Privacy Notice.

01Data Controller

The data controller is VPOS Group Sdn Bhd (Registration No. 201901024297 (1333626-V)), with registered address at No. 7, Jalan PJU 7/8B, Mutiara Damansara, 47800 Petaling Jaya, Selangor, Malaysia. For all data protection enquiries, including requests to exercise your rights under the PDPA, please contact our Data Protection Officer at: dpo@vkad.app or by post to the address above marked “Attn: Data Protection Officer”.

02Personal data we collect

We collect the following categories of personal data:

1. Account data — name, email, mobile number, password (hashed), company name, job title, business address, profile photograph, and any other information you choose to include on your vKad.
2. Transaction data — billing name, billing address, delivery address, transaction reference, plan selected, payment status, and SST particulars where applicable. Card payment details are not stored by us; they are processed by our payment gateway provider directly.
3. Device and usage data — IP address, browser type and version, operating system, device identifiers, referring URLs, pages visited, timestamps, and similar log information collected automatically when you use the Services.
4. Communications data — content of enquiries, support tickets, feedback, and correspondence.
5. Cookies and similar technologies — see Annexure 1 (Cookie Policy).
6. Lead Data — where you share your vKad with another person (whether by scan, tap, or link), we may collect their contact details (name, email, phone, company), the time and approximate location of the interaction, the device or channel used, and any data they choose to provide. This Lead Data is made available to you through your dashboard.
7. AI Inputs and Outputs — if you enable AI-assisted features (currently called “The Answers”), we process the FAQ content, prompts, instructions, and other inputs you provide (“AI Inputs”) and the responses generated from them (“AI Outputs”). For the avoidance of doubt, we do not collect or process voice recordings, voice prints, fingerprints, facial-recognition data, or any other biometric data (which, under the PDPA as amended in 2024, is classified as sensitive personal data) for these features.
8. Messaging metadata — if you use WhatsApp eCatalogue auto-send or similar messaging features, we process the recipient details you provide and the delivery metadata (sent, delivered, read receipts where available, opt-out status) to operate the feature.

We do not knowingly collect sensitive personal data (as defined in s.4 PDPA, as amended) and ask that you do not submit any.

03Purposes of processing

We process personal data for the following purposes:

1. creating and administering your account, authenticating you, and providing the Services (including hosting and serving your vKad URL);
2. processing orders, payments, and delivery of physical NFC cards;
3. issuing tax invoices, billing, debt recovery, and accounting;
4. communicating with you, including responding to enquiries, sending service notices, and providing support;
5. sending direct marketing communications about our products and services where you have consented (you may opt out at any time — see clause 7);
6. operating, securing, monitoring, troubleshooting, and improving the Services and our infrastructure;
7. providing AI-assisted features and processing AI Inputs to generate AI Outputs for your review and use;
8. collecting and presenting Lead Data to you through your dashboard;
9. preventing, detecting, and investigating fraud, unauthorised access, and other unlawful activities; and
10. complying with applicable laws, regulations, and lawful requests of competent authorities.

04Lawful basis

We process personal data on the basis of your consent, the necessity of performance of the contract for the Services, our legitimate interests in operating and securing the Services, and where we are required or permitted to do so by law.

05Disclosure of personal data

We may disclose your personal data to the following classes of third parties, each under appropriate contractual data-protection terms:

1. cloud and hosting service providers;
2. payment gateway and acquiring banks;
3. delivery and logistics providers (for physical NFC cards);
4. email, SMS, customer-support, and analytics providers;
5. AI service providers (for AI Features);
6. messaging platform providers (including Meta Platforms, Inc. for WhatsApp Business);
7. professional advisers (lawyers, accountants, auditors);
8. governmental, regulatory, or law-enforcement authorities, where required by law or to protect our rights, property, or safety, or those of others; and
9. acquirers, investors, and their advisers, in connection with any actual or proposed corporate transaction.

