PDPA Compliance

Introduction to PDPA Compliance

The Personal Data Protection Act 2010 ("PDPA") establishes seven data protection principles that organizations must follow when processing personal data in Malaysia. As a data user under the PDPA, EZLEASE has implemented comprehensive policies and procedures to ensure compliance with each principle.

This document explains how EZLEASE complies with each of the seven PDPA principles:

1. General Principle
2. Notice and Choice Principle
3. Disclosure Principle
4. Security Principle
5. Retention Principle
6. Data Integrity Principle
7. Access Principle

1. General Principle

1.1 How EZLEASE Complies

Explicit Consent Requirement

We process personal data only with your explicit consent. Before collecting any personal data, we:

• Present clear Terms of Service and Privacy Policy during account registration
• Require affirmative action (checkbox acceptance) to create an account
• Do not use pre-checked boxes or assume consent
• Obtain separate consent for optional data such as CTOS credit reports

Consent for Document Submission

When you submit verification documents (MyKad, income proof, property titles, etc.), you explicitly consent to:

• Our collection and storage of these documents
• Review and verification by authorized EZLEASE personnel
• Display of verification status (but not underlying documents) to other Users

Freely Given Consent

Your consent is:

• Informed: We clearly explain what data we collect and why
• Specific: We obtain separate consent for different types of data processing
• Freely given: You can decline optional data submission without affecting your core account access
• Revocable: You can withdraw consent and delete your data at any time

Lawful Processing Beyond Consent

In limited circumstances, we may process data without explicit consent where:

• Contractual necessity: Processing is necessary to provide the Platform services you requested
• Legal obligation: We are required by Malaysian law to retain or disclose certain data
• Vital interests: Processing is necessary to protect your safety or the safety of others

2. Notice and Choice Principle

2.1 How EZLEASE Complies

Clear Notice Before Collection

Before you provide any personal data, we provide clear notice of:

• What data we collect: Specific categories of personal data, including identity documents, financial information, and property documents
• Why we collect it: The purposes for which data will be used (verification, account management, service provision)
• Who will access it: Which parties will have access to your data (EZLEASE personnel, third-party service providers)
• How long we keep it: Retention period (indefinitely until you request deletion)
• Your rights: Rights to access, correct, and delete your data
• How to contact us: Data Protection Officer contact information

Role-Specific Data Collection Notice

We provide tailored notices based on your role:

• Tenants: Informed that we will collect MyKad, income proof, employment details, and optionally CTOS reports
• Owners/Landlords: Informed that we will collect MyKad, property title, grant documents, and SPA pages

Clear Choices for Optional Data

For optional data such as CTOS credit reports, we:

• Clearly mark the submission as optional
• Explain the benefits of providing optional data (enhanced credibility)
• Allow you to decline without penalty or reduced service quality

Notice of Data Practices

Our Privacy Policy provides comprehensive notice of:

• All third-party service providers and what data they access
• Cross-border data transfers (Malaysia to Singapore via Supabase)
• Document confidentiality rules (EZLEASE-only visibility, no User-to-User sharing)
• Security measures protecting your data
• Your rights under PDPA and how to exercise them

Advance Notice of Policy Changes

When we make material changes to our data practices:

• We send email notification at least 14 days before changes take effect
• We display prominent notices on the Platform
• We update version numbers to track changes
• We seek fresh consent where required by law

3. Disclosure Principle

3.1 How EZLEASE Complies

No Data Sale

We categorically do NOT sell, rent, or trade your personal data to any third party for any purpose.

No User-to-User Document Disclosure

Your verification documents are NEVER disclosed to other Users:

• Tenant documents: MyKad, income proof, CTOS reports, and employment details remain confidential. Owners see only verification status, never the underlying documents.
• Owner documents: MyKad, property titles, grant documents, and SPA pages remain confidential. Tenants see only verification status, never the underlying documents.
• EZLEASE as intermediary: We act as a trusted intermediary—we verify documents but do not expose them to other Users.

