Privacy Notice (PDPA 2010)
Medari Asia Digital Health Sdn Bhd (“MedAsia”) is committed to protecting your personal data in accordance with Malaysia’s Personal Data Protection Act 2010 (“PDPA”).
1. Who we are
Medari Asia Digital Health Sdn Bhd
Company No.: 202501040183 [1641592-A]
Office: B2-2-3, No 1, Jalan Dutamas 1, Solaris Dutamas, 50480 Kuala Lumpur, Malaysia
PDPA Status: Compliance programme in place (Data User registration pending with JPDP)
Data User Registration No.: [TBA]
2. What personal data we collect
Identification and contact details, professional information, health-related data necessary for service delivery (where applicable), billing and payment data, usage logs, device/IP information, and technical telemetry.
3. How we obtain personal data
Directly from you (forms, emails, support), from healthcare providers/partners you authorise, from devices/systems you connect, and from our websites and applications (cookies/logs limited to what is necessary).
4. Purpose of processing
To deliver and support our digital health platforms; coordinate with healthcare professionals and payors; perform identity and access management; billing and operations; security, audit and incident response; research and product improvement; and compliance with legal/regulatory requirements.
5. Lawful basis / consent
Processing is based on your consent, contractual necessity, legitimate interests (e.g., security, service improvement), and/or compliance with applicable laws/regulations. Where consent is required, you may withdraw it; this may affect our ability to provide certain services.
6. Disclosures
We may disclose data to healthcare professionals (as authorised), service providers (hosting/IT/support), payors/TPAs (as authorised), regulators/authorities, and where required by law or court order. We require appropriate confidentiality and security commitments from service providers.
7. Cross-border transfers
Where necessary, personal data may be transferred outside Malaysia with PDPA safeguards. We use contractual, technical and organisational measures to protect data during such transfers.
8. Security
We operate a security programme aligned with PDPA and international frameworks (HIPAA, GDPR and ISO 27001). Controls include encryption in transit and at rest, role-based access, least privilege, multi-factor access (where applicable), audit logging, backup and recovery, and incident response procedures.
9. Retention
We retain personal data only as long as necessary for the purposes stated above or as required by applicable laws/regulations and relevant clinical or financial record-keeping requirements.
10. Your rights
You may request access to and correction of your personal data, withdraw consent (where applicable), and make complaints to the Jabatan Perlindungan Data Peribadi (JPDP). We will respond within a reasonable time and in accordance with PDPA.
11. Cookies & tracking
We use minimal cookies/local storage strictly necessary for security, session continuity and basic analytics. You can control cookies via your browser settings; blocking some cookies may impact site functionality.
12. Children
Our services are intended for use by healthcare organisations and adults. Where children’s data is processed, it is only with appropriate consent/authorisation and in accordance with PDPA and applicable medical guidelines.
13. Contact our DPO
Data Protection Officer (DPO): privacy@medariasia.com
14. Updates to this notice
This notice may be updated periodically. The latest version will be posted on this page.
Last updated: 27 August 2025.
“Aligned” means our policies and controls follow these frameworks; formal certification is not yet obtained.
Contacts
- Sales: sales@medariasia.com
- Support: support@medariasia.com
- Finance/Billing: finance@medariasia.com
- HR: hr@medariasia.com
- Privacy/DPO: privacy@medariasia.com