SUPERSTRING SDN. BHD. (202401016432 (1562282-H)) ("Kong", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information when you use the Kong booking software and channel management platform (the "Platform").
This Privacy Policy applies to:
Operators: Tour and activity operators who use the Platform to manage their business
Guests: End customers who book tours and activities through the Platform
By using the Platform, you consent to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Platform.
1. Information We Collect
1.1 Information from Operators
When you register and use the Platform as an operator, we collect:
Account Information:
Business name and registration details
Contact person name and title
Email address and phone number
Business address
Payment gateway account information (for integration purposes)
Bank account details (if applicable for settlements)
Business Information:
Tour and activity descriptions
Pricing and availability data
Photos, videos, and marketing content
Cancellation and refund policies
Operating licenses and permits (if provided)
Booking and Transaction Data:
Booking details and guest information (collected on your behalf)
Transaction records and payment information
Refund and cancellation records
Communication with guests
Usage Information:
Platform access logs and activity
Feature usage and preferences
IP addresses and device information
Browser type and operating system
1.2 Information from Guests
When guests book through the Platform, we collect on behalf of operators:
Booking Information:
Full name
Email address and phone number
Nationality and country of residence
Number of participants and participant details
Special requirements or requests
Payment Information:
Payment method details (processed through payment gateways)
Billing address
Transaction records
Communication Data:
Messages between guests and operators
Booking confirmations and notifications
Feedback and reviews (if provided)
Technical Information:
IP address and device information
Browser type and language preferences
Booking flow interactions
1.3 Information from Other Sources
We may receive information about you from:
Third-party channels and OTAs where your tours are distributed
Payment gateway providers
Social media platforms (if you connect your accounts)
Public sources such as business registries
Identity verification services
1.4 Cookies and Tracking Technologies
We use cookies and similar technologies to:
Maintain your login session
Remember your preferences
Analyze Platform usage and performance
Improve user experience
Provide security features
You can control cookies through your browser settings, but disabling cookies may affect Platform functionality.
2. How We Use Your Information
2.1 To Provide Platform Services
For Operators:
Create and manage your Account
Process and facilitate bookings
Enable payment processing through your payment gateway
Distribute your inventory to connected channels
Provide reporting and analytics
Communicate important Platform updates
For Guests:
Process booking requests
Facilitate communication with operators
Send booking confirmations and reminders
Process payments through payment gateways
Provide customer support
2.2 To Improve and Develop the Platform
We use aggregated and anonymized data to:
Analyze Platform performance and usage patterns
Develop new features and services
Identify and fix technical issues
Conduct research and analytics
Improve user experience
2.3 For Security and Fraud Prevention
We process information to:
Verify identity and prevent fraud
Detect and prevent unauthorized access
Protect against security threats
Comply with legal obligations
Enforce our Terms and Conditions
2.4 For Marketing and Communication
For Operators (with consent):
Send Platform updates and new feature announcements
Provide educational content and best practices
Share industry insights and benchmarks
Conduct surveys and request feedback
For Guests (with operator permission):
Send booking-related communications on behalf of operators
Deliver post-booking follow-ups as configured by operators
You can opt out of marketing communications at any time by clicking "unsubscribe" in emails or contacting us directly.
2.5 For Legal Compliance
We may process information to:
Comply with applicable laws and regulations
Respond to legal requests and court orders
Protect our legal rights and interests
Resolve disputes and enforce agreements
3. How We Share Your Information
3.1 With Operators and Guests
Operator Access to Guest Data:
Operators receive guest booking information necessary to deliver their services
Operators are responsible for protecting guest data in their possession
Operators must comply with applicable data protection laws
Guest Access to Operator Data:
Guests receive operator contact information and tour details
Guests can access booking confirmations and receipts
3.2 With Third-Party Service Providers
We share information with trusted service providers who assist us:
Payment Gateway Providers (Stripe, Xendit, etc.):
Payment processing and transaction facilitation
Fraud detection and prevention
Payment gateway integration and split payment functionality
Channel Partners and OTAs:
Inventory distribution as authorized by operators
Booking synchronization across channels
Availability and pricing updates
Technology Service Providers:
Cloud hosting and infrastructure (AWS, Google Cloud, etc.)
Email delivery services
Analytics and monitoring tools
Customer support platforms
Professional Services:
Legal and accounting services
Security and compliance auditing
Business consulting
All third-party service providers are contractually obligated to protect your information and use it only for specified purposes.
