Tpay Platform Private Limited

1. Introduction

This Privacy and Data Protection Policy (“Policy”) sets out the principles and controls adopted by Tpay Platform Private Limited (“Tpay”, “Company”, “it”) in relation to the collection, use, storage, disclosure, transfer, retention, and deletion of personal data in the course of its business operations. This Policy is intended to reflect Tpay’s commitment to lawful, fair, and transparent processing of personal data and to support compliance with applicable data protection laws, including the Digital Personal Data Protection Act, 2023, as may be amended from time to time.

For the purposes of this Policy, references to “personal data” include personal information and personally identifiable information relating to an identified or identifiable natural person, whether collected directly or indirectly, and processed in digital form or subsequently digitised in the course of business operations.

Throughout this Policy, “Tpay” refers to Tpay Platform Private Limited and, where the context requires, includes its employees, personnel, and authorised representatives who process personal data on its behalf. Tpay recognises that responsible handling of personal data is essential to maintaining the trust of its employees, clients, business partners, applicants, vendors, and other individuals whose personal data may be shared with or processed by Tpay in the course of its activities.

2. Purpose

This Policy is intended to:

implement privacy-by-design principles in the design, development, operation, and review of Tpay’s systems, products, services, and internal processes ;

establish a common framework for the lawful collection, use, storage, transfer, retention, and deletion of personal data;

define internal responsibilities and controls for protecting personal data and responding to data principal requests, complaints, and grievances; and

support Tpay’s compliance with applicable legal, regulatory, and contractual obligations relating to privacy and data protection.

3. Scope

This Policy applies to:

Tpay’s information and records that contain personal data;

Tpay’s information systems, platforms, applications, devices, and storage environments used to process personal data;

all employees, directors, officers, interns, consultants, contractual personnel, temporary staff, and other individuals engaged by Tpay; and

third-party staff, service providers, contractors, or processors handling personal data on behalf of or in connection with Tpay.

This Policy applies to the collection, storage, processing, use, disclosure, transfer, retention, archival, and deletion of personal data relating to clients, prospective clients, business partners, employees, former employees, applicants for employment, third-party personnel, service providers, and other individuals whose personal data may be processed in connection with Tpay’s business operations.

Personal data may be collected through websites, mobile or web-based interfaces, account onboarding processes, service delivery processes, employment and recruitment processes, correspondence, contractual interactions, support channels, and other lawful business touchpoints.

4. Privacy and Data Protection Requirements

The collection, storage, processing, transfer, use, retention, and deletion of personal data by Tpay shall be governed by the following principles and controls.

4.1 Fair and Lawful Processing of Personal Data

Tpay shall process personal data in a lawful, fair, and transparent manner and in accordance with applicable law. In furtherance of this requirement, the following controls shall apply:

Notice

Tpay shall provide data principals with a timely, clear, and understandable privacy notice describing, to the extent applicable under law:

the categories or description of personal data being collected and processed;

the specific purposes for which such personal data is being processed;

the manner in which data principals may exercise their rights in relation to such personal data;

the manner in which consent may be withdrawn, where processing is based on consent;

the process for raising grievances or complaints; and

the contact details of the person or office authorised to respond to questions, requests, or complaints relating to personal data.

Choice

Except where otherwise permitted or required by applicable law, Tpay shall not disclose personal data to third parties for their independent use without providing the relevant data principal an appropriate opportunity to make an informed choice regarding such disclosure.

Consent

Where consent is required under applicable law, Tpay shall process personal data only on the basis of valid consent obtained from the data principal or a person lawfully authorised to provide such consent. Such consent shall, to the extent required by law, be free, specific, informed, unconditional, and unambiguous, and shall be evidenced through a clear affirmative action.

Where applicable, Tpay shall also provide data principals with a simple and accessible mechanism to withdraw consent. Withdrawal of consent shall be given effect in accordance with applicable law, subject to lawful grounds for continued retention or processing.

4.2 Limitations on Collection, Use, and Disclosure of Personal Data

The following controls shall govern purpose limitation, data minimisation, and onward disclosure or transfer of personal data.

Purpose Limitation

Tpay shall collect personal data only for specific, lawful, and legitimate business purposes [page:1]. Personal data collected by Tpay shall be relevant, proportionate, and not excessive in relation to the purposes for which it is collected and processed.

Tpay shall process personal data in a manner consistent with the purposes communicated to the data principal at the time of collection, unless otherwise permitted or required by applicable law or the data principal has subsequently consented to a new or additional use.

