Privacy Policy
This Privacy Policy explains how Calvin Yap, an individual residing in Malaysia, operating under the brand name "DeepTalk" ("DeepTalk", "we", "us", "our") collects, uses, shares, and protects personal data when you use the DeepTalk mobile application (the "App") and any related services.
DeepTalk is operated from Malaysia. This Policy is written to comply with the Malaysian Personal Data Protection Act 2010 ("PDPA"). It also addresses requirements that apply when you reach us from outside Malaysia.
By using the App, you consent to the collection and use of your personal data as described in this Policy. If you do not agree, please do not use the App.
1. Who We Are
For the purpose of the PDPA, the data user responsible for your personal data is:
Calvin Yap (operating under the brand name DeepTalk)
Country: Malaysia
Email: [email protected]
2. Information We Collect
We aim to collect only the personal data we need to run DeepTalk for you. The categories of data we may collect are:
2.1 Account information
- Email address — when you sign up with email and password, or sign in with Google.
- Password — stored only as a one-way salted hash by our authentication provider; we never see your plaintext password.
- Google account identifier — if you choose Google Sign-In, we receive a Google user ID and your email through OAuth.
- Account flags — whether you signed up via password, Google, or as a guest; whether you have set a password.
2.2 Content you create in the App
- Custom deck names and descriptions you create.
- Custom questions you write.
- Personal notes you attach to cards.
- Lists of cards you have marked as favourited, hidden, or seen ("checked").
2.3 Settings and preferences
- Dark mode preference.
- App interface language.
- Question text language.
- Remembered email (stored locally on your device) if you tick "Remember Me" on the Sign In screen.
2.4 Purchase data
- The product you purchased (for example, 1 Themed Deck, Complete Bundle) and the resulting entitlement on your account.
- The store you purchased from (Apple App Store or Google Play) and the store transaction reference, used to validate your purchase and restore entitlements on new devices.
We do not see or store your full credit card number, billing address, or other payment-method details. All payment information is handled by Apple or Google.
2.5 Communications and support
- If you submit feedback through the in-app Send a Suggestion form, we receive the suggestion text together with your email address so we can follow up if needed.
- If you tap Contact us, your device opens its email client pre-filled with a diagnostic body (app version, build number, device model, OS version) so we can help troubleshoot. You can edit or remove anything before you send it.
- Any other emails you send us (for example to the address in Section 1) are stored as part of our support correspondence.
2.6 Device and technical information
When you use the App, we (and our service providers) may automatically collect limited technical information, including:
- Approximate device model, operating system and version, and platform API level.
- App version and build number.
- Crash reports and error diagnostics (if you experience a crash).
- Anonymous or pseudonymous identifiers used by our authentication, analytics, or push-notification providers.
2.7 Push notification tokens
If you allow push notifications, we store the device push token issued by your device's push-notification service (operated by Google on Android and by Apple on iOS) so we can send you notifications related to your account or features of the App. You can turn off notifications at any time in your device settings.
2.8 Connect Code (synced multiplayer)
When you host or join a Connect Code session, the App opens a real-time channel for that single session. We relay the currently displayed card and basic playback state (such as deck name, position, and whether the card is marked checked) between the host and joiners only while the session is live.
- Connect sessions are ephemeral. We do not persistently store the content of a session, the list of joiners, or session history on our servers.
- For decks the joiner does not own, the deck content is never written to the joiner's library unless the host explicitly enables "Save this deck" for that session.
- Joiners' personal notes, favourites, and hidden lists for the joined session are not shared with the host.
2.9 What we do not collect
- We do not collect your real name (unless you put it in a note, custom question, or feedback message).
- We do not collect your physical address, phone number, government ID, or any biometric data.
- We do not access your contacts, photos, microphone, or precise location.
- The App requests camera permission only to scan Connect Code QR codes; the camera feed stays on your device and is not uploaded.
- We do not knowingly process special categories of personal data (such as health data, racial or ethnic origin, religious beliefs, political opinions, or sexual orientation). Please do not include such information in custom questions, notes, or feedback you send us.
