatsApp notifications, and when you opt in to a Business's VIP list.
Performance of a transaction with you — we cannot run the queue or notify you of your turn without your name and phone number.
Compliance with legal obligations — for example, retaining consent evidence, audit logs, and breach records as required by PDPA.
Legitimate interests — running platform security, fraud prevention, and producing aggregated statistics.

The Business that you are queuing with represents to QueueIn that it has the right under PDPA to collect your data for the purposes set out in this policy, and to share it with QueueIn and (with your opt-in) with Meta for messaging.

6. WhatsApp notifications — data sharing with Meta

You are in control WhatsApp notifications are off by default. We will only share your phone number with Meta if you explicitly opt in — for example by ticking the WhatsApp opt-in box on the join queue page, scanning a QR code, or sending us a starting message such as "What's my queue number?" on WhatsApp.

What we share with Meta

Your mobile phone number, so Meta can deliver our message to you on WhatsApp.
The generic content of the message itself (e.g. "Your turn is coming up").
The QueueIn message template identifier, language, and the technical metadata that WhatsApp requires to route the message.

What we do not share with Meta

Your medical condition, treatment, or department.
The name of any specific doctor, practitioner or staff member you are seeing.
Your full identity card number, payment details, or login credentials.
Sensitive personal data of any kind as defined in PDPA Section 40.

How Meta uses the data

Meta uses the shared data to deliver the message, to operate and secure the WhatsApp Business Platform, to measure delivery (e.g. delivered / read receipts), and to detect abuse. Meta may process this data outside Malaysia, including in the United States, Ireland, and other jurisdictions where Meta operates. Meta's processing is governed by Meta's own terms and policies, including the WhatsApp Privacy Policy .

Your right to opt out of WhatsApp notifications

At any time, you can stop receiving WhatsApp notifications from QueueIn by doing any of the following:

Reply STOP (or UNSUBSCRIBE, CANCEL, BERHENTI) to any WhatsApp message we send you. We will not send you further queue updates on WhatsApp from that point.
Block the QueueIn WhatsApp number from your phone.
Contact us using the details in section 12. We will remove your WhatsApp opt-in record.

Opting out of WhatsApp does not remove you from a queue you have already joined — you will still see your queue status on the QueueIn web page or in-app notifications. To remove your queue records as well, see the Data Deletion Instructions.

7. Other people who may see your data

Staff of the Business you are queuing with — they see your name, phone number, party size, queue number, and queue status, so they can serve you.
QueueIn personnel — only authorised staff with a need to know, for support, debugging, and security investigations. Access is logged.
Sub-processors we use to run the platform, under written contracts that require them to protect your data:
- Cloud hosting and database providers (for storage and computation).
- Authentication providers (for the Business's staff login — not for customers).
- Push notification providers (e.g. Firebase Cloud Messaging) for browser notifications, if you grant permission.
- Meta Platforms, Inc., for WhatsApp message delivery, only if you opt in.
Regulators or law enforcement, where we are required to disclose data by a valid legal request under Malaysian law.

We do not sell your personal data, and we do not share it with advertisers for advertising purposes.

8. Cross-border transfers

Some of our sub-processors (for example Meta and our cloud hosting providers) may store or process your data outside Malaysia. Where this happens, we rely on contractual safeguards with those sub-processors that require them to protect your data to a standard equivalent to PDPA. By opting in to WhatsApp notifications, you consent to your phone number being transmitted internationally for the purpose of delivering those messages.

9. How long we keep your data

Data	Retention
Non-VIP queue customer data (name, phone, party size)	Automatically deleted or de-identified within 24 hours after the queue ends.
VIP / loyalty list customer data (only if you explicitly opted in to that Business's list)	Retained while the Business's QueueIn account is active and you remain on the list, or until you ask to be removed.
Browser push / device tokens	Deleted shortly after the relevant queue item becomes inactive.
WhatsApp opt-in record	Kept while you remain opted in. Deleted shortly after you opt out, except where we must keep proof of your opt-out for compliance.
Consent records (proof of what you agreed to and when)	Retained for as long as required to demonstrate compliance with PDPA.
Audit logs and security records	Routine logs are deleted after a short period (typically 30 days). Records connected to a security incident may be retained longer.

10. Your rights under PDPA

You have the following rights with respect to your personal data:

Right of access — ask what data we hold about you.
Right to correct — ask us to fix inaccurate data.
Right to withdraw consent — for example, opt out of WhatsApp, leave a VIP list, or revoke consent for further processing.
Right to limit processing — ask us to stop using your data for specific purposes such as marketing.
Right to delete — ask us to delete your data, subject to legal obligations that may require us to keep some records (such as proof of consent).
Right to lodge a complaint — with the Personal Data Protection Commissioner of Malaysia.

To exercise any of these rights, contact the Business directly (they hold your active queue data) or contact QueueIn using the details in section 12. For step-by-step deletion instructions, see the Data Deletion Instructions. We will respond within the timeframe required by PDPA.

11. Security

We protect your data with measures including:

TLS encryption for all data in transit between your device, QueueIn, and Meta.
Encryption at rest for personal data in our database, plus blind-indexed lookup columns so we can match records (e.g. find your queue by phone number) without storing readable copies.
Role-based access control for Business staff, with audit logging of sensitive actions.
Automatic deletion of non-VIP customer data within 24 hours after the queue ends.
A documented breach response procedure, including notifying the Business and, where required, affected customers and regulators.

12. Contact us

For privacy questions, requests under PDPA, or to opt out of any communication channel:

QueueIn: dk.queuein@gmail.com
Or contact the Business you joined directly — their staff can also relay your request to QueueIn.

13. Children

QueueIn is intended for use by adults and by minors with the involvement of a parent or guardian. If you believe a child has provided personal data to QueueIn without appropriate consent, contact us and we will delete the relevant data.

14. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page always reflects the current version. If a change is material (for example, a new category of data sharing), we will provide additional notice on the QueueIn join queue page or by direct notification before the change takes effect.