Personal data collected from data principals in the course of business shall not be sold, rented, or leased by Tpay [page:1].

Data Minimisation

Tpay shall take all legally required and commercially reasonable steps to ensure that personal data processed by it is adequate, relevant, and limited to what is necessary for the purposes for which such data is processed.

Use and Disclosure Controls

Tpay shall use and disclose personal data only on a need-to-know basis and only where such use or disclosure is necessary for a lawful business purpose, required to perform contractual obligations, required by law, or otherwise permitted under applicable law.

Onward Transfer

Where personal data is disclosed to a third party, processed by a service provider, transferred across borders, or made accessible from another jurisdiction, Tpay shall implement appropriate safeguards, including contractual protections and such technical, organisational, or legal measures as may be reasonably necessary to ensure adequate protection of the personal data so transferred or disclosed.

4.3 Management of Personal Data

The following controls shall apply to the management, integrity, security, retention, and deletion of personal data.

Accuracy and Integrity

Tpay shall take all legally required and commercially reasonable steps to ensure that personal data is reliable for its intended use and, to the extent necessary for the relevant processing purpose, accurate, complete, and kept up to date.

Where personal data is found to be inaccurate, incomplete, or outdated, Tpay shall take appropriate steps to correct, complete, update, or erase such personal data, as applicable and in accordance with law.

Access, Correction, Completion, Updating, and Erasure

Tpay shall maintain reasonable processes and communication channels to enable data principals, subject to applicable law, to:

seek information regarding the personal data processed by Tpay;

request correction, completion, or updating of inaccurate or incomplete personal data; and

request erasure of personal data that is no longer necessary for the purpose for which it was processed, or where consent has been withdrawn, unless retention is required by law or otherwise permitted under applicable law.

Security Safeguards

Tpay shall implement legally required and commercially reasonable technical, organisational, physical, and administrative safeguards proportionate to the nature, volume, sensitivity, and risk associated with the personal data being processed, in order to protect such personal data against personal data breaches, loss, misuse, unauthorised access, unauthorised disclosure, alteration, destruction, or other unlawful processing.

Where personal data is sensitive or otherwise requires heightened protection under applicable law, Tpay shall ensure that enhanced safeguards are applied as appropriate.

Personal Data Breach Response

Tpay shall maintain internal procedures for identifying, assessing, escalating, containing, investigating, documenting, and responding to actual or suspected personal data breaches. Where required by applicable law, Tpay shall notify affected individuals and competent authorities or regulators in the prescribed manner and within applicable timelines.

Retention and Deletion

Tpay shall retain personal data in a form that permits identification of data principals only for as long as necessary to fulfil the purpose for which the personal data was collected and processed, or for such longer period as may be required under applicable law, regulation, court order, contractual obligation, or legitimate recordkeeping requirement.

Where the purpose for processing has been fulfilled and retention is no longer necessary, or where consent has been withdrawn and no other lawful basis for retention applies, Tpay shall delete or erase the relevant personal data in accordance with applicable law and its internal retention and deletion procedures.

Personal data may be retained for longer periods solely for lawful archival, research, statistical, or historical purposes where permitted by applicable law and subject to the implementation of appropriate safeguards.

4.4 Accountability, Compliance, Exceptions, and Violations

The following controls shall govern accountability for and enforcement of this Policy.

Accountability

The Director shall be responsible for overall oversight of compliance with this Policy and shall ensure that appropriate internal measures are implemented to demonstrate compliance with applicable privacy and data protection requirements. The Director may designate one or more individuals, officers, or functions within the organisation to support compliance, operational implementation, oversight, and response management under this Policy.

Where applicable law requires appointment of a Data Protection Officer or a designated point of contact, Tpay shall make such appointment and publish the relevant contact details in the manner required by law.

Data Principal Requests, Complaints, and Dispute Resolution

The Director, or the person designated for this purpose, shall establish appropriate points of contact and communication channels to:

receive and respond to access, correction, completion, updating, or erasure requests;

receive and investigate privacy or data protection-related grievances and complaints; and

provide a fair and reasonable process for the handling, tracking, and resolution of such requests and complaints.

Tpay shall communicate the progress and status of requests or complaints to the relevant data principal within a reasonable period. Where required by applicable law, Tpay shall inform the data principal of available escalation mechanisms, including the right to approach the appropriate statutory authority or board after exhausting the grievance process made available by Tpay.

Compliance

The Director shall be responsible for implementing and enforcing this Policy, issuing supplementary privacy-related standards, procedures, or guidelines where necessary, and coordinating privacy compliance functions, including any role to be discharged as a Data Protection Officer where mandated by law.

