Privacy Policy – Your Data, Our Responsibility

Winngoo Platform – Malaysia

This Privacy Policy (“Policy”) is a legally binding document issued by Winngoo (“Company”, “We”, “Us”, “Our”) governing the Processing of Personal Data in connection with access to and use of the Winngoo platform, website, applications, products, and related services in Malaysia.

This Policy is adopted pursuant to the Personal Data Protection Act 2010 of Malaysia (PDPA 2010), including all subsidiary legislation, standards, guidelines and any amendments thereto.

 

1. PREAMBLE AND RECITALS

1.1 This Policy is made to inform Data Subjects of their rights and obligations relating to the Processing of Personal Data by the Company.

1.2 The Company acknowledges the importance of Personal Data, data confidentiality and the right to privacy guaranteed under applicable Malaysian law.

1.3 This Policy sets out the legal basis upon which Personal Data is collected, used, retained, stored, disclosed, transferred, erased or otherwise Processed.

1.4 By accessing or using the Platform, creating an account, submitting information, or communicating with the Company, the Data Subject is deemed to have accepted, acknowledged and consented to the terms of this Policy.

1.5 If a Data Subject does not agree with any provision herein, such person shall immediately cease use of the Platform and shall refrain from providing any Personal Data.

 

2. DEFINITIONS

For purposes of this Policy, the following terms shall have the meanings assigned below:

2.1 “Personal Data” means any information in respect of commercial transactions which relates directly or indirectly to a Data Subject who is identified or identifiable from that information.

2.2 “Sensitive Personal Data” includes any personal data consisting of information as to physical or mental health, religious belief, criminal conviction, political affiliation, biometric data, or any category designated as sensitive under Malaysian law.

2.3 “Processing” means collecting, recording, holding or storing Personal Data or carrying out any operation on Personal Data.

2.4 “Data Subject” means an individual who is the subject of Personal Data.

2.5 “Third Party” means any person other than the Data Subject and the Company.

2.6 “Platform” refers to the Winngoo websites, mobile applications, systems and digital interfaces.

2.7 “Consent” means any expression of will that is free, specific and informed by which the Data Subject signifies agreement to the Processing of Personal Data.

 

3. APPLICABILITY

3.1 This Policy applies to:

(a) Users of the Platform
(b) Merchants, vendors and business partners
(c) Agents, contractors and service providers
(d) Website visitors and mobile app users

3.2 This Policy applies regardless of the device or technology used to access the Platform.

3.3 This Policy forms an integral part of the Terms and Conditions of Use of the Platform.

 

4. PRINCIPLES OF PERSONAL DATA PROTECTION

The Company undertakes to comply with the following statutory principles:

4.1 General Principle – Personal Data shall not be processed unless for a lawful purpose and with Consent lawful basis.

4.2 Notice and Choice Principle – Data Subjects shall be informed of the purposes of collection and shall have choice.

4.3 Disclosure Principle – Personal Data shall not be disclosed except as permitted by law or authorised by the Data Subject.

4.4 Security Principle – Reasonable security safeguards shall be implemented.

4.5 Retention Principle – Data shall not be retained longer than necessary.

4.6 Data Integrity Principle – Reasonable steps shall be taken to ensure accuracy and completeness.

4.7 Access Principle – Data Subjects shall be granted access rights in accordance with law.

 

5. CATEGORIES OF PERSONAL DATA PROCESSED

Without limitation and subject to law, the Company may Process the following categories of Personal Data:

5.1 identity information including name, date of birth, identification number and nationality.
5.2 contact details including address, email address and telephone number.
5.3 account and profile information associated with Platform registration.
5.4 financial and transactional data required for payments and settlements.
5.5 technical and device data generated from Platform access.
5.6 communication records and support correspondence.
5.7 usage data and behavioural information relating to Platform activity.
5.8 Sensitive Personal Data where strictly necessary and legally permissible.

 

6. METHODS OF COLLECTION

6.1 Personal Data may be obtained:

(a) directly from the Data Subject;
(b) automatically through Platform use;
(c) from public sources;
(d) from governmental or regulatory authorities;
(e) from Third Parties lawfully authorised to disclose such data.

