PERSONAL DATA PROTECTION POLICY & PRIVACY NOTICE

QuantumNexis Sdn Bhd / Ziloy

Last Updated: 12 May 2026

1. INTRODUCTION

This Personal Data Protection Policy & Privacy Notice (“Policy”) is issued pursuant to the Personal Data Protection Act 2010 (“PDPA”) of Malaysia.

QuantumNexis Sdn Bhd (Company No. 202501025798 (1627211-P)) operating under the brand name “ZILOY” (“Company”, “we”, “us”, “our”) is committed to protecting personal data and ensuring that all personal data is processed in accordance with applicable Malaysian laws, including the Personal Data Protection Act 2010.

This Policy explains how personal data is collected, used, processed, disclosed, safeguarded, retained, and managed in connection with:

the Ziloy platform;

websites and mobile applications operated by the Company;

digital healthcare and teleconsultation services;

patient and healthcare support services;

communication channels and customer engagement;

operational and internal governance processes;

authorised personnel and service providers engaged by the Company.

This Policy also sets out the operational, confidentiality, platform usage, and data protection obligations applicable to all employees, clinicians, consultants, contractors, Care Navigators, vendors, and authorised users who access or process personal data through QuantumNexis Sdn Bhd and the Ziloy platform.

2. DATA CONTROLLER

QuantumNexis Sdn Bhd
Unit B-09-06 Plaza Mont Kiara,
No. 2, Jalan Kiara,
Mont Kiara,
50480 Kuala Lumpur,
Malaysia

Email: contact@ziloy.my
Website: https://ziloy.my

3. SCOPE OF APPLICATION

This Policy applies to all personal data processed by QuantumNexis Sdn Bhd in connection with its commercial activities, operational processes, healthcare-related services, digital platforms, teleconsultation services, onboarding activities, and internal governance functions.

The scope of this Policy extends to all users of the Ziloy platform, websites, mobile applications, communication channels, digital healthcare systems, and related services operated by the Company.

This Policy further applies to patients, clients, clinicians, healthcare practitioners, Care Navigators, employees, consultants, contractors, outsourced personnel, vendors, third-party service providers, management personnel, and any authorised individual or entity granted access to personal data, Company systems, operational information, or healthcare-related services administered by the Company.

The provisions contained in this Policy apply to all forms of personal data processing conducted by or on behalf of the Company, whether through digital systems, operational activities, healthcare services, administrative processes, customer engagement channels, or authorised third-party service arrangements.

4. PERSONAL DATA WE MAY COLLECT

“Personal Data” means any information relating directly or indirectly to an identifiable individual in connection with a commercial transaction as defined under the Personal Data Protection Act 2010.

Depending on the services requested, the Company may collect and process the following categories of personal data:

4.1 Personal Information

full name;

NRIC/passport details;

gender;

date of birth;

nationality;

address;

email address;

contact number;

emergency contact information.

4.2 Sensitive Personal Data

Where applicable and with appropriate consent, the Company may process Sensitive Personal Data including:

medical and health information;

mental health assessments;

consultation records;

treatment-related information;

medication and prescription records;

biometric information;
healthcare reports and related information.

4.3 Employment & Professional Information

For clinicians, consultants, contractors, and authorised personnel:

qualifications and certifications;

registration and licensing information;

employment or engagement records;

operational and onboarding information.

4.4 Technical & Operational Information

device and browser information;

IP address and system logs;

platform usage records;

application interaction records;

communication preferences;

system access information.

Where any technical or operational information identifies or is capable of identifying an individual, such information shall be treated as personal data.

5. HOW PERSONAL DATA IS COLLECTED

Personal data may be collected directly from individuals or through lawful third-party sources in connection with the Company’s operational, healthcare, administrative, compliance, and service-related activities.

Such collection may occur through registration forms, onboarding documentation, healthcare consultations, questionnaires, assessments, communication channels, customer support interactions, mobile applications, websites, teleconsultation services, operational processes, healthcare administration systems, or other authorised digital platforms operated by or on behalf of the Company.

