Privacy notice · plain English
What we collect, what we don’t, and what’s outside our hands.
MoneyTakCukup exists because money stress already costs you enough. We don’t want it to cost you your privacy too. Here’s exactly what happens when you share a story, run a calculation, or write us a note — in the same plain language we use everywhere else.
What we collect
When you submit a story through the share form, we save the words you typed plus the rough metadata you chose to attach: a debt amount band, one or more debt types, an age range, a Malaysian state or territory, and the year things started. That’s it.
When you write to us through the contact form, we save your email (so we can reply), an optional name if you gave one, the subject you picked, and the body of your message.
What we don’t collect
- No real names, no nicknames stored against your story.
- No IC numbers, passport numbers, or any government ID.
- No phone numbers. No home address. No location beyond “state or territory.”
- No browser fingerprint, no device ID, no advertising ID.
- No behavioural tracking across pages or sessions.
- No social logins. There’s nothing to log into in the first place.
Rate limiting and IP addresses
To stop one person from spamming the submission form, we have to know — briefly — that two posts came from the same place. We do this without storing your IP.
When you submit a story, we hash your IP using SHA-256 with a private salt before it touches our database. We store only the hash, only briefly, only to enforce the rate-limit window. The raw IP never lands anywhere we can see it. The hash itself lives in a sealed table that no one can read directly — not even us through the regular database client.
In practice: the hash is what lets the system say “you already submitted recently, come back later.” It cannot be reversed back to your IP without the salt, which never leaves our server.
Cookies and analytics
We don’t set cookies for visitors. We don’t run Google Analytics, Plausible, PostHog, Vercel Analytics, or any other tracker. There are no third-party pixels embedded on this site.
The one exception is our own moderation tooling at /admin: it uses an HMAC-signed session cookie scoped to admin routes so a moderator can stay logged in. That cookie is for the moderator’s login — it’s not used to track readers or storytellers.
The debt calculator
The debt calculator never sends your numbers to us. Everything you type lives in your browser’s localStorage under a single key (mtc:debt-calc:input) so you can leave and come back without losing your work. Clear your browser data and it disappears. We never see your income, your debts, or your monthly payments.
Approved stories and Instagram
Once a moderator approves your story, it appears on the wall of stories and may be shared as an image card on our Instagram. Those cards only contain the story text and the same coarse metadata you chose — never anything that identifies you.
Changed your mind? Email hello@moneytakcukup.com with enough detail to point us at your story and we’ll take it down. No questions asked.
What we can’t promise
We want to be honest about the parts of the internet we don’t control:
- Vercel hosts this site. Their edge network logs HTTP request metadata — including IPs — for security and operational purposes, per their own retention policy. Our code does not access those logs.
- Supabase runs the Postgres database. Their infrastructure logs database connections per their own policies. Our code does not access those logs either.
- Namecheap handles DNS for the moneytakcukup.com domain. No application data flows through them — they only resolve the name to an IP.
If you need absolute anonymity for a submission — not just from us, but from the infrastructure we sit on top of — use Tor Browser or a trusted VPN before you load the form. We’d rather say this out loud than pretend the internet works any other way.
How to remove your story
Email hello@moneytakcukup.com with enough detail to identify which story is yours — a line you remember writing, the rough date you submitted, the tags you chose. We’ll remove it within a reasonable window. We don’t ask why, and we don’t require you to prove it’s yours; the worst case is we take down someone else’s story, which is a smaller harm than leaving a regretted one up.
Changes to this notice
When this notice changes, we’ll bump the “last updated” date at the top and add an entry to the changelog below. Material changes get called out in plain language — not buried in a diff.
- 28 May 2026
- First public version of the Privacy Notice, written by the operator before formal counsel review.
Who runs this
MoneyTakCukup is currently operated by an individual, not a registered business entity. A formal entity may be established later; if it is, this notice will be updated to name it. For anything related to your data, hello@moneytakcukup.com is the contact and the point of accountability.