In compliance with the Personal Data Protection Act 2010 ("PDPA") of Malaysia.
This Privacy Policy (this "Policy") sets out the basis upon which HR Sage (Company No. [To be registered]) ("Company", "we", "us", "our") collects, uses, discloses, transfers, stores, retains, and otherwise processes Personal Data (as defined below) in connection with the Human Resource Management Services application and/or website and all related services, features and functionalities (including file upload and storage functionalities) made available by Company (collectively, the "Platform"), including any features that use artificial intelligence or machine learning to help users manage human resources workflows (the "AI Features").
By accessing, using, registering for, or otherwise interacting with the Platform, you acknowledge that you have read and understood this Policy. Where required by applicable law, we will obtain your consent to the Processing of your Personal Data. Where we rely on your consent (for example, for direct marketing where required), you may withdraw that consent as described in Section 11.
This Policy is to be read together with the Terms of Use governing use of the Platform and any privacy notice, data processing addendum, or similar instrument entered into between Company and a customer (if any). In the event of any inconsistency between the Terms of Use and this Policy, this Policy shall prevail to the extent of such inconsistency.
"Authorised User" means any person authorised by a corporate customer (including an employer) to access and use the Platform under that corporate customer's account.
"Customer Data" means any data, information, records, documents, files, and other materials (including human resources-related data and uploaded files) that are uploaded, submitted, stored, transmitted, generated, or otherwise made available through the Platform by or on behalf of a user or corporate customer.
"Personal Data" has the meaning ascribed to it under the Personal Data Protection Act 2010 ("PDPA"), and includes any information in our possession or control that relates directly or indirectly to an identified or identifiable individual.
"Process", "Processing" or "Processed" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, holding, storing, organising, adapting, altering, retrieving, using, disclosing, transmitting, transferring, disseminating, combining, erasing, and destroying.
"Sensitive Personal Data" has the meaning ascribed to it under the PDPA and may include, where applicable, information relating to physical or mental health conditions, political opinions, religious beliefs or other categories recognised under the PDPA.
This Policy applies to:
Where you access the Platform as an Authorised User, your employer or the relevant corporate customer may determine the purposes and means of Processing Customer Data uploaded to or generated within such corporate account and may administer access rights, permissions, and settings. Your employer or corporate customer may have its own policies and notices governing its Processing of Personal Data. Company is not responsible for the employer's or corporate customer's Processing of Personal Data outside the Platform or otherwise not carried out on Company's behalf.
This Section 2.3 is intended to provide notice under the PDPA (where applicable):
Subject to your use of the Platform and the information made available to us, Company may Process the following categories of Personal Data:
Name, email address, telephone number, login credentials (including encrypted and/or hashed password), organisation name, job title/role, and other account registration particulars.
Internet protocol (IP) address, device identifiers, browser type and version, operating system, language settings, access timestamps, session logs, pages/screens viewed, clickstream data, diagnostics, error logs, and performance data.
Requests, enquiries, feedback, and correspondence between you and Company (including records of communications).
Billing contact details, subscription plan information, invoice details, transaction identifiers, payment status and history. Payment card details are Processed by third-party payment processors. Company does not intentionally store full payment card numbers or card verification values (CVV).
Personal Data contained within Customer Data and/or uploaded files submitted by users or corporate customers, which may include human resources records and employment-related information (including, without limitation, employee particulars, employment records, leave and attendance records, performance records, and supporting documentation), to the extent uploaded to or generated in the Platform.
To the extent Customer Data includes Sensitive Personal Data, such data is Processed only as made available by the customer and for the purposes described in this Policy and/or the applicable Privacy Terms, and in accordance with the PDPA. The customer warrants that it has obtained explicit consent from the relevant individuals for such Processing in accordance with the PDPA.
Where AI Features are used, we may Process (a) inputs provided by users (which may include Personal Data in Customer Data), (b) outputs generated by the AI Features (for example, summaries, classifications, recommendations, or draft content), and (c) technical metadata and logs relating to the operation of the AI Features. AI-generated outputs may be inaccurate and should be reviewed by a human before being used to make decisions about an individual.
Company may collect Personal Data:
Company Processes Personal Data for the following purposes:
Subject to applicable law and, where required, your consent, to send you marketing communications regarding Company products and services. You may opt out in accordance with Section 11. Where legally required, we will obtain your consent before sending direct marketing to you.
To provide AI Features requested by you (for example, generating summaries, drafts, insights, classifications, or recommendations within the Platform); to monitor and improve the quality, safety, and performance of the AI Features (including debugging, evaluation, and abuse detection); and where permitted by law and the applicable Privacy Terms, to use De-identified Data to improve our services and models.
We do not use Customer Data to train or improve our general AI models unless agreed in writing with the relevant customer/user.
We Process Personal Data only where permitted under the PDPA, including where (a) you have given consent (including explicit consent where required), (b) Processing is necessary for performance of a contract, (c) Processing is necessary to take steps at your request prior to entering into a contract, (d) Processing is necessary to comply with legal obligations, or (e) Processing is necessary for our legitimate interests and does not override your interests, rights, or freedoms (where applicable under the PDPA).
Company may disclose Personal Data as follows:
Company may disclose Personal Data to third-party vendors, contractors, and service providers engaged to perform functions on our behalf (including hosting, storage, communications, analytics, monitoring, support tooling, and payment processing). Such parties will be permitted to Process Personal Data only in accordance with our instructions and for the purposes of providing their services to Company, and will be subject to contractual obligations to protect confidentiality and security.
