Privacy Policy

1. Introduction & Scope

Nexhaul Safe ("we," "us," "our," or "Company") is committed to protecting your privacy and ensuring transparency in how we handle your personal data. This Privacy Policy outlines our practices in compliance with:

• Malaysia's Personal Data Protection Act 2010 (PDPA)
• Malaysia's Communications and Multimedia Act 1998
• Malaysian Communications and Multimedia Commission (MCMC) regulations
• General industry best practices for data protection

This policy applies to all users of our platform, including operators, fleet managers, inspectors, and administrators accessing Nexhaul Safe through web or mobile applications.

2. What Personal Data We Collect

Account & Identity Data

• Name, email address, phone number
• Business registration (SSM) details
• APAD license and operator ID
• Company address and tax identification number
• User role and authentication credentials

Fleet & Vehicle Data

• Vehicle registration numbers and chassis numbers
• Vehicle make, model, and specifications
• GPS location data and route information
• Fuel consumption records
• Vehicle maintenance and inspection history

Driver & Personnel Data

• Driver name, license number, and classification
• Contact information and emergency contacts
• Training and certification records
• Performance and incident history

ICOP Compliance & Operational Data

• Lampiran A2 (inspection record) uploads
• Lampiran B (vehicle condition) reports
• Cargo documentation and manifests
• Incident and accident records
• OCR-extracted data from documents

Usage & Technical Data

• IP address, browser type, and device identifiers
• Pages visited and features used
• Login timestamps and session duration
• Error logs and system performance data

Communication Data

• Support tickets and communication history
• Feedback and survey responses
• Email and notification preferences

3. How We Use Your Data

Core Service Delivery

• Provision and management of ICOP compliance tracking
• Processing GPS tracking and fleet monitoring
• Document upload, storage, and OCR extraction
• Generating compliance scorecards and reports
• User authentication and account management

Regulatory & Compliance

• Maintenance of mandatory 7-year record retention for APAD compliance
• Audit trail generation for regulatory inspections
• Compliance reporting and certificate generation

Service Improvement & Analytics

• Aggregated analytics to improve platform features
• Identification of bugs and performance issues
• User behavior analysis (non-identifying, where permitted)
• Development of new compliance features

Communications

• Sending service notifications and alerts (e.g., ICOP deadline reminders)
• Responding to support inquiries
• Sending billing and invoice information
• Marketing communications (with your consent)

Safety & Security

• Prevention of fraud, abuse, and unauthorized access
• Enforcement of Terms of Service and legal agreements
• Protection of our rights and those of other users
• Investigation of complaints and security incidents

4. Legal Basis for Processing

Under Malaysia's PDPA, we process your data based on the following legal grounds:

• Contract Fulfillment: Processing necessary to provide our services to you
• Legal Obligation: Compliance with APAD, ICOP, and MCMC regulatory requirements
• Consent: Where explicitly provided for specific purposes (e.g., marketing)
• Legitimate Interests: Service improvement, security, fraud prevention (balanced against your rights)

For sensitive personal data (e.g., driver license information), we only process with explicit consent or when required by law.

5. Data Security & Protection

We implement industry-standard security measures to protect your personal data:

• Encryption: Data in transit (TLS/SSL) and at rest (AES-256)
• Access Controls: Role-based access, multi-factor authentication (MFA)
• Infrastructure Security: Regular security audits and vulnerability assessments
• Backup & Disaster Recovery: Geographic redundancy and regular backups
• Staff Training: Mandatory data protection and confidentiality training
• Incident Response Plan: Documented procedures for handling data breaches

Limitation: While we take reasonable precautions, no internet-based system is 100% secure. We cannot guarantee absolute security of your data.

6. Data Retention

ICOP Compliance Records: We retain all ICOP-related data (vehicle inspections, maintenance records, driver logs) for a minimum of 7 years as required by APAD regulations, or longer if legally mandated.

Account Data: We retain your account information as long as your account is active. Upon deletion or termination, personal identifiable information is anonymized or securely deleted within 30 days, except where required by law.

Usage & Technical Data: Server logs and analytics data are retained for 12 months; aggregated, anonymized data may be retained longer for service improvement.

