Privacy Policy
Last updated: 22 April 2026
RiderTag is committed to protecting your personal data in accordance with the Malaysia Personal Data Protection Act 2010 (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR). This policy explains what we collect, why we collect it, and your rights.
1. Who We Are
RiderTag operates the ridertag.app platform, a digital rider identity service that allows motorcycle riders to create an emergency ID card accessible via QR code. References to "we", "us", or "RiderTag" in this policy mean the platform operator.
2. Data We Collect
When you create an account and use RiderTag, we collect the following personal data:
| Data | Purpose | Visibility |
|---|---|---|
| Email address | Account authentication, password reset | Private |
| Username | Your public profile URL | Public |
| Password | Stored as a one-way hash (bcrypt) — never readable | Private |
| Full name | Displayed on your rider card and sticker | Public |
| Blood type | Critical emergency information for first responders | Public |
| Country | Displayed on your rider card | Public |
| Emergency contacts (name, phone, relationship) | Accessible via QR scan in an emergency | Name & relationship public; phone revealed on request |
| Profile photo & banner image | Displayed on your rider card and sticker | Public |
Blood type is considered sensitive personal data under PDPA and a special category under GDPR. You provide this voluntarily for emergency safety purposes.
3. Legal Basis for Processing
- Contract performance — processing your data is necessary to provide the RiderTag service you signed up for.
- Consent — you voluntarily provide sensitive data (blood type, emergency contacts) for the explicit purpose of emergency identification.
- Legitimate interest — we process minimal technical data (session tokens, logs) to operate the platform securely.
4. How We Use Your Data
- To create and display your digital rider ID card at your public URL.
- To generate and serve your QR code sticker.
- To send password reset emails when you request them.
- To maintain a secure login session.
- We do not sell, rent, or share your data with third parties for marketing purposes.
5. Public Data & QR Code
Your rider card is publicly accessible to anyone who scans your QR code — no account required. This is by design: in an emergency, first responders need instant access to your information without barriers.
Emergency contact phone numbers are not displayed directly. They require a deliberate tap to reveal, reducing the risk of accidental exposure.
You control what appears on your card. You may leave any field blank.
6. Data Retention
- Your account data is retained for as long as your account is active.
- Password reset tokens expire after 1 hour and are deleted upon use.
- Session data expires after 7 days of inactivity.
- When you delete your account, all personal data is permanently removed from our database.
7. Cookies & Session Data
We use a single session cookie strictly necessary for authentication and security (CSRF protection). We do not use tracking cookies, advertising cookies, or third-party analytics.
Google Fonts are loaded from Google's CDN. Google may collect basic request data (IP address) per their own privacy policy.
8. Your Rights
Under the Malaysia PDPA 2010 and GDPR (where applicable), you have the right to:
- Access — request a copy of your personal data.
- Correction — update or correct your data at any time via your Dashboard.
- Erasure — request deletion of your account and all associated data.
- Restriction — request we stop processing your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
To exercise any of these rights, contact us at privacy@ridertag.app. We will respond within 21 days as required by the Malaysian PDPA.
9. Data Security
- Passwords are hashed with bcrypt (cost factor 12) — we cannot read your password.
- All connections are encrypted via HTTPS in production.
- CSRF tokens protect all form submissions.
- File uploads are validated by magic bytes, not just file extension.
- Rate limiting protects against brute-force and abuse.
10. Changes to This Policy
We may update this policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of RiderTag after changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related enquiries, data access requests, or complaints, contact us at:
If you are an EU resident and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.