Privacy Policy
Status: DRAFT — pending Malaysian privacy lawyer review. Items in [REPLACE: ...] brackets need to be filled in before publication. Once finalised, this file is the canonical text; the public web rendering at /privacy mirrors it.
Effective date: [REPLACE: e.g. 1 May 2026] Version: 1.0-draft
1. Who we are
This privacy notice is issued by [REPLACE: full legal entity name — e.g. RMT Solutions Sdn Bhd] ("RMT", "we", "us", "our"), a company incorporated in Malaysia with company registration number [REPLACE: SSM number] and registered office at [REPLACE: registered address].
RMT operates the RMT Solutions retail merchandising tracking platform (the "Platform") consisting of (a) a mobile field application for merchandisers, (b) an administrative web application for our operating personnel, and (c) a distributor portal for our brand-owner clients.
Under the Personal Data Protection Act 2010 ("PDPA") and the Personal Data Protection (Amendment) Act 2024, we are the data user (controller) for personal data collected through the Platform.
2. Data Protection Officer
Our DPO can be contacted at:
- Name: [REPLACE: DPO name]
- Email: [REPLACE: dpo@<domain>]
- Phone: [REPLACE: phone — required for breach contact]
- Postal address: as in Section 1 above
You may contact the DPO for any privacy-related inquiry, to exercise your rights described in Section 8, or to file a complaint.
3. Personal data we collect
3.1 Merchandiser users (field staff)
| Class of data | Why we collect it | Source |
|---|---|---|
| Full name, email | Account identity, sign-in, audit trail of captures | Provided by you / your employer at invitation |
| Profile photograph (if uploaded) | Visual identification in admin views | Provided by you |
| Geolocation (latitude, longitude, accuracy) | Verifying you are at the assigned outlet at clock-in; recording clock-out location | Captured by the mobile app at the moment of clock-in/clock-out only — not continuously tracked between visits |
| Photographs taken at retail outlets (shelf images, batch labels) | Evidence of merchandising work; analytics aggregates (share-of-shelf, OOS rate) | Captured by you on tap |
| Free-text remarks, signatures captured at visit close | Audit record of the visit's outcome | Provided by you / by store contact |
3.2 Distributor / client users (brand-owner staff)
| Class of data | Why we collect it | Source |
|---|---|---|
| Full name, email | Account identity, sign-in | Provided at invitation |
| Brand and outlet scope (which brands the user is permitted to view) | Row-level security enforcement | Configured by your account admin or by RMT |
3.3 Operating company / admin users (RMT or its tenant operating company)
| Class of data | Why we collect it | Source |
|---|---|---|
| Full name, email, role | Account identity, sign-in, role-based access | Provided at invitation |
3.4 Third parties
| Class of data | Why we collect it | Source |
|---|---|---|
| Store-contact name + handwritten signature at visit close | Proof of visit; audit trail | Provided by the store contact in the moment, with our merchandiser explaining the purpose |
We do not knowingly collect personal data of children under 18.
4. How we use it
We process personal data described in Section 3 only for these purposes:
- Operating the Platform (sign-in, session management, role-based access, RLS enforcement)
- Verifying that field visits actually occurred at the correct location
- Producing operational analytics and reports for the operating company and its distributor clients
- Maintaining audit trails required for commercial accountability
- Compliance with applicable laws and lawful requests from regulators
We do not use personal data for advertising, profiling, or any automated decision-making with legal effect.
5. Lawful basis for processing
Under PDPA, we rely on the following bases:
- Consent for merchandiser geolocation, photographs, and signatures captured at clock-in/clock-out and visit close
- Contractual necessity for sign-in credentials of all account holders
- Legitimate interest for operational audit trails and aggregated analytics, balanced against the data subject's interests
You may withdraw consent at any time by contacting the DPO. Withdrawing consent for geolocation/photography means you cannot continue to perform field visits through the Platform.
6. Disclosure / data sharing
We share personal data only with:
- Subprocessors who provide infrastructure on our behalf (see subprocessor register). Each subprocessor is contractually bound by a Data Processing Agreement.
- Your operating company's authorised admins (for merchandiser data — names, emails, capture history)
- Distributor clients scoped only to brands they are authorised to view (analytics aggregates and capture metadata for products in their brand scope)
- Government authorities or courts where lawfully compelled
We do not sell personal data.
7. Cross-border data transfer
Our database and file storage are operated by Supabase Inc. The data is hosted in [REPLACE: confirm Supabase region from dashboard — likely ap-southeast-1 (Singapore) for rmt-dev]. To the extent personal data is transferred outside Malaysia, we rely on:
- Your consent (acknowledged via this notice on first sign-in), and
- Contractual safeguards with the receiving subprocessor (see DPA in subprocessor register)
8. Your rights
Under PDPA you have the right to:
- Access — request a copy of the personal data we hold about you
- Correct — request correction of inaccurate or incomplete data
- Withdraw consent — for any processing based on consent
- Limit processing — for direct marketing (which we do not currently engage in)
- Lodge a complaint with the Personal Data Protection Commissioner
To exercise any of these rights, contact our DPO (Section 2). We will respond within 21 days of receipt of a verified request and will not charge a fee unless the request is manifestly excessive.
For the operational procedure see DSAR procedure.
9. How long we keep your data
See the full schedule in data retention policy. Headlines:
- Active account data: kept while the account is active, plus 12 months after deactivation
- Captures, photos, sessions: 24 months from creation
- GPS clock-in/out fixes: 24 months from creation
- Audit logs: 24 months from creation (kept longer than the underlying data only as needed for compliance investigations)
- Anonymised aggregates (no personal data): may be kept indefinitely
10. Security
We protect personal data using:
- TLS encryption for all network traffic
- Row-level security in the database — your operating company's data is isolated from other tenants
- Encryption at rest (provided by our database subprocessor)
- Role-based access control: admins, merchandisers, and distributor clients see only what their role permits
- Multi-factor authentication available (and recommended) for admin accounts
- Regular review of access and audit logs
No security measure is perfect. If a personal data breach occurs that is likely to result in significant harm to you, we will notify you and the Personal Data Protection Commissioner in accordance with Section 12B of the PDPA (within 72 hours of becoming aware). See incident response plan.
11. Changes to this notice
We may update this notice from time to time. The current version is always available at /privacy. Material changes will be notified to active users via the platform.
12. Complaints
If you are not satisfied with our handling of your personal data, you may complain to the:
Personal Data Protection Department (Jabatan Perlindungan Data Peribadi) Aras 6, Kompleks Kementerian Komunikasi dan Multimedia, Lot 4G9, Persiaran Perdana, Presint 4, 62100 Putrajaya https://www.pdp.gov.my