Privacy Policy
Your privacy is important to us. This policy explains how we collect, use, and protect your information.
Effective date: January 2025 · Last updated: April 2025
Klinikfy ("we", "us", or "our") operates the Klinikfy platform and related services (collectively, the "Services"). We are committed to protecting the privacy of all users — whether you are a healthcare provider, clinic staff, or a patient. This Privacy Policy describes our practices regarding the collection, use, disclosure, and protection of your personal information in compliance with Malaysia's Personal Data Protection Act 2010 (Act 709).
1. Information We Collect
We collect the following categories of personal information:
<b>Account Information</b>: Name, email address, phone number, IC/passport number, date of birth, and profile photo (optional).
<b>Health & Clinical Information</b>: Medical history, diagnosis, treatment notes, investigation results, prescriptions, and appointment records. This is considered sensitive personal data and is handled with additional care.
<b>Usage & Technical Information</b>: Device type, IP address, browser type, operating system, pages visited, and interaction data when you use our platform.
<b>Communication Data</b>: Records of support requests, feedback, and correspondence with our team.
<b>Payment Information</b>: Billing name, address, and transaction history. Payment processing is handled by certified third-party payment processors.
2. How We Use Your Information
We use your personal information for the following purposes:
• Creating and managing your Klinikfy account
• Providing, maintaining, and improving the Services
• Facilitating appointment scheduling and reminders
• Enabling secure communication between you and your healthcare provider
• Generating clinical records and documentation
• Processing payments and sending billing notifications
• Responding to your support requests and enquiries
• Complying with legal and regulatory obligations
• Detecting, preventing, and addressing fraud, abuse, or security issues
• Sending you service-related communications (e.g., account updates, security alerts)
We do not use your personal information for purposes beyond those stated without your consent, except as required by law.
3. Cookies & Tracking Technologies
Klinikfy uses cookies and similar tracking technologies to operate and improve our platform:
• <b>Essential cookies</b>: Required for the platform to function (e.g., authentication, security)
• <b>Analytics cookies</b>: Help us understand how users interact with our platform so we can improve it
• <b>Preference cookies</b>: Remember your settings and preferences
You can control cookies through your browser settings. Disabling essential cookies may impair platform functionality.
4. Information Sharing & Disclosure
We do not sell your personal information. We may share your information in the following circumstances:
<b>Healthcare Providers</b>: When you are a patient, your information is shared with your registered healthcare provider and their authorised staff on the Klinikfy platform.
<b>Service Providers</b>: Third-party providers who deliver services on our behalf — such as cloud hosting (AWS), SMS delivery (Twilio), and email services. These providers are contractually bound to use your data only for the purposes we specify.
<b>Legal Requirements</b>: We may disclose information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
<b>Business Transfers</b>: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email of any such event.
5. Data Retention
We retain your personal information for as long as your account is active and for a reasonable period thereafter:
• <b>Patient records</b>: Retained as required by Malaysian healthcare regulations (minimum 7 years after last visit)
• <b>Account data</b>: Retained until account deletion; then a 60-day grace period before permanent deletion
• <b>Usage logs</b>: Retained for up to 2 years for security and analytics purposes
Upon request, we will delete or anonymise your personal information, subject to legal retention obligations.
6. Data Security
We implement robust security measures to protect your personal information:
• AES-256 encryption for data at rest
• TLS 1.2+ encryption for data in transit
• Role-based access control (RBAC) within the platform
• Multi-factor authentication (MFA) for staff and clinic accounts
• Regular penetration testing and security audits
• SOC 2 Type II compliance for our cloud infrastructure
While we strive to protect your data, no system is completely immune to breach. In the event of a data breach that affects your personal information, we will notify you and the relevant authorities as required by the PDPA.
7. Your Rights
Under the PDPA, you have the following rights regarding your personal data:
• <b>Right of access</b>: Request a copy of your personal data held by us
• <b>Right to correction</b>: Request correction of inaccurate or incomplete data
• <b>Right to withdraw consent</b>: Withdraw consent for processing based on consent (note: this may affect certain services)
• <b>Right to erasure</b>: Request deletion of your data, subject to legal retention requirements
• <b>Right to data portability</b>: Receive your data in a structured, machine-readable format
• <b>Right to prevent processing</b>: Object to processing likely to cause damage or distress
To exercise any right, contact us at privacy@klinikfy.com or visit your account privacy settings. We will respond within 30 days.
8. Children's Privacy
Klinikfy does not knowingly collect personal information from children under 18 without parental or guardian consent. If we become aware that we have collected data from a minor without appropriate consent, we will take steps to delete that information promptly.
Parents or guardians who believe their child's information has been collected without consent may contact us at privacy@klinikfy.com.
9. International Data Transfers
Klinikfy primarily stores and processes your data on servers located in Southeast Asia. Where data is transferred outside Malaysia, we ensure appropriate safeguards are in place, including:
• Data processing agreements with recipients that meet PDPA requirements
• Standard contractual clauses approved by relevant data protection authorities
• Ensuring equivalent levels of data protection as required by Malaysian law
10. Third-Party Links
Our platform may contain links to third-party websites, services, or applications that are not operated by Klinikfy. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through our platform.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.
• Material changes will be communicated via email to the address associated with your account
• We will also post a notice on the platform at least 30 days before the changes take effect
• Your continued use of Klinikfy after any changes constitutes acceptance of the updated policy
We encourage you to review this page periodically for the latest information on our privacy practices.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:
Email: privacy@klinikfy.com
Mailing address: Kuala Lumpur, Malaysia
We are committed to resolving your concerns and will endeavour to respond within 30 days.