Communication Data: Support tickets are retained for 5 years for dispute resolution and compliance verification.

7. Your Rights & Choices

Under Malaysia's PDPA, you have the following rights:

Right of Access

You may request access to personal data we hold about you and obtain a copy in a machine-readable format.

Right to Correction

You may request correction of inaccurate or incomplete personal data.

Right to Deletion

You may request deletion of your personal data, subject to legal retention requirements (e.g., 7-year ICOP record retention). We will not delete data required for regulatory compliance.

Right to Object

You may object to processing of your data for certain purposes, including marketing communications.

Right to Restrict Processing

You may request restriction of processing in certain circumstances (e.g., pending accuracy verification).

Right to Data Portability

You may request your personal data in a structured, machine-readable format for transfer to another service provider.

Managing Preferences

• Email Communications: You may unsubscribe from marketing emails by clicking the "Unsubscribe" link in emails or updating your preferences in your account settings
• Cookies & Tracking: You may adjust cookie preferences through your browser settings (see Section 10)
• SMS Notifications: Reply "STOP" to SMS notifications to opt-out

Exercising Your Rights

To exercise any of these rights, contact us at privacy@logisafe.my with "Data Subject Request" in the subject line. We will respond within 30 days (or longer if legally permitted).

8. Third Parties & Data Sharing

We do not sell or rent your personal data. We may share data with trusted third parties in the following circumstances:

Service Providers

• Cloud Infrastructure: AWS, Google Cloud (data centers in Singapore/Australia for regional compliance)
• Payment Processors: Stripe, FPX, for payment processing
• SMS & Email Services: Twilio, SendGrid, for notifications
• Analytics: Google Analytics (anonymized), Mixpanel
• OCR & AI Services: Third-party OCR providers for document extraction

All service providers are contractually obligated to protect your data and use it only as directed.

Legal Requirements

• Compliance with court orders, subpoenas, or legal requests from Malaysian authorities (APAD, SPAD, Royal Police)
• Investigation of suspected illegal activity or fraud
• Protection of our legal rights and those of other users

Business Transitions

In the event of merger, acquisition, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you and provide an opportunity to opt-out where legally permitted.

Aggregated & De-identified Data

We may share anonymized, aggregated data (e.g., "80% of operators achieve ICOP compliance by Q2") for market research or industry reporting without your consent.

9. International Data Transfers

Your personal data may be transferred to, stored in, and processed in countries outside Malaysia, including:

• Singapore (cloud infrastructure)
• Australia (backup servers)
• United States (third-party service providers)

We ensure that any international transfer complies with Malaysia's PDPA and implement appropriate safeguards (e.g., Standard Contractual Clauses) to protect your data. By using Nexhaul Safe, you consent to the transfer of your personal data to countries with potentially different data protection laws.

10. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience. Types of cookies used:

Essential Cookies

Required for platform functionality (authentication, session management, security). Cannot be disabled.

Performance Cookies

Collect data on how you use the platform to improve features and identify issues. You may disable these in your browser settings.

Marketing Cookies

Track your activity for targeted advertising. You may opt-out through privacy settings or your browser's "Do Not Track" signal.

Managing Cookies

• Browser Settings: Most browsers allow you to refuse cookies or alert you when cookies are sent
• Cookie Management Tool: Visit our preferences page to adjust cookie settings
• Do Not Track: Some browsers support a "Do Not Track" header we will honor where technically feasible

Disabling cookies may limit certain platform features.

11. Contact & Complaints

Complaints to MCMC & PDP Commissioner

If you believe we have violated your privacy rights under Malaysia's PDPA, you may lodge a complaint with:

• Malaysian Communications and Multimedia Commission (MCMC)
  Email: consumer@mcmc.gov.my
  Website: www.mcmc.gov.my
• Personal Data Protection Commissioner's Office (PDPC)
  Phone: +603-2733 8000
  Email: enquiry@pdp.gov.my
  Website: www.pdp.gov.my

Policy Changes

We may update this Privacy Policy to reflect legal changes or service improvements. We will notify you of material changes via email or by posting a notice on our website. Your continued use of the platform after changes constitutes your acceptance of the updated policy.

Last Updated: January 1, 2026
Version: 1.0