
PDPA Notice

Personal Data Protection Act 2010 — How we handle your data.

Effective date: January 2025  ·  Last updated: April 2025

Klinikfy is committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (Act 709) of Malaysia. This PDPA Notice explains how we collect, use, disclose, and protect your personal data when you use our platform and services.

1. Data We Collect

We collect personal data that you voluntarily provide to us, including:

• Name, IC number / passport number, date of birth, and contact details
• Medical history, health conditions, and investigation results
• Appointment records and treatment notes
• Payment and billing information
• Device and usage data when you access our platform

We do not collect sensitive personal data beyond what is necessary for the provision of healthcare services.

2. Purpose of Collection

Your personal data is collected and processed for the following purposes:

• Managing appointments, patient records, and clinical documentation
• Sending appointment reminders via SMS and email
• Facilitating communications between you and your healthcare provider
• Billing, invoicing, and payment processing
• Compliance with legal and regulatory obligations under Malaysian law
• Improving our platform and services

Your data will only be used for the purposes stated above, or with your additional consent.

3. Data Disclosure

We do not sell your personal data. We may disclose your data to:

• Your registered healthcare provider and their staff
• Third-party service providers who process data on our behalf (e.g., SMS providers, cloud infrastructure)
• Regulatory authorities when required by law
• Law enforcement agencies in connection with investigations

All third-party processors are bound by data processing agreements that restrict their use of your data to the purposes specified by Klinikfy.

4. Data Retention

We retain your personal data for as long as it is necessary for the purposes for which it was collected, or as required by applicable law.

• Patient records are retained for a minimum period as required by Malaysian healthcare regulations
• Account data is retained until you request deletion or close your account
• After account closure, data is retained for a 60-day grace period before deletion, in compliance with cancellation terms

You may request deletion of your data at any time, subject to legal retention obligations.

5. Your Rights

Under the PDPA, you have the right to:

• Request access to your personal data held by us
• Request correction of inaccurate or incomplete data
• Withdraw consent for the processing of your data (where processing is based on consent)
• Request data portability, where applicable
• Lodge a complaint with the Department of Personal Data Protection (DPDP) Malaysia

To exercise any of these rights, contact us at privacy@klinikfy.com or through the privacy settings in your Klinikfy account.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• End-to-end encryption of data in transit and at rest
• Access controls and role-based permissions within our platform
• Regular security audits and vulnerability assessments
• Staff training on data protection obligations

No system is completely secure. We are committed to continuously improving our security practices.

7. International Transfers

Klinikfy primarily stores and processes data within Malaysia. Where data is transferred outside Malaysia (e.g., to cloud service providers), we ensure adequate protections are in place, including contractual clauses that meet PDPA requirements for international transfers.

8. Contact Us

If you have any questions about this PDPA Notice or wish to exercise your data rights, contact our Data Protection Officer:

Email: privacy@klinikfy.com
Address: Kuala Lumpur, Malaysia

We will respond to all requests within 30 days, as required by the PDPA.