Disclosure to Third-Party Service Providers

We disclose personal data to third-party service providers ONLY for operational purposes and ONLY with your consent. These include:

Contractual Safeguards

All third-party service providers are bound by:

• Contractual obligations to protect your data
• Restrictions on using data for purposes beyond service provision
• Obligations to comply with applicable data protection laws

Disclosure Required by Law

We may disclose personal data without consent where required by:

• Court orders or subpoenas
• Malaysian law enforcement or regulatory authorities
• Legal obligations under Malaysian statutes

In such cases, we will disclose only the minimum data necessary to comply with the legal requirement.

No Marketing Disclosures to Third Parties

We do NOT share your personal data with third parties for their marketing purposes. Any marketing communications you receive will come directly from EZLEASE and only with your explicit opt-in consent.

4. Security Principle

4.1 How EZLEASE Complies

Technical Security Measures

We implement industry-standard technical safeguards:

Document Security

Verification documents (MyKad, CTOS, property titles, etc.) are subject to enhanced security:

• Stored in encrypted cloud storage separate from general database
• Access restricted to authorized verification personnel only
• Audit logs track all access to sensitive documents
• Documents never exposed to other Users under any circumstances
• Secure upload and download protocols

Organizational Security Measures

We implement administrative safeguards:

• Employee training: Personnel are trained on data protection and PDPA compliance
• Confidentiality obligations: Employees sign confidentiality agreements
• Limited access: Only personnel with legitimate need to access data are granted permissions
• Data Protection Officer: Designated DPO oversees compliance and security practices

Incident Response

We maintain security incident response procedures:

• Regular security audits and vulnerability assessments
• Incident detection and monitoring systems
• Data breach notification protocol (Users notified within 72 hours)
• Remediation plans to address security vulnerabilities

Third-Party Security Standards

We select third-party service providers who meet rigorous security standards:

• Supabase complies with international security certifications and standards
• All service providers contractually obligated to maintain data security
• Regular review of third-party security practices

5. Retention Principle

5.1 How EZLEASE Complies

Retention While Account Active

We retain your personal data indefinitely while your account remains active. This retention serves legitimate purposes:

• Maintaining your verified status without requiring re-submission of documents
• Providing continuity of service
• Preserving your account history and preferences
• Enabling you to use the Platform seamlessly over time

User-Controlled Deletion

You have complete control over data retention. You may request deletion of all your personal data at any time through:

• In-app deletion: Account settings include a data deletion feature for immediate self-service deletion
• Email request: Send deletion request to privacy@ezlease.my

Deletion Timeline

Upon receiving a valid deletion request:

• We permanently delete your personal data and verification documents within thirty (30) days
• Deletion includes all database records, uploaded documents, and profile information
• Deletion is irreversible; you cannot recover your data after deletion

Legal Retention Exceptions

In limited circumstances, we may retain certain data beyond your deletion request where:

• Legal obligation: Malaysian law requires retention (e.g., financial records for tax purposes)
• Legal claims: Data necessary to establish, exercise, or defend legal claims
• Ongoing disputes: Data relevant to unresolved disputes or investigations

Even where exceptions apply, we retain only the minimum data necessary and delete it once the retention obligation expires.

Anonymized Data

We may retain anonymized, aggregated data that cannot identify you personally for:

• Platform analytics and improvement
• Research and statistical purposes
• Trend analysis

Such data does not fall under PDPA as it is not personal data.

Third-Party Retention

When you request deletion, we also instruct our third-party service providers to delete your data in accordance with their retention policies and contractual obligations.

6. Data Integrity Principle

6.1 How EZLEASE Complies

User Responsibility for Accuracy

You are required to provide accurate and complete information when:

• Creating your account
• Submitting verification documents
• Posting property listings
• Communicating through the Platform

Our Terms of Service require truthful information and prohibit submission of false or fraudulent documents.

