Background

Privacy & Data Protection Policy (Malaysia)

Effective Date: October 17, 2025

TEERA.AI (“TEERA.AI”, “we”, “us”, or “our”) respects your privacy and is committed to protecting personal data in accordance with the Personal Data Protection Act 2010 (Malaysia) (PDPA) and other applicable Malaysian laws. This Privacy & Data Protection Policy (the “Policy”) explains how we collect, use, disclose, store, secure, and retain personal data when you visit our websites, use our accounting SaaS (including invoicing and e-invoice modules), or otherwise interact with us.

Drafting note: This Policy is intentionally drafted on behalf of “TEERA.AI” without listing a specific legal entity or SSM registration number, per business instruction. Capitalised terms not defined here have the meanings given in the TEERA.AI Terms of Service (Malaysia).

1. Scope & Roles

  • Website & Business Operations. For personal data we collect via our websites (e.g., contact forms, marketing sign-ups) and for billing, customer success, and account management, TEERA.AI acts as a data user/controller under PDPA.
  • SaaS Platform. For personal data uploaded or generated within the TEERA.AI platform by a customer (e.g., user accounts, end-customer information, invoice details), the Customer is the data user/controller and TEERA.AI acts as a data processor. The Data Processing Addendum (DPA) in the Terms of Service applies.
  • Third-Party Services. Our Services interoperate with third-party providers (e.g., cloud hosting, analytics, payment gateways, e-invoice connectors). Those providers process personal data under their own terms and policies. See Section 9 and the Sub-processor list.
2. What We Collect

We may collect and process the following categories of personal data: - Identity & Contact: name, job title, company name, email, phone, addresses. - Account & Auth: username, role (Owner/Admin/Standard), credentials (hashed), MFA settings. - Billing: plan, billing contact, payment method tokens, tax information (incl. SST status), invoices, receipts. - Usage & Technical: device and browser data, IP address, app logs, feature usage, error diagnostics. - Content & Business Records: transaction data you upload to the Services (e.g., invoices, e-invoice payloads), documents, notes, and attachments. - Support & Communications: support tickets, chat/email correspondence, surveys, feedback. - Marketing Preferences: newsletter opt-ins/opt-outs, campaign interactions, referral information.

We do not intentionally collect special-category/sensitive personal data (e.g., health, religion) within our ordinary course of business. Do not submit such data unless required by law or expressly requested by us.

3. How We Collect Data

  • Directly from you when you create an Account, subscribe to a plan, contact support, or participate in surveys/webinars.
  • Automatically through cookies, SDKs, and similar technologies when you use the Site or Services (see Section 8).
  • From service providers (e.g., payment processors, analytics) and publicly available sources as permitted by law.
4. How We Use Personal Data (Purposes)

We use personal data for the following purposes, aligned to PDPA principles: 1. Provide the Services: create and manage Accounts; authenticate users; process transactions; enable invoicing and e-invoice workflows; provide customer support; operate and maintain the platform. 2. Improve & Secure: monitor usage, diagnose issues, prevent fraud/abuse, test new features, conduct analytics, and enhance performance and security. 3. Billing & Collections: manage subscriptions, charge fees, issue invoices/e-invoices, and follow up on payments. 4. Communications: send service-related notices (operational, security, updates), respond to enquiries, and provide onboarding and training. 5. Marketing (Consent/Opt-out): send product news, promotions, and event invitations where permitted; you can opt out at any time. 6. Legal & Compliance: comply with PDPA and other laws (e.g., tax, AML, anti-corruption), enforce our Terms, and protect rights, property, and safety.

E-Invoice note: At your instruction, the platform may exchange data with regulatory or tax systems (e.g., LHDN e-Invoice). You are responsible for the accuracy, completeness, and lawful basis for such filings. TEERA.AI processes that data as your processor.

5. Disclosure & Sharing

We may disclose personal data to: - Service providers/Sub-processors who support our operations (cloud hosting, storage, email/SMS, analytics, logging/monitoring, payments, e-invoice connectors). We require appropriate confidentiality, security, and data-protection commitments. - Your organisation/admins to manage access, roles, and billing. - Professional advisors (legal, auditors) under duties of confidentiality. - Authorities when required by law, regulation, legal process, or to protect rights and safety. - Business transfers in connection with a corporate transaction (e.g., restructuring, merger, acquisition). We will continue to protect personal data consistent with this Policy.We do not sell personal data.

6. International Transfers

Personal data may be processed in or transferred to jurisdictions outside Malaysia. Where we transfer personal data overseas, we will ensure appropriate safeguards consistent with PDPA (e.g., contractual commitments with recipients, ensuring comparable protection). Primary hosting region: [PLACEHOLDER: AWS REGION; e.g., ap-southeast-1]. A current list of sub-processors is available at [PLACEHOLDER: SUB-PROCESSOR LIST / URL].

7. Security

We implement reasonable and appropriate technical and organisational measures to protect personal data, including (as appropriate): - encryption in transit and at rest; - access controls (least privilege, MFA options), network segmentation, logging/monitoring; - secure software development and change management; - vulnerability management and third-party risk assessments; - staff confidentiality obligations and security training.