All persons covered by this Policy shall comply with its requirements and with any associated procedures, standards, or controls issued by Tpay. Failure to comply with this Policy may result in disciplinary action, including suspension, restriction or withdrawal of system access, reassignment of responsibilities, or more severe action up to and including termination of employment or engagement, subject to applicable law.

Exceptions

Any exception to this Policy must be documented and approved by the Director or such authorised person as may be designated by Tpay.

Violations

Any employee or individual subject to this Policy who knowingly violates or attempts to violate this Policy, circumvents applicable controls, or engages in unlawful processing of personal data shall be subject to disciplinary action, up to and including separation from Tpay, subject to applicable employment and other applicable laws. Where unlawful activity, fraud, security compromise, or deliberate bypass of controls is suspected, Tpay may report the matter to law enforcement agencies or other competent authorities, as appropriate and in accordance with law.

5. Waivers

At the time of issuance of this Policy, there are no authorised waivers or standing exceptions. Any request for waiver or exception shall be submitted to the Director for review and decision. Where a waiver or exception is approved, the Director may require corresponding updates to policy records, internal controls, or related documentation.

6. Grievance Redressal and Contact Information

Any grievance, complaint, query, request, or comment concerning this Policy or the processing of personal data by Tpay may be submitted in writing to the following contact email address:

privacy@techpay.ai

Tpay shall seek to acknowledge and address grievances and related queries as expeditiously as reasonably possible and in accordance with applicable law. If a data principal is not satisfied with the response provided through Tpay’s grievance process, the data principal may avail such statutory remedies as may be available under applicable law, including escalation to the competent authority or board where so provided.

7. Document Information

Document Version History

8. Internal Implementation Notes

This Policy will be read together with Tpay’s internal data retention schedule, information security policies, incident response procedures, employee confidentiality obligations, contractual data processing terms, and any privacy notice, consent wording, cookie notice, or product-specific data handling documentation issued by Tpay from time to time. Where any applicable law imposes additional or more specific obligations than those set out in this Policy, such legal requirements shall prevail to the extent of the inconsistency.

1. Introduction

This Privacy Policy applies to TECHPAYAI SDN BHD (Company No. 202501047647 (1649055-K)) and its affiliates (“TechPay AI”, “we”, “our”, “us”) and governs the collection, use, and disclosure of personal data in connection with our services, website (www.techpay.ai), and any other online or offline interaction with you (“you”, “your”). This policy is designed to comply with the PDPA and other applicable laws in Malaysia.

2. Scope

This Privacy Policy covers personal data collected from:

Visitors to our website and applications;

Customers, users, and prospective customers (including individuals representing corporate clients);

Persons who request information, engage in transactions, subscribe to newsletters, or otherwise engage with us.

The policy does not apply to personal data collected by third-party websites to which our services may link or by our business partners under separate policies.

3. What is “Personal Data”

For the purposes of this policy and under the PDPA, “personal data” means any information that relates directly or indirectly to an individual who is identified or identifiable. This may include, but is not limited to, name, email address, telephone number, national identity number, IP address, location data, and other demographic or usage data.

4. Information We Collect

a) Information you provide

We may ask you to provide personal data when you:

Use our website or application;

Request quotes, services or support;

Register an account;

Subscribe to newsletters or marketing communications;

Participate in surveys, webinars or promotional offers;

Contact us through forms, email or phone.

Such personal data may include your name, email address, billing/shipping address, telephone number, user ID, password, job title, company information, demographics (such as age, gender, interests), payment information (where applicable), national identity number (where required) and any other information you choose to provide.

b) Information we collect automatically

When you visit our websites or use our services we may automatically collect usage and behavioural data, such as:

IP address, device identifiers, browser type and language;

Access times, referring URL, pages viewed, links clicked;

Location data and other similar technical information;

Cookies and tracking technologies.

c) Information we obtain from third-party sources

We may supplement the personal data we collect from you with information from third parties such as business partners, public databases, social media platforms or marketing providers, in order to enhance our understanding of your preferences and deliver tailored services and communications.

5. How We Use Personal Data

We may use your personal data for the following purposes:

To deliver products, services and support you request;

To process transactions and manage accounts;

To send you communications relating to your transactions, services you use, updates, newsletters, promotional offers (where you have consented) and other information about our business;

To enable you to participate in features of our website and services (such as live chat, account management, downloads);

To personalise, analyse and improve our website, services, marketing campaigns, content, and user experience;

To profile interests (where permitted) and target advertising, subject to applicable consent and law;

To enforce our terms of service, prevent fraud or illegal activities, ensure security and integrity of our business and systems;

To fulfil legal or regulatory obligations or exercise legal rights.

