MALA
Features
Multi-venue dashboardLabour analyticsFood cost & purchasingStaff operations & kioskFoot trafficEquipment LedgerInvoice captureAll features
IntegrationsPricing
Log inStart free trial

Privacy Policy

Last updated: 1 May 2026

MALA is an analytics dashboard that consolidates point-of-sale, rostering, accounting, supplier, and review data for hospitality venues. This policy explains what data we collect, how we use it, how we protect it, and your rights under Australian privacy law. It applies to mala.solutions, dashboard.mala.solutions, gear.mala.solutions, and any other service offered by Aegis Mala Pty Ltd under the MALA brand.

1. Who we are

MALA is operated by Aegis Mala Pty Ltd (ACN 694 092 772, ABN 66 694 092 772), an Australian proprietary limited company based at 12/130-138 Megalong Street, Leura NSW 2780, Australia.

We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). For any privacy matter — questions, access requests, complaints — contact us at hello@mala.solutions.

2. What data we collect

  • Account data — your name, email address, hashed password, multi-factor-authentication enrolment status, and the tenants and venues you've been granted access to.
  • Operational data from third-party integrations you connect — sales, payments, order line items, customers, rosters, timesheets, supplier invoices, accounting transactions, and the related metadata we need to render the dashboards you've enabled. We only fetch what's required for the features in use.
  • Google user data — when you connect a Google Business Profile we receive your reviews, your location metadata, and the OAuth tokens needed to read those reviews and post your replies on your behalf.
  • Equipment & sensor data — if you use MALA Gear, we collect equipment records, service history, work-order attachments you upload (photos, invoices), and temperature-probe readings from sensors you connect.
  • Billing data — when you subscribe, our payment processor (Stripe) collects card or bank-debit details on our behalf. We don't store full card numbers; we receive the transaction reference, last four digits, and amount.
  • AI inputs and outputs — when a feature uses a language model (for example, suggested review replies, anomaly summaries, or forecasting), we send the minimum data needed for that feature to function and store the result for display in the dashboard. See section 5 for details.
  • Operational logs — request IDs, error traces, performance metrics, and admin-action audit logs. Used for debugging, security investigations, and reliability.
  • Cookies — a single first-party HTTP-only cookie for your sign-in session. We may also use limited first-party analytics to understand how the product is used; if and when we do, this section will be updated to name the tools and the data collected. We don't use third-party advertising cookies or cross-site tracking.

3. How we use your data

We use the data above to render the dashboards, run scheduled syncs, generate the reports you've subscribed to, deliver alerts and notifications, process payments, respond to support enquiries, and meet legal and tax obligations. We do not sell your data, do not use it for advertising, and do not use it to train generalised machine-learning models.

4. Google API Services User Data Policy — Limited Use

MALA's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Google user data obtained via the business.manage scope is:

  • used solely to display reviews and post replies inside your MALA dashboard;
  • never transferred to third parties, except as necessary to provide or improve the user-facing features (e.g. our hosting and database providers, listed below);
  • never used for advertising, including retargeting, personalised, or interest-based advertising;
  • never used to develop, improve, or train generalised AI/ML models;
  • not accessed by humans, except (a) with your explicit consent for support, (b) for security investigations or to comply with applicable law, or (c) where the data has been aggregated and anonymised for internal operations.

5. AI and machine-assisted features

Some MALA features rely on third-party language-model providers (currently Anthropic and Google). When you use one of these features we send only the minimum data needed for that feature to function — typically aggregated metrics, specific text you've chosen to act on (such as a review), or numeric series for forecasting.

Our agreements with these providers prohibit them from using your data to train their general models. Where data is processed outside Australia, that processing is governed by the providers' standard data-protection terms. The output of these models is displayed in your dashboard for you to review and accept; we treat AI output as decision-support, not as authoritative advice.

6. Where data is stored

MALA's primary database and application servers are located in Australia. Backups are encrypted and retained for 30 days. Some sub-processors (listed in section 8) may process data in other regions on our behalf — we describe each one's role and location in that section.

7. How we protect your data

  • Encryption — your data is encrypted in transit and at rest, and sensitive credentials such as the tokens for your connected accounts are encrypted with keys kept separately from the database (backups included).
  • Access — only authorised personnel can reach production systems, on a least-privilege basis, with admin actions logged. Two-factor authentication is available on every account.
  • Network — all traffic passes through a DDoS-protected edge, and internal services aren't exposed to the public internet.

8. Sub-processors

We use the following categories of sub-processor:

  • Application hosting and database — an Australian-region cloud provider.
  • Edge network and DDoS protection — Cloudflare.
  • Transactional and report email delivery — Google Workspace (Gmail).
  • Payments — Stripe (card and bank-debit processing).
  • AI / language-model processing — Anthropic (Claude) and Google (Gemini), for the features described in section 5.
  • SMS delivery — the SMS gateway you authorise per campaign (used only when you run review-request or notification campaigns).

We publish this list and update it as it changes. We'll notify active customers by email of material changes — for example, adding a new category of sub-processor, or changing where customer data is processed.

We do not use any third-party advertising, behavioural, or cross-site tracking services.

9. How long we retain data

We retain operational data for as long as your account is active. On disconnection of an integration we delete the OAuth tokens for that integration immediately. On termination of your account we delete your tenant data within 90 days, except where law requires longer retention — for example, tax records under the Income Tax Assessment Act 1997 (Cth).

10. Your rights

You have the right under Australian law to:

  • request a copy of the personal information we hold about you;
  • request correction of any inaccurate information;
  • request deletion of your personal information;
  • opt out of any direct-marketing email (we'll provide an unsubscribe link in any such email);
  • complain to us, and if you're dissatisfied with our response, escalate to the Office of the Australian Information Commissioner (oaic.gov.au).

Email hello@mala.solutions for any of these requests; we'll respond within 30 days. We may ask you to verify your identity before acting on a request.

You can revoke MALA's access to your Google Account at any time at myaccount.google.com/permissions.

11. Notifiable data breaches

If we become aware of an eligible data breach under Part IIIC of the Privacy Act 1988 (Cth), we'll notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable, in accordance with the Notifiable Data Breaches scheme.

12. Beta features

From time to time we make new features available as Beta. Beta features carry a limited warranty (see our Terms of Service). The handling of data submitted to a Beta feature may differ from the general handling described above; where it does, we'll describe it at the point where the Beta feature is offered. Where a Beta feature involves types of data we don't otherwise collect (for example, sensor imagery or video), the handling for that data type will be set out alongside the feature.

13. Children

MALA is a B2B product designed for adults running businesses. We don't direct the service at children and don't knowingly collect personal information from anyone under 18.

14. Changes to this policy

When we change this policy materially we'll update the date at the top and notify active account holders by email. Continued use of MALA after a change means you accept the updated policy.

15. Contact

Questions, concerns, or requests: hello@mala.solutions.

Aegis Mala Pty Ltd
ACN 694 092 772 · ABN 66 694 092 772
12/130-138 Megalong Street, Leura NSW 2780, Australia

MALA · Built in Sydney·Features·Integrations·Pricing·Log in·Privacy·Terms