Where permitted under applicable laws or with appropriate consent, personal data may also be obtained from healthcare providers, insurers, diagnostic laboratories, employers, regulatory authorities, authorised service providers, corporate partners, or other relevant third parties for purposes directly related to the provision, administration, coordination, or enhancement of the Company’s services.

The Company shall take reasonable steps to ensure that personal data collected is relevant, accurate, and limited to information necessary for lawful operational and service-related purposes.

6. PURPOSE OF PROCESSING

Personal data is processed only for lawful purposes directly related to the operation, administration, governance, and provision of the Company’s services, digital platforms, healthcare ecosystem, and business operations.

Such processing may include activities relating to user registration, account administration, healthcare consultations, teleconsultation services, mental health assessments, patient engagement, Care Navigation services, appointment coordination, communication relating to services, healthcare administration, billing and payment processing, customer support, operational management, and service delivery.

Personal data may also be processed for compliance monitoring, audit and governance requirements, cybersecurity management, fraud prevention, incident management, operational analytics, service enhancement, digital platform administration, legal compliance, regulatory obligations, and responding to lawful requests from government authorities, regulators, or law enforcement agencies.

Where permitted under applicable laws, the Company may process personal data for operational improvement initiatives, digital healthcare enhancement, platform optimisation, internal reporting, business continuity, service quality management, and other legitimate operational purposes reasonably connected to the Company’s activities.

The Company shall not process personal data for purposes unrelated to its services, operational requirements, or lawful business activities unless consent has been obtained or such processing is otherwise permitted under applicable laws.

7. CONFIDENTIALITY & DATA PROTECTION OBLIGATIONS

All authorised personnel, clinicians, Care Navigators, consultants, contractors, vendors, and platform users who are granted access to personal data or Company systems shall comply with the following obligations:

Patient and client information is strictly confidential and shall only be accessed for authorised purposes directly related to assigned duties or service delivery.

Personal data and medical information shall not be downloaded, copied, photographed, screen-captured, recorded, stored locally, or shared outside Company-approved systems unless expressly authorised.

Login credentials, system access, and authentication information are strictly personal and must not be shared with any third party.

All users must use only authorised communication channels, systems, and workflows approved by QuantumNexis Sdn Bhd.

No clinician, consultant, Care Navigator, or authorised user shall bypass Company operational workflows, billing structures, reporting processes, or patient management procedures.

Direct engagement with patients or clients outside approved Company processes is strictly prohibited unless expressly authorised by the Company.

Any suspected data breach, unauthorised disclosure, cybersecurity incident, misuse of information, or suspicious activity must be reported immediately to the Company.

Failure to comply with these obligations may result in suspension of access, disciplinary action, termination of engagement, legal action, regulatory reporting, or other actions deemed necessary by the Company.

8. PLATFORM USAGE & SECURITY REQUIREMENTS

All authorised users of the Ziloy platform and related systems shall:

use only Company-approved devices, systems, or secured environments where reasonably practicable;

maintain confidentiality of all access credentials;

avoid accessing Company systems using unsecured public networks where possible;

ensure devices used to access Company systems are reasonably protected against unauthorised access;

comply with all information security procedures implemented by the Company from time to time.

The Company reserves the right to suspend or revoke system access where misuse, security concerns, or non-compliance is identified

9. TELECONSULTATION & DIGITAL HEALTHCARE SERVICES

Where healthcare consultations, assessments, or related services are conducted digitally through the Ziloy platform or other authorised systems:

consultations shall only be conducted through Company-approved platforms or systems;

recording of consultations is prohibited unless expressly consented to and authorised in accordance with applicable law;

clinicians and authorised personnel shall ensure consultations are conducted in a reasonably private and secure environment;

all medical information generated during consultations shall be treated as Sensitive Personal Data.

10. AI-ASSISTED TECHNOLOGIES & DIGITAL TOOLS

Certain features, assessments, analytics, or service functionalities may involve automated processing, AI-assisted technologies, or digital healthcare tools to support service delivery, operational efficiency, user experience, or healthcare administration.

Such technologies shall be used only for lawful purposes directly related to the services provided and subject to appropriate safeguards, confidentiality obligations, and applicable Malaysian laws.

