PDPA Notice
Last updated: 24 June 2026
This notice is provided in support of compliance with the Personal Data Protection Act 2010 (PDPA) in Malaysia for personal data processed through the Collection application. It applies to school owners, administrators, staff, payers, parents, guardians, and students whose data is submitted through the platform.
1. Personal Data Processed
The system may process names, contact information, school-related profile data, student administrative records, payment details, uploaded files, session identifiers, IP addresses, user agent information, audit records, and support communications required to operate the service.
2. Purpose of Processing
Personal data is processed for account administration, school collection management, student allocation, payment tracking, receipt generation, export/report preparation, fraud prevention, security monitoring, support, and related operational functions.
3. Source of Data
Personal data is generally obtained directly from account users, school administrators, authorized staff, payers, guardians, or through records submitted within the normal use of the platform.
4. Disclosure
Personal data may be disclosed to authorized personnel within the relevant school account, technical service providers acting on operational instructions, email delivery providers, payment gateway providers selected by the school, or regulators and authorities where legally required.
5. Security and Retention
Reasonable steps are taken to protect personal data against loss, misuse, unauthorized access, modification, or disclosure. Sensitive runtime secrets are stored encrypted at rest. Current baseline retention periods are configured in the platform for payment records, receipts, audit logs, uploaded attachments, and data-subject requests, subject to legal holds or school obligations.
- Payment records: 2555 days
- Receipts: 2555 days
- Audit logs: 2555 days
- Data-subject requests: 1095 days
- Removed collection attachments: 30 days after removal
6. Access and Correction Requests
Individuals may request access to or correction of their personal data, subject to identity verification and any legal or administrative limitation that applies to the request. Requests may also include deletion, withdrawal of consent where applicable, or objections to specific uses.
Use the data-subject request form to submit a request. Requests are logged, notified to the system administrator contact, and tracked until fulfilled or rejected with a documented reason. Where the reviewer cannot confidently determine the correct outcome, the request should be escalated to the relevant school owner or a qualified legal/compliance adviser.
7. Choice and Limitation
Where lawful and practical, individuals may request limits on certain data processing. However, restricting required data may affect the ability of the school or platform to provide related services, including payment validation, student allocation, fraud checks, and receipt issuance.
8. Policy Revisions
This notice may be updated to reflect legal, operational, or service changes. The latest published version on the platform will apply.