PDPA Notice
Personal Data Protection Act 2010 (Malaysia) · Effective: 12 July 2026
This notice is issued pursuant to the Personal Data Protection Act 2010 (“PDPA”) and describes how [Operator Legal Name] (“we”, “us”) processes your personal data through Impact365. Where there is a Bahasa Malaysia version, it shall be read together with this English version. (A bilingual notice is recommended under the PDPA — please prepare a Bahasa Malaysia translation.)
1. Personal data we process
We may process your name, identification number (NRIC/passport), contact details, address, role and organisation, login and device data, and — for HR/payroll features — employment and payroll information. Some of this data is provided directly by you; some is provided by the organisation (our customer) that engaged the Service.
2. Purposes
- To create and administer your account and provide the Service.
- To process accounting, company-secretarial, HR/payroll and document workflows.
- To comply with statutory, tax, accounting and regulatory obligations.
- To maintain security, prevent fraud and keep audit records.
- To communicate with you regarding the Service.
3. Disclosure (Section 8)
Your personal data may be disclosed to: our service providers and sub-processors; integrated third-party services you enable (such as GajiHub and AI providers); your engaging organisation; professional advisors; and government or regulatory authorities where required by law.
4. Your obligations & consequences
Supplying accurate personal data is necessary to provide the Service. If you do not provide the required data, we may be unable to create your account or deliver certain features.
5. Your rights under the PDPA
| Access | Request access to the personal data we hold about you. |
| Correction | Request correction of inaccurate, incomplete or out-of-date data. |
| Withdraw consent | Withdraw consent to processing (this may limit use of the Service). |
| Limit processing | Request that we limit processing for direct marketing or specified purposes. |
An access or correction request may be subject to a prescribed fee and verification of identity, and may be refused in the limited circumstances permitted by the PDPA.
6. Data security & retention
We apply practical security measures (hashing of passwords and tokens, tenant isolation, role-based access, audit logging, encryption in transit) and retain personal data only for as long as necessary for the stated purposes or as required by law.
7. Processor relationship
Where we process personal data on behalf of a customer organisation (for example, data about that customer’s own employees, directors or clients), the customer is the data user and we act on its instructions as a data processor. Data subjects should direct requests to the relevant customer organisation; we will assist the customer in responding.
8. How to contact us / exercise your rights
To exercise any right or for questions about this notice, contact our data protection contact:
- [Operator Legal Name]
- Attn: Data Protection Officer
- Email: support@slv.my
- Address: [Registered Address]
This PDPA notice is a template and must be reviewed by a qualified legal advisor and, where appropriate, accompanied by a Bahasa Malaysia translation before publication.