User Control to Update Data

You have the ability to update your personal information at any time through:

• Account settings: Update name, email, phone number, and profile information
• Document re-submission: Upload updated documents if your circumstances change
• Property listings: Edit property details, photos, and rental terms
• Support requests: Contact hello@ezlease.my for assistance with updates

Verification for Data Integrity

We verify submitted documents to ensure data integrity:

• Manual review by authorized personnel checks authenticity of MyKad, income proof, and property documents
• Detection of forged or altered documents
• Cross-verification of information across multiple documents
• Rejection of suspicious or incomplete submissions

Encouraging Updates

We encourage Users to keep their information current:

• Reminders to update profile information if circumstances change (e.g., new employment, address change)
• Notifications if documents are approaching expiration
• Easy update mechanisms through the Platform interface

Right to Correction

Under the PDPA Access Principle (Section 7), you have the right to request correction of inaccurate or incomplete personal data. We will promptly correct any errors upon request.

System Integrity

Our technical systems maintain data integrity through:

• Database constraints preventing invalid data entry
• Input validation and format checks
• Regular database integrity checks
• Audit trails tracking data modifications

7. Access Principle

7.1 How EZLEASE Complies

Right to Access Personal Data

You have the right to request access to all personal data we hold about you, including:

• Account information (name, email, phone number)
• Verification documents (MyKad, income proof, property documents)
• Property listings and messages
• Transaction history and subscription records
• Communications with EZLEASE

How to Request Access

To request access to your personal data:

• Send a written request to privacy@ezlease.my
• Include your name, account email, and specific data you wish to access
• Verify your identity (we may request additional verification to protect your data)

Access Request Response

Upon receiving a valid access request:

• We will respond within twenty-one (21) days as required by PDPA
• We will provide a copy of your personal data in a readable format
• We will explain how your data is being processed
• We will identify all third parties who have access to your data
• There is no fee for access requests (unless requests are excessive or manifestly unfounded)

Information About Data Processing

In addition to providing your data, we will inform you of:

• The purposes for which your data is being processed
• The classes of personal data we hold
• The recipients or classes of recipients to whom your data is disclosed
• Whether we transfer data across borders (Malaysia to Singapore via Supabase)
• Your rights to correction, deletion, and withdrawal of consent

Data Download Feature (Planned)

We are developing a self-service data download feature that will allow you to:

• Download a complete copy of your personal data directly from your account settings
• Receive data in a structured, machine-readable format (JSON or CSV)
• Access your data instantly without waiting for manual processing

This feature is currently under development and will be announced when available.

Ongoing Access Through Account

While logged into your account, you have ongoing access to:

• Your profile information and account details
• Your property listings and messages
• Your verification status
• Your subscription and payment history

Right to Correction

If you discover inaccuracies in your personal data, you have the right to request correction:

• Update information directly through account settings
• Contact privacy@ezlease.my to request corrections
• We will correct inaccurate data within twenty-one (21) days
• We will notify any third parties to whom the data was disclosed of the correction

Limits on Access Rights

In limited circumstances permitted by PDPA, we may refuse or limit access where:

• Disclosure would reveal personal data about another individual
• Access would compromise an ongoing investigation
• Legal privilege applies
• Access is prohibited by law

We will inform you of the reason for any refusal or limitation.

8. Contact Our Data Protection Officer

For questions about our PDPA compliance, to exercise your rights, or to lodge a complaint, please contact our Data Protection Officer:

If you are not satisfied with our response to your data protection concerns, you have the right to lodge a complaint with:

9. Changes to This Compliance Statement

We will notify users of material changes (major version updates) via email and prominent notice on our website at least 14 days before the changes take effect. Continued use of EZLEASE after the effective date constitutes acceptance of the updated terms.

Version control follows the format described at the top of this document:

• Major updates (e.g., 2.0.0): Significant changes to compliance practices
• Minor updates (e.g., 1.1.0): New procedures or clarifications
• Patch updates (e.g., 1.0.1): Corrections or contact updates

By using EZLEASE, you acknowledge that you have read and understood this PDPA Compliance Statement and how we comply with the Personal Data Protection Act 2010.