If you are an Authorised User, Personal Data contained in Customer Data and generated within the relevant corporate account may be accessible to, and controlled by, the relevant corporate customer and its administrators in accordance with account settings and permissions.
Company may disclose Personal Data where we reasonably consider such disclosure necessary or appropriate to:
In the event of any actual or proposed merger, acquisition, restructuring, reorganisation, financing, sale of assets, or similar transaction involving Company, Personal Data may be disclosed and transferred as part of such transaction, subject to appropriate confidentiality and security safeguards.
Company may disclose Personal Data to our professional advisers (including lawyers, accountants, auditors, and insurers) where necessary for us to obtain professional advice or protect our legitimate interests.
For the avoidance of doubt, Company does not sell Personal Data to third parties.
Company may transfer, store, and/or Process Personal Data within and outside Malaysia, including in jurisdictions where our service providers operate or maintain facilities. Where applicable, Company will take reasonable steps to ensure that any such transfer is effected in accordance with the PDPA and that the recipient affords a standard of protection that is comparable to that under the PDPA and/or that appropriate safeguards are implemented. Such safeguards may include contractual requirements imposed on relevant recipients/service providers and appropriate technical and organisational security measures.
8.1 Company implements reasonable administrative, technical and organisational measures designed to protect Personal Data against unauthorised or unlawful Processing, and against accidental loss, destruction, or damage.
8.2 Notwithstanding Section 8.1, you acknowledge that no system is capable of being completely secure. Transmission of information via the internet and electronic storage involve inherent security risks. Accordingly, Company does not warrant or guarantee the absolute security of Personal Data.
8.3 You are responsible for maintaining the confidentiality of your login credentials and for taking reasonable precautions to secure your devices, networks, and access to the Platform.
8.4 In the event of a suspected or confirmed security incident affecting Personal Data, Company may take reasonable steps to investigate, mitigate, and remediate the incident. Where required by applicable law, Company may provide notifications to affected individuals and/or competent authorities.
9.1 Company will retain Personal Data for such period as is necessary to fulfil the purposes set out in this Policy, including for the provision of the Platform, compliance with legal obligations, resolution of disputes, and enforcement of agreements.
9.2 Customer Data (including uploaded files) is retained in accordance with:
9.3 Upon termination or expiry of an account or subscription, Customer Data may be deleted in accordance with Company's retention practices and the applicable Terms of Use and/or Privacy Terms, subject always to applicable law and any lawful retention requirements.
9.4 Customer Data and certain system logs may remain in encrypted or access-restricted backups for a limited period as part of our backup and disaster recovery processes, after which they will be overwritten or deleted in accordance with our backup cycles, unless retention is required by applicable law.
10.1 Company may use cookies, pixels, SDKs, local storage, and similar technologies to:
10.2 You may configure your browser or device settings to manage cookies. Disabling cookies may affect the availability or functionality of certain parts of the Platform.
10.3 Third-party technologies: Some cookies or similar technologies may be provided by third parties (for example, analytics or performance monitoring providers) to help us understand how the Platform is used and to improve it.
11.1 Subject to the PDPA and other applicable law, you may request access to, or correction of, Personal Data held by Company.
11.2 Where Processing is based on consent, you may withdraw your consent by written notice to Company. Withdrawal of consent may result in Company being unable to provide some or all of the Platform features and/or services to you.
11.3 If you are an Authorised User, requests relating to Personal Data contained in Customer Data may need to be directed to, or actioned by, the relevant corporate customer that controls such Customer Data. Company may refer your request to the corporate customer where appropriate.
11.4 Company may request additional information to verify your identity before processing any request and may refuse requests where permitted under applicable law.
11.5 Requests under this Section 11 should be submitted using the contact details in Section 13 with the subject line "PDPA Request". We will use reasonable efforts to respond within a reasonable time and may charge a fee where permitted under applicable law.
11.6 You may opt out of receiving marketing communications at any time by (i) using the unsubscribe mechanism in the relevant message (if provided), or (ii) contacting us using the details in Section 13. Administrative or service-related messages (for example, security, billing, and support communications) may still be sent where necessary.
11.7 We take reasonable steps to ensure Personal Data we Process is accurate, complete, not misleading, and kept up to date where reasonably practicable. You are responsible for ensuring that information you submit through the Platform is accurate and for updating account information where applicable.
The Platform is not intended for individuals under eighteen (18) years of age. Company does not knowingly Process Personal Data of children under eighteen (18). If you believe a child has provided Personal Data to Company, please contact us.
All notices, queries, requests, or complaints in relation to this Policy shall be directed to:
Company reserves the right to amend, update, or modify this Policy from time to time by posting the amended Policy on the Platform and updating the "Last Updated" date. Where we consider amendments to be material, we may provide additional notice (including by email or in-Platform notification). Your continued access to or use of the Platform after the effective date of any amendment constitutes your acknowledgement and acceptance of the amended Policy.
In accordance with the PDPA, this Policy is issued in both English and Bahasa Malaysia. In the event of any inconsistency, conflict, or discrepancy between the English version and the Bahasa Malaysia version of this Policy, the English version shall prevail to the extent of such inconsistency, conflict, or discrepancy.
Effective Date: January 5, 2026
Last Updated: January 5, 2026