1. Applicable Laws

This Privacy Policy is formulated in accordance with the laws and regulations of Malaysia governing data protection and privacy, including but not limited to the Personal Data Protection Act 2010 and its Amendment Act 2024, effective in phases starting January through June 2025 – including mandatory DPO appointment, breach notification, data portability and cross-border transfer provisions.

2. Information We Collect

2.1 Personal Information

Personal information refers to any information or opinion, whether true or not, and whether recorded in a material form or not, that pertains to an identifiable individual. The types of personal information we may collect about you include:

• Identity Data: Such as your full name, date of birth, national identification number, and other identification details.
• Contact Data: Your residential address, email address, and phone number.
• Account Data: Username, password, security questions and answers for your Sator.ai account.
• Transaction Data: Details of transactions you conduct with us, including payment information (processed through secure third-party payment gateways), purchase history, and order details.
• Technical and Usage Data: When you access our website or application, we may collect information about your device (such as device type, operating system, browser type), IP address, login times, session duration, page views, search queries, and other usage patterns.
• Profile Data: Information you provide in your user profile, such as profile picture, bio, preferences, and any content you create or upload on our platform.
• Interaction Data: Data generated from your interactions with our features, such as participation in surveys, contests, comments, likes, and shares.

2.2 Sensitive Information

Sensitive information is a subset of personal information that requires a higher level of protection. We do not actively solicit sensitive information. However, if we need to collect sensitive information such as your health information, religious beliefs, or political opinions for a specific and legitimate purpose permitted by law, we will first obtain your explicit consent and ensure its proper handling and protection.

3. How We Collect Personal Information

• Directly from You: When you register for an account, fill out forms, update your profile, or communicate with us via email, phone, or our online platforms.
• Automated Technologies: When you use our website or application, we may use cookies, web beacons, and other similar technologies to collect Technical and Usage Data. You can manage your cookie preferences through your browser settings.
• Third Parties: We may receive personal information from third parties, such as our business partners, service providers, or publicly available sources, but only if you have given your consent or as permitted by law.

4. Purposes of Collecting, Holding, Using, and Disclosing Personal Information

We use and disclose your personal information for the following purposes:

5. Disclosures of Personal Information to Third Parties

We will only disclose your personal information to third parties in the following circumstances:

• With Your Consent: When you have explicitly authorized us to share your information with specific third parties for a particular purpose.
• Service Providers: We may share your information with our trusted service providers who perform functions on our behalf, such as IT support, payment processing, data storage, and marketing agencies. These providers are bound by contractual agreements to protect your information and use it only for the purposes we specify.
• Business Partners: In the course of our business operations, we may share limited information with our business partners for joint marketing activities, strategic collaborations, or other legitimate business purposes, provided that appropriate safeguards are in place.
• Legal Requirements: We will disclose your information if required by law, such as in response to a subpoena, court order, or regulatory investigation.
• Corporate Transactions: In the event of a merger, acquisition, sale of assets, or other corporate restructuring, your personal information may be transferred to the successor entity or third parties involved in the transaction, subject to appropriate safeguards and notice to you where required by law.

6. Your Rights and Controlling Your Personal Information

• 6.1 Right to Access: You have the right to request access to the personal information we hold about you. We will respond to your request within a reasonable time and provide you with the information in a suitable format, subject to any legal exemptions or restrictions.
• 6.2 Right to Correction: If you believe that the personal information, we hold about you is inaccurate, incomplete, or out of date, you may request us to correct it. We will take reasonable steps to verify the accuracy of the information and make the necessary corrections promptly.
• 6.3 Right to Withdrawal of Consent: If you have given us your consent to collect, use, or disclose your personal information for a specific purpose, you may withdraw your consent at any time. However, please note that the withdrawal of consent may affect your ability to use certain features or services of our platform.
• 6.4 Right to Object: You have the right to object to the processing of your personal information for certain purposes, such as direct marketing. We will respect your objection and cease the processing of your information for that purpose, unless we have a legitimate overriding reason to continue.
• 6.5 Right to Lodge a Complaint: If you believe that we have violated your rights under this Privacy Policy or applicable laws, you have the right to lodge a complaint with the relevant regulatory authority in Malaysia. We encourage you to contact us first to attempt to resolve any issues amicably.
• 6.6 Right to Data Portability: Subject to technical feasibility and data compatibility, you may request that we transfer your personal data to another data controller of your choice. We will process such requests within a reasonable timeframe, in compliance with PDPA 2024.

7. Storage and Security

We take the security of your personal information seriously. We have implemented appropriate physical, technical, and administrative measures to protect your information from unauthorized access, disclosure, alteration, or destruction. These measures include but are not limited to:

• Secure data centers with restricted access.
• Encryption of sensitive data in transit and at rest.
• Regular security audits and vulnerability assessments.
• Employee training on data protection and privacy.

However, please note that no method of data transmission or storage is completely secure, and we cannot guarantee absolute security of your information.

7.1 Data Retention

We retain personal data only as long as necessary to fulfil the purposes described in this Policy, or as required by law. Unless legally required otherwise, personal information will be deleted or anonymized no later than three years after the relevant service concludes.

8. Cookies and Similar Technologies

We use cookies and similar technologies on our website and application to enhance your user experience, personalize content, and analyze user behavior. You can control the use of cookies through your browser settings. By using our platform, you consent to the use of cookies in accordance with this Privacy Policy.

9. Links to Other Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of these third-party websites. When you click on a link to a third-party website, we encourage you to review their privacy policies before providing any personal information.

10. Data Protection Officer (DPO)

We have appointed an internal Data Protection Officer, contactable at [email protected]. The DPO is responsible for overseeing our data protection compliance as required under PDPA 2024.

11. Data Breach Notification

In accordance with PDPA Amendment Act effective 1 June 2025, we will notify the Malaysian Personal Data Protection Commissioner “as soon as practicable” and affected individuals “without unnecessary delay” if a personal data breach occurs that may cause significant harm. We will also maintain a data breach register for at least two years and, if required, provide remediation steps.

12. Cross-Border Transfer of Personal Data

We may transfer personal data outside Malaysia to jurisdictions with laws substantially similar to the PDPA, or upon obtaining your explicit consent, or where required to perform a contract. We will conduct a Transfer Impact Assessment every three years to evaluate the destination country’s safeguards, and will rely on Standard Contractual Clauses or Binding Corporate Rules where applicable.

13. Amendments

This Privacy Policy may be updated to reflect the latest “Guidelines” issued by the Commissioner (e.g., Data portability, Data protection by design, Automated decision-making) or changes in law. We will post a notice on our website or notify users through other appropriate channels. Continued use after the new effective date indicates acceptance.