PDPA Compliance
Version: 1.0.0
Effective Date: June 13, 2026
Last Updated: June 13, 2026
Changes: Initial release
EZ FLOW LABZ SDN. BHD. (Company No. 202201026529 (1472226-H)) ("Company", "we", "us", or "our") is committed to full compliance with the Personal Data Protection Act 2010 ("PDPA") of Malaysia. This statement explains how we apply the seven principles of the PDPA across our platform, EzFlow, and in all our data processing activities.
This PDPA Compliance Statement should be read together with our Privacy Policy and End User License Agreement, both of which form part of our overall data governance framework.
1. Introduction to PDPA Compliance
The Personal Data Protection Act 2010 (Act 709) is the primary legislation in Malaysia governing the processing of personal data in commercial transactions. It establishes seven core principles that all data processors and data users must observe. EzFlow, as a software platform used by Malaysian businesses to manage their operations, handles personal data in two distinct capacities:
- As a Data User — when we collect and process personal data of our subscribers (business owners and their authorised staff) for the purpose of providing the EzFlow platform.
- As a Data Processor — when our subscribers use EzFlow to store and manage personal data of their own customers and employees. In this capacity, we act on the instructions of the subscriber (who is the Data User) and are bound by the PDPA's requirements for data processors.
Our compliance obligations are comprehensive and apply to both capacities. The Company has designated a Data Protection Officer to oversee PDPA compliance and handle data-related inquiries.
2. The Seven PDPA Principles
We structure our data processing practices around the seven principles set out in the PDPA. Below we describe how each principle is applied within EzFlow.
2.1 General Principle
Personal data shall not be processed unless the data subject has given consent, or processing is necessary for a contractual obligation, legal obligation, vital interest, administration of justice, or the exercise of functions conferred by any written law.
EzFlow collects personal data only when a user creates an account and explicitly agrees to our Privacy Policy and EULA. We do not process personal data for any purpose that a subscriber has not consented to or that is not required for the lawful delivery of our services.
2.2 Notice and Choice Principle
A data subject must be informed of the purposes for which their personal data is collected and processed. They must be given a choice whether to provide that personal data.
We fulfil this principle by:
- Presenting our Privacy Policy and EULA before account creation — no account may be created without acknowledgement
- Clearly stating the purposes of data collection at each point of collection
- Providing opt-in consent mechanisms for non-essential data processing (e.g., marketing emails)
- Allowing subscribers to manage their communication preferences at any time within their account settings
2.3 Disclosure Principle
Personal data shall not be disclosed to any third party without the consent of the data subject, except where disclosure is permitted by the PDPA or required by law.
We never sell, rent, or trade personal data. We disclose personal data only to:
- Authorised sub-processors (Supabase for database hosting, Stripe for payment processing, Twilio for SMS OTP, Meta/WhatsApp for automation features) who are contractually bound to PDPA-equivalent standards
- Legal and regulatory authorities where required by Malaysian law or a valid court order
- The data subject themselves, upon a valid access request
All third-party sub-processors are listed in our Privacy Policy with the nature of data disclosed and processing locations.
2.4 Security Principle
Practical steps must be taken to protect personal data from any loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, or destruction.
Our security measures include:
- Encryption of all data in transit using TLS/SSL and encryption at rest via Supabase's AES-256 infrastructure
- Row-Level Security (RLS) policies ensuring that each subscriber can access only their own data, and that each subscriber's customer data is logically isolated from that of every other subscriber
- Multi-factor authentication and role-based access controls for internal systems
- Regular security audits and vulnerability assessments
- Incident response procedures with defined breach notification timelines (within 72 hours of becoming aware)
- Password storage using industry-standard cryptographic hashing via Supabase Auth — passwords are never stored in plain text
2.5 Retention Principle
Personal data shall not be kept longer than is necessary for the fulfilment of the purpose for which it was collected.
Our retention schedule:
- Active accounts: Data is retained for the duration of the active subscription to support service continuity
- Post-termination: Data is retained for 30 days to allow the subscriber to export their business records, after which it is permanently deleted
- Financial records: Invoice and transaction records may be retained for up to 7 years as required by Malaysian tax law (Income Tax Act 1967 and related regulations)
- Deleted data: Upon a valid deletion request, personal data is removed from active systems and from backups within 90 days
2.6 Data Integrity Principle
Personal data shall be accurate, complete, not misleading, and kept up to date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
We maintain data integrity by:
- Providing subscribers with the ability to review, update, and correct their own account information at any time within their account settings
- Applying database-level validation and constraints to prevent malformed or corrupt records
- Offering a correction request process via [email protected] for data that cannot be self-corrected
- Logging data modification events for auditability
2.7 Access Principle
A data subject shall be given access to their personal data and be able to correct that personal data where it is inaccurate, incomplete, misleading, or not up-to-date.
We honour access rights by:
- Providing an in-platform data export feature allowing subscribers to download their own business data at any time
- Processing formal access requests submitted to [email protected] within 21 calendar days as required by the PDPA
- Responding to correction requests within 21 calendar days
- Providing a written explanation if an access or correction request is refused, including the grounds for refusal
3. What Personal Data We Collect
The categories of personal data we collect and process depend on the relationship between the data subject and EzFlow.