6.2 Collection may occur through online forms, account registration, communication channels, cookies, tracking tools, verification systems or contractual interactions.

 

7. LEGAL BASIS FOR PROCESSING

Processing of Personal Data shall be based upon one or more of the following grounds:

(a) performance of contractual obligations;
(b) compliance with legal or regulatory duties;
(c) explicit Consent of the Data Subject;
(d) protection of vital interests;
(e) legitimate interest pursued by the Company.

 

8. PURPOSES OF PROCESSING

Personal Data may be Processed for the following purposes, among others:

(a) creation and management of user accounts;
(b) provision and operation of Platform services;
(c) verification, authentication and security;
(d) payment processing and financial reconciliation;
(e) compliance with statutory obligations;
(f) customer support, dispute resolution and complaint handling;
(g) prevention and detection of fraud or unlawful conduct;
(h) data analytics, research and service improvement;
(i) communication of notices, alerts or service-related messages;
(j) marketing activities where permitted by law.

 

9. SENSITIVE PERSONAL DATA

9.1 Sensitive Personal Data shall only be Processed:

(a) with explicit Consent;
(b) where required by law;
(c) where necessary to protect vital interests; or
(d) for legal claims or regulatory compliance.

9.2 Additional safeguards shall apply to Sensitive Personal Data.

 

10. DATA ACCURACY

10.1 The Data Subject warrants that all Personal Data submitted is accurate, complete and not misleading.

10.2 The Data Subject undertakes to update Personal Data where changes occur.

10.3 The Company shall not be liable for damages arising from inaccurate Personal Data supplied by the Data Subject.

 

11. RETENTION OF PERSONAL DATA

11.1 Personal Data shall be retained only for the period necessary to fulfil the purposes for which it was collected.

11.2 Upon expiry of the retention period, Personal Data shall be anonymised, destroyed or deleted using secure methods.

11.3 Residual copies may remain in backup systems for a limited operational period.

 

12. DISCLOSURE OF PERSONAL DATA

Personal Data may be disclosed to:

(a) employees and authorised personnel of the Company;
(b) subsidiaries, affiliates and related corporations;
(c) payment gateways and financial institutions;
(d) professional advisers, auditors or consultants;
(e) governmental authorities or law enforcement agencies;
(f) Third Party service providers acting on behalf of the Company;
(g) parties involved in corporate transactions or restructuring.

 

13. CROSS-BORDER TRANSFER OF PERSONAL DATA

13.1 The Company may transfer or permit the transfer of Personal Data to locations outside Malaysia where such transfer is necessary for the operation of the Platform, hosting of data, cloud storage, technical support, payment processing, or performance of contractual obligations.

13.2 Any such transfer shall be undertaken in compliance with the Personal Data Protection Act 2010, including any applicable restrictions or ministerial orders relating to cross-border data transfer.

13.3 The Company shall take reasonable steps to ensure that the receiving party in the foreign jurisdiction provides a level of protection comparable to the requirements under Malaysian law.

13.4 By continuing to use the Platform, the Data Subject expressly acknowledges and consents to cross-border transfer of Personal Data for the purposes described in this Policy.

 

14. SECURITY SAFEGUARDS

14.1 The Company shall implement appropriate administrative, technical and physical security measures designed to protect Personal Data against loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

14.2 Without limiting the generality of Clause 14.1, such measures may include access controls, authentication procedures, encryption, logging, monitoring systems, secure storage environments, network safeguards, employee confidentiality obligations and documented information security policies.

14.3 Security measures shall be reviewed periodically having regard to technological developments, cost of implementation and nature of the Personal Data processed.

14.4 The Data Subject acknowledges that no system can be guaranteed completely secure and that risk is inherent in all electronic communications. The Data Subject agrees to take reasonable precautions including safeguarding login credentials and notifying the Company immediately of any suspected unauthorised access.

 

15. RIGHTS OF DATA SUBJECTS

15.1 Subject to applicable law, the Data Subject shall have the right to request access to Personal Data held by the Company.

15.2 The Data Subject shall have the right to request correction of Personal Data that is inaccurate, incomplete, misleading or outdated.

15.3 The Data Subject may withdraw Consent, in whole or in part, to the Processing of Personal Data, subject always to any legal or contractual restrictions and provided that such withdrawal shall not affect prior Processing lawfully carried out.

