Asterism

Privacy Policy

Last updated 9 June 2026

Operated by Gaebel Hwa (“Asterism”, “we”, “us”), 39, Jalan PJU 1A/1D, 47301 Petaling Jaya, Selangor, Malaysia.

Asterism is an event-management platform used by organisers (e.g. churches and ministries) to manage participants for camps, conferences, and similar events. This policy explains how we handle personal data, in line with the Personal Data Protection Act 2010 (Malaysia) (“PDPA”).

1. Our two roles

  • For organiser accounts (the people who sign up to run events), we are the data controller. This policy governs that data.
  • For participant data (campers/attendees that organisers add or collect via forms), the organiser is the data controller and we act as their data processor. We only process that data on the organiser’s instructions, under our Data Processing Agreement. Participants should refer to the organiser’s own privacy notice.

2. Personal data we handle

Organiser account data (we control): name, email, password (hashed), and activity logs.

Participant data (we process on the organiser’s behalf) — depending on the organiser’s form configuration, this can include:

  • Identity & basic: name, preferred name, gender, age, date of birth
  • Contact: phone, email, IC / passport number
  • Emergency: emergency contact name & number (data about a third party)
  • Logistics: church/small group, transport, pickup location/time, t-shirt size, accommodation type
  • Sensitive personal data: medical conditions, dietary requirements (which may reveal health or religious belief), and religious affiliation implied by ministry context
  • Payment status and any subsidy notes

3. Sensitive personal data & minors

Camps frequently involve minors and sensitive personal data (health, religious belief, national ID). Under the PDPA, sensitive personal data requires explicit consent, and minors’ data requires parent/guardian consent.

Because the organiser collects this data directly from participants, the organiser is responsible for obtaining the necessary consents (including guardian consent for minors and explicit consent for medical/dietary/sensitive fields). We provide a consent-notice template to help, but the legal obligation sits with the organiser as controller. We process such data only to provide the service and apply heightened care (access controls, audit logging, encryption in transit and at rest).

4. Why we process data

  • Provide the platform: registration, rooming, groups/teams, transport, check-in, exports for event day
  • Authenticate organiser accounts and secure the service
  • Maintain audit logs (who changed what) for security and accountability
  • Respond to support requests

We do not sell personal data, and we do not use participant data for our own marketing.

5. Where data is stored (data residency)

Personal data is hosted in Singapore:

  • Database: Supabase (AWS ap-southeast-1, Singapore)
  • Application: Vercel (region sin1, Singapore)

The PDPA permits cross-border transfer subject to safeguards; we keep data within the Asia-Pacific region and rely on the security commitments of these providers.

6. Sub-processors

Sub-processor | Purpose | Location
Supabase | Database hosting | Singapore
Vercel | Application hosting | Singapore
GitHub | Source code (no participant data) | USA

We will give notice of changes to this list.

7. Retention & deletion

  • Participant data is retained while the organiser’s account/event is active.
  • We use soft delete so organisers can recover accidentally removed records; data is permanently purged on request or after account closure.
  • Organisers can request export or deletion of their event data at any time.

8. Security

We use encryption in transit (HTTPS) and at rest, role-based access controls per event, audit logging, and least-privilege access. No system is perfectly secure, but we take reasonable steps appropriate to the sensitivity of the data.

9. Your rights (PDPA)

Subject to the PDPA, you may request access to, correction of, or deletion of your personal data, and may withdraw consent. Participants should direct such requests to the organiser (the controller). Organisers and account holders can contact us at privacy@asterism.events.

10. Changes

We may update this policy; material changes will be notified to organiser accounts. Continued use after changes constitutes acceptance.

11. Contact

Data protection queries: privacy@asterism.events
Gaebel Hwa, 39, Jalan PJU 1A/1D, 47301 Petaling Jaya, Selangor, Malaysia.