Privacy Policy
Effective Date: 18 March 2026
Version: 1.0
Jurisdiction of Primary Controller: Malaysia
Document Reference: ARM-PP-2026-001
1. Preliminary Matters, Definitions, and Interpretation
This Privacy Policy (hereinafter referred to as the “Policy”) is issued by Basic Insight (hereinafter referred to as the “Company”, “Controller”, “we”, “us”, or “our”), a company incorporated and operating under the laws of Malaysia, with its principal place of business in Kuala Lumpur, Malaysia. This Policy governs the collection, use, processing, storage, transfer, disclosure, and destruction of Personal Data in connection with the operation of the AI-powered research platform accessible at https://ai.research.my (hereinafter referred to as the “Platform” or “AI.RESEARCH.MY”).
This Policy is intended to be a legally operative instrument satisfying the notification and transparency obligations imposed upon the Company under the laws of multiple jurisdictions in which the Platform operates or in which Data Subjects may be located. This Policy is addressed to sophisticated commercial and institutional users and is written in precise legal language. It is not a consumer-facing simplified notice. Users who require a plain-language summary should contact the Company’s Data Protection Officer as identified in Section 16 of this Policy.
1.1 Defined Terms
Unless the context otherwise requires, the following definitions shall apply throughout this Policy:
- “Adequacy Decision” means a decision issued by the European Commission pursuant to Article 45 of the EU GDPR finding that a third country ensures an adequate level of protection for personal data.
- “AI Agent” means the artificial intelligence system embedded within the Platform that receives and processes natural language inputs from Users and generates responses, executes queries, analyzes files, and produces reports.
- “Anonymisation” means the irreversible process of altering personal data such that the data subject cannot be identified directly or indirectly by any means reasonably likely to be used, in accordance with the interpretive guidance of the Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques.
- “Applicable Data Protection Law” means, collectively and severally, the Malaysia PDPA 2010, the Singapore PDPA 2012, the Thailand PDPA B.E. 2562, the Indonesia PDP Law No. 27 of 2022, the EU GDPR, the CCPA as amended by the CPRA, and all subordinate regulations, regulatory guidance, binding codes of practice, and orders issued thereunder.
- “Bcrypt” means the adaptive cryptographic password hashing function based on the Blowfish cipher, as implemented in the Platform’s authentication subsystem with a minimum cost factor of 12.
- “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (Proposition 24), together referred to as the “CPRA”.
- “Consent” means any freely given, specific, informed, and unambiguous indication of a Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them, consistent with Article 4(11) of the EU GDPR, Section 4 of the Malaysia PDPA, Section 13 of the Singapore PDPA, Section 19 of the Thailand PDPA, and Article 20 of the Indonesia PDP Law.
- “Controller” or “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as defined in Article 4(7) of the EU GDPR; and shall include the equivalent definitions of “data user” under Section 4 of the Malaysia PDPA, “organisation” under Section 2 of the Singapore PDPA, “data controller” under Section 6 of the Thailand PDPA, and “personal data controller” under Article 1(4) of the Indonesia PDP Law.
- “Conversation Log” means the persistent structured record of all messages exchanged between a User and the AI Agent within a Workspace session, stored in the Company’s MySQL database infrastructure.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the EU GDPR, and encompassing equivalent definitions in all Applicable Data Protection Laws.
- “Data Processor” or “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller, as defined in Article 4(8) of the EU GDPR, and shall include the equivalent definitions under all Applicable Data Protection Laws.
- “Data Protection Officer” or “DPO” means the individual designated pursuant to Article 37 of the EU GDPR and the equivalent requirements of other Applicable Data Protection Laws.
- “Data Subject” means an identified or identifiable natural person to whom personal data relates, as defined in Article 4(1) of the EU GDPR, and shall include the equivalent definitions under all Applicable Data Protection Laws; and shall encompass “Users”, “Workspace Administrators”, and any natural persons whose data is processed via the Platform.
- “EEA” means the European Economic Area, comprising the member states of the European Union together with Iceland, Liechtenstein, and Norway.
- “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “Indonesia PDP Law” means Law of the Republic of Indonesia Number 27 of 2022 concerning Personal Data Protection (Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi).
- “Legitimate Interests” means a lawful basis for processing under Article 6(1)(f) of the EU GDPR, requiring a balancing test between the Controller’s interests and the Data Subject’s fundamental rights.
- “Malaysia PDPA” means the Personal Data Protection Act 2010 (Act 709) of Malaysia, together with all subsidiary legislation made thereunder, including the Personal Data Protection Regulations 2013 and the Personal Data Protection (Class of Data Users) Order 2013.
- “Personal Data” means any information that relates to an identified or identifiable natural person, as defined in Article 4(1) of the EU GDPR; “personal data” as defined in Section 4 of the Malaysia PDPA; “personal data” as defined in Section 2 of the Singapore PDPA; “personal data” as defined in Section 6 of the Thailand PDPA; and “personal data” as defined in Article 1(1) of the Indonesia PDP Law.
- “Platform” means the AI.RESEARCH.MY multi-tenant artificial intelligence research platform operated by the Company, accessible at https://ai.research.my, including all associated web interfaces, APIs, backend services, databases, and ancillary systems.
- “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements, as defined in Article 4(4) of the EU GDPR.
- “Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, as defined in Article 4(5) of the EU GDPR.
- “Sensitive Personal Data” means personal data pertaining to, inter alia, physical or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature, the commission or alleged commission of any offence, financial information, and any other category designated as sensitive under applicable law, including “special categories of personal data” under Article 9 of the EU GDPR and “sensitive personal information” as defined in Section 4 of the Malaysia PDPA.
- “Singapore PDPA” means the Personal Data Protection Act 2012 of Singapore (No. 26 of 2012), as amended by the Personal Data Protection (Amendment) Act 2020, together with all subsidiary legislation, advisory guidelines, and codes of practice issued by the Personal Data Protection Commission of Singapore.
- “Standard Contractual Clauses” or “SCCs” means the standard data protection clauses adopted by the European Commission pursuant to Article 46(2)(c) and (d) of the EU GDPR, as updated by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Sub-processor” means any Processor engaged by the Controller or by another Processor to carry out specific processing activities on behalf of the Controller.
- “Thailand PDPA” means the Personal Data Protection Act B.E. 2562 (2019) of Thailand, together with all Ministerial Regulations, notifications, and guidelines issued thereunder by the Personal Data Protection Committee.
- “Token Usage” means the quantitative metric tracking the volume of computational tokens consumed by a User in the course of interactions with the AI Agent, used for purposes of platform resource management, billing, and service level administration.
- “Workspace” means the isolated multi-tenant environment provisioned for each organisational subscriber, within which Users conduct research activities, interact with the AI Agent, store files, and access generated reports.
- “Workspace File” means any document, spreadsheet, data file, or other digital artefact uploaded to or generated within a Workspace, including but not limited to files in Microsoft Excel format (.xlsx, .xls), Microsoft Word format (.docx, .doc), comma-separated values format (.csv), HTML, JavaScript, and CSS files comprising interactive reports.
Words importing the singular shall include the plural and vice versa. References to statutes and statutory provisions shall be construed as references to those statutes and statutory provisions as amended, re-enacted, or replaced from time to time.
2. Identity and Contact Details of the Data Controller
The Data Controller in respect of personal data processed through the Platform is:
- Entity Name: Basic Insight
- Principal Place of Business: Kuala Lumpur, Malaysia
- Platform URL: https://ai.research.my
- General Enquiries Email: privacy@ai.research.my
- Data Protection Officer: See Section 16
For purposes of the EU GDPR, Article 27 thereof requires controllers not established in the European Union but who offer goods or services to data subjects in the Union or who monitor the behaviour of data subjects in the Union to designate a representative in the Union. Where the Platform processes personal data of data subjects in the EEA in a manner engaging Article 3(2) of the EU GDPR, the Company shall maintain or appoint an EU Representative and shall publish the identity and contact details of such representative within a reasonable period. Until such time as a representative is formally designated and publicly notified, Data Subjects in the EEA should direct all inquiries to the Data Protection Officer identified in Section 16 of this Policy.
For purposes of the Singapore PDPA, the Company designates a Data Protection Officer pursuant to Section 11(3) of the Singapore PDPA, whose contact details are set out in Section 16.
For purposes of the Thailand PDPA, the Company designates a Data Protection Officer pursuant to Section 41 of the Thailand PDPA where such designation is mandated by the nature of the Company’s processing activities.
For purposes of the Indonesia PDP Law, the Company designates a Personal Data Protection Officer pursuant to Article 53 of the Indonesia PDP Law where the Company’s processing activities require such designation by reason of large-scale processing, processing of specific personal data, or activities involving systematic monitoring of data subjects.
3. Categories of Personal Data Collected and Processed
The Company collects, receives, generates, and otherwise processes the following categories of Personal Data in connection with the operation of the Platform. This enumeration is intended to be comprehensive but shall not be construed as exhaustive where incidental data is received as part of User-generated content.
3.1 Account and Identity Data
- Display Name: The name or alias provided by the User or Workspace Administrator at the time of account registration or profile configuration.
- Email Address: The primary electronic mail address associated with a User account, used for authentication, transactional communications, and service notifications transmitted via the SendGrid email delivery service.
- Mobile Telephone Number: Where provided, the User’s mobile telephone number, which may be used for multi-factor authentication, account verification, and service communications.
- Password Hash: A one-way cryptographic hash of the User’s chosen password, generated using the Bcrypt adaptive hashing function with a minimum cost factor of 12. The Company does not store plaintext passwords under any circumstances.
- Account Creation Timestamp: The date and time at which a User account was created.
- Account Status: Whether the account is active, suspended, or terminated.
3.2 Usage and Interaction Data
- Conversation Logs: The complete verbatim content of all messages submitted by Users to the AI Agent and all responses generated by the AI Agent, persisted in the Company’s MySQL database infrastructure with per-record timestamps, user identifiers, session identifiers, and workspace identifiers.
- Token Usage Records: Quantitative records of the volume of AI inference tokens consumed per interaction, per session, per day, and in aggregate per User account, maintained for purposes of resource allocation, billing, and service management.
- Session Metadata: HTTP session identifiers, session creation timestamps, session expiry timestamps, IP addresses from which sessions were initiated, and User-Agent strings reported by the accessing browser or client application.
- API Request Logs: Server-side logs of HTTP requests made to the Platform’s API endpoints, including endpoint path, HTTP method, response code, response latency, and the originating IP address. These logs are subject to rate-limiting controls as described in Section 9.
- Feature Usage Telemetry: Aggregated and, where technically necessary, per-user records of Platform feature engagement, including which AI capabilities were invoked, file analysis operations performed, and report generation events.
3.3 Workspace and File Data
- Workspace Files: Any documents, spreadsheets, data files, or other digital content uploaded by Users to their Workspace, including Microsoft Excel files (.xlsx, .xls), Microsoft Word documents (.docx, .doc), CSV files, and any other file format accepted by the Platform’s file ingestion system. The content of such files may contain Personal Data of third parties, the processing of which is addressed in Section 12.3.
- Generated Reports: HTML, JavaScript, and CSS artefacts generated by the AI Agent in response to User queries, stored within the User’s Workspace and potentially containing data derived from or referencing the User’s source files or database connections.
- Database Connection Credentials: Where a User configures the Platform to connect to an external relational database, the Platform stores the connection parameters including hostname, port, database name, username, and password. Such passwords are stored in encrypted form using AES-256 encryption at rest. The Platform enforces read-only (SELECT) query execution and does not permit data-modifying operations against connected databases.
3.4 Technical and Device Data
- Internet Protocol (IP) Address: The public IP address of the device from which the User accesses the Platform.
- Browser and Device Information: The User-Agent string, browser type and version, operating system type and version, and screen resolution where detectable.
- Cookies and Session Tokens: As further described in Section 10 of this Policy.
- Geolocation Data (Approximate): Country-level geolocation inferred from IP address for purposes of jurisdiction determination and fraud prevention. Precise geolocation is not collected.
3.5 Communications Data
- Transactional Email Records: Records of emails transmitted to Users via the SendGrid platform, including delivery status, open events (where tracked by the email service), and bounce or complaint notifications.
- Support Communications: The content of any communications submitted by Users through the Platform’s contact mechanisms or by direct email to the Company.
3.6 Data Not Intentionally Collected
The Company does not intentionally collect Sensitive Personal Data as defined in Article 9 of the EU GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation) unless such data is incidentally present in User-generated content uploaded to the Platform. Where such data is identified in User-generated content, the Company shall treat it in accordance with heightened security measures as described in Section 9 and shall not use it for profiling or any purpose other than the immediate purpose for which the User submitted it.
4. Purposes of Processing
The Company processes Personal Data for the following specific, explicit, and legitimate purposes, as required by the principle of purpose limitation under Article 5(1)(b) of the EU GDPR, Section 6(2) of the Malaysia PDPA, Section 18 of the Singapore PDPA, Section 21 of the Thailand PDPA, and Article 16 of the Indonesia PDP Law:
- Account Provisioning and Authentication: To create, maintain, and secure User accounts, including verifying User identity at login via session-based authentication and Bcrypt-verified password comparison, managing session state, and enforcing access controls within the multi-tenant Workspace architecture.
- Platform Service Delivery: To operate the AI Agent and associated Platform functionality, including receiving and processing User queries submitted via the instant messaging interface, executing authorised read-only queries against User-configured external databases, performing AI-powered analysis of User-uploaded files, and generating interactive research reports in HTML/JS/CSS format.
- Conversation History Management: To persist Conversation Logs in the Company’s MySQL database for the purpose of enabling contextual continuity within and across User sessions, permitting Users to retrieve and review prior interactions, and supporting AI Agent performance optimisation.
- Token Usage Accounting: To track and record per-User Token Usage for the purposes of platform resource management, enforcement of applicable usage limits or quotas, and, where applicable, billing and invoicing under the terms of the applicable subscription agreement.
- Transactional Email Communications: To transmit account-related communications to Users via the SendGrid email delivery platform, including account registration confirmations, password reset instructions, security notifications, and material updates to the terms of service or this Policy.
- Security, Integrity, and Fraud Prevention: To protect the Platform, its Users, and third parties against unauthorised access, data breaches, abuse, fraud, and other security threats, including through rate limiting of API endpoints, SSRF (Server-Side Request Forgery) protection on web fetch operations, file system sandboxing with path traversal prevention, and monitoring of anomalous usage patterns.
- Legal Compliance and Regulatory Obligations: To comply with the Company’s obligations under Applicable Data Protection Laws and other applicable legislation, including responding to lawful requests from competent authorities, complying with court orders, and fulfilling mandatory data retention obligations.
- Service Improvement and Quality Assurance: To analyse aggregated and, where technically necessary, pseudonymised usage data to identify platform issues, improve AI Agent performance, develop new features, and ensure service reliability and performance.
- Dispute Resolution and Enforcement: To establish, exercise, or defend legal claims in connection with the Platform’s terms of service or any legal proceedings involving the Company.
- Audit and Accountability: To maintain records of data processing activities as required by Article 30 of the EU GDPR and equivalent provisions of other Applicable Data Protection Laws.
The Company shall not process Personal Data for purposes that are incompatible with those listed above without providing prior notice to the relevant Data Subject and, where required by Applicable Data Protection Law, obtaining fresh consent or identifying a new lawful basis for the incompatible processing.
5. Legal Basis for Processing
The Company relies on the following legal bases for the processing of Personal Data, applying the relevant provisions of each Applicable Data Protection Law as set out below.
5.1 Under EU GDPR (Regulation (EU) 2016/679)
Pursuant to Article 6(1) of the EU GDPR, the Company relies on the following legal bases:
- Article 6(1)(a) — Consent: For the processing of Personal Data where the Company has obtained freely given, specific, informed, and unambiguous consent from the Data Subject, including, without limitation, for the processing of certain categories of usage telemetry and for marketing communications where applicable.
- Article 6(1)(b) — Performance of a Contract: For processing that is necessary for the performance of the contract between the Company and the User or Workspace subscriber (as evidenced by the Platform’s Terms of Service), including account creation, delivery of Platform services, Conversation Log persistence for service continuity, Token Usage accounting, and transactional email communications.
- Article 6(1)(c) — Legal Obligation: For processing that is necessary for compliance with a legal obligation to which the Company is subject, including data retention obligations, responses to lawful authority requests, and obligations under applicable tax, anti-money laundering, and corporate laws of Malaysia and other jurisdictions.
- Article 6(1)(f) — Legitimate Interests: For processing that is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, where such interests are not overridden by the interests or fundamental rights and freedoms of the Data Subject. Such legitimate interests include: (i) platform security and fraud prevention; (ii) improving AI Agent performance through analysis of aggregated usage data; (iii) maintaining the integrity and reliability of the Platform’s multi-tenant architecture; and (iv) establishing, exercising, or defending legal claims. The Company has conducted and maintains records of Legitimate Interests Assessments (LIAs) for each processing activity relying on this basis.
Where the Company relies on Article 6(1)(a) (Consent) as the legal basis for processing, the Data Subject has the right to withdraw such consent at any time pursuant to Article 7(3) of the EU GDPR, without affecting the lawfulness of processing based on consent before its withdrawal.
5.2 Under Malaysia PDPA 2010 (Act 709)
Pursuant to the Personal Data Protection Act 2010 of Malaysia, the Company processes Personal Data in accordance with the seven Data Protection Principles set out in Part II of Act 709:
- General Principle (Section 6): Personal data is not processed unless the data subject has given consent to the processing of the personal data, or the processing is necessary for the performance of a contract, compliance with legal obligations, protection of the vital interests of the data subject, administration of justice, or for the legitimate interests of the data user or third party to whom the data is disclosed.
- Notice and Choice Principle (Section 7): This Policy constitutes the written notice required under Section 7(1) of Act 709. Data subjects are informed of the processing purposes, classes of third parties to whom data may be disclosed, and their rights under the Act.
- Disclosure Principle (Section 8): Personal data shall not be disclosed without the consent of the data subject except where such disclosure is required or permitted by applicable law.
- Security Principle (Section 9): Practical steps are taken to protect Personal Data from loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction, as described in Section 9 of this Policy.
- Retention Principle (Section 10): Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which it was collected or is to be further processed. Retention periods are set out in Section 6 of this Policy.
- Data Integrity Principle (Section 11): Reasonable steps are taken to ensure that Personal Data is accurate, complete, not misleading, and kept up-to-date.
- Access Principle (Section 12): Data subjects have the right to access their Personal Data and to correct it where it is inaccurate, incomplete, misleading, or not up-to-date, as further described in Section 8 of this Policy.
The Company notes that the Malaysia PDPA applies to any person who processes Personal Data in respect of commercial transactions, pursuant to Section 3 of Act 709. Insofar as the Platform constitutes a commercial transaction within the meaning of the Act, these obligations apply to all Personal Data processed in connection with the Platform by Users resident in Malaysia.
5.3 Under Singapore PDPA 2012 (No. 26 of 2012)
Pursuant to the Personal Data Protection Act 2012 of Singapore, as amended by the Personal Data Protection (Amendment) Act 2020, the Company processes Personal Data in accordance with the following obligations:
- Consent Obligation (Sections 13–17): The Company collects, uses, or discloses Personal Data of individuals in Singapore only with their knowledge and consent, except where collection, use, or disclosure without consent is permitted under the Second Schedule, Third Schedule, or Fourth Schedule of the Singapore PDPA respectively.
- Purpose Limitation Obligation (Section 18): Personal data is collected only for purposes that a reasonable person would consider appropriate in the circumstances, and is not used or disclosed for purposes other than those for which consent was given, or as otherwise permitted by the Singapore PDPA.
- Notification Obligation (Section 20): Prior to or upon collection of Personal Data, the Company notifies individuals of the purposes for which their Personal Data is collected, used, or disclosed, as set out in Section 4 of this Policy.
- Access and Correction Obligation (Sections 21–22): The Company provides individuals with access to their Personal Data and the right to correct inaccurate Personal Data, subject to the exceptions in the Sixth and Seventh Schedules of the Singapore PDPA.
- Accuracy Obligation (Section 23): Reasonable efforts are made to ensure that Personal Data is accurate and complete where it is used to make decisions that affect the individual or is disclosed to another organisation.
- Protection Obligation (Section 24): Reasonable security arrangements are made to protect Personal Data in the Company’s possession or control from unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.
- Retention Limitation Obligation (Section 25): Personal Data is not retained any longer than is necessary for the fulfilment of the purposes for which it was collected, or any other legal or business purpose.
- Transfer Limitation Obligation (Section 26): Personal data of Singapore residents is not transferred outside Singapore except in accordance with the requirements of the Singapore PDPA and the Personal Data Protection (Transfer of Personal Data Abroad) Regulations 2021.
- Data Breach Notification (Part VIA, Sections 26C–26H): In the event of a notifiable data breach as defined in Section 26C of the Singapore PDPA, the Company shall notify the Personal Data Protection Commission and affected individuals in accordance with the timelines prescribed by the Commission.
5.4 Under Thailand PDPA (B.E. 2562, 2019)
Pursuant to the Personal Data Protection Act B.E. 2562 (2019) of Thailand, as supplemented by Ministerial Regulations and Personal Data Protection Committee notifications issued thereunder, the Company processes Personal Data of data subjects in Thailand in accordance with the following provisions:
- Lawful Basis (Section 24): Personal data is processed based on one or more of the following lawful bases: (i) consent of the data subject pursuant to Section 19; (ii) necessity for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract; (iii) necessity for compliance with a legal obligation; (iv) necessity for the vital interests of the data subject or another person; (v) necessity for the performance of a task carried out in the public interest; or (vi) necessity for the purposes of the legitimate interests pursued by the controller or a third party.
- Consent Requirements (Sections 19–20): Where the Company relies on consent as the lawful basis for processing, such consent is obtained in writing or through an electronic system, and the request for consent is presented in a manner clearly distinguishable from other matters.
- Sensitive Personal Data (Section 26): Where Sensitive Personal Data as defined under Section 26 of the Thailand PDPA (including data relating to race, ethnicity, political opinions, cult or religious beliefs, sexual behaviour, criminal records, health data, disability, trade union information, genetic data, or biometric data) is incidentally present in User-generated content, the Company processes such data only on the basis of explicit consent or another permitted ground under Section 26.
- Data Subject Rights (Sections 30–43): Data subjects in Thailand are entitled to exercise the rights described in Section 8.4 of this Policy.
5.5 Under Indonesia PDP Law (Law No. 27 of 2022)
Pursuant to Law Number 27 of 2022 of the Republic of Indonesia concerning Personal Data Protection, the Company processes Personal Data of data subjects in Indonesia in accordance with the following provisions:
- Lawful Basis (Article 20): Personal data is processed based on one or more of the following lawful bases: (i) valid and explicit consent of the personal data subject; (ii) fulfilment of contractual obligations with the personal data subject; (iii) fulfilment of legal obligations of the personal data controller; (iv) fulfilment of vital interests of the personal data subject; (v) implementation of duties in the public interest; or (vi) fulfilment of other legitimate interests by observing the balance between the interests of the personal data controller and the rights of the personal data subject.
- Specific Personal Data (Article 4(2)): The Indonesia PDP Law distinguishes between general personal data and specific personal data. Specific personal data (including health and medical data, biometric data, genetic data, sexual life or orientation, political views, criminal records, child personal data, and personal financial data) is subject to heightened protection. Where specific personal data is incidentally present in User-generated content, the Company applies the security measures described in Section 9 of this Policy.
- Obligations of Personal Data Controller (Articles 20–49): The Company, as a personal data controller, complies with the obligations set forth in Chapter IV of the Indonesia PDP Law, including obligations relating to lawfulness, accuracy, purpose limitation, storage limitation, security, and accountability.
- Extraterritorial Application (Article 2(2)): The Indonesia PDP Law applies to any person, whether public or private, inside or outside Indonesia, that performs legal actions with legal consequences in Indonesia or for Indonesian citizens. The Company acknowledges the extraterritorial reach of the Indonesia PDP Law and commits to compliance in respect of Personal Data of Indonesian data subjects.
5.6 Under CCPA/CPRA (Cal. Civ. Code §§ 1798.100 et seq.)
Pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, the Company may constitute a “business” within the meaning of Cal. Civ. Code § 1798.140(d) in respect of its processing of Personal Information of California residents. The Company commits to the following obligations under the CCPA/CPRA:
- Right to Know: California residents have the right to request disclosure of the categories and specific pieces of Personal Information collected, the categories of sources from which it was collected, the business or commercial purposes for collection, and the categories of third parties with whom it is shared.
- Right to Delete: California residents have the right to request deletion of their Personal Information, subject to the exceptions in Cal. Civ. Code § 1798.105(d).
- Right to Correct: California residents have the right to request correction of inaccurate Personal Information maintained by the Company, pursuant to Cal. Civ. Code § 1798.106 as added by the CPRA.
- Right to Opt-Out of Sale or Sharing: The Company does not sell or share (as defined by the CCPA/CPRA) Personal Information of California residents for cross-context behavioural advertising purposes. California residents may nonetheless submit an opt-out request to the DPO contact details in Section 16.
- Non-Discrimination: The Company shall not discriminate against California residents for exercising their rights under the CCPA/CPRA, pursuant to Cal. Civ. Code § 1798.125.
- Sensitive Personal Information (Cal. Civ. Code § 1798.140(ae)): The Company does not use Sensitive Personal Information (as defined by the CPRA) for purposes other than those specified in Cal. Civ. Code § 1798.121(a).
6. Data Retention Periods
The Company retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by Applicable Data Protection Law, or as necessary to establish, exercise, or defend legal claims. The following retention periods apply, subject to the overriding principles of storage limitation under Article 5(1)(e) of the EU GDPR, Section 10 of the Malaysia PDPA, Section 25 of the Singapore PDPA, Section 37 of the Thailand PDPA, and Article 39 of the Indonesia PDP Law:
- Account and Identity Data: Retained for the duration of the active account relationship plus a period of seven (7) years following account closure, to satisfy statutory limitation periods applicable in Malaysia under the Limitation Act 1953 (Act 254) and to comply with potential audit, tax, and regulatory obligations.
- Conversation Logs: Retained for a period of three (3) years from the date of each conversation session, or for the duration of the active account relationship, whichever is longer, subject to User requests for earlier deletion as described in Section 8.
- Token Usage Records: Retained for a period of seven (7) years from the date of the transaction for billing reconciliation and audit purposes.
- Session Metadata and API Request Logs: Retained for a period of ninety (90) days in active storage for security monitoring and incident investigation, and for a further period of one (1) year in archival storage, following which they are permanently deleted.
- Workspace Files and Generated Reports: Retained for the duration of the active account relationship and for a period of thirty (30) days following account closure or User deletion request, to permit recovery in the event of accidental deletion, following which they are permanently and securely destroyed.
- Database Connection Credentials: Retained only for as long as the associated Workspace project is active. Upon project deletion, encrypted credentials are purged from the production database within forty-eight (48) hours and from backup systems within ninety (90) days in accordance with the applicable backup rotation schedule.
- Security and Audit Logs: Retained for a period of two (2) years to support incident investigation, security auditing, and regulatory compliance.
- Transactional Email Records: Retained in accordance with the data retention policies of SendGrid as a Sub-processor, which currently provide for retention of delivery and event data for a period of thirty (30) days in the standard service tier, subject to any extended retention configuration applied by the Company.
- Support Communications: Retained for a period of five (5) years from the date of the last communication in a given support matter.
- Legal Hold: Notwithstanding the foregoing retention periods, where Personal Data is the subject of a legal hold, regulatory investigation, or actual or reasonably anticipated litigation, such data shall be retained for the duration of such hold, investigation, or proceeding, regardless of the applicable standard retention period.
At the expiry of applicable retention periods, Personal Data is permanently deleted using secure deletion procedures that render the data irrecoverable, or is anonymised such that it can no longer be attributed to an identifiable individual. Backup copies of data are subject to the same deletion schedules and are overwritten in accordance with the Company’s backup rotation policy.
7. Cross-Border Data Transfers
The Company, headquartered in Malaysia, may transfer Personal Data to, or permit access to Personal Data by processors and sub-processors located in, countries other than Malaysia. Such transfers may include transfers to Singapore, the United States of America (where certain Sub-processors are located), the European Economic Area, and other jurisdictions. The Company takes the following steps to ensure that such transfers comply with Applicable Data Protection Law:
7.1 Transfers under EU GDPR
Transfers of Personal Data of EEA data subjects to third countries (i.e., countries not benefiting from an Adequacy Decision issued by the European Commission under Article 45 of the EU GDPR) are effected using one or more of the transfer mechanisms specified in Article 46 of the EU GDPR, including, without limitation:
- Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, supplemented where required by a Transfer Impact Assessment (TIA) conducted pursuant to the guidance of the European Data Protection Board (EDPB) Recommendations 01/2020 on measures that supplement transfer tools;
- Binding Corporate Rules where applicable;
- Adequacy Decisions where available.
7.2 Transfers under Malaysia PDPA
Pursuant to Section 129 of the Malaysia PDPA, Personal Data of Malaysian data subjects shall not be transferred to a place outside Malaysia except to places specified in the Personal Data Protection (Place of Data Transfer) Order, or where the data subject has consented to the transfer, or where the transfer is necessary for the performance of a contract between the data subject and the data user, or where the transfer is necessary for reasons of substantial public interest, or where appropriate safeguards have been implemented. The Company maintains Data Processing Agreements incorporating appropriate safeguards with all Sub-processors receiving transfers of Personal Data of Malaysian data subjects.
7.3 Transfers under Singapore PDPA
Pursuant to Section 26 of the Singapore PDPA and the Personal Data Protection (Transfer of Personal Data Abroad) Regulations 2021, transfers of Personal Data of Singapore data subjects outside Singapore are effected only where the recipient country provides a standard of protection for Personal Data that is at least comparable to that under the Singapore PDPA, or where the Company has obtained the data subject’s consent to the transfer, or where the transfer is necessary for performance of a contract, or where appropriate contractual arrangements binding the recipient to equivalent data protection standards have been executed.
7.4 Transfers under Thailand PDPA
Pursuant to Section 28 of the Thailand PDPA, transfers of Personal Data of Thai data subjects to foreign countries shall be made only where the destination country has adequate personal data protection standards as announced by the Personal Data Protection Committee, or with the explicit consent of the data subject, or where the transfer is necessary for performance of a contract with the data subject, or for the vital interests of the data subject, or where appropriate safeguards are in place.
7.5 Transfers under Indonesia PDP Law
Pursuant to Article 56 of the Indonesia PDP Law, transfers of Personal Data of Indonesian data subjects outside Indonesia are permitted only where the destination country has equivalent personal data protection provisions as determined by the relevant government authority, or where appropriate agreements binding the recipient are executed. The Company executes binding data processing agreements with all Sub-processors receiving Personal Data of Indonesian data subjects, incorporating the obligations set forth in Article 56 of the Indonesia PDP Law.
7.6 Sub-processors Located Outside Malaysia
The Company currently relies on the following Sub-processors who may receive or access Personal Data outside of Malaysia:
- SendGrid (Twilio Inc.), United States: For transactional email delivery. Personal Data transferred includes User email addresses and, to the extent embedded in email content, display names.
- AI Inference Providers: The AI Agent may utilise cloud-based AI inference infrastructure. Details of any AI infrastructure sub-processors are disclosed to Users at the point of Workspace subscription and are updated in Section 11 of this Policy.
- Hosting and Infrastructure Providers: The Platform’s server infrastructure may be hosted in data centres located in Malaysia, Singapore, or other jurisdictions. Details of the primary hosting provider are available upon written request to the DPO.
8. Rights of Data Subjects
Data Subjects are entitled to exercise the following rights in respect of their Personal Data, subject to the conditions, limitations, and exceptions prescribed by Applicable Data Protection Law. Requests to exercise any of these rights should be submitted to the Data Protection Officer as described in Section 16 of this Policy. The Company will respond to all valid requests within the timeframes prescribed by the relevant Applicable Data Protection Law.
8.1 Rights under EU GDPR
- Right of Access (Article 15): The right to obtain confirmation as to whether personal data concerning the data subject is being processed, and, where that is the case, access to the personal data and supplementary information specified in Article 15(1). Requests will be responded to within one (1) month of receipt, extendable by a further two (2) months in complex cases pursuant to Article 12(3).
- Right to Rectification (Article 16): The right to obtain without undue delay the rectification of inaccurate personal data, and the right to have incomplete personal data completed.
- Right to Erasure / Right to Be Forgotten (Article 17): The right to obtain the erasure of personal data where one of the grounds specified in Article 17(1) applies, subject to the exceptions in Article 17(3).
- Right to Restriction of Processing (Article 18): The right to obtain restriction of processing where one of the conditions in Article 18(1) applies.
- Right to Data Portability (Article 20): The right to receive personal data in a structured, commonly used, and machine-readable format and the right to transmit that data to another controller, where the processing is based on consent or contract and is carried out by automated means.
- Right to Object (Article 21): The right to object, on grounds relating to the data subject’s particular situation, to processing based on legitimate interests (Article 6(1)(f)) or public interest (Article 6(1)(e)), and the absolute right to object to processing for direct marketing purposes.
- Rights related to Automated Decision-Making (Article 22): The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the data subject. See further Section 13 of this Policy.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Right to Lodge a Complaint (Article 77): The right to lodge a complaint with a supervisory authority, in particular in the Member State of the data subject’s habitual residence, place of work, or place of the alleged infringement.
8.2 Rights under Malaysia PDPA (Act 709)
- Right of Access (Section 30): The right to be informed by the data user whether personal data of which they are the data subject is being processed by or on behalf of the data user, and if so, to receive a description of the personal data, the purposes for which it is processed, and details of recipients.
- Right to Correction (Section 34): The right to request correction of personal data that is inaccurate, incomplete, misleading, or not up-to-date, to erase personal data where it is not necessary for the purpose for which it was collected, and to prevent processing likely to cause unwarranted damage or distress.
- Right to Withdraw Consent (Section 38): The right to withdraw consent to the processing of personal data at any time, subject to certain conditions.
- Right to Prevent Processing for Direct Marketing (Section 43): The right to require the data user to cease or not to begin processing personal data for direct marketing purposes.
8.3 Rights under Singapore PDPA
- Right of Access (Section 21): The right to request access to personal data in the possession or under the control of the organisation, and information about the ways in which it has been or may have been used or disclosed within the preceding year. Response within thirty (30) days unless extended pursuant to Schedule 6.
- Right of Correction (Section 22): The right to request correction of an error or omission in personal data in the possession or under the control of the organisation, as soon as practicable.
- Right to Withdraw Consent (Section 16): The right to withdraw consent to the collection, use, or disclosure of personal data at any time.
- Right to Data Portability (Section 26H): As introduced by the Personal Data Protection (Amendment) Act 2020, the right to request transmission of personal data to another organisation in a commonly used machine-readable format, where technically feasible and as prescribed by the Personal Data Protection (Portability of Personal Data) Regulations.
8.4 Rights under Thailand PDPA
- Right of Access (Section 30): The right to access and obtain a copy of personal data relating to the data subject.
- Right to Data Portability (Section 31): The right to receive personal data in a structured, commonly used, and readable format, and to request transmission to another data controller.
- Right to Object (Section 32): The right to object to the collection, use, or disclosure of personal data at any time in cases where legitimate interests form the basis for processing.
- Right to Erasure (Section 33): The right to request deletion or destruction of personal data, or anonymisation of personal data, in circumstances prescribed by Section 33.
- Right to Restriction of Processing (Section 34): The right to request suspension of use of personal data.
- Right to Rectification (Section 35): The right to request correction of personal data to make it accurate, current, complete, and not misleading.
- Right to Withdraw Consent (Section 19): The right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
8.5 Rights under Indonesia PDP Law
- Right to Obtain Information (Article 8): The right to obtain clear and accurate information regarding the identity of the personal data controller, the legal basis for processing, the purpose and method of use, and the rights of the personal data subject.
- Right to Supplement, Update, and Correct (Article 9): The right to supplement, update, and/or correct errors and/or inaccuracies in personal data concerning the data subject.
- Right to Access and Obtain a Copy (Article 10): The right to access and obtain a copy of personal data concerning the data subject.
- Right to Terminate Processing (Article 11): The right to end processing, delete, and/or destroy personal data concerning the data subject.
- Right to Withdraw Consent (Article 12): The right to withdraw consent that has been given for the processing of personal data concerning the data subject.
- Right to Object to Automated Processing (Article 13): The right to object to decisions based solely on automated processing that produce legal effects or significantly affect the personal data subject.
- Right to Sue and Receive Compensation (Article 14): The right to file a lawsuit and receive compensation for violations of the processing of personal data concerning the data subject.
8.6 Response Procedures
All requests to exercise Data Subject rights shall be submitted in writing to the Data Protection Officer at the contact details provided in Section 16. The Company shall verify the identity of the requestor before processing any access, correction, erasure, or portability request, and may request additional information reasonably necessary for identity verification. The Company shall not charge a fee for responding to rights requests except where permitted by Applicable Data Protection Law (e.g., where requests are manifestly unfounded or excessive pursuant to Article 12(5) of the EU GDPR). Response timelines shall comply with the requirements of the relevant Applicable Data Protection Law applicable to the data subject’s jurisdiction, defaulting to thirty (30) days where no specific period is prescribed.
9. Security Measures: Technical and Organisational
Pursuant to Article 32 of the EU GDPR, Section 9 of the Malaysia PDPA, Section 24 of the Singapore PDPA, Section 37 of the Thailand PDPA, Article 35 of the Indonesia PDP Law, and the security requirements applicable under the CCPA/CPRA, the Company implements a comprehensive regime of technical and organisational security measures appropriate to the risk presented by the processing activities conducted through the Platform. These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons.
9.1 Cryptographic Controls
- Password Hashing: All User passwords are hashed using the Bcrypt adaptive cryptographic hashing function with a minimum work factor (cost parameter) of 12, rendering brute-force and rainbow table attacks computationally infeasible. No plaintext passwords are stored at any point in the system.
- Encryption at Rest: Database connection credentials stored per-project within the Platform are encrypted at rest using AES-256 symmetric encryption. Encryption keys are managed separately from the encrypted data and are stored in a dedicated key management system.
- Transport Layer Security: All communications between User clients and the Platform are transmitted over HTTPS using TLS 1.2 or TLS 1.3, with HTTP Strict Transport Security (HSTS) headers enforced. Unencrypted HTTP connections are rejected or redirected to HTTPS.
9.2 Access Control and Authentication
- Session-Based Authentication: The Platform employs cryptographically signed, server-side session management. Session tokens are transmitted only via HTTPS and are subject to configurable expiry periods and absolute session timeouts to mitigate session hijacking risks.
- Multi-Tenant Workspace Isolation: The Platform’s multi-tenant architecture implements strict logical isolation between Workspaces at the database query level, ensuring that Users of one Workspace cannot access data belonging to another Workspace. Workspace isolation is enforced through parameterised queries and workspace-scoped access control checks on every data retrieval operation.
- Role-Based Access Control: Access to Platform administrative functions is restricted to authorised personnel on a need-to-know basis, with access privileges commensurate with the individual’s role and responsibilities.
- Principle of Least Privilege: Database query operations executed on behalf of Users are strictly limited to read-only SELECT operations. The Platform does not execute data-modifying SQL statements (INSERT, UPDATE, DELETE, DROP, TRUNCATE) against User-configured external databases, eliminating the risk of accidental or malicious data modification through the Platform’s query interface.
9.3 Application Security Controls
- SSRF Protection: The Platform implements Server-Side Request Forgery (SSRF) protection on all web fetch operations executed by the AI Agent, including allowlist-based URL validation, blocking of requests to internal network ranges (RFC 1918 addresses), loopback addresses, link-local addresses, and cloud metadata endpoints (including but not limited to the AWS EC2 instance metadata service at 169.254.169.254).
- File System Sandboxing: User-uploaded files are processed within a sandboxed file system environment that enforces strict path traversal prevention, blocking access to any file path outside the designated User Workspace storage directory. All file path inputs are canonicalised and validated before any file system operation is performed.
- Rate Limiting: API endpoints are subject to rate limiting controls that restrict the number of requests permissible from a given source IP address and/or authenticated session within defined time windows, mitigating the risk of denial-of-service attacks, credential stuffing, and brute-force authentication attempts.
- SQL Injection Prevention: All database queries executed through the Platform, whether against the Platform’s own MySQL database or against User-configured external databases, are constructed using parameterised queries or prepared statements. String interpolation of User-supplied input into SQL query strings is prohibited at the application level.
- Input Validation and Output Encoding: All User-supplied inputs are subject to server-side validation and sanitisation. Dynamic content rendered in HTML reports generated by the AI Agent is subject to output encoding to prevent cross-site scripting (XSS) vulnerabilities.
- Content Security Policy: HTTP response headers implement Content Security Policy (CSP) directives to mitigate the risk of cross-site scripting and data injection attacks in User-facing web interfaces.
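The SSRF checks listed in Section 9.3, written out as an added illustration; this is not the Platform's own code. The allowlisted host names, the port policy, the sample DNS answers and all function names are assumptions, and the resolver is injected so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy values (not from the Policy): hosts the agent may fetch from.
ALLOWED_HOSTS = {"data.example.org", "api.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local, covers 169.254.169.254
    "0.0.0.0/8", "fc00::/7",                           # added here: "this host", IPv6 unique-local
)]


class FetchDenied(Exception):
    """Raised when a URL fails the SSRF policy."""


def is_blocked_ip(ip_text):
    """True if the address falls in any blocked range (IPv4-mapped IPv6 is unwrapped)."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolve(host):
    """Resolve a host name with the OS resolver; returns every address returned."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_url(url, resolve=system_resolve):
    """Return (host, port, vetted_ip) or raise FetchDenied.

    The caller should connect to vetted_ip (sending the original host name for
    TLS and the Host header) so a second DNS lookup cannot return a different
    address, and should run every redirect target through this function again.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise FetchDenied("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise FetchDenied("userinfo in URL not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        port = parts.port or 443
    except ValueError:
        raise FetchDenied("invalid port")
    if port not in ALLOWED_PORTS:
        raise FetchDenied("port not allowed")
    # Allowlist first: literal IPs and unknown names never reach the resolver.
    if host not in ALLOWED_HOSTS:
        raise FetchDenied("host not on allowlist")
    addresses = resolve(host)
    if not addresses:
        raise FetchDenied("host did not resolve")
    # Every answer must be public; one internal address rejects the request.
    for address in addresses:
        if is_blocked_ip(address):
            raise FetchDenied("resolves to blocked address " + address)
    return host, port, addresses[0]


def is_fetch_allowed(url, resolve=system_resolve):
    """Boolean wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolve)
        return True
    except FetchDenied:
        return False


# Constructed DNS answers for the demonstration; not real lookups.
CONSTRUCTED_DNS = {
    "data.example.org": ["93.184.216.34"],
    "api.example.com": ["169.254.169.254"],  # allowlisted name pointed at metadata address
}


def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


if __name__ == "__main__":
    for sample in (
        "https://data.example.org/report.csv",
        "http://data.example.org/report.csv",
        "https://api.example.com/v1/items",
        "https://169.254.169.254/latest/meta-data/",
        "https://data.example.org@127.0.0.1/",
    ):
        print(sample, "->", "allow" if is_fetch_allowed(sample, constructed_resolver) else "deny")
```

The second allowlisted name shows why the name allowlist and the address check are both needed: a permitted host name can still resolve to an internal address.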
9.4 Infrastructure Security
- Network Security: The Platform’s server infrastructure is protected by network firewalls, intrusion detection systems, and access controls restricting administrative access to authorised IP ranges using SSH key-based authentication.
- Backup and Recovery: The Platform’s MySQL database is subject to regular automated backups with encryption at rest. Backup restoration procedures are tested periodically to verify the integrity and recoverability of backup data.
- Patch Management: The Company maintains a patch management programme ensuring that the operating system, database server, web application server, and all third-party dependencies are updated with security patches within a commercially reasonable time following their release.
- Vulnerability Management: The Company conducts periodic vulnerability assessments of the Platform’s application and infrastructure components and remediates identified vulnerabilities in accordance with their severity classification.
9.5 Organisational Security Measures
- Personnel Training: All personnel with access to Personal Data are subject to data protection awareness training and are bound by confidentiality obligations.
- Data Processing Agreements: All Sub-processors and third-party service providers who process Personal Data on behalf of the Company are subject to written data processing agreements imposing data protection obligations no less restrictive than those binding the Company under Applicable Data Protection Law.
- Incident Response Procedures: The Company maintains documented incident response procedures governing the detection, containment, investigation, notification, and remediation of Data Breaches, as further described in Section 14 of this Policy.
- Records of Processing Activities: The Company maintains a Record of Processing Activities (RoPA) pursuant to Article 30 of the EU GDPR, documenting the name and contact details of the controller, the purposes of processing, categories of data subjects and personal data, categories of recipients, details of third-country transfers, retention periods, and a general description of security measures.
10. Cookies and Tracking Technologies
The Platform utilises session cookies and certain technical tracking technologies for the purposes described below. The Company does not engage in cross-context behavioural advertising or sell User data to third-party advertising networks.
10.1 Strictly Necessary Cookies
The Platform sets the following strictly necessary cookies that are essential for the operation of the Platform and cannot be disabled without impairing Platform functionality:
- Session Cookie: A server-set HTTP cookie containing a cryptographically signed session identifier, used to maintain authenticated session state between the User’s browser and the Platform server. This cookie is set with the HttpOnly, Secure, and SameSite=Lax attributes to mitigate cross-site request forgery (CSRF) and session hijacking risks. It expires at the end of the browser session or upon the configured session timeout, whichever is earlier.
- CSRF Token Cookie: A synchronised token used to validate the authenticity of state-changing HTTP requests and prevent cross-site request forgery attacks.
10.2 Analytical and Performance Cookies
Where the Company employs analytical or performance tracking technologies, consent will be obtained from Users in jurisdictions where such consent is required (including EEA and UK users pursuant to the ePrivacy Directive 2002/58/EC as implemented in national law, and California users pursuant to the CCPA/CPRA). Any such analytical processing will be disclosed in a cookie consent notice presented at the time of the User’s first visit to the Platform.
10.3 Third-Party Cookies
The Platform does not embed third-party advertising networks, social media plugins, or other third-party tracking technologies that would result in the placement of third-party cookies on Users’ devices without consent. Where third-party scripts are embedded for operational purposes (for example, authentication flows), such scripts are described in Section 11 of this Policy.
10.4 Cookie Management
Users may manage or delete cookies through their browser settings. Disabling strictly necessary cookies may prevent the Platform from functioning correctly. A cookie preference centre, where required by applicable law, will be made available within the Platform interface.
11. Third-Party Processors and Sub-Processors
Pursuant to Article 28 of the EU GDPR and equivalent provisions of other Applicable Data Protection Laws, the Company engages Sub-processors to perform specific processing activities on its behalf. The Company has entered into Data Processing Agreements with each Sub-processor imposing obligations in respect of data security, confidentiality, purpose limitation, and data subject rights equivalent to those applicable to the Company under Applicable Data Protection Law.
The Company maintains a current list of its Sub-processors and makes this available upon written request to the DPO. The following Sub-processors are currently engaged:
- Twilio Inc. (SendGrid), 375 Beale Street, Suite 300, San Francisco, CA 94105, USA: Provides transactional email delivery services. Personal data processed: User email addresses, email content (which may include display names and account-related information). Transfer mechanism for EEA data: Standard Contractual Clauses. Transfer mechanism for Singapore data: Binding contractual obligations. Processing location: United States.
- AI Inference Infrastructure Provider(s): The Company utilises cloud-based artificial intelligence infrastructure for the operation of the AI Agent. The identity of AI inference Sub-processors and applicable transfer safeguards are disclosed in the Workspace subscription terms and are updated as Sub-processors change. Users who require current Sub-processor disclosure may contact the DPO.
- Hosting and Cloud Infrastructure Provider: The Company’s Platform infrastructure, MySQL database, and file storage systems are hosted on cloud or dedicated server infrastructure. The identity of the hosting provider and applicable data centre locations are disclosed to Users upon written request and are updated in this Policy upon material changes.
The Company shall notify Workspace Administrators of any intended changes to the list of Sub-processors (additions or replacements) within a commercially reasonable period prior to such changes taking effect, in accordance with the notice provisions of the applicable Data Processing Agreement, and shall afford Workspace Administrators an opportunity to object to such changes as prescribed by Article 28(2) of the EU GDPR.
The Company does not sell or disclose Personal Data to third parties for their own independent commercial purposes. Disclosures to third parties are limited to: (i) Sub-processors acting on the Company’s instructions; (ii) professional advisers (lawyers, accountants, auditors) acting under obligations of confidentiality; (iii) competent governmental, regulatory, or law enforcement authorities pursuant to lawful requests; and (iv) parties in connection with a merger, acquisition, or sale of all or substantially all of the Company’s assets, subject to the transferee assuming obligations equivalent to those in this Policy.
12. Children’s Data
The Platform is not directed at, nor designed for, use by children. For the purposes of this Policy, “children” means natural persons below the age of majority in the relevant jurisdiction, being:
- Persons below eighteen (18) years of age under the laws of Malaysia (Age of Majority Act 1971, Act 21);
- Persons below thirteen (13) years of age for purposes of the Children’s Online Privacy Protection Act (COPPA) in the United States, and persons below sixteen (16) years of age for purposes of EU GDPR Article 8(1) (digital services consent age, subject to Member State variation);
- Persons below twenty (20) years of age for certain purposes under the laws of Thailand;
- Persons below eighteen (18) years of age under the laws of Indonesia (Law No. 35 of 2014 on Child Protection) and the Indonesia PDP Law;
- Persons below sixteen (16) years of age under the laws of Singapore (Guardianship of Infants Act, Cap. 122).
The Company does not knowingly collect Personal Data from children as defined above. Access to the Platform requires registration and the provision of a valid business or institutional email address, which serves as a practical barrier to access by minors. The Company’s Terms of Service prohibit use of the Platform by persons who have not attained the applicable age of legal capacity to enter into binding contracts.
If the Company becomes aware that it has collected Personal Data from a child, it shall take prompt steps to delete such data from its systems. If you believe that the Company may have inadvertently collected Personal Data from a child, please notify the Data Protection Officer immediately at the contact details provided in Section 16.
Where a Workspace Administrator submits data files (such as datasets or survey data) that may contain personal data of children in the context of institutional research, the Workspace Administrator is solely responsible for ensuring that such data was collected in compliance with applicable laws governing the collection of children’s data, including obtaining appropriate parental or guardian consent where required. The Company processes such data only as a Data Processor acting on the Workspace Administrator’s instructions and does not independently use or analyse children’s personal data for any purpose other than service delivery.
13. Automated Decision-Making and Profiling
Pursuant to Article 22 of the EU GDPR, Section 45 of the Thailand PDPA, Article 13 of the Indonesia PDP Law, and analogous provisions of other Applicable Data Protection Laws, this section describes the extent to which the Platform engages in automated decision-making and profiling as defined in those provisions.
13.1 Nature of AI-Assisted Processing
The Platform’s core function involves the processing of User-submitted queries and data by the AI Agent, which generates responses, executes database queries, analyses files, and produces reports. This processing is AI-assisted but does not, in the ordinary operation of the Platform, constitute automated decision-making within the meaning of Article 22(1) of the EU GDPR — that is, processing that produces legal effects concerning the data subject or similarly significantly affects the data subject — because:
- The AI Agent’s outputs (responses, query results, reports) are research tools provided to the User for the User’s own analytical and decision-making purposes. The AI Agent does not make binding decisions on behalf of the Company in respect of any individual data subject.
- The AI Agent does not evaluate individual natural persons’ creditworthiness, performance, reliability, behaviour, location, or similar attributes in a manner that produces legal effects or similarly significantly affects them.
- All material decisions made in connection with the Platform (including subscription management, account suspension, and access control) are made with human involvement.
13.2 Token Usage-Based Access Controls
The Platform tracks per-User Token Usage and may automatically restrict or suspend access to AI Agent functionality upon a User reaching prescribed usage thresholds. Such automated enforcement of usage limits is necessary for the performance of the contract between the Company and the User and constitutes a legitimate operational control. The Company shall notify affected Users of any access restriction resulting from usage threshold enforcement and shall provide an opportunity to seek human review of such decisions by contacting the Company’s support team.
13.3 No Behavioural Profiling
The Company does not create behavioural profiles of individual Users for the purpose of targeted advertising, scoring, or other purposes beyond the legitimate operational uses described in Section 4 of this Policy. Conversation Logs and usage data are not used to build individual psychological or preference profiles that are applied to decisions affecting the data subject.
13.4 AI-Generated Reports Containing Third-Party Data
Where a User directs the AI Agent to analyse data files or database query results that contain personal data of third-party natural persons, and the AI Agent produces analytical outputs, summaries, or reports concerning such individuals, the User (as the controller of such third-party data) bears responsibility for ensuring that such automated analytical processing complies with the Applicable Data Protection Laws governing the processing of that third-party data. The Company’s role in such circumstances is that of a Data Processor acting on the User’s instructions, and the Company makes no representations as to the lawfulness of the User’s analytical processing purposes.
14. Data Breach Notification Procedures
The Company maintains documented incident response and data breach notification procedures in compliance with the notification obligations imposed by Applicable Data Protection Laws. The following procedures apply in the event of a confirmed or reasonably suspected Data Breach:
14.1 Internal Detection and Assessment
Upon detection of a potential security incident that may constitute a Data Breach, the Company’s incident response team shall conduct a preliminary assessment within twenty-four (24) hours of detection to determine: (i) the nature and scope of the incident; (ii) the categories and approximate volume of Personal Data affected; (iii) the categories and approximate number of Data Subjects likely to be affected; (iv) the likely consequences of the breach; and (v) whether the breach meets the notification thresholds prescribed by applicable law.
14.2 Notification under EU GDPR
Pursuant to Article 33 of the EU GDPR, where a Personal Data Breach is likely to result in a risk to the rights and freedoms of natural persons, the Company shall notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after having become aware of the breach. Where notification cannot be made within seventy-two (72) hours, it shall be accompanied by reasons for the delay pursuant to Article 33(1). Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall also notify the affected data subjects without undue delay pursuant to Article 34, unless one of the derogations in Article 34(3) applies.
14.3 Notification under Malaysia PDPA
Pursuant to Section 12C of the Malaysia PDPA (as amended), where a Personal Data Breach involves the personal data of data subjects in Malaysia and is likely to result in significant harm or is significant in scale, the Company shall notify the Personal Data Protection Commissioner within the timeframe prescribed by the Commissioner’s guidelines. Where required, affected Data Subjects shall also be notified.
14.4 Notification under Singapore PDPA
Pursuant to Part VIA of the Singapore PDPA (Sections 26C–26H), where a data breach is a “notifiable data breach” — being a data breach that results in or is likely to result in significant harm to the affected individual, or is of a significant scale — the Company shall notify the Personal Data Protection Commission no later than three (3) calendar days after the Company has assessed or ought reasonably to have assessed that the breach is a notifiable data breach. Where required, affected individuals shall also be notified.
14.5 Notification under Thailand PDPA
Pursuant to Section 37(4) of the Thailand PDPA, in the event of a data breach, the data controller shall notify the Personal Data Protection Committee without delay and, where possible, not later than seventy-two (72) hours after becoming aware of the breach. Where the breach is likely to result in high risk to the rights and freedoms of data subjects, the data controller shall also notify the affected data subjects without delay.
14.6 Notification under Indonesia PDP Law
Pursuant to Article 46 of the Indonesia PDP Law, in the event of a failure of personal data protection (terjadinya kegagalan pelindungan data pribadi), the personal data controller shall give written notification to the Personal Data Protection Committee (Komisi) and to the personal data subject as soon as possible and not later than fourteen (14) working days after becoming aware of the failure. The notification shall describe the type of data involved, when and how the failure occurred, and the efforts undertaken to address it.
14.7 Sub-processor Breach Notification
All Data Processing Agreements entered into by the Company with Sub-processors require Sub-processors to notify the Company of any confirmed or reasonably suspected Data Breach affecting Personal Data processed on behalf of the Company without undue delay, and in any event within twenty-four (24) hours of the Sub-processor becoming aware of the breach, to enable the Company to fulfil its own notification obligations under Applicable Data Protection Law.
14.8 Documentation
Pursuant to Article 33(5) of the EU GDPR, the Company documents all Personal Data Breaches, including those which do not require notification to a supervisory authority, comprising the facts relating to the breach, its effects, and the remedial action taken. Such documentation is maintained in the Company’s incident register and made available to supervisory authorities upon request.
15. Changes to This Policy
The Company reserves the right to modify, update, or revise this Policy at any time to reflect changes in the Company’s processing activities, the introduction of new Platform features, changes in Applicable Data Protection Law, regulatory guidance, or for any other legitimate operational reason. Any changes to this Policy shall take effect upon the posting of the revised Policy at https://ai.research.my/privacy or such other URL as the Company may designate.
Where changes to this Policy are material — being changes that affect the legal basis for processing, introduce new categories of Personal Data, add new processing purposes, change data retention periods, or otherwise materially alter the rights or obligations of Data Subjects — the Company shall provide advance notice to affected Data Subjects by one or more of the following means:
- Email notification to the registered email address of each User Account;
- A prominent notice displayed within the Platform’s Workspace interface upon the User’s next login following the effective date of the revised Policy;
- Such other means of notification as may be required by Applicable Data Protection Law.
Where a material change requires the establishment of a new legal basis under Applicable Data Protection Law (for example, where a new processing purpose requires fresh consent), the Company shall obtain such consent or identify and document the applicable lawful basis prior to commencing the new processing activity.
The effective date of the current version of this Policy is set out at the top of this document. Users are encouraged to review this Policy periodically. Continued use of the Platform following notification of material changes to this Policy shall, to the extent permissible under Applicable Data Protection Law, constitute acknowledgement of the revised Policy, without prejudice to the right of any Data Subject to withdraw consent or exercise other rights as described in Section 8.
The Company shall maintain an archive of prior versions of this Policy, which shall be made available upon written request to the Data Protection Officer.
16. Contact Information and Data Protection Officer
The Company designates a Data Protection Officer (DPO) pursuant to Article 37 of the EU GDPR, Section 11(3) of the Singapore PDPA, Section 41 of the Thailand PDPA, and Article 53 of the Indonesia PDP Law. The DPO may be contacted for all matters relating to personal data processing, the exercise of Data Subject rights, and data protection compliance inquiries.
- Data Controller: Basic Insight
- Address: Kuala Lumpur, Malaysia
- DPO Email: dpo@ai.research.my
- General Privacy Email: privacy@ai.research.my
- Platform URL: https://ai.research.my
The DPO operates independently and is not subject to instructions by the Company as regards the exercise of DPO tasks pursuant to Article 38(3) of the EU GDPR. The DPO shall not be penalised or dismissed for performing DPO tasks in accordance with Applicable Data Protection Law.
All Data Subject rights requests, complaints, and privacy-related inquiries should be submitted in writing (including by email) to the DPO. The Company will acknowledge receipt of all requests within five (5) business days and will provide a substantive response within the timeframes prescribed by the relevant Applicable Data Protection Law.
Data Subjects who are not satisfied with the Company’s response to a rights request or complaint have the right to lodge a complaint with the competent data protection supervisory authority for their jurisdiction, including but not limited to:
- Malaysia: Personal Data Protection Department (Jabatan Perlindungan Data Peribadi), Ministry of Communications and Digital, Malaysia — https://www.pdp.gov.my
- Singapore: Personal Data Protection Commission (PDPC) — https://www.pdpc.gov.sg
- Thailand: Personal Data Protection Committee (PDPC Thailand), Office of the National Broadcasting and Telecommunications Commission — https://www.pdpc.or.th
- Indonesia: The ministerial authority responsible for Personal Data Protection pursuant to the Indonesia PDP Law (currently the Ministry of Communication and Information Technology / Kementerian Komunikasi dan Informatika).
- European Union: The competent supervisory authority of the EEA Member State of the data subject’s habitual residence, place of work, or the place of the alleged infringement, pursuant to Article 77 of the EU GDPR.
- California, United States: The California Privacy Protection Agency (CPPA), established pursuant to Cal. Civ. Code § 1798.199.10.
17. Governing Law and Jurisdiction
This Policy shall be governed by and construed in accordance with the laws of Malaysia, including in particular the Personal Data Protection Act 2010 (Act 709) and all subsidiary legislation made thereunder. Nothing in this governing law provision shall be construed to limit the application of any Applicable Data Protection Law that applies mandatorily to the processing of Personal Data of data subjects located in the relevant jurisdiction, including the EU GDPR, the Singapore PDPA, the Thailand PDPA, and the Indonesia PDP Law, in their respective spheres of mandatory application.
Any dispute arising out of or in connection with this Policy, including any question regarding its existence, validity, or termination, shall, subject to the mandatory jurisdiction of competent data protection supervisory authorities, be submitted to the exclusive jurisdiction of the courts of Malaysia, in particular the courts of Kuala Lumpur, without prejudice to the right of Data Subjects in other jurisdictions to bring claims before their local courts where such jurisdiction is mandated by applicable law.
For data subjects in the European Union and European Economic Area, the Company acknowledges that the EU GDPR confers a right to bring claims before the courts of the Member State in which the data subject has habitual residence pursuant to Article 79(2) of the EU GDPR, and nothing in this governing law clause shall be construed to derogate from that right.
18. Jurisdiction-Specific Supplementary Provisions
18.1 Malaysia — Supplementary Provisions
The following supplementary provisions apply specifically to the processing of Personal Data of data subjects in Malaysia, in addition to the general provisions of this Policy:
- The Company is a data user within the meaning of Section 4 of Act 709, insofar as the Platform constitutes a commercial transaction under the Act. The Company is registered with the Personal Data Protection Department where such registration is required under the Personal Data Protection (Class of Data Users) Order 2013.
- Personal data of Malaysian data subjects is processed in accordance with all seven data protection principles set out in Part II of Act 709, as described in Section 5.2 of this Policy.
- Pursuant to Section 7(1) of Act 709, this Policy serves as the written notice of the Company’s data processing activities required to be provided to data subjects in connection with commercial transactions.
- The transfer of Personal Data of Malaysian data subjects outside Malaysia is conducted in accordance with Section 129 of Act 709 and the Personal Data Protection (Place of Data Transfer) Order.
- Data subjects in Malaysia who wish to withdraw consent, exercise access or correction rights, or make a complaint regarding the processing of their personal data may do so by contacting the DPO as specified in Section 16, or by lodging a complaint with the Personal Data Protection Department at https://www.pdp.gov.my.
- The Company’s privacy notices for specific processing activities involving special classes of personal data (as defined under Act 709) are provided separately at the relevant point of data collection and should be read together with this Policy.
18.2 Singapore — Supplementary Provisions
The following supplementary provisions apply specifically to the processing of Personal Data of data subjects in Singapore, in addition to the general provisions of this Policy:
- The Company is an organisation within the meaning of Section 2 of the Singapore PDPA. The Company’s DPO for purposes of the Singapore PDPA is the individual identified in Section 16 of this Policy.
- The Company has appointed a Data Protection Officer pursuant to Section 11(3) of the Singapore PDPA. The DPO’s business contact information is published at https://ai.research.my/privacy or is available upon request.
- Pursuant to the Personal Data Protection (Amendment) Act 2020, the mandatory data breach notification regime under Part VIA of the Singapore PDPA applies to the Company’s processing of personal data of Singapore data subjects. Notifiable data breaches will be reported to the PDPC within three (3) calendar days as required by Section 26D of the Singapore PDPA.
- The Company’s right to collect, use, and disclose personal data of Singapore data subjects without consent is limited to the purposes prescribed in the Second, Third, and Fourth Schedules of the Singapore PDPA, as applicable.
- Data portability requests by Singapore data subjects will be processed in accordance with the Personal Data Protection (Portability of Personal Data) Regulations where applicable.
- The Company complies with the Advisory Guidelines on the Personal Data Protection Act issued by the PDPC, including the Advisory Guidelines on the PDPA for Selected Topics and any sector-specific guidelines applicable to the Company’s operations.
18.3 Thailand — Supplementary Provisions
The following supplementary provisions apply specifically to the processing of Personal Data of data subjects in Thailand, in addition to the general provisions of this Policy:
- The Company processes personal data of data subjects in Thailand in accordance with the Personal Data Protection Act B.E. 2562 (2019) and all Ministerial Regulations and notifications issued by the Personal Data Protection Committee thereunder.
- The legal bases for processing personal data of Thai data subjects are as described in Section 5.4 of this Policy, with specific reference to Sections 24 and 26 of the Thailand PDPA.
- Consent of Thai data subjects is obtained in writing or through an electronic system, and the consent request clearly specifies the purposes for which personal data will be collected, used, or disclosed pursuant to Section 19 of the Thailand PDPA.
- Where the Company appoints a data processor to process personal data of Thai data subjects, a written data processing agreement is executed requiring the processor to process such data only upon the Company’s instructions pursuant to Section 40 of the Thailand PDPA.
- The Company designates a Data Protection Officer for processing activities involving personal data of Thai data subjects where such designation is required under Section 41 of the Thailand PDPA — including where large-scale processing of sensitive personal data or systematic monitoring is undertaken.
- Data subjects in Thailand may exercise their rights under Sections 30–43 of the Thailand PDPA by contacting the DPO as specified in Section 16 of this Policy.
- In the event of a Personal Data Breach affecting personal data of Thai data subjects, notification to the Personal Data Protection Committee will be provided within seventy-two (72) hours where the breach is likely to result in risk to data subjects’ rights and freedoms, pursuant to Section 37(4) of the Thailand PDPA.
18.4 Indonesia — Supplementary Provisions
The following supplementary provisions apply specifically to the processing of Personal Data of data subjects in Indonesia, in addition to the general provisions of this Policy:
- The Company processes personal data of data subjects in Indonesia in accordance with Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi) and all implementing regulations issued thereunder by the Government of Indonesia.
- The Company, as a personal data controller pursuant to Article 1(4) of the Indonesia PDP Law, fulfils the obligations set forth in Chapter IV (Articles 20–49) of the Indonesia PDP Law, including obligations to: (i) maintain a legal basis for processing; (ii) guarantee the accuracy, completeness, and consistency of personal data; (iii) fulfil the rights of personal data subjects; (iv) protect personal data from unauthorised processing; and (v) demonstrate compliance with personal data protection provisions.
- The Company designates a Personal Data Protection Officer for processing activities meeting the designation criteria under Article 53 of the Indonesia PDP Law.
- In the event of a failure of personal data protection (kegagalan pelindungan data pribadi) affecting personal data of Indonesian data subjects, the Company shall provide written notification to the relevant authority and to affected personal data subjects within fourteen (14) working days pursuant to Article 46 of the Indonesia PDP Law.
- Cross-border transfers of personal data of Indonesian data subjects are conducted in accordance with Article 56 of the Indonesia PDP Law, which requires that the receiving country have personal data protection provisions equivalent to those under the Indonesia PDP Law, or that adequate safeguards be implemented.
- The Company does not process the personal data of Indonesian data subjects for purposes other than those disclosed in this Policy and in the applicable terms of service. Any change in processing purpose shall be communicated to affected data subjects and, where required, fresh consent shall be obtained.
- Indonesian personal data subjects may exercise their rights under Articles 8–14 of the Indonesia PDP Law by contacting the DPO as specified in Section 16 of this Policy.
18.5 European Union / EEA — Supplementary Provisions
The following supplementary provisions apply specifically to the processing of Personal Data of data subjects in the European Economic Area, in addition to the general provisions of this Policy:
- The Company processes personal data of EEA data subjects in compliance with Regulation (EU) 2016/679 (the EU GDPR), including all obligations relating to lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability as set out in Article 5 of the EU GDPR.
- The Company has conducted and maintains records of Data Protection Impact Assessments (DPIAs) pursuant to Article 35 of the EU GDPR for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons.
- The Company maintains a Record of Processing Activities (RoPA) pursuant to Article 30 of the EU GDPR, documenting all processing activities involving personal data of EEA data subjects.
- Where required by Article 27 of the EU GDPR, the Company shall designate and publish the contact details of its representative in the EU. Until such designation is made, EEA data subjects should contact the DPO as specified in Section 16.
- Transfers of personal data of EEA data subjects to third countries are effected using appropriate safeguards under Article 46 of the EU GDPR, as described in Section 7.1 of this Policy.
- EEA data subjects may lodge complaints with their national data protection supervisory authority pursuant to Article 77 of the EU GDPR. A list of EU supervisory authorities is maintained by the European Data Protection Board at https://www.edpb.europa.eu.
- The Company’s Legitimate Interests Assessments (LIAs) for processing based on Article 6(1)(f) of the EU GDPR are available upon written request to the DPO.
- The Company complies with the ePrivacy Directive (2002/58/EC) as implemented in national law in relevant EEA Member States with respect to the use of cookies and electronic communications, as described in Section 10 of this Policy.
18.6 California, United States — Supplementary Provisions
The following supplementary provisions apply specifically to California residents, in addition to the general provisions of this Policy, pursuant to the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100 et seq.) as amended by the California Privacy Rights Act:
- In the twelve (12) months prior to the effective date of this Policy, the Company has collected the following categories of Personal Information from consumers (as those categories are defined in Cal. Civ. Code § 1798.140): (i) Identifiers (real name, email address, account name, IP address); (ii) Internet or other electronic network activity information (browsing history within the Platform, search queries submitted to the AI Agent, session data); (iii) Commercial information (records of subscription or service transactions); and (iv) Inferences drawn from the above to create a profile about a consumer reflecting the consumer’s preferences or behaviour within the Platform.
- The Company does not sell Personal Information as defined by Cal. Civ. Code § 1798.140(ad), nor does it share Personal Information for purposes of cross-context behavioural advertising as defined by Cal. Civ. Code § 1798.140(ah).
- The Company does not use or disclose Sensitive Personal Information (as defined by Cal. Civ. Code § 1798.140(ae)) for purposes other than those listed in Cal. Civ. Code § 1798.121(a), and therefore does not offer a “Limit the Use of My Sensitive Personal Information” opt-out right pursuant to Cal. Civ. Code § 1798.121.
- California residents may submit requests to know, delete, or correct their personal information by contacting the DPO at the details provided in Section 16. The Company will verify the identity of the requestor using commercially reasonable verification measures commensurate with the sensitivity of the personal information sought.
- The Company will not discriminate against California residents for exercising their rights under the CCPA/CPRA pursuant to Cal. Civ. Code § 1798.125.
- Where an authorised agent submits a rights request on behalf of a California resident, the Company may require written proof of the agent’s authority and direct verification with the California resident to confirm the request.
- The Company shall respond to verified consumer requests within forty-five (45) calendar days of receipt, which may be extended by a further forty-five (45) days where reasonably necessary, with notice to the consumer pursuant to Cal. Civ. Code § 1798.130.
- California residents may contact the California Privacy Protection Agency at https://cppa.ca.gov for information about their rights under California law.
19. APEC Privacy Framework and OECD Guidelines
In addition to the mandatory legal frameworks described above, the Company is guided by the principles of the following voluntary and quasi-regulatory international frameworks:
19.1 APEC Privacy Framework (2015 revision)
The Asia-Pacific Economic Cooperation (APEC) Privacy Framework (2015) sets out nine information privacy principles applicable to the collection, use, and disclosure of personal information by organisations in the APEC region. The Company’s practices are consistent with the APEC Privacy Framework principles of: (i) Preventing Harm; (ii) Notice; (iii) Collection Limitation; (iv) Uses of Personal Information; (v) Choice; (vi) Integrity of Personal Information; (vii) Security Safeguards; (viii) Access and Correction; and (ix) Accountability. The Company supports the objectives of the APEC Cross-Border Privacy Rules (CBPR) System and the Privacy Recognition for Processors (PRP) System as frameworks promoting interoperability between privacy regimes in the APEC region.
19.2 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2013 revision)
The Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2013) establish foundational principles for data protection that have influenced the design of data protection laws across the world. The Company’s processing practices are consistent with the OECD Guidelines’ eight basic principles: (i) Collection Limitation Principle; (ii) Data Quality Principle; (iii) Purpose Specification Principle; (iv) Use Limitation Principle; (v) Security Safeguards Principle; (vi) Openness Principle; (vii) Individual Participation Principle; and (viii) Accountability Principle.
19.3 ISO/IEC 27001 and Related Standards
The Company’s information security management practices are informed by the requirements of the ISO/IEC 27001:2022 Information Security Management Systems standard and the supplementary guidance in ISO/IEC 27701:2019 (Privacy Information Management System), which provides an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, establishing requirements and guidance for controllers and processors responsible for the processing of personally identifiable information (PII).
20. Data Minimisation and Privacy by Design
Pursuant to the principle of data minimisation under Article 5(1)(c) of the EU GDPR, and the concept of privacy by design and by default under Article 25 of the EU GDPR, and consistent with the equivalent principles in other Applicable Data Protection Laws, the Company implements the following measures to ensure that only Personal Data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed is collected and retained:
- The Platform collects only those categories of Personal Data enumerated in Section 3 of this Policy and does not permit the collection of additional categories without prior Policy revision and, where required, Data Subject notification.
- Database queries executed on behalf of Users are strictly limited to SELECT operations, ensuring that the Platform cannot be used as a vector for the extraction of Personal Data beyond what is necessary for the User’s legitimate research purpose.
- File system sandboxing and path traversal prevention controls limit the exposure of file system contents to only those files within the User’s designated Workspace directory.
- Session token expiry and mandatory re-authentication after configurable idle periods limit the window of exposure in the event of unattended authenticated sessions.
- Log data collected for security monitoring purposes is subject to automated retention limits and is purged upon expiry of the retention periods specified in Section 6.
- The Company conducts periodic reviews of data processing activities to identify and eliminate unnecessary data collection and retention.
21. Accountability and Compliance Programme
Pursuant to the accountability principle under Article 5(2) of the EU GDPR, Section 12 of the Singapore PDPA (as amended), and the equivalent accountability provisions of other Applicable Data Protection Laws, the Company maintains a structured data protection compliance programme comprising the following elements:
- Data Protection Officer: The appointment and maintenance of a DPO as described in Section 16, responsible for monitoring compliance with Applicable Data Protection Laws, advising on Data Protection Impact Assessments, and serving as the contact point for Data Subjects and supervisory authorities.
- Record of Processing Activities: Maintenance of a RoPA pursuant to Article 30 of the EU GDPR, documenting all processing activities conducted by the Company as controller and, where applicable, as processor.
- Data Protection Impact Assessments: Conducting DPIAs for processing operations likely to result in high risk to Data Subjects, pursuant to Article 35 of the EU GDPR and equivalent requirements under other Applicable Data Protection Laws.
- Data Processing Agreements: Execution of written DPAs with all Sub-processors and third-party processors as required by Article 28 of the EU GDPR and equivalent provisions.
- Privacy by Design Reviews: Incorporating data protection considerations into the design and development of new Platform features and changes to existing processing activities.
- Staff Training: Regular data protection awareness training for all personnel involved in the processing of Personal Data.
- Internal Audit: Periodic internal audits of data processing activities, security measures, and compliance with this Policy and Applicable Data Protection Laws.
- Incident Response: Maintenance of documented incident response procedures as described in Section 14, including regular testing and updates.
- Legitimate Interests Assessments: Documentation of LIAs for all processing activities based on Article 6(1)(f) of the EU GDPR.
This Privacy Policy was last reviewed and updated on 18 March 2026. The Company maintains records of all prior versions of this Policy, which are available upon written request to the Data Protection Officer.