3. How We Use Your Information
We process your personal data for the following purposes:
| Purpose | Legal basis under the PDPA |
|---|---|
| To create and manage your account and let you sign in. | Performance of our agreement with you; your consent. |
| To sync your custom decks, custom questions, notes, favourites, hidden cards, and settings across your devices. | Performance of our agreement with you. |
| To validate your purchases with Apple or Google and restore entitlements on new devices. | Performance of our agreement with you; legitimate interests in preventing fraud. |
| To send transactional emails (e.g. email-OTP for sign up, sign in, password reset, account deletion, "add password"). | Performance of our agreement; your consent. |
| To deliver push notifications related to your account, if you have enabled them. | Your consent. |
| To operate the Connect Code real-time multiplayer feature when you choose to use it. | Performance of our agreement; your consent. |
| To diagnose problems, fix bugs, and improve the App (including aggregated, non-identifying usage analytics). | Our legitimate interests in maintaining and improving the App. |
| To respond to your support requests, suggestions and complaints. | Performance of our agreement; legitimate interests; legal compliance. |
| To comply with our legal obligations (for example, responding to lawful requests). | Compliance with a legal obligation. |
4. How We Share Your Information
We do not sell your personal data. We share it only as described below.
4.1 Service providers (data processors)
We rely on trusted third-party providers to run the App. They access personal data only to provide services to us and are contractually required to protect it. The categories of provider we use are:
| Category of recipient | What it is used for |
|---|---|
| Google (Google LLC) | Google Sign-In, if you choose to sign in with Google; and delivery of push notifications to Android devices, if you have enabled them. |
| Apple App Store / Google Play | In-app purchase processing and receipt verification when you make a Purchase. |
| Our backend hosting and authentication provider | Account authentication, database hosting, real-time messaging for the Connect Code feature, and serverless functions that run on our behalf (for example, account deletion). |
| Our transactional email provider | Delivery of authentication emails (one-time codes for sign up, sign in, password reset, account deletion) and internal forwarding of in-app suggestion submissions to us. |
| Our product-analytics provider | Anonymous or pseudonymous product analytics (which screens are used, which features are tapped). Used only to improve the App. |
| Our crash and error-reporting provider | Crash and error reports so we can diagnose and fix bugs. |
The specific companies we use within each category may change over time. We may add, replace, or remove providers from time to time, and will continue to choose providers that protect your personal data to a standard comparable with this Policy. You may contact us at [email protected] if you would like to know which specific company we are currently using in any of the categories above.
4.2 Other DeepTalk users (Connect Code only)
If you host a Connect session, the question text of the single card you are currently playing, the deck name, and your current position are relayed in real time to participants who have joined with your code. If you are the host of a custom deck and you turn on "Save this deck", joiners can copy a snapshot of your custom deck content to their own library. We do not share your email, real name, account information, or your other decks/notes/favourites with anyone you have not explicitly invited.
4.3 Legal disclosures
We may disclose personal data when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, a court order, or other lawful request from public authorities.
- Enforce our Terms of Use or investigate potential breaches.
- Detect, prevent, or address fraud, security or technical issues.
- Protect the rights, property, or safety of DeepTalk, our users, or the public.
4.4 Business transfers
If DeepTalk is ever transferred to a new owner (for example, if Calvin Yap incorporates a Malaysian company and transfers the brand and account base to it, or if the App is acquired), your personal data may be transferred along with the business. We will let you know in the App or by email before any such transfer takes effect, and the new owner will be bound by a privacy policy at least as protective as this one.
5. International Transfers
DeepTalk is operated from Malaysia, but some of our service providers (including those listed in Section 4.1) store and process personal data on servers outside Malaysia, including in the United States, the European Union, Singapore, and other locations they may operate from.
Under Section 129 of the PDPA, your personal data may be transferred outside Malaysia where:
- You have consented to the transfer (by accepting this Policy when you use the App); or
- The transfer is necessary to perform our contract with you or take steps at your request before entering into a contract; or
- One of the other exceptions in Section 129 applies.
We take reasonable steps to ensure that our service providers protect your personal data to a standard at least comparable to the PDPA.
6. How Long We Keep Your Information
We keep your personal data only for as long as it is needed for the purposes set out in this Policy, or as long as the law requires us to keep it. In practice:
- Account data — kept for as long as your account is active.
