Privacy Policy
Last updated: 27 May 2026
Pacak is a Malaysian hiking-log mobile application that helps you plan climbs, track summits, save Strava activities, and share your trail story. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use the Pacak app (bundle id my.pacak.app) and this website. It is written to align with Malaysia's Personal Data Protection Act 2010 ("PDPA").
Who we are
Pacak ("Pacak", "we", "us") is the data user responsible for processing the personal data described in this policy. For any privacy-related question or request, contact us at hello@pacak.com.my.
Information we collect
We only collect the data we need to make Pacak work. Most of it is information you create yourself by using the app.
Account data
- Email address (used for sign-in via Supabase Auth or Google Sign-In).
- Display name and unique username (handle), and an optional profile icon you select from a preset library.
- Whether you have completed onboarding, your preferred language (English or Bahasa Malaysia), profile card style, and theme mode.
Hike logs
- The mountain, date, duration, trip type (day / overnight / multi-day), outcome (completed summit or did-not-finish), notes, and companions you record for each hike.
- If you mark a hike as DNF, the turnaround point and reason you provide.
- An optional hike photo (uploaded to Supabase Storage, capped at 50 MB per file).
- Per-hike sharing toggles that control whether your photo and notes are visible to other users.
- An optional link to a Strava activity and the activity stats snapshot you choose to attach (distance, moving time, elevation gain/loss, heart-rate zones, route, device name).
Upcoming hikes and bookmarks
- Planned future hikes (mountain and date) you add to the planner.
- Mountains you bookmark for later.
Strava integration
- If you connect Strava, we receive your Strava athlete ID and the OAuth access and refresh tokens issued by Strava.
- These tokens are stored on our server (inside the Supabase database) and are never returned to the device. All Strava API calls go through a server-side proxy that handles token refresh and keeps the Strava client secret on the server only.
- We only request the Strava scopes needed to read your activities and attach them to hike logs.
Push notification token
On native builds running on a physical device, we register an Expo push notification token and store it in your user record so that we can send you and our admin team operational notifications (for example, when a community photo is uploaded). No push token is registered when you use Expo Go or a simulator.
Emergency contact and guide certification
If you choose to provide them, we store your emergency contact (name and phone number) and guide certification details. Both fields are optional and you can clear them at any time from your profile.
Device sensors
On the profile screen, Pacak reads the accelerometer to drive a parallax tilt effect on your profile card. The accelerometer stream is consumed on-device only — it is never transmitted off the device and never stored.
Community contributions
Photos and reviews you submit to a mountain page are stored alongside that mountain. Reviews are shown anonymously. Photos go through a moderation queue before they appear publicly.
How we use your data
- To operate Pacak — display your logbook, calculate stats, render your profile card, power the mountain catalogue, and sync your data across devices.
- To automatically evaluate achievement badges and XP each time you save a hike.
- To send operational push notifications (for example, alerting moderators when a community photo is uploaded).
- To respond to your questions and support requests when you contact us.
We do not run third-party advertising trackers and we do not embed third-party analytics SDKs in the Pacak app.
Sharing and disclosure
- Other users. Completed hikes can be shown on your public profile. DNF hikes default to private and are only visible to you. Per-hike toggles let you keep any individual log private, even if it is a completed summit.
- Service providers. We use Supabase (database, authentication, file storage, edge functions), Expo (push notifications), and Strava (only if you connect your Strava account). These providers process data on our instructions to deliver the service.
- Legal requests. We may disclose data when required by Malaysian law or to protect the safety of users.
- No sale of data. We do not sell or rent your personal data to anyone.
How we protect your data
- Your Supabase authentication session (JWT and refresh token) is stored using Expo SecureStore, which is backed by the iOS Keychain or the Android Keystore on native builds. In Expo Go and on the web — used for development — non-sensitive session state falls back to AsyncStorage.
- Row-Level Security (RLS) is enabled on every database table. You can only read and write your own records; other users cannot see your private hikes, bookmarks, planned trips, or account fields.
- The Strava client secret never reaches the device — token exchange and refresh happen entirely inside server-side Supabase Edge Functions.
- All traffic between the app and our servers uses HTTPS.
Data retention
We keep your data for as long as your Pacak account is active. You can delete individual hikes, photos, bookmarks, and upcoming plans, or disconnect Strava, at any time from inside the app. When you delete your account, your personal data and associated records are removed from our active systems. Limited records may remain in encrypted backups for a short period before they are overwritten, and we may keep aggregated, de-identified statistics that cannot be linked back to you. For full deletion instructions, see our account deletion page.
Your rights under the PDPA
Under Malaysia's Personal Data Protection Act 2010, you have the right to:
- Access the personal data we hold about you.
- Correct data that is inaccurate or incomplete. Most fields are editable directly in the app; for the rest, email us.
- Withdraw your consent to our processing of your data — for example, by disconnecting Strava, disabling push notifications, or deleting your account.
- Lodge a complaint with the Personal Data Protection Commissioner Malaysia (Jabatan Perlindungan Data Peribadi).
To exercise any of these rights, email hello@pacak.com.my. We will respond within the timeframe required by law.
Children
Pacak is not directed to children under 13. We do not knowingly collect personal data from anyone under that age. If you believe a child has created a Pacak account, please contact us and we will delete the account.
International transfers
Our infrastructure providers (Supabase, Expo, and Strava if you connect it) operate data centres outside Malaysia. By using Pacak, you consent to your personal data being transferred to and processed in those jurisdictions, in line with the safeguards required under section 129 of the PDPA.
Changes to this policy
We will update this page and the "Last updated" date above whenever we make material changes. If a change meaningfully affects how we handle your data, we will surface a notice inside the app before the change takes effect.
Contact
Privacy questions, data requests, and complaints: hello@pacak.com.my.