3.3 For Business Transfers
If Kong undergoes a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
3.4 For Legal Reasons
We may disclose information when required by law or when we believe disclosure is necessary to:
Comply with legal obligations, court orders, or regulatory requirements
Protect our rights, property, or safety
Protect the rights, property, or safety of others
Investigate fraud or security issues
Enforce our Terms and Conditions
3.5 With Your Consent
We may share information for other purposes with your explicit consent.
4. Data Retention
4.1 Retention Periods
Operator Data:
Account information: Retained while your Account is active and for 7 years after termination for legal and accounting purposes
Booking and transaction records: Retained for 7 years for tax and legal compliance
Communication records: Retained for 3 years
Usage logs: Retained for 12 months
Guest Data:
Booking information: Retained for 7 years for legal and accounting purposes
Communication records: Retained for 3 years
Payment information: Not stored by Kong (processed and stored by payment gateways)
4.2 Deletion Requests
You may request deletion of your personal information, subject to:
Legal obligations to retain certain records
Legitimate business purposes
Outstanding financial obligations
Pending disputes or legal proceedings
After Account deletion, we will anonymize or delete your information within 30 days, except where retention is required by law.
5. Data Security
5.1 Security Measures
We implement appropriate technical and organizational measures to protect personal information:
Technical Safeguards:
Encryption of data in transit (TLS/SSL)
Encryption of sensitive data at rest
Secure authentication and access controls
Regular security testing and vulnerability assessments
Firewall and intrusion detection systems
Organizational Safeguards:
Limited access to personal information on a need-to-know basis
Employee training on data protection and security
Confidentiality agreements with employees and contractors
Incident response and breach notification procedures
Regular security audits and compliance reviews
5.2 Your Security Responsibilities
You are responsible for:
Maintaining the confidentiality of your login credentials
Using strong, unique passwords
Enabling two-factor authentication (if available)
Securing devices used to access the Platform
Reporting suspected security breaches immediately
5.3 Payment Security
Kong does not store payment card information. All payment data is collected and stored by PCI-DSS compliant payment gateway providers. Kong receives only transaction references and confirmation details necessary for booking management.
5.4 No Absolute Security
While we implement robust security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your information.
6. Your Rights Under Malaysian PDPA
Under the Malaysia Personal Data Protection Act 2010 (PDPA), you have the following rights:
6.1 Right to Access
You have the right to request access to your personal information held by us. We will provide:
Confirmation of whether we hold your personal information
A copy of your personal information
Information about how we use and disclose your data
6.2 Right to Correction
You have the right to request correction of inaccurate or incomplete personal information. You can update most information directly through your Account settings.
6.3 Right to Withdraw Consent
Where we process your information based on consent, you have the right to withdraw that consent at any time. This may affect our ability to provide certain services.
6.4 Right to Limit Processing
You have the right to request that we limit processing of your personal information in certain circumstances, such as:
When you contest the accuracy of the data
When processing is unlawful but you prefer limitation over deletion
When we no longer need the data but you need it for legal claims
6.5 Right to Data Portability (where applicable)
You may request a copy of your personal information in a structured, commonly used format for transfer to another service provider.
6.6 Right to Complain
If you believe we have not handled your personal information in accordance with the PDPA, you have the right to lodge a complaint with:
Personal Data Protection Department
Ministry of Communications and Digital
Level 4-7, Menara MCMC, Off Persiaran Multimedia
63000 Cyberjaya, Selangor Darul Ehsan, Malaysia
Email: pdp@pmo.gov.my
Website: www.pdp.gov.my
6.7 Exercising Your Rights
To exercise any of these rights, please contact us at:
Email: blake@bookwithkong.com
Subject line: "Data Privacy Request"
We will respond to your request within 21 days as required under the PDPA. We may require proof of identity before processing your request.
7. International Data Transfers
Kong operates primarily in Malaysia and Southeast Asia. Your information may be transferred to and processed in countries where our service providers operate, including:
Singapore (AWS, cloud infrastructure)
United States (certain technology service providers)
Other countries where our channel partners operate
When transferring data internationally, we ensure appropriate safeguards are in place through:
Standard contractual clauses
Service provider security certifications
Data processing agreements
Compliance with applicable data protection laws
8. Children's Privacy
The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately so we can delete it.
Booking information may include details about minor participants in tours, but such bookings must be made by adults who have authority to provide that information.
9. Data Controller and Processor Relationships
9.1 Kong as Data Controller
Kong acts as a data controller for:
Operator account information and Platform usage data
Booking fee transaction records
Aggregated analytics and platform performance data
Marketing and communication preferences
9.2 Kong as Data Processor
Kong acts as a data processor on behalf of operators for:
Guest booking information collected through operator booking forms
Communication between operators and guests
Guest personal information required for tour delivery
Operator Responsibilities:
When you use Kong to collect guest information, you act as the data controller and are responsible for:
Obtaining necessary consents from guests
Providing guests with appropriate privacy notices
Ensuring your data practices comply with applicable laws
Determining retention periods for guest data
Responding to guest data subject requests
Kong will assist you in meeting your data protection obligations through Platform features and support.
9.3 Payment Gateway Providers as Data Controllers
Payment gateway providers (Stripe, Xendit, etc.) act as independent data controllers for payment card information and transaction data. Their processing is governed by their own privacy policies and terms of service.
10. Third-Party Links and Services
The Platform may contain links to third-party websites, channels, and services. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of:
OTA channels where your inventory is distributed
Payment gateway providers
Social media platforms
Other third-party services
We encourage you to review the privacy policies of any third-party services you use.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
Changes in our data practices
New features or services
Changes in applicable laws
Feedback from users or regulators
Notification of Changes:
Material changes will be communicated via email at least 30 days before taking effect
The "Last Updated" date at the top will be revised
Continued use of the Platform after changes take effect constitutes acceptance
We encourage you to review this Privacy Policy periodically.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Contact:
SUPERSTRING SDN. BHD.
202401016432 (1562282-H)
Waldorf Tower Jalan Sri Hartamas 17, 50480 Sri Hartamas, Kuala Lumpur, Malaysia
Email: blake@bookwithkong.com
Subject: Privacy Policy Inquiry
Website: www.bookwithkong.com
Response Time:
We will respond to privacy inquiries within 21 days as required under Malaysian PDPA.
13. Cookie Policy
13.1 What Are Cookies
Cookies are small text files stored on your device when you visit the Platform. They help us provide a better user experience and understand how the Platform is used.
13.2 Types of Cookies We Use
Essential Cookies:
Authentication and session management
Security and fraud prevention
Platform functionality
Performance Cookies:
Analytics and usage tracking (Google Analytics, etc.)
Error monitoring and debugging
Performance optimization
Functional Cookies:
User preferences and settings
Language and region selection
Feature personalization
Marketing Cookies (with consent):
Advertising and remarketing
Campaign tracking
User engagement measurement
13.3 Third-Party Cookies
Some cookies are set by third-party services we use:
Google Analytics (analytics)
Payment gateway providers (fraud prevention)
Channel integration partners (session management)
13.4 Managing Cookies
Browser Settings: You can control cookies through your browser settings:
Block all cookies
Block third-party cookies
Delete existing cookies
Receive notifications when cookies are set
Impact of Blocking Cookies: Disabling certain cookies may affect Platform functionality, including:
Inability to stay logged in
Loss of preferences and settings
Impaired booking functionality
Reduced analytics capabilities
Cookie Consent: When you first visit the Platform, we will ask for your consent to use non-essential cookies. You can change your preferences at any time through your Account settings or browser configuration.
14. Specific Regional Provisions
14.1 Malaysia
This Privacy Policy complies with the Malaysia Personal Data Protection Act 2010. Malaysian users have specific rights as outlined in Section 6.
14.2 Other Southeast Asian Jurisdictions
We aim to comply with data protection regulations in all jurisdictions where we operate, including:
Singapore Personal Data Protection Act (PDPA)
Thailand Personal Data Protection Act (PDPA)
Vietnam Law on Cybersecurity
Philippines Data Privacy Act
Indonesia Personal Data Protection Law
If you are located in these jurisdictions, you may have additional rights under local laws.
14.3 European Economic Area (EEA) / UK
If you are located in the EEA or UK, you have additional rights under GDPR/UK GDPR, including:
Right to erasure ("right to be forgotten")
Right to object to processing
Right to lodge complaints with supervisory authorities
Enhanced data portability rights
By using the Kong Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.