15.4 Requests under this Clause must be made in writing in the prescribed manner and accompanied by such information as may be necessary to verify the identity of the requester.

15.5 The Company reserves the right to refuse any request for access or correction where permitted by law, including where the request is frivolous, vexatious, or would prejudice the rights of another person.

 

16. DIRECT MARKETING

16.1 The Company may process Personal Data for the purposes of direct marketing where permitted by law.

16.2 Direct marketing may include provision of information regarding promotions, services, programs, events, offers, news, surveys, loyalty programs or other communications that the Company considers may be of interest to the Data Subject.

16.3 The Data Subject shall have the right at any time to object to the Processing of Personal Data for direct marketing purposes, and upon receipt of such objection the Company shall cease such Processing.

16.4 Personal Data shall not be sold, rented or otherwise disclosed to unrelated Third Parties for their own marketing purposes without the explicit Consent of the Data Subject.

 

17. COOKIES AND TRACKING TECHNOLOGIES

17.1 The Platform may employ cookies, web beacons, log files, device identifiers and similar technologies to facilitate operation, security, performance measurement and user experience enhancement.

17.2 Cookies may enable recognition of returning users, storage of preferences, authentication of sessions and collection of usage statistics.

17.3 The Data Subject may configure browser settings to refuse or delete cookies; however, doing so may impair functionality or availability of certain Platform features.

17.4 Continued use of the Platform constitutes Consent to the use of cookies and tracking technologies as described in this Clause.

 

18. CHILDREN’S PERSONAL DATA

18.1 The Platform is not intended for minors unless explicitly stated otherwise and subject to applicable legal requirements.

18.2 The Company does not knowingly collect Personal Data of individuals below the age prescribed by Malaysian law without verifiable parental or guardian consent.

18.3 Where it is discovered that Personal Data of a minor has been collected without proper Consent, the Company reserves the right to delete such data.

 

19. DATA BREACH NOTIFICATION

19.1 A “Personal Data Breach” shall mean any incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

19.2 In the event of a Personal Data Breach, the Company shall take reasonable steps to:

(a) contain and assess the breach;
(b) mitigate potential harm;
(c) investigate the cause; and
(d) implement corrective measures.

19.3 Where required by law, affected Data Subjects and/or authorities shall be notified within the prescribed time frame.

 

20. THIRD-PARTY SITES AND SERVICES

20.1 The Platform may contain links to or integrations with websites, applications or services operated by Third Parties.

20.2 The Company shall not be responsible for the privacy practices, policies or content of such Third Parties.

20.3 Use of Third-Party platforms shall be governed by their respective privacy policies and terms, and the Data Subject accesses such platforms at their own risk.

 

21. EMPLOYEES, CONTRACTORS AND AGENTS

21.1 Personal Data of employees, contractors, agents or job applicants may be Processed for employment administration, recruitment, payroll, disciplinary matters, legal compliance and internal management.

21.2 Such Processing shall be undertaken in accordance with this Policy and applicable employment and data protection laws.

 

22. RECORDS MANAGEMENT

22.1 The Company shall maintain records of Processing activities as required by law.

22.2 Records may be stored electronically or physically and may be archived for statutory retention periods.

 

23. AUTOMATED DECISION-MAKING AND PROFILING

23.1 The Platform may utilise automated processes, algorithms or profiling mechanisms for authentication, fraud detection, recommendation engines, service customization or transaction evaluation.

23.2 The Company shall ensure such mechanisms are not discriminatory and are subject to human oversight where appropriate.

Continuing in the same strict legal contract format and expanding further. I will keep adding comprehensive clauses to build this into a long, detailed Malaysian Privacy Policy. You may say continue again and I will keep extending it.

 

24. LIMITATION OF LIABILITY

24.1 To the fullest extent permitted by law, the Company, its directors, officers, employees, agents, affiliates and service providers shall not be liable for any loss, damage, cost or expense, whether direct, indirect, consequential, exemplary or punitive, arising out of or in connection with the Processing of Personal Data in accordance with this Policy.

