Privacy Policy
This policy explains what information the TukLuy mobile application
(package com.tukluy.app, "the app", "we", "our") collects
from shop owners who use it, how we use that information, who we share it
with, and the rights you have over it. We try to write it in plain
language any shop owner can read.
1. Who we are
"TukLuy" is the trading name of the team that publishes the TukLuy app on Google Play and (in future) the Apple App Store. For privacy questions, TukLuy is the data controller for the account data we store about you (the shop owner). For the records you enter about your own customers, see section 2.
- App package name: com.tukluy.app
- Website: tukluy.com
- Privacy contact: privacy@tukluy.com
- Postal address: Address TBD (to be confirmed once the operating entity is registered)
2. What data we collect
2.1 Account information
If you sign in to back up your data, we receive from your sign-in provider one or more of the following:
- Email address (Firebase email/password sign-in or Google Sign-In)
- A profile picture and display name, if Google or Apple shares them
- An opaque identifier (for Apple Sign-In this is a "sub" string; for Google it is your Google account ID) that lets us recognise you next time
The app can be used without an account. Sign-in is optional and exists so you do not lose your records if you change phones.
2.2 Shop profile
- Shop name you chose
- Primary and secondary currency
- Time zone
- Language
2.3 Business records you enter
The app stores the business records you type or scan into it:
- Products, prices, stock levels, photos of products
- Sales orders, payments, refunds
- Customer records you create: name, phone number, optional photo, debt and repayment history
- Suppliers, restock orders
2.4 Device information
- A random device identifier we generate inside the app (not your IMEI, MAC address, or Android Advertising ID)
- App version, operating system version, model name
- Time zone and IANA locale (e.g. Asia/Phnom_Penh, km-KH)
We do not collect: GPS or any location data, IMEI, SIM serial, MAC address, Android Advertising ID, contacts, call logs, SMS, microphone audio, or files outside the app's own folder.
2.5 Images
You can attach photos to products and customers. Photos are uploaded only when you choose to (e.g. taking a product photo). Once you sign in, photos sync to our object storage (see section 4).
2.6 Diagnostics
If the app crashes, an anonymised crash report (stack trace, app version, OS version) is recorded so we can fix the bug. Crash reports do not include your customers' personal details, photos, or sales amounts.
3. Why we collect it
| Purpose | What it covers |
|---|---|
| Account binding & cross-device recovery | Sign-in lets you reinstall the app or use a second phone without losing your shop records. |
| Running the core features | Recording sales, calculating debts, generating reports, attaching product photos. |
| Sync between your device and our servers | So your records are not lost if your phone breaks or is stolen. |
| App update prompts | The app pings /api/version so we can tell you when a new version is available. |
| Fixing bugs | Anonymous crash reports help us release stable updates. |
| Security & abuse prevention | Detecting and blocking attempts to abuse the app (e.g. credential stuffing, fraud rings). |
3.1 What we will not do with your data
- We do not sell your data to anyone.
- We do not use your records to show you advertising, and we do not allow third-party advertising SDKs inside the app.
- We do not build behavioural profiles of you or of your customers.
- We do not contact your shop's customers — not by SMS, email, push notification, or any other channel.
4. Third parties we share with
We use a small number of well-known service providers to run TukLuy. Each of them only sees the data described below, and each of them is bound by their own privacy obligations.
4.1 Firebase Authentication — Google LLC (United States)
Handles email/password sign-in and federates Google & Apple sign-in. Sees your email address, OAuth subject, and timestamps of sign-in events. See Firebase privacy and Google privacy policy.
4.2 Google Sign-In and Apple Sign-In
If you choose them as your sign-in method, your tokens are exchanged with Google LLC and Apple Inc. respectively. They tell us only the minimum needed to verify your identity (email, opaque user ID, and — if you allow it — name and avatar).
4.3 Cloudflare, Inc. (United States)
We use Cloudflare for our website's DNS and CDN, our API's WAF (web application firewall), and Cloudflare R2 for the object storage that holds your uploaded product and customer photos. Cloudflare R2 buckets we use are located in Asia-Pacific and the United States regions. See Cloudflare privacy.
4.4 Linode / Akamai Technologies, Inc. (United States parent)
Our backend (the Laravel API and the MySQL database it talks to) runs on Linode virtual servers in the Singapore region. Linode sees only the encrypted database files and the network traffic that hits our servers. See Linode / Akamai privacy.
4.5 Firebase Cloud Messaging (push notifications)
Not currently enabled. If we add push notifications in a future version, we will update this policy first and the app will ask for the standard notification permission at runtime.
We do not share your data with anyone outside this list, and we do not allow any advertising network, data broker, or analytics network to collect personal data through the app.
5. Where your data is stored
- Your phone. The primary, authoritative copy lives in the app's own private storage on your device.
- Backend database. Linode Singapore region — the encrypted mirror of your shop records.
- Object storage. Cloudflare R2 — photos you uploaded; served back to your device via Cloudflare's global edge network.
- Authentication. Firebase Authentication — primarily United States data centres.
This means your data may be transferred to and processed in countries other than where you live, including the United States and Singapore.
6. How long we keep it
- Active accounts. While your account is active we keep your shop records so they are available the next time you sign in.
- Deleted accounts. When you ask us to delete your account, the server marks your data as soft-deleted immediately, then physically deletes it within 30 days. Backup snapshots that contain your data naturally expire within a further 60 days, after which no copy remains on our systems.
- Backups. Object-storage backup buckets are retained for 30 days on a rolling window.
- Server access logs. Web-server (nginx) logs are retained for up to 14 days for security and debugging, then rotated out.
- Crash reports. Up to 90 days.
- Legal holds. If we are legally required to keep specific records longer (for example to respond to a court order), we will keep only those records and only for as long as the law requires.
7. Your rights
Depending on where you live, data-protection laws give you the rights below. We honour them for every TukLuy user regardless of country.
7.1 Right to know and to access
You can email privacy@tukluy.com and ask for a copy of the data we hold about you. We will respond within 30 days with an export in a structured, machine-readable format (JSON or CSV).
7.2 Right to correction
Most records (products, customers, sales) can be edited inside the app. For account information (such as the email tied to your sign-in), email us and we will fix it.
7.3 Right to deletion (right to be forgotten)
You can ask us to delete your account and all the shop records linked to it by emailing privacy@tukluy.com from the email address registered to the account. After we verify the request, the timeline is:
- Day 0. Account locked, data soft-deleted, no longer visible to the app or to anyone else.
- By day 30. Physical deletion from primary database and object storage.
- By day 90. Rolling backup snapshots that contained the data have expired.
7.4 Right to data portability
The export described in 7.1 is provided in a portable JSON format so that, in principle, you can re-import or migrate it to another tool.
7.5 Right to withdraw consent
You can sign out of the app at any time and clear its local storage from the device settings. Signing out stops further sync from your device. To also delete the cloud copy, see 7.3.
7.6 Right to lodge a complaint
If you believe we are mishandling your data, please email us first so we have a chance to fix it. You also have the right to complain to your local data-protection authority — for example, the European data-protection authority of the country you live in, the Personal Data Protection Commission (PDPC) in Singapore, the Ministry of Information and Communications (MIC) in Vietnam, or the Cyberspace Administration of China (CAC) in mainland China.
8. Children
TukLuy is a business tool for adult shop owners. It is not directed at children under 13 (or under the equivalent age of digital consent where you live). If you believe a child has created a TukLuy account, please email privacy@tukluy.com and we will delete the account.
9. Security
- All traffic between the app and our servers uses TLS (HTTPS).
- Database storage and object storage are encrypted at rest by the hosting provider.
- Access to production systems is restricted to named operators and logged.
- Passwords for email/password sign-in are handled by Firebase Authentication; we never see them in plain text.
No system is perfectly secure. If we discover a breach that affects your personal data, we will notify affected users and the appropriate authorities as required by law.
10. Changes to this policy
We may update this policy as the app evolves. If we make a material change (for example, adding a new third-party provider, or starting to collect a new category of data), we will:
- Update the "Effective" date and version number at the top.
- Show an in-app notice on next launch.
- Where the law requires it, ask you to accept the new policy again.
11. How to contact us
- Email: privacy@tukluy.com
- Website: tukluy.com
- Postal address: Address TBD
For general support, please use hello@tukluy.com.