DRIWEGO PRIVACY POLICY (MALAYSIA)

Driwego

Administration

Effective date: 19th January 2026

Last updated: 19th January 2026

This Privacy Policy explains how Cartier Creative Sdn. Bhd. (operating the “Driwego” platform) (“Cartier Creative”, “we”, “us”, “our”) collects, uses, discloses, stores, and protects personal data when you use our mobile apps, website, vendor portals, and related services (collectively, the “Platform”).

We process personal data in accordance with Malaysia’s Personal Data Protection Act 2010 (PDPA) and its principles.

Trademark note: The “Driwego” name and logo are registered trademarks owned by Cartier Creative Sdn. Bhd. (WIPO and MYIPO). This trademark status does not change how we handle personal data; it clarifies the legal entity responsible for the Platform.

1. Who is responsible for your personal data (Data Controller)

For personal data processed on the Platform, Cartier Creative Sdn. Bhd. is the data controller (i.e., we determine the purposes and means of processing).

Vendors/workshops as independent controllers: When you transact with a seller/vendor or a workshop, they may process your personal data to fulfil orders, provide warranties/after-sales support, keep business records, and comply with their legal obligations. In those cases, they may act as independent data controllers for their own processing.

2. What personal data we collect

I. Data you provide to us

Depending on whether you are a buyer, business vendor, workshop, or individual seller, we may collect:

Account and contact details

  • Name, phone number, email, password (stored in encrypted/hashed form), and profile information.

Identity verification / KYC (where required)

  • Full name (as per ID), MyKad/ID/passport number, date of birth, address, ID images, and verification outcomes.

Business verification (for business/vendor access)

  • Company name, SSM registration details, SST registration (if applicable), company address, and authorised person details.

Transaction and fulfilment

  • Order and invoice/receipt details, delivery address, items purchased, service selection (including “attached services”), return/warranty requests, dispute details, and communication records if conducted via in-platform channels.

Payments and payouts

  • Transaction references and payment status; payout bank details for sellers (where applicable).

  • We generally do not store full payment card numbers; payments are handled via payment service providers.

Support and communications

  • Support tickets, complaints, feedback, and operational communications with us.

II. Data collected automatically

  • Device information (model, OS, app version), identifiers, IP address, timestamps, logs, diagnostic/crash data, and usage analytics.

  • Cookies/SDKs and similar technologies (web/app), where applicable.

III. Data from third parties

  • Payment providers, KYC/verification providers, logistics partners, fraud/risk tools, and analytics providers (as applicable).

3. Why we collect and use your personal data

We collect and use personal data for lawful purposes directly related to our activities, and only where necessary and not excessive.

Key purposes include:

Platform operations

  • Create/manage accounts, enable buying/selling, process orders, provide customer support, and maintain platform security.

Verification and eligibility

  • Verify identity/KYC where required (e.g., seller onboarding) and verify business credentials for vendor access and marketplace controls.

Payments and payouts

  • Facilitate payment confirmation, refunds (if applicable), and seller payouts.

Fraud prevention, trust, and safety

  • Detect and prevent fraud, account compromise, prohibited activity, and abuse; enforce platform rules.

Disputes, returns, warranties

  • Facilitate dispute handling processes and platform enforcement actions where needed.

“Attached services” fulfilment

  • Where a buyer purchases a product and selects an attached workshop service, we process and share necessary transaction details so the relevant seller and workshop can fulfil their respective obligations.

Compliance and record-keeping (including marketplace operator duties)

  • Maintain records required under applicable laws, including consumer protection rules for online marketplaces. Under the Consumer Protection (Electronic Trade Transaction) Regulations 2024 (effective 25 December 2024), online marketplace operators must provide a complaints channel and keep/maintain certain supplier and transaction/advertising records for three years. (Malaysia Federal Legislation)

Communications

  • Send transactional messages (order confirmations, service updates, security alerts) and respond to enquiries.

Marketing (with choices)

  • Send promotions and campaigns where permitted, and provide opt-out options.

Analytics and improvements

  • Improve Platform features, performance, user experience, and reliability.

4. Notices, choice, and language

We provide notice about what we collect, why we collect it, who we disclose it to, and your rights — consistent with PDPA’s Notice and Choice requirements.

Where required, notices are provided in Bahasa Malaysia and English.