5ALead Data — your role and ours

Where you collect Lead Data through the Services, you are the data controller of that Lead Data and we act as your data processor (within the meaning given to those terms by the PDPA). We will:

1. process Lead Data only in accordance with the Terms of Service and your reasonable instructions;
2. implement security measures consistent with clause 9;
3. assist you in responding to data subject requests received from Leads;
4. notify you of any personal data breach affecting Lead Data without undue delay; and
5. on termination of your account, return or delete Lead Data in accordance with clause 10.

You are responsible for the lawfulness of your collection and use of Lead Data, including providing any privacy notices and obtaining any consents required from Leads.

5BAI sub-processors

AI Inputs may be processed by third-party AI service providers, which may be located outside Malaysia. We use only providers that are bound by contracts (i) restricting use of AI Inputs to the provision of the Services and (ii) prohibiting use of AI Inputs to train the providers’ general-purpose models. The list of AI sub-processors is available on request.

06Cross-border transfer

Some of our service providers (including hosting, analytics, AI, and messaging providers) are located outside Malaysia. Where personal data is transferred outside Malaysia, we will only do so on one or more of the bases permitted by section 129 of the PDPA (as amended), including with your consent, where transfer is necessary for the performance of the contract with you, or where we have taken reasonable steps and exercised due diligence to ensure that the recipient applies a level of protection comparable to the PDPA. The list of jurisdictions to which transfers are made is available on request.

07Your rights

Subject to the PDPA, you have the right to:

1. request access to your personal data (s.30);
2. request correction of inaccurate, incomplete, misleading, or out-of-date data (s.34);
3. withdraw your consent to processing (s.38), noting that withdrawal may prevent us from continuing to provide the Services;
4. require us to cease processing your personal data for direct marketing (s.43); and
5. lodge a complaint with the Commissioner of Personal Data Protection (https://www.pdp.gov.my).

To exercise any of these rights, contact our Data Protection Officer (clause 1). We may charge a prescribed fee for data access requests as permitted by the PDPA. We will respond within 21 days, or such other period as required by law.

7AData portability

Subject to the PDPA, any subsidiary legislation, and any guidance issued from time to time by the Commissioner of Personal Data Protection on data portability, you have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format, and, where technically feasible, to transmit such personal data directly to another data controller of your choice. We will use reasonable efforts to comply with portability requests as the operational scope of this right develops. To the extent that the right is not yet fully operational across all components of the Services, we will inform you of the position at the time of your request.

08Cookies and similar technologies

We use cookies and similar technologies to operate the Site and improve your experience. The categories of cookies we use, the third-party cookies set on the Site, their duration, and how you can manage them are set out in Annexure 1 (Cookie Policy), which forms part of this Notice.

09Security

We apply organisational, administrative, physical, and technical measures consistent with the Personal Data Protection Standard 2015 (as updated from time to time) to protect personal data, including encrypted transmission for sensitive flows, role-based access control, hosting on data centres with appropriate certifications, and routine security reviews. No system is wholly secure; we do not warrant absolute security but undertake to apply reasonable measures.

10Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, tax, and regulatory requirements. As a guide:

1. Account data — for the duration of your subscription, plus 12 months after termination, after which data is deleted or anonymised;
2. Transaction and accounting records — seven (7) years (Income Tax Act 1967 s.82(9); Companies Act 2016 s.245);
3. Lead Data — for the duration of your subscription; on termination, you may export your Lead Data within thirty (30) days, after which it is deleted or anonymised;
4. AI Inputs and AI Outputs — retained for as long as needed to provide the AI Features and for a reasonable period thereafter for service-improvement and security purposes (subject to the restrictions in clause 5B);
5. Marketing data — until you withdraw consent.

11Data breach notification

In accordance with the PDPA (as amended) and any prescribed notification standard, where a personal data breach occurs that is likely to result in significant harm or affects a significant scale of data subjects (presently, 500 or more individuals), we will notify the Commissioner of Personal Data Protection without undue delay and within 72 hours of becoming aware of the breach. We will also notify affected data subjects without undue delay where required. Where Lead Data is affected, we will also notify you (as data controller) without undue delay so that you can comply with your own notification obligations.