- Content you create (custom decks, custom questions, notes, favourites, hidden cards) — kept as long as your account is active, so it can sync across your devices.
- Purchase records — kept for as long as you have an entitlement on your account, plus a reasonable period afterwards for tax, accounting, and dispute-resolution purposes.
- Email and support correspondence — kept for as long as we may reasonably need to respond to follow-ups, generally up to 24 months.
- Crash and analytics data — typically retained in pseudonymous form for a limited window (commonly up to 90 days for raw events, longer for aggregated metrics) depending on each provider's retention defaults.
- Connect Code session data — not persistently stored; deleted as soon as the session ends.
When you delete your account (see Section 8), we delete or anonymise your personal data within a reasonable time, except where we are required to keep certain records by law.
7. How We Protect Your Information
We take reasonable technical and organisational steps to protect your personal data, including:
- Encrypted transport (HTTPS / TLS) for all communication between the App and our backend.
- Encryption at rest on the managed databases used to store your data.
- Access controls that restrict each user's data to their own account.
- Privileged credentials and administrative keys kept on the server side only, and never shipped inside the App.
- Access controls on the developer accounts we use to run DeepTalk.
No system is perfectly secure. We cannot guarantee absolute security, and you use the App at your own risk to that extent. If we become aware of a personal-data breach that affects you, we will notify you as required by applicable law.
8. Your Rights Under the PDPA
Subject to the PDPA, you have the following rights in relation to the personal data we hold about you:
- Right of access — you may ask us for a copy of the personal data we hold about you.
- Right to correct — you may ask us to correct personal data that is inaccurate, incomplete, misleading or out of date.
- Right to withdraw consent — you may withdraw any consent you have given us, although this does not affect the lawfulness of processing carried out before the withdrawal.
- Right to limit processing — you may ask us to limit how we process your personal data for specific purposes (for example, to stop sending you a particular type of notification).
- Right to delete your account — you may delete your account at any time (see below).
You can exercise most of these rights directly in the App:
- Update your email or password — Settings → Account.
- Manage your content — favourites, hidden, notes, and custom decks can all be edited or removed inside the App.
- Delete your account — Settings → Account → Delete Account. This permanently deletes your account and the personal data linked to it. Some records may remain in encrypted backups for a limited period before they roll off automatically.
- Turn off notifications — your device's system settings.
For other requests, please contact us at [email protected]. We aim to respond within 21 days, as required by the PDPA. We may ask you to verify your identity before responding to a request.
9. Children
DeepTalk is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you are between 13 and 18, please use the App only with a parent or legal guardian's consent and supervision.
The Married Couples deck contains mature questions and is intended only for users aged 18 or older.
If you are a parent or guardian and you believe your child has provided us with personal data without your consent, please contact us at [email protected] and we will take reasonable steps to delete it.
10. Guest Mode and Local-Only Data
You can use DeepTalk without creating an account by tapping "Continue as guest". In guest mode:
- Your notes, favourites, hidden cards, custom decks, and named play sessions are stored only on your device.
- Guest accounts use anonymous authentication on our backend, which receives a randomly generated identifier but no personal information about you.
- If you delete the App, clear app data, or switch devices, your guest content is permanently lost.
- Guests cannot make in-app purchases.
Even for users with accounts, certain data is stored only on the device by design — including session history and per-session resume state for each deck. This data does not sync across devices and is not uploaded to our servers.
11. Do-Not-Track Signals
The App is a mobile app, not a web browser, so most "Do Not Track" browser signals do not apply. We do not currently respond to any specific automated signal of this kind. If you want to limit analytics on your device, you can use your device's system-level "Limit Ad Tracking" / "Opt out of Ads Personalisation" setting.
12. Changes to This Policy
We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. If we make material changes — for example, if we begin to collect new categories of personal data or share data with new providers — we will provide a more prominent notice in the App, and where required by law, we will seek your fresh consent.
13. Contact Us
If you have any questions, requests, or complaints about this Policy or about how we handle your personal data, please contact us:
Calvin Yap (operating under the brand name DeepTalk)
Email: [email protected]
Website: deeptalk.bridgely.link
If you are not satisfied with our response, you may lodge a complaint with the Department of Personal Data Protection, Malaysia (www.pdp.gov.my).