5. When providing data is mandatory vs optional

Some data is mandatory to use core Platform functions (e.g., account contact details, delivery address for delivery orders, or seller verification details). If you do not provide mandatory data, we may be unable to provide the relevant services.

6. Who we disclose personal data to

We disclose personal data on a need-to-know basis, consistent with PDPA’s Disclosure principle.

We may disclose data to:

I. Sellers/vendors and workshops (transactional sharing)

  • To fulfil orders, coordinate service fulfilment (including attached services), provide warranties/after-sales, and resolve disputes.

II. Payment and payout service providers

  • To process payments, confirm transaction status, handle refunds (if any), and execute seller payouts.

III. Logistics/delivery partners

  • To deliver goods and provide tracking updates (where applicable).

IV. Service providers (data processors)

  • Hosting, cloud infrastructure, analytics, customer support tools, communications tools, KYC providers, fraud/risk tools, and similar vendors who process data on our behalf. We require appropriate safeguards when using data processors.

V. Professional advisers

  • Lawyers, auditors, insurers, and consultants where necessary for compliance, risk management, or legal claims.

VI. Authorities

  • Where required by law, court order, or for protecting rights, safety, and Platform integrity.

We do not sell your personal data.

7. Messaging and communications outside the Platform

Some coordination — especially scheduling between customers and workshops — may occur via direct messaging channels (e.g., WhatsApp) when users choose to communicate that way. In such cases:

  • Your communications and any personal data shared via those third-party platforms are also subject to the third party’s privacy practices and terms.

  • Driwego does not control how third parties process data outside our Platform.

8. Security measures

We take practical steps to protect personal data from loss, misuse, unauthorised access/disclosure, alteration, or destruction, taking into account PDPA’s Security Principle and relevant standards.

Examples include access controls, least-privilege permissions, encryption in transit, monitoring/logging, staff access governance, and vendor risk management for processors.

9. Data retention

We do not keep personal data longer than necessary for the relevant purpose, and we take reasonable steps to destroy or permanently delete data when no longer required.

In addition:

  • As an online marketplace operator, we keep and maintain certain supplier and transaction/advertising records for three years where required under the Consumer Protection (Electronic Trade Transaction) Regulations 2024. (Malaysia Federal Legislation)

  • We may retain certain data longer where necessary for fraud prevention, dispute handling, audits, or establishing/defending legal claims.

10. Data accuracy

We take reasonable steps to ensure personal data is accurate, complete, not misleading, and kept up to date.

You should keep your account details updated and notify us of changes.

11. Your rights under PDPA

Subject to PDPA and applicable exceptions, you may:

Access and correction

  • Request access to personal data we hold about you and request correction where inaccurate/incomplete.

Withdraw consent

  • You may withdraw consent to processing by written notice; where withdrawal applies, we will cease processing, but this may affect your ability to use certain services (e.g., seller onboarding/KYC, payouts, transaction fulfilment).

To exercise these rights, contact us via Section 15.

12. Cookies and similar technologies

We may use cookies/SDKs and similar technologies (web/app) for:

  • authentication and security,

  • remembering preferences,

  • analytics and performance,

  • fraud prevention.

You can manage cookies through browser settings (web) or device/app settings (where available).

13. Cross-border transfers

We may transfer personal data outside Malaysia (e.g., to cloud or service providers). Where we do, we take steps to comply with PDPA cross-border transfer requirements, including providing notice and applying an applicable legal basis/condition for transfer, and maintaining appropriate records and safeguards.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will publish the updated version on the Platform and update the “Last updated” date. Continued use of the Platform after updates means you acknowledge the updated policy.

15. Contact (Privacy / PDPA)

For questions, access/correction requests, withdrawal of consent, or complaints:

Cartier Creative Sdn. Bhd. (Driwego Privacy Contact)

Attn: Privacy Team / Data Protection Officer (if appointed)

Email: privacy@driwego.com

Address: 2-15, Jalan Puteri 4/6, Bandar Puteri, 47170 Puchong, Selangor

Phone: +603 8066 8485

16. Quick clarity on marketplace compliance context

As a marketplace operator, Driwego also implements consumer-protection related operational measures (e.g., supplier disclosure requirements in Bahasa Malaysia, a buyer complaints channel, and record maintenance obligations) as required by the Consumer Protection (Electronic Trade Transaction) Regulations 2024. (Malaysia Federal Legislation)


