PRIVACY POLICY

SPANA ("we", "us", "our") operates a motorcycle roadside assistance platform through our web application and mobile applications (collectively, the "Platform"). We are committed to protecting your personal data and respecting your privacy in accordance with the Malaysia Personal Data Protection Act 2010 ("PDPA Malaysia") and the Singapore Personal Data Protection Act 2012 ("PDPA Singapore").

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you use our Platform, whether as a member (Ahli SPANA), non-member, service technician, or workshop partner.

By using our Platform, you consent to the collection, use, and disclosure of your personal data as described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use our Platform.

The data controller responsible for your personal data is:

We collect and process the following categories of personal data:

We collect and process your personal data for the following purposes:

We may disclose your personal data to the following categories of recipients:

As we operate in both Malaysia and Singapore, and use international service providers, your personal data may be transferred to, stored, and processed in countries outside of Malaysia or Singapore.

When transferring personal data internationally, we ensure that:

• The receiving country has laws substantially similar to the PDPA or provides an adequate level of protection
• Appropriate contractual safeguards are in place with the receiving party
• You have consented to the transfer
• The transfer is necessary for the performance of our services to you

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable laws. Our retention periods are as follows:

When personal data is no longer required, we will securely delete or anonymise it in accordance with our data retention policies.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest using industry-standard protocols
• Secure authentication mechanisms including multi-factor authentication
• Regular security assessments and penetration testing
• Access controls limiting data access to authorised personnel
• Employee training on data protection and security best practices
• Secure data centres with physical security controls
• Incident response and data breach notification procedures

Under the PDPA Malaysia and PDPA Singapore, you have the following rights regarding your personal data:

To exercise any of these rights, please contact our Data Protection Officer using the contact details provided in Section 14 of this Privacy Policy. We will respond to your request within 21 days (Malaysia) or 30 days (Singapore) of receiving your request.

Sensitive personal data includes information relating to physical or mental health, religious beliefs, political opinions, and biometric data. We collect the following sensitive personal data with your explicit consent:

• Biometric data: Facial recognition data collected during eKYC verification for identity authentication purposes
• Health information: If voluntarily provided by technicians for health and safety purposes

We will only process sensitive personal data where we have obtained your explicit consent, or where processing is necessary to protect your vital interests or for legal claims.

In the event of a personal data breach that is likely to cause significant harm to affected individuals, we will:

• Notify the Personal Data Protection Commissioner as soon as practicable
• Notify affected individuals if the breach is likely to result in significant harm
• Take immediate steps to contain and assess the breach
• Implement measures to prevent future breaches

Our web application uses cookies and similar tracking technologies to enhance your browsing experience and analyse usage patterns. Types of cookies we use include:

• Essential cookies: Required for the Platform to function properly
• Performance cookies: Help us understand how visitors interact with our Platform
• Functionality cookies: Remember your preferences and settings
• Analytics cookies: Help us improve our services through usage analysis

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our Platform.

Our Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected personal data from a child, please contact us immediately, and we will take steps to delete such information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact our Data Protection Officer:

You may also lodge a complaint with the relevant data protection authority:

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws. We will notify you of any material changes by:

• Posting the updated Privacy Policy on our Platform
• Sending you a notification through the mobile application
• Sending you an email notification (for material changes)

Your continued use of the Platform after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

This Privacy Policy shall be governed by and construed in accordance with the laws of Malaysia. For users in Singapore, the relevant provisions of the PDPA Singapore shall apply to the extent required by law.

By using the SPANA Platform, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal data as described in this Privacy Policy.

For sensitive personal data, including biometric data collected during eKYC verification, your explicit consent will be obtained separately during the registration process.