Personal data and patient information must not be uploaded into unauthorised public AI platforms or systems.

11. DISCLOSURE OF PERSONAL DATA

Personal data may be disclosed by the Company only where such disclosure is lawful, necessary, proportionate, and directly related to the provision, administration, operation, compliance, or enhancement of the Company’s services and business activities.

Such disclosures may be made to healthcare providers, clinicians, healthcare practitioners, insurers, pharmacies, medication fulfilment partners, diagnostic laboratories, authorised healthcare-related parties, IT and cloud hosting providers, payment processors, auditors, legal advisers, compliance consultants, cybersecurity providers, operational service providers, regulatory authorities, government agencies, or other authorised third parties engaged by the Company.

Where personal data is disclosed to third-party service providers or operational partners, the Company shall take reasonable steps to ensure that such parties are contractually or operationally required to safeguard personal data, maintain confidentiality, implement appropriate security measures, and process personal data only in accordance with applicable laws and the Company’s instructions.

The Company shall not sell personal data or disclose personal data for unrelated third-party marketing purposes without appropriate consent or lawful basis.

12. THIRD-PARTY SERVICES

The Company’s services may contain links to or integrations with third-party platforms or services operated independently of the Company.

Where you choose to interact with such third-party services, the collection, use, and disclosure of personal data shall be governed by the respective policies of those third parties.

The Company is not responsible for the privacy or data protection practices of independent third-party platforms.

13. USE OF SERVICES BY MINORS

The Company does not knowingly process personal data of individuals below eighteen (18) years of age without verifiable consent from a parent or legal guardian.

Where services are provided in relation to a minor:

the relevant account shall be managed by a parent or legal guardian;

personal data shall be processed only for purposes directly related to the requested services;

access to such data shall be restricted to authorised personnel.

Where the Company becomes aware that personal data relating to a minor has been collected without the required consent, such information shall be deleted as soon as reasonably practicable.

14. CONSENT TO PROCESSING

By providing personal data to the Company, you consent to the collection, use, disclosure, and processing of such personal data for purposes directly related to the Company’s services and operations.

Explicit Consent for Sensitive Personal Data

Sensitive Personal Data including health information, mental health assessments, biometric information, medical records, or other sensitive information shall only be processed with explicit consent or where otherwise permitted under applicable law.

Explicit consent may be obtained through:

registration processes;

consent forms;

digital acknowledgements;

onboarding documentation;

service acceptance processes.

15. DATA SECURITY

The Company implements reasonable administrative, technical, and physical safeguards to protect personal data against:

unauthorised access;

disclosure;

misuse;

loss;

destruction;

alteration;

cybersecurity threats.

Access to personal data is restricted to authorised personnel who require such access for legitimate operational or service-related purposes.

While reasonable safeguards are implemented, no transmission or storage system can be guaranteed to be completely secure.

Users are encouraged to notify the Company immediately if they become aware of any unauthorised access or suspicious activity involving personal data.

16. DATA BREACH & INCIDENT REPORTING

Any actual or suspected:

unauthorised access;

data leakage;

disclosure of confidential information;

cybersecurity incident;

phishing attempt;

compromised account;

misuse of patient information; or

breach of this Policy

must be reported immediately to the Company through designated reporting channels.

The Company reserves the right to investigate, suspend access, implement containment measures, notify affected parties where required, and report incidents to regulatory authorities in accordance with applicable laws.

17. DATA RETENTION

Personal data shall be retained only for as long as necessary to fulfil the purposes for which it was collected or as required under applicable laws, regulatory obligations, healthcare requirements, audit requirements, or operational needs.

Upon expiry of the applicable retention period, personal data shall be securely deleted, anonymised, or disposed of appropriately.

18. CROSS-BORDER TRANSFER OF DATA

Where personal data is transferred outside Malaysia, such transfer shall be carried out only in accordance with applicable Malaysian laws and subject to appropriate safeguards to ensure adequate protection of the personal data.

19. RETURN, DELETION & TERMINATION OF ACCESS

Upon termination, resignation, cessation of engagement, suspension, or expiry of authorised access:

all access to Company systems shall immediately cease;

all Company information, records, and confidential materials must be returned or securely deleted;

no copies shall be retained in any form;

the Company reserves the right to revoke access without prior notice where necessary for security or compliance purposes.