3.1 Subscriber Data (Business Owners and Staff)
- Full name of the authorised business representative
- Business name and Malaysian SSM registration number
- Email address and Malaysian mobile phone number
- Password (cryptographically hashed — never in plain text)
- Subscription and billing information (processed by Stripe — EzFlow does not receive raw card data)
- Platform usage and activity logs
- IP address, device type, and browser information
3.2 Customer Data (Processed on Behalf of Subscribers)
When subscribers use EzFlow to manage their own customers, the following categories of data may be stored. The subscriber is the Data User for this data; EzFlow is the Data Processor.
- Customer names and contact information (mobile number, email)
- Appointment and booking history
- Invoice and transaction records
- WhatsApp message logs (where the subscriber uses the WhatsApp automation feature)
- Google review data linked to the subscriber's business
4. How We Use Personal Data
All processing is limited to purposes disclosed at the time of collection. We do not process personal data for any undisclosed secondary purpose.
4.1 Primary Purposes
- Account creation, authentication, and management
- Delivery of all subscribed platform features (appointments, scheduling, invoicing, WhatsApp automation, Google review management, analytics)
- Processing subscription payments via Stripe
- Sending transactional notifications (booking confirmations, payment receipts, one-time passwords)
- Providing customer support and responding to inquiries
4.2 Secondary Purposes (Consent Required)
- Sending marketing communications about EzFlow features, promotions, or updates — only with explicit opt-in consent
- Conducting user research and feedback surveys
4.3 What We Will Never Do
- Sell, rent, or trade personal data to any third party for their own commercial purposes
- Use subscriber data or subscriber customer data for profiling unrelated to service delivery
- Process personal data for any purpose not disclosed in this statement or our Privacy Policy without obtaining fresh explicit consent
5. Your Rights as a Data Subject
Under the PDPA, every data subject has enforceable rights with respect to their personal data. All requests should be submitted to [email protected]. We will acknowledge receipt within 5 business days and respond substantively within 21 calendar days unless the PDPA permits a longer period.
5.1 Right of Access
You may request a copy of all personal data we hold about you, together with a description of the purposes for which it is processed, the categories of data held, and the third parties to whom it may have been disclosed. We may charge a reasonable administrative fee as permitted by the PDPA.
5.2 Right to Correction
You may request correction of any personal data that is inaccurate, incomplete, misleading, or out of date. Subscribers can update most account data directly within the EzFlow platform. For data that cannot be self-corrected, submit a request to our Data Protection Officer.
5.3 Right to Withdraw Consent
Where processing is based on your consent, you may withdraw it at any time by contacting [email protected]. Please note that withdrawal of consent for processing that is necessary for the delivery of our services will result in the termination of those services. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
5.4 Right to Request Deletion
You may request that we delete your personal data. We will comply within 30 days, subject to any legal retention obligations (e.g., financial records required under Malaysian tax law). We will notify you of any data we are legally required to retain and the basis for retention.
5.5 Right to Lodge a Complaint
If you are not satisfied with how we have handled your personal data, you may lodge a complaint with the Personal Data Protection Commissioner of Malaysia:
Personal Data Protection Department
Ministry of Communications and Digital
Level 4-7, Menara MCMC, Off Persiaran Multimedia
63000 Cyberjaya, Selangor, Malaysia
Email: [email protected]
Tel: +603 8688 8333
Website: www.pdp.gov.my
6. Cross-Border Data Transfers
The PDPA restricts the transfer of personal data outside Malaysia unless the destination country provides a level of data protection substantially similar to that under the PDPA, or unless the data subject has consented to the transfer.
EzFlow uses the following infrastructure and services that involve cross-border transfers:
Malaysia → Singapore (Supabase)
Primary database, authentication, and file storage. Singapore has a robust Personal Data Protection Act 2012 (PDPA SG), widely recognised as providing substantially equivalent protections. All transfers are encrypted in transit and at rest.
Malaysia → United States (Twilio, Meta/WhatsApp)
SMS OTP delivery (Twilio) and WhatsApp Business API (Meta). Transfers are limited to the minimum data necessary for these functions (mobile number for SMS; business phone number and message templates for WhatsApp). These providers are bound by contractual data processing terms that include obligations equivalent to the PDPA, and both operate under US-EU data transfer frameworks. EzFlow obtains subscriber consent to these transfers as part of account registration and feature activation.
Malaysia → United States / Ireland (Stripe)
Payment processing. Stripe is a PCI-DSS Level 1 certified global payment processor operating under recognised cross-border data transfer frameworks (including EU Standard Contractual Clauses). Only billing name, email, and transaction amount are shared. Raw card data is handled entirely by Stripe and never transmitted to or stored by EzFlow.
7. Contact Our Data Protection Officer
For any questions, concerns, access requests, correction requests, or complaints relating to the processing of your personal data by EzFlow, please contact our Data Protection Officer:
EZ FLOW LABZ SDN. BHD.
Company No.: 202201026529 (1472226-H)
Wisma Adiss Udarma Complex
No. 1-3A 4th Floor, Jalan 1/64A
Kuala Lumpur 50350, Malaysia
Data Protection Officer: [email protected]
General Enquiries: [email protected]
Website: ezflow.my
This PDPA Compliance Statement is reviewed annually or whenever there is a material change to our data processing practices. The version number and effective date at the top of this page reflect the most current revision.