Privacy Policy
Effective date: 1 March 2026
1. Introduction
Front of House (operated by Levelheads, accessible at audit.levelheads.net) is a digital marketing audit platform for restaurants, bars, and cafes. We are committed to protecting your personal data in accordance with the Malaysia Personal Data Protection Act 2010 (PDPA) and its regulations.
This Privacy Policy explains what information we collect, how we use and protect it, who we share it with, and your rights as a data subject. By using our platform, you agree to the practices described below.
2. Data We Collect
2.1 Account Information
- Name and email address, provided when you sign in via magic link or Google OAuth.
2.2 Venue Details
- Venue name, type (restaurant, bar, cafe, etc.)
- Address and city
- Website URL and Google Maps URL
2.3 Audit and Crawl Data
- Digital presence audit results, including scores, identified issues, positive findings, and recommendations across dimensions such as website/SEO, Google Business Profile, reviews, social media, third-party listings, delivery platforms, and digital engagement.
- Publicly available venue information gathered from third-party platforms during audits.
2.4 Usage Data
- Session cookies to maintain your authenticated session.
- Server logs containing page views, request timestamps, and IP addresses.
3. How We Use Your Data
Under Section 6 of the PDPA, we process your personal data for the following purposes:
- Providing the service: running digital presence audits, generating reports, and delivering recommendations.
- Account management: authenticating your identity, managing sessions, and communicating service updates.
- Platform improvement: analysing usage patterns to improve features and fix issues.
- Error monitoring: identifying and resolving technical problems.
We do not sell your personal data. We do not use your data for automated decision-making or profiling that produces legal effects.
4. Third-Party Data Processors
We share data with the following third-party services solely to operate the platform. Each processor is contractually bound to handle data in accordance with applicable data protection requirements.
| Service | Purpose | Data Shared |
|---|---|---|
| Google Places API | Venue data, reviews, and competitor information | Venue name, location, Google Maps URL |
| SerpAPI | Optional deep review analysis | Venue name and location |
| Brave Search API | Public web discovery for social, delivery, and listing profiles | Venue name and location |
| Google Programmable Search | Public web discovery fallback for social, delivery, and listing profiles | Venue name and location |
| Resend | Email delivery (sign-in links, notifications) | Email address |
| Sentry | Error tracking and diagnostics (optional) | Error context, IP address, browser metadata |
5. Cookies
We use strictly necessary cookies to maintain your authenticated session. We do not use advertising or analytics cookies.
- Session cookie: expires on logout or after 30 days of inactivity.
- CSRF token cookie: used to protect against cross-site request forgery attacks; expires with the session.
6. Data Retention
We retain your data only as long as necessary for the purposes outlined above.
- Audit data (venue details, crawl results, reports): retained for 24 months from the date of creation, after which it is permanently deleted.
- Server logs: retained for 6 months.
- Session cookies: expire on logout or after 30 days.
- Account data: retained while your account is active. Upon account deletion, personal data is removed within 30 days.
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit via TLS 1.3 with HSTS preloading.
- CSRF protection using double-submit cookie pattern with HMAC-SHA256 signing.
- Rate limiting on authentication and audit creation endpoints.
- Database access restricted to authenticated and authorised users.
- Environment secrets managed securely and never committed to source control.
8. Your Rights Under the PDPA
Under the Malaysia Personal Data Protection Act 2010, you have the following rights:
- Right of access: request a copy of the personal data we hold about you.
- Right of correction: request correction of any inaccurate or incomplete personal data.
- Right to withdraw consent: withdraw your consent to data processing at any time (this may affect your ability to use the platform).
- Right to deletion: request deletion of your personal data, subject to any legal obligations requiring retention.
- Right to prevent processing: request that we stop processing your data for direct marketing purposes.
To exercise any of these rights, contact us at privacy@levelheads.net. We will respond to your request within 21 days, as required by the PDPA.
9. Cross-Border Data Transfers
Some of our third-party processors (Section 4) operate servers outside Malaysia. In accordance with Section 129 of the PDPA, we ensure that any cross-border transfer of personal data is made only to jurisdictions that provide an adequate level of protection, or under contractual safeguards that meet PDPA requirements.
10. Children's Privacy
Our platform is designed for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a notice on the platform. The "Effective date" at the top of this page indicates when the policy was last revised.
12. Contact
If you have questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact: