Privacy Policy

Last updated: 1 June 2026

1. What we collect

Rojak collects only the data we need to run the Service. There is no analytics tracker, no ad pixel, and no third-party session replay tool.

1.1 Account data

• Email address, used as your account identifier and for transactional email (login links, credit pack receipts).
• Password, stored as a salted scrypt hash. We never see your plaintext password.
• IP address at signup, used for free-credit anti-abuse. Stored in plaintext alongside your account record.
• Credit balance and generation count, used to meter the Service.

1.2 Generation data

• Uploaded character image, treated as biometric data (see Terms section 5). Sent to fal.ai for processing. Source upload is deleted from our blob storage after the generation completes successfully.
• Uploaded reference video, sent to fal.ai for processing. Source upload is deleted from our blob storage after the generation completes successfully.
• Generated output video, stored in Vercel Blob (publicly accessible URL) for delivery to you. You can delete your generations from the Studio interface.
• Generation metadata, including timestamps, fal.ai request IDs, and credit cost. Stored in Vercel KV.

1.3 Payment data

Credit pack purchases are processed by Stripe. Stripe receives your card details directly, encrypted on their servers. We see only the Stripe customer ID, the pack purchased, the amount, and the verified email associated with the payment. We do not store card numbers.

1.4 Push notification data

If you enable push notifications, your browser provides us with a push subscription token (cryptographic endpoint, not personally identifying). We store this against your account so we can notify you when a generation completes. You can disable push notifications from your browser settings at any time, which invalidates the token.

2. How long we keep your data

• Account record, until you delete the account.
• Source uploads (character image, reference video), deleted after the generation completes (usually within 2 minutes).
• Generated output video, kept until you delete it, or until 90 days have passed with no account activity.
• Stripe payment records, retained as long as Malaysian tax law requires for record-keeping (currently 7 years).
• Server logs (IP, request URL), retained on Vercel for up to 30 days, then automatically purged.

3. Third-party processors

Rojak relies on the following processors. By using the Service you consent to data being shared with them for the purposes described.

• Vercel (US), hosting, edge functions, blob storage, KV. Privacy.
• fal.ai (US), AI motion sync generation. Uploaded images and videos are sent here for processing. Privacy.
• Stripe (US, with Malaysia entity), payment processing. Privacy.
• Resend (US), transactional email (login links, receipts). Privacy.
• Cloudflare (US), DNS and edge protection for rojak.app. Privacy.

4. Your rights under PDPA (Malaysia)

Under the Malaysian Personal Data Protection Act 2010, you have the right to:

• Access your personal data we hold, by emailing hello@rojak.app.
• Correct inaccurate data, by updating your account or emailing us.
• Delete all your data via the "Padam akaun" button on the Account page. This removes your user record, generation history, blob outputs, IP records, and push subscription tokens.
• Withdraw consent for processing, which means closing your account.
• Object to direct marketing, though we currently do not send marketing email at all.

5. Security

All connections to rojak.app use HTTPS. Passwords are stored as scrypt hashes with per-user salt. Session cookies are HMAC-signed, HttpOnly, Secure, SameSite=Lax. Generated video URLs are unguessable but publicly accessible (a 30+ character blob identifier). Do not share the URL of a generation you want kept private.

6. Cookies

We set one functional cookie, ms_session, the HMAC-signed login session. This is essential for the Service to work. We do not use tracking or advertising cookies. We do not embed third-party scripts that set cookies.

7. Children

Rojak is for users aged 18 and over. We do not knowingly collect data from anyone under 18. If we discover an account belongs to a minor, the account and all data will be deleted.

8. International transfers

Most of our processors are based in the United States (Vercel, fal.ai, Stripe, Resend, Cloudflare). When you use Rojak from outside the US, your data is transferred to and processed in the US. By using the Service, you consent to this transfer.

9. Changes to this Policy

Material changes will be announced via email. The "Last updated" date at the top of this page reflects the most recent revision.

10. Contact

For privacy questions, complaints, or data subject requests: hello@rojak.app

Operated by Andrew Tai (Malaysia).