Dasar Privasi

1. Introduction

This Privacy Policy explains how Words Connect PLT, LLP Registration No. 202204000391 (LLP0030660-LGN), of No.1 Blok Mawar Desa 288, Jalan Memanda 9, 68000 Ampang, Selangor ("Words Connect", "we", "us", or "our") collects, uses, discloses, and protects your personal data.

This Policy applies to all personal data we process, including via the AiOB platform (the "Service"), the Words Connect website, and any communications between you and us.

We comply with the Personal Data Protection Act 2010 of Malaysia ("PDPA"), as amended by the Personal Data Protection (Amendment) Act 2024. For the purposes of the PDPA, Words Connect is the data controller. Our Data Protection Officer is Ibrahim bin Mohamad (Baim), contactable at [email protected].

2. Information We Collect

We collect the following categories of personal data:

• (a) Account information: name, email address, phone number, business name, job title, NRIC or business registration number where required for billing or regulatory compliance.
• (b) Billing information: payment card details (processed by our payment processor, Stripe; we do not store full card numbers), billing address, transaction history.
• (c) Usage data: how you interact with the Service (features used, log files, time stamps), device information (IP address, browser type, operating system).
• (d) Customer Data: data you upload to the Service as part of your use of AiOB - for example, your customers' names, your employees' records, your invoices, inventory, and transactions. You are the controller of this data; we process it on your instructions.
• (e) Communications: messages you send us, support tickets, survey responses.
• (f) Marketing preferences: subscription status to our newsletters and marketing communications.

3. How We Collect Your Information

We collect personal data: (a) directly from you when you register, subscribe, or communicate with us; (b) automatically when you use the Service (via cookies, log files, analytics); (c) from third parties (e.g., Stripe provides billing confirmation).

4. Purposes and Legal Basis

We process your personal data for the following purposes:

• (a) To provide, operate, and maintain the Service (performance of contract);
• (b) To bill you and process payments (performance of contract, legal obligation);
• (c) To communicate with you about the Service, including support, updates, and important notices (performance of contract, legitimate interest);
• (d) To improve the Service, develop new features, and analyse usage patterns (legitimate interest);
• (e) To send marketing communications (with your consent, which you may withdraw at any time);
• (f) To comply with legal, regulatory, and tax obligations (legal obligation);
• (g) To detect, prevent, and respond to security incidents or fraud (legitimate interest).

5. Sharing and Disclosure

We may share your personal data with the following categories of recipients, subject to appropriate safeguards:

• Service providers: payment processor, hosting provider, email service provider, customer support tools.
• AI service providers: for AI-assisted features within the Service. Data sent to our AI service provider is processed under commercial terms that prohibit use of customer inputs for model training.
• Professional advisers: our lawyers, accountants, and auditors, bound by duty of confidence.
• Regulatory or law enforcement authorities: where required by law or valid legal process.
• A purchaser or successor in a merger, acquisition, or sale of assets.

A current list of subprocessors and the jurisdictions in which they operate is maintained in our Subprocessor List, available on request.

We do not sell your personal data to third parties for advertising.

6. Cross-Border Transfers

Some of our service providers process personal data outside Malaysia. Where we transfer personal data outside Malaysia, we do so on one or more of the following bases under Section 129 of the PDPA (as amended in 2024 and in force from 1 April 2025):

• (a) the recipient is located in a jurisdiction whose data protection laws are substantially similar to, or provide an adequate level of protection equivalent to, the PDPA;
• (b) the transfer is necessary for the performance of our contract with you, or for steps taken at your request to enter into such a contract;
• (c) the transfer is made with your express consent; or
• (d) any other ground permitted under Section 129(3) of the PDPA.

Where we rely on basis (a), we conduct a Transfer Impact Assessment (TIA) and implement appropriate contractual safeguards (such as Standard Contractual Clauses), consistent with the Personal Data Protection Department's Guidelines No. 03/2025 on Cross-Border Personal Data Transfer.

Further information about specific subprocessors and the jurisdictions in which they process data is available in our Subprocessor List on request.

7. Data Retention

We retain your personal data for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:

• Account and billing data: retained for the duration of your subscription plus seven (7) years thereafter for tax and accounting record-keeping.
• Customer Data: retained for the duration of your subscription. You may export data via the Service. Upon termination, you have thirty (30) days to export Your Data; after that, we may delete it, subject to legal retention requirements.
• Marketing preferences and consent records: retained until you withdraw consent and for a reasonable period thereafter to demonstrate compliance.

8. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, logging, and regular security review. However, no system is fully secure; we cannot guarantee absolute security.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in significant harm to affected individuals, we will notify the Commissioner of Personal Data Protection within seventy-two (72) hours of becoming aware of the breach, and will notify affected data subjects without undue delay, in accordance with the 2024 amendments to the PDPA and the Personal Data Protection Guidelines on Data Breach Notification.

10. Your Rights

Under the PDPA (as amended in 2024), you have the right to:

• Request access to the personal data we hold about you;
• Request correction of inaccurate or incomplete data;
• Request data portability where applicable;
• Withdraw consent where processing is based on your consent (this does not affect the lawfulness of processing before withdrawal);
• Object to processing in certain circumstances;
• Lodge a complaint with the Personal Data Protection Commissioner if you believe your rights have been violated.

To exercise your rights, contact us at [email protected]. We will respond within twenty-one (21) days or such other period as required by the PDPA.

11. Cookies and Tracking

We use cookies and similar technologies to operate the Service, remember your preferences, analyse usage, and improve the Service. A cookie banner on first visit allows you to accept or decline non-essential cookies. You can manage cookie preferences through your browser settings or via the in-site cookie preferences link. Disabling certain cookies may affect functionality.

12. Children

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it.

13. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified by email or in-app notice. The "Last updated" date at the top reflects the current version.

14. Contact Us

• Data Protection Officer: Ibrahim bin Mohamad (Baim)
• Email: [email protected]
• General support: [email protected]
• Postal address: Words Connect PLT, No.1 Blok Mawar Desa 288, Jalan Memanda 9, 68000 Ampang, Selangor, Malaysia
• For the Personal Data Protection Commissioner's office: www.pdp.gov.my