Privacy Policy
Effective date: 12 July 2026 · Last updated: 12 July 2026
This Privacy Policy explains how [Operator Legal Name] (“we”, “us”) collects, uses, discloses and protects personal data when you use Impact365 (the “Service”). It should be read together with our PDPA Notice, which sets out your rights under the Malaysian Personal Data Protection Act 2010.
1. Our roles
- For data about our direct customers and their authorised users (account, billing, login data), we act as a data controller / data user.
- For data that a customer uploads about its own clients, employees, directors and shareholders, we act as a data processor on the customer’s instructions.
2. Personal data we collect
- Account & profile: name, email, phone, role, organisation, login and authentication data.
- Customer Data you submit: customer/supplier contacts, invoices and financial records, director and shareholder details (including identification numbers), and uploaded documents.
- HR/payroll data obtained via the GajiHub integration where you enable it: employee names, positions, payroll summaries and statutory contribution figures.
- Usage & technical data: IP address, browser/user agent, audit logs of sensitive actions, and cookies (see our Cookie Policy).
3. How we use personal data
- To provide, operate, secure and support the Service.
- To authenticate users and enforce role-based access and tenant isolation.
- To process payments and manage subscriptions.
- To maintain audit trails and meet legal, accounting and statutory obligations.
- To generate AI summaries and drafts at your request (grounded in your own tenant data).
- To communicate service notices and, where permitted, product updates.
4. Legal bases
We process personal data on the bases of contract performance, your consent (where required), compliance with legal obligations, and our legitimate interests in operating and securing the Service, consistent with the PDPA.
5. Disclosure
We do not sell personal data. We may disclose it to: (a) sub-processors and infrastructure providers that host or support the Service; (b) integrated services you enable (e.g. GajiHub, AI providers); (c) professional advisors; and (d) authorities where required by law. Sub-processors are bound by confidentiality and data-protection obligations.
6. International transfers
Where personal data is processed outside Malaysia, we take steps to ensure a comparable level of protection consistent with the PDPA before any such transfer.
7. Security
- Passwords are stored using strong one-way hashing; API tokens are stored hashed.
- Strict tenant isolation prevents one customer from accessing another customer’s data.
- Role-based access control and audit logging of sensitive actions.
- Encryption in transit; access restricted on a need-to-know basis.
8. Retention
We retain personal data for as long as your account is active and as required to meet legal, tax and accounting obligations (which for certain financial records may be up to seven (7) years), after which it is deleted or anonymised.
9. Your rights
Subject to the PDPA, you may request access to or correction of your personal data, withdraw consent, or limit certain processing. Where we act as a processor for a customer, requests from that customer’s data subjects should be directed to the relevant customer. See the PDPA Notice for details and how to exercise your rights.
10. Children
The Service is intended for business use and is not directed at individuals under 18.
11. Changes
We may update this Policy. Material changes will be notified through the Service or by email.
12. Contact
Privacy enquiries: support@slv.my.