Incident response. We will notify affected customers of a confirmed personal-data breach within 72 hours of confirmation, consistent with contractual commitments and PDPA obligations.

8. Cookies & Similar Technologies

We use cookies, pixels, and local storage to: - enable core functionality (authentication, session management); - remember preferences; - measure site performance and diagnostics; - support marketing/communication (subject to consent/opt-out).

Cookie categories: (i) Strictly Necessary, (ii) Functional/Preferences, (iii) Performance/Analytics, (iv) Marketing. You can manage preferences via your browser or our banner/tool [PLACEHOLDER: COOKIE PREFERENCES LINK]. Blocking some cookies may impact your experience.

9. Sub-processors & Third-Party Services

A list of key sub-processors (purpose and location) is available at [PLACEHOLDER: SUB-PROCESSOR LIST / URL] and may include: cloud hosting, email/SMS, analytics, logging/monitoring, payments (e.g., FPX/Stripe/PayPal), and e-invoice connectors. We conduct due diligence and require contractual protections no less protective than this Policy and our DPA.

10. Data Retention

  • Customer Data in the SaaS. Upon termination/expiry of your subscription or trial, you may export Customer Data for 7 days. We will delete or irreversibly anonymise Customer Data by day 14, subject to legal retention requirements (e.g., tax laws).
  • Account, billing, and support records. Retained for as long as needed for legitimate business purposes and legal obligations (e.g., financial reporting, fraud prevention), then securely deleted or anonymised per our internal schedule.
  • Logs & analytics. Retained for security and performance analysis for a limited period, then aggregated or deleted.
11. Your Rights (PDPA)

Subject to PDPA and exceptions, you may have the right to: - Access: request confirmation whether we hold personal data about you and obtain a copy. - Correction: request corrections to inaccurate, incomplete, misleading, or outdated personal data. - Withdraw consent: where processing is based on consent, withdraw your consent (we may continue processing where permitted by law or the Terms). - Choice: opt out of direct marketing communications at any time using unsubscribe links or by contacting us.

We will respond to requests within a reasonable period in accordance with PDPA. We may take steps to verify your identity and may charge a fee where allowed by law. Some requests may be restricted by legal, regulatory, or contractual obligations.

12. Children’s Privacy

Our Services are intended for business users. We do not knowingly collect personal data from children under 18. If you believe a child under 18 has provided personal data, please contact us and we will take appropriate steps.

13. Marketing Communications

Where permitted, we may send you product updates, newsletters, and invitations. You may opt out at any time by clicking the unsubscribe link in an email or contacting us. We may still send you service-related communications (e.g., security, billing, transactional messages).

14. Do-Not-Track / Automated Decision-Making

Our Services do not respond to browser Do-Not-Track signals. We do not engage in solely automated decision-making that produces legal or similarly significant effects without appropriate human oversight.

15. Links to Other Sites

Our Site may contain links to third-party websites. We are not responsible for their privacy practices or content. Please review their privacy policies before submitting personal data.

16. Changes to This Policy

We may update this Policy to reflect changes in our practices or the law. We will post the updated Policy with a new Effective Date and, where changes are material, will provide additional notice (e.g., email or in-app). Your continued use of the Services after the Effective Date constitutes acceptance of the updated Policy.

17. Contact Us

For privacy questions, data-subject requests, or complaints: - Email (Privacy/DPO): [PLACEHOLDER: privacy@TEERA.AI] - Legal: legal@TEERA.AI - Postal address: [PLACEHOLDER: POSTAL ADDRESS] (for formal notices)

If you are unsatisfied with our response, you may contact the Personal Data Protection Commissioner (JPDP) in Malaysia.

18. Sub-processor List (Summary)

A detailed and current list is available at [PLACEHOLDER: SUB-PROCESSOR LIST / URL]. Below is a typical (illustrative) set: - Cloud Hosting & Storage: [AWS Region: [PLACEHOLDER]] - Email & Communications: [PLACEHOLDER] - Analytics & Monitoring: [PLACEHOLDER] - Payments: FPX / Stripe / PayPal [PLACEHOLDER] - E-Invoice Connectors: [PLACEHOLDER]

19. Quick Reference (PDPA Principles Mapping)

  • General Principle: We process personal data for lawful purposes described in Section 4.
  • Notice & Choice: This Policy provides notice. You may opt out of marketing (Section 13) and withdraw consent (Section 11).
  • Disclosure Principle: We disclose per Section 5 and only for purposes described.
  • Security Principle: See Section 7 for safeguards.
  • Retention Principle: See Section 10 (including 7-day export / 14-day deletion for Customer Data after termination/expiry).
  • Data Integrity Principle: We take reasonable steps to keep personal data accurate and up to date; you can request corrections (Section 11).
  • Access Principle: You may request access (Section 11) using the contact information in Section 17.
20. Related Documents

  • Terms of Service (Malaysia): [PLACEHOLDER: TOS URL]
  • Data Processing Addendum (DPA): Annex A to the Terms of Service
  • Service Availability — No SLA/Credits: Annex B to the Terms of Service
  • Acceptable Use Policy: Annex C to the Terms of Service

Last updated: October 17, 2025