12Children

The Services are not directed to persons under the age of 18 (the age of majority under the Age of Majority Act 1971), and we do not knowingly collect personal data from such persons. If you believe we have collected such data, please contact our Data Protection Officer and we will delete it.

12AAgency Plan and sub-users

If your account is an Agency Plan, the entity that opens the account (the “Account Holder”) is the principal data controller for the account and for all Lead Data collected through any seat under the account. Each Agent occupying a seat is a separate data subject with respect to their own personal data. On termination of an Agent’s seat, the Agent’s personal vKad data may be deactivated; Lead Data collected through any seat remains with the Account Holder. This clause governs the platform record only and does not (i) limit the rights of Lead data subjects under the PDPA, or (ii) regulate any separate non-solicit, non-compete, or confidentiality obligations between the Account Holder and the Agent, which must be addressed by separate agreement between them.

13Third-party links

The Site may link to third-party websites and services. This Notice does not apply to those third parties; please review their privacy notices.

14Changes to this Notice

We may update this Notice (including Annexure 1) from time to time. The current version is published at https://www.vkad.app/privacy-policy with the effective date. Material changes will be notified to you by email or via the Site.

15Contact us

For all data protection enquiries: dpo@vkad.app or VPOS Group Sdn Bhd, No. 7, Jalan PJU 7/8B, Mutiara Damansara, 47800 Petaling Jaya, Selangor, Malaysia, Attn: Data Protection Officer.

A1What cookies are

Cookies are small text files that a website places on your device when you visit it. They allow the website to recognise your device on subsequent visits, remember your preferences, keep you signed in, and collect information about how the Site is used. We also use similar technologies, including web beacons, pixels, local storage, and SDKs, which we refer to collectively in this Annexure as “cookies”.

A2Categories of cookies we use

1. Strictly necessary cookies — required for the Site to function. These include cookies that authenticate you, maintain your session, balance load across our servers, and protect against cross-site request forgery. These cookies cannot be disabled through our cookie banner because the Site cannot operate without them.
2. Functional cookies — remember choices you make to enhance functionality. Examples include language preference and dashboard settings. Disabling these may degrade functionality.
3. Analytics cookies — help us understand how Users interact with the Site so we can improve performance and design. Examples include cookies set by Google Analytics or similar tools. These cookies are loaded only with your consent.
4. Marketing / advertising cookies — used (where applicable) to deliver content relevant to you and to measure the effectiveness of our marketing. These cookies are loaded only with your consent.

A3Cookies we set

The cookies currently set on the Site are listed below. We update this list periodically as the Services evolve.

A4Third-party cookies

Some of the cookies on the Site are set by third parties whose services we use (such as analytics or messaging providers). We do not control these cookies. Please refer to the privacy and cookie policies of those third parties for information on how they use cookies. The principal third parties are listed in clause 3.

A5Duration

1. Session cookies are deleted when you close your browser.
2. Persistent cookies remain for a defined period (set out in the table in clause 3) or until you delete them.

A6Your choices

1. Cookie banner — when you first visit the Site, a cookie banner allows you to accept or reject non-essential cookies. Strictly necessary cookies cannot be disabled through the banner.
2. Preference centre — you can change your cookie choices at any time through the cookie preference link in the footer of the Site.
3. Browser controls — most browsers allow you to view, manage, and delete cookies through their settings. Refer to your browser’s help section for instructions. Disabling strictly necessary cookies may prevent the Site from functioning.
4. Withdrawal — withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

A7Do Not Track signals

Some browsers transmit “Do Not Track” signals. There is no industry-standard interpretation of these signals. We respond to user choices made through our cookie banner and preference centre rather than browser-level signals.

A8Updates to this Annexure

We may update this Annexure from time to time, including when we add or remove cookies. Updates take effect when posted at https://www.vkad.app/privacy-policy.

A9Contact

For questions about this Annexure or our use of cookies, contact our Data Protection Officer at dpo@vkad.app.