24.2 Without prejudice to the generality of Clause 24.1, the Company shall not be liable for:

(a) any unauthorised access to Personal Data arising from circumstances beyond the Company’s reasonable control;
(b) any loss or damage resulting from telecommunications or network failure;
(c) any accidental disclosure occurring despite reasonable security safeguards;
(d) reliance by any Third Party on inaccurate or incomplete Personal Data supplied by the Data Subject.

24.3 Nothing in this Policy shall exclude liability for fraud, wilful misconduct or any liability that cannot be excluded under Malaysian law.

 

25. INDEMNITY

25.1 The Data Subject agrees to indemnify and hold harmless the Company and its affiliates from and against any claims, losses, damages, liabilities, penalties, costs and expenses arising directly or indirectly from:

(a) any breach of this Policy by the Data Subject;
(b) submission of inaccurate, incomplete or misleading Personal Data;
(c) misuse of the Platform or violation of applicable law;
(d) assertion of rights by Third Parties arising from Personal Data provided by the Data Subject.

25.2 This indemnity obligation shall survive termination of the Data Subject’s account or cessation of Platform use.

 

26. LEGAL AND REGULATORY COMPLIANCE

26.1 The Company shall Process Personal Data in compliance with the Personal Data Protection Act 2010 and applicable subsidiary legislation, regulations, standards, directives and regulatory advisories.

26.2 The Company may disclose Personal Data to governmental, regulatory or law enforcement authorities where such disclosure is required by law, court order, regulatory direction or lawful request.

26.3 The Data Subject unequivocally agrees that such disclosure shall not constitute a breach of confidentiality obligations by the Company.

 

27. GOVERNING LAW AND JURISDICTION

27.1 This Policy shall be governed by and construed in accordance with the laws of Malaysia.

27.2 Any dispute, controversy or claim arising out of or relating to this Policy shall be subject to the exclusive jurisdiction of the courts of Malaysia.

27.3 The Data Subject hereby irrevocably submits to such jurisdiction.

 

28. AMENDMENT AND REVISION OF POLICY

28.1 The Company reserves the absolute right to revise, amend, vary or supplement this Policy at any time.

28.2 Amendments shall take effect upon publication on the Platform unless otherwise stated.

28.3 Continued use of the Platform following such amendments shall constitute deemed acceptance of the revised Policy.

 

29. CONSENT AND ACKNOWLEDGMENT

29.1 By providing Personal Data, accessing the Platform or continuing to use the services, the Data Subject expressly:

(a) confirms that they have read and understood this Policy;
(b) consents to the Processing of Personal Data in the manner described herein;
(c) confirms that Personal Data furnished is accurate and not misleading;
(d) authorises disclosure and transfer of Personal Data as contemplated in this Policy.

29.2 Where Personal Data is provided on behalf of another person, the provider warrants that valid consent has been obtained from such person.

 

30. WITHDRAWAL OF CONSENT

30.1 The Data Subject may withdraw Consent to Processing at any time by submitting a written notice.

30.2 Withdrawal of Consent may result in the inability of the Company to continue providing services.

30.3 Withdrawal shall not affect Processing carried out prior to such withdrawal or Processing required under law.

 

31. TERMINATION OF ACCOUNT AND DATA HANDLING UPON TERMINATION

31.1 Upon termination of a user account for any reason, the Company may:

(a) deactivate or delete the account;
(b) restrict future access;
(c) retain Personal Data for legally required periods;
(d) anonymise data for statistical or research purposes.

31.2 Termination of account shall not affect rights or obligations accrued prior to termination.

32. INTERPRETATION CLAUSE

32.1 Headings and titles in this Policy are for convenience only and shall not affect interpretation.

32.2 Words importing the singular include the plural and vice versa.

32.3 Any reference to statutes includes amendments or re-enactments thereof.

 

33. LANGUAGE

33.1 This Policy may be issued in multiple languages. In the event of inconsistency, the English version shall prevail unless otherwise mandated by law.

 

34. SEVERABILITY

34.1 If any provision of this Policy is found to be invalid, unlawful or unenforceable, such provision shall be severed without affecting the remaining provisions.

 

35. ENTIRE POLICY

35.1 This Policy constitutes the entire agreement between the Data Subject and the Company concerning the Processing of Personal Data and supersedes all prior statements, notices or representations relating thereto.

test