6. Legal Basis for Processing

Under the PDPA and as applicable in Malaysia, the legal basis for processing your personal data will depend on the context and may include:

Your consent (where required);

Performance of a contract with you or taking steps at your request prior to entering a contract;

Compliance with legal obligations;

Legitimate interests of TechPay AI or our partners, provided your rights and freedoms are not overridden by those interests.

7. Retention of Your Data

We will retain your personal data for as long as necessary to fulfil the purposes described above, unless a longer retention period is required or permitted by law. Once the data is no longer needed, we will securely destroy or anonymise it.

8. International Transfers

If we transfer your personal data outside Malaysia (for example to service providers or affiliates), we will ensure appropriate safeguards are in place, such as contractual protections, to protect your data consistent with the level of protection under Malaysian law.

9. How We May Share Your Personal Data

We may share your personal data with:

Our subsidiaries, affiliates and business partners for the purposes described above;

Service providers who perform functions on our behalf (e.g., payment processors, analytics providers, marketing, IT services) and who are contractually obligated to protect your data;

Sales and marketing chain participants (resellers, distributors, agents) if relevant to the product/service you use;

Legal or regulatory authorities if required by law or in connection with legal claims, fraud prevention or acquisition/sale transactions.

We will not sell or rent your personal data for third-party marketing purposes without your consent.

10. Your Rights

Under the PDPA you may have the following rights (subject to applicable conditions):

Access: Request details of the personal data we hold about you and a copy thereof;

Rectification: Request correction of inaccurate or incomplete personal data;

Erasure: Request deletion of your personal data, where applicable;

Restriction: Request limitation of processing of your personal data;

Objection: Object to our processing of your personal data (including for marketing profiling) where legitimate interests are the basis;

Data portability: Where technically feasible and applicable, request transfer of your personal data to another controller;

Withdraw consent: Where processing is based on your consent, you may withdraw it (without affecting processing prior to withdrawal).

To exercise these rights, please contact us (see Section 13). Please note we may refuse or charge a reasonable fee in line with applicable law if requests are manifestly unfounded or excessive.

11. Selection of Communication Preferences & Opt-Out

You can choose not to receive marketing communications from us by following the “unsubscribe” link in any marketing email, or by contacting us. Even if you opt-out of marketing, we may still send you service-related messages (e.g., about your account, transactions). You may also opt-out of profiling for marketing purposes.

12. How We Secure Your Personal Data

We take appropriate technical and organisational measures to protect your personal data from unauthorised or accidental access, loss, destruction, alteration or disclosure. These measures include encryption of sensitive data, limiting access to authorised personnel, physical access controls, contractual safeguards with our service providers, regular security assessments and internal processes. While we strive to ensure high security, no system is completely secure and we cannot guarantee absolute security.

13. Children’s Personal Data

We do not knowingly collect personal data from children (as defined under applicable laws) through our website or services without parental or guardian consent. If we become aware that we have inadvertently collected personal data from a child without proper consent, we will take steps to delete it.

14. Cookies and Similar Technologies

We use cookies and similar tracking technologies on our website to gather usage information, personalise content, remember your preferences and display targeted advertising (where permitted). You may disable or block cookies via your browser settings; however, note that some features of our website may not function correctly if cookies are disabled.

15. Links to Third-Party Websites and Services

Our services may contain links to third-party websites, applications or services. We are not responsible for the privacy practices or content of those third parties. We encourage you to read the privacy policy of every site you visit.

16. Changes to This Privacy Policy

We may periodically update this Privacy Policy. If we make material changes, we will update the “Effective Date” at the top of this policy and/or provide additional notice as required by law. Please review this policy periodically for updates.

17. Contacting Us

If you have questions or wish to exercise your rights under this policy, you may contact us at:

TECHPAYAI SDN BHD

Address: LOT 3A01A, LEVEL 3A, GLO DAMANSARA SHOPPING MALL 699, JLN DAMANSARA, TAMAN TUN DR ISMAIL, 60000 KUALA LUMPUR W.P. KUALA LUMPUR MALAYSIA

Email: Contact@techpay.ai

We will endeavour to respond to all queries within a reasonable timeframe.

18. Jurisdiction & Governing Law

This Policy and our handling of personal data shall be governed by the laws of Malaysia, including the PDPA. Any disputes arising out of this policy shall be subject to the exclusive jurisdiction of the courts of Malaysia.