20. RIGHTS OF DATA SUBJECTS

Subject to the provisions of the Personal Data Protection Act 2010, individuals may:

request access to personal data;

request correction of inaccurate or incomplete personal data;

withdraw consent for processing where applicable;

enquire regarding the processing of personal data.

Requests may be submitted in writing to:

Email: contact@ziloy.my

The Company may take reasonable steps to verify the identity of the requesting individual before responding to any request.

21. INTERNAL COMPLIANCE & GOVERNANCE

The Company may implement internal policies, standard operating procedures (SOPs), compliance guidelines, information security procedures, onboarding requirements, and operational controls from time to time to support compliance with this Policy and applicable laws.

All authorised personnel are required to comply with such internal requirements.

22. COMPLAINTS

Any complaint relating to the processing of personal data may be directed to the Company using the contact details below.

Where applicable, complaints may also be lodged with the Department of Personal Data Protection (JPDP), Malaysia.

23. GOVERNING LAW

This Policy shall be governed by and construed in accordance with the laws of Malaysia.

24. UPDATES TO THIS POLICY

The Company reserves the right to amend or update this Policy from time to time.

Any revised version shall take effect upon publication through the Company’s website, platform, application, or official communication channels.

25. CONTACT INFORMATION

For any enquiries relating to this Policy or the processing of personal data, please contact:

QuantumNexis Sdn Bhd
Unit B-09-06 Plaza Mont Kiara,
No. 2, Jalan Kiara,
Mont Kiara,
50480 Kuala Lumpur,
Malaysia

Email: contact@ziloy.my
Website: https://ziloy.my

DASAR PERLINDUNGAN DATA PERIBADI & NOTIS PRIVASI

QuantumNexis Sdn Bhd / Ziloy

Kemaskini Terakhir: 12 Mei 2026

1. PENGENALAN

Dasar Perlindungan Data Peribadi & Notis Privasi (“Dasar”) ini dikeluarkan menurut Akta Perlindungan Data Peribadi 2010 (“PDPA”) Malaysia.

QuantumNexis Sdn Bhd (No. Syarikat 202501025798 (1627211-P)) yang beroperasi di bawah jenama “ZILOY” (“Syarikat”, “kami”, “kita”, atau “milik kami”) komited dalam melindungi data peribadi dan memastikan semua data peribadi diproses selaras dengan undang-undang Malaysia yang berkuat kuasa termasuk Akta Perlindungan Data Peribadi 2010.

Dasar ini menerangkan bagaimana data peribadi dikumpul, digunakan, diproses, didedahkan, dilindungi, disimpan, dan diuruskan berkaitan dengan:

platform Ziloy;

laman web dan aplikasi mudah alih yang dikendalikan oleh Syarikat;

perkhidmatan penjagaan kesihatan digital dan telekonsultasi;

perkhidmatan sokongan pesakit dan penjagaan kesihatan;

saluran komunikasi dan penglibatan pelanggan;

proses operasi dan tadbir urus dalaman; dan

kakitangan serta penyedia perkhidmatan yang diberi kuasa oleh Syarikat.

Dasar ini juga menetapkan kewajipan operasi, kerahsiaan, penggunaan platform, dan perlindungan data yang terpakai kepada semua pekerja, klinikal, perunding, kontraktor, Care Navigator, vendor, dan pengguna yang diberi kuasa yang mengakses atau memproses data peribadi melalui QuantumNexis Sdn Bhd dan platform Ziloy.

2. PENGAWAL DATA

QuantumNexis Sdn Bhd
Unit B-09-06 Plaza Mont Kiara,
No. 2, Jalan Kiara,
Mont Kiara,
50480 Kuala Lumpur,
Malaysia

Email: contact@ziloy.my
Website: https://ziloy.my

3. SKOP PEMAKAIAN

Dasar ini terpakai kepada semua data peribadi yang diproses oleh QuantumNexis Sdn Bhd berkaitan dengan aktiviti komersial, proses operasi, