Privacy Policy
Personal Data Protection Act 2010 (PDPA) Malaysia Compliant
Effective Date: 21 January 2026
Version: 1.1
1. Introduction
YBServe Solutions (SSM Registration No: 202603018067 (NS0318440-A)) ("YBServe", "we", "us", or "our"), a business registered in Malaysia, is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, disclose, and protect personal data in compliance with the Personal Data Protection Act 2010 (Act 709) of Malaysia ("PDPA") and its subsidiary legislation.
This Privacy Policy applies to all personal data processed through the YBServe platform (the "Service"), whether you are a Customer (elected representative's office), an Authorised User (staff member), or a Citizen (constituent who submits issues).
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.
2. Definitions
In this Privacy Policy, unless the context otherwise requires:
- "Customer" means the elected representative's office, political entity, or organisation that subscribes to the Service and acts as the Data Controller.
- "Authorised User" means any individual authorised by the Customer to access and use the Service.
- "Citizen" means any individual who submits an issue or interacts with the Customer through the Service.
- "Data Controller" means the Customer who determines the purposes and means of processing Personal Data.
- "Data Processor" means YBServe, which processes Personal Data on behalf of the Data Controller.
- "Personal Data" means any information that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in our possession.
- "Sensitive Personal Data" means personal data consisting of information as to physical or mental health, political opinions, religious beliefs, the commission of any offence, or any other personal data as determined by the Minister.
- "Processing" means any operation performed on Personal Data, including collection, recording, holding, storage, retrieval, use, disclosure, and destruction.
3. Data Controller and Processor Relationship
3.1 Roles
Under the PDPA framework:
- The Customer (elected representative's office) is the Data Controller who determines the purposes for which Personal Data is collected and processed;
- YBServe is the Data Processor who processes Personal Data on behalf of and under the instructions of the Customer;
- Citizens are Data Subjects whose Personal Data is processed through the Service.
3.2 Responsibilities
As Data Controller, the Customer is responsible for:
- Obtaining valid consent from Citizens before collecting their Personal Data;
- Providing appropriate privacy notices to Citizens;
- Responding to data subject access requests;
- Ensuring the lawful processing of Personal Data.
As Data Processor, YBServe is responsible for:
- Processing Personal Data only in accordance with the Customer's instructions;
- Implementing appropriate security measures;
- Assisting the Customer in responding to data subject requests;
- Maintaining records of processing activities.
3.3 Controller-Specific Privacy Obligations
Each Customer (elected representative's office) is solely responsible for:
- Issuing its own privacy notice to Citizens where required;
- Obtaining valid consent from Citizens under the PDPA;
- Determining the purposes and means of processing Personal Data;
- Responding to data subject access, correction, and withdrawal requests;
- Ensuring a lawful basis for all data collected using the YBServe platform.
YBServe acts strictly as a Data Processor and shall not use, disclose, or process Personal Data for any purpose other than providing the Service and as instructed by the Customer.
3.4 No Ownership of Data
YBServe does not own, control, or claim any rights over Citizen Personal Data. All Personal Data processed through the Service remains under the control of the respective Customer at all times.
4. Personal Data We Collect
4.1 Categories of Personal Data
We collect and process the following categories of Personal Data:
4.1.1 Citizen Data (collected via issue submission forms)
- Full name
- Email address
- Phone number
- Partial identification number (last 4 digits of MyKad)
- Address (optional)
- Geographic identifiers (PDM, DUN, Parliamentary constituency)
- Issue descriptions and attachments
- Communication history
4.1.2 Authorised User Data
- Full name
- Email address
- Role and position
- Login credentials (encrypted)
- Activity logs and audit trails
4.1.3 Customer Data
- Organisation name and details
- Billing information
- Administrative contact details
4.1.4 Automatically Collected Data
- IP addresses
- Browser type and version
- Device information
- Usage data and analytics
- Cookies and similar technologies
4.2 Sensitive Personal Data
We generally do not intentionally collect Sensitive Personal Data. However, Citizens may voluntarily include such information in their issue descriptions. If Sensitive Personal Data is provided, the Customer (as Data Controller) must ensure appropriate consent has been obtained.
5. Purposes of Processing
5.1 Primary Purposes
We process Personal Data for the following primary purposes:
- Providing the Service to Customers, including issue management and tracking;
- AI-assisted classification, categorisation, and prioritisation of issues;
- Generating analytics, reports, and insights for Customers;
- Facilitating communication between Customers and Citizens;
- Maintaining audit trails for accountability and compliance;
- Processing payments and managing subscriptions.
5.2 Secondary Purposes
We may also process Personal Data for the following secondary purposes:
- Improving and developing the Service;
- Ensuring the security and integrity of the Service;
- Complying with legal obligations;
- Responding to lawful requests from authorities;
- Protecting our rights and interests.
6. Legal Basis for Processing
Under the PDPA, we process Personal Data based on the following legal grounds:
6.1 Consent
Where required, we obtain consent from data subjects before processing their Personal Data. Consent is obtained through clear and affirmative action, such as checking a consent box on our forms.
6.2 Contractual Necessity
We process Personal Data as necessary to perform our contractual obligations to Customers, including providing the Service.
6.3 Legal Obligation
We may process Personal Data to comply with legal obligations under Malaysian law.
6.4 Legitimate Interests
We may process Personal Data based on our legitimate business interests, provided such interests are not overridden by the data subject's rights and interests.
7. Artificial Intelligence and Automated Processing
7.1 AI Features
The Service uses artificial intelligence to:
- Automatically classify and categorise issues;
- Perform sentiment analysis;
- Generate summaries and insights;
- Prioritise issues based on urgency.
7.2 Third-Party AI Providers
We engage the following third-party AI providers to deliver AI Features:
- OpenAI, LLC (United States) - for text classification;
- Anthropic PBC (United States) - for image and text classification.
7.3 AI Data Handling
Our AI providers are contractually bound to:
- Process data only as necessary to provide the AI functionality;
- Not use data to train their general AI models;
- Delete data after processing is complete;
- Implement appropriate security measures.
7.4 Human Oversight
AI outputs are advisory only. All final decisions regarding citizen issues remain with the Customer's authorised personnel.
8. Disclosure of Personal Data
8.1 Service Providers
We may disclose Personal Data to third-party service providers who assist us in operating the Service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | Singapore |
| Vercel Inc. | Application hosting | Global (Edge) |
| Stripe Inc. | Payment processing | Global |
| Resend Inc. | Email delivery | United States |
8.2 Legal Disclosure
We may disclose Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., court orders, government requests).
8.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, Personal Data may be transferred to the acquiring entity, subject to the same privacy protections.
9. Cross-Border Data Transfers
9.1 Transfer Outside Malaysia
Some of our service providers are located outside Malaysia. When Personal Data is transferred outside Malaysia, we ensure that:
- The transfer is made with appropriate consent where required;
- Appropriate safeguards are in place to protect Personal Data;
- The recipient provides a standard of protection comparable to Malaysian law.
9.2 Safeguards
We implement the following safeguards for cross-border transfers:
- Data processing agreements with all third-party providers;
- Contractual obligations requiring data protection standards;
- Technical measures such as encryption during transfer.
10. Data Security
10.1 Security Measures
We implement appropriate technical and organisational measures to protect Personal Data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
- Multi-tenant architecture with strict data isolation using Row Level Security;
- Role-based access controls;
- Regular security assessments and updates;
- Employee training on data protection;
- Incident response procedures.
10.2 Data Breach Notification
In the event of a Personal Data breach that is likely to result in serious harm, we will:
- Notify the affected Customer within 48 hours of becoming aware;
- Assist the Customer in notifying the Personal Data Protection Commissioner if required;
- Take immediate steps to contain and remediate the breach.
10.3 Personal Data Breach Liability
Where a Personal Data Breach is attributable to a Customer's misuse, unauthorised access, or improper handling of data, the Customer shall remain the responsible Data Controller under the PDPA.
YBServe shall only be responsible for breaches arising directly from failures of its platform security or processing systems.
10.4 Multi-Tenant Political Separation
The Service uses a strict multi-tenant architecture with logical and cryptographic separation between Customers. No Customer may access another Customer's data.
Each elected representative's office operates within a completely isolated data environment. This ensures political neutrality and prevents any cross-party or cross-constituency data exposure.
11. Data Retention
11.1 Retention Periods
We retain Personal Data for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law. Typical retention periods are:
- Active Customer Data: For the duration of the subscription plus 30 days;
- Audit logs: 7 years (as required for compliance);
- Billing records: 7 years (as required by tax law);
- Marketing preferences: Until consent is withdrawn.
11.2 Deletion
Upon termination of a subscription or upon request, we will securely delete or anonymise Personal Data within 30 days, except where retention is required by law.
12. Your Rights Under the PDPA
Under the PDPA, data subjects have the following rights:
12.1 Right of Access
You have the right to request access to your Personal Data that we hold. We will provide a copy of your Personal Data within 21 days of receiving your request.
12.2 Right of Correction
You have the right to request correction of any Personal Data that is inaccurate, incomplete, misleading, or not up-to-date.
12.3 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.
12.4 Right to Restrict Processing
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your Personal Data.
12.5 Right to Prevent Processing
You have the right to prevent processing of your Personal Data that is likely to cause damage or distress.
12.6 How to Exercise Your Rights
To exercise any of these rights:
- Citizens should contact the relevant Customer (elected representative's office) directly;
- Customers and Authorised Users may contact us at privacy@ybserve.com;
- We may require verification of your identity before processing your request;
- We will respond to requests within the timeframes required by the PDPA.
13. Cookies and Tracking Technologies
13.1 What Are Cookies
Cookies are small text files that are placed on your device when you visit our website. We use cookies and similar technologies to enhance your experience.
13.2 Types of Cookies We Use
- Essential cookies: Required for the Service to function properly;
- Analytical cookies: Help us understand how users interact with the Service;
- Preference cookies: Remember your settings and preferences.
13.3 Managing Cookies
You can control cookies through your browser settings. However, disabling certain cookies may affect the functionality of the Service.
14. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect Personal Data from children. If you become aware that a child has provided us with Personal Data, please contact us and we will take steps to delete such information.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of the Service after such notice constitutes your acceptance of the updated policy.
16. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
Platform Operator / Data Processor:
YBServe Solutions
SSM Registration No: 202603018067 (NS0318440-A)
Executive Suite 2, Level 3
Wisma Suria, Jalan Teknokrat 6
Cyber 5, 63000 Cyberjaya
Selangor, Malaysia
Tel: +603 8314 3398
Data Controllers:
Each elected representative's office, political entity, or organisation ("Customer") that uses the YBServe platform.
You may also lodge a complaint with the Personal Data Protection Commissioner if you believe your rights under the PDPA have been violated:
Jabatan Perlindungan Data Peribadi (JPDP)
Website: https://www.pdp.gov.my
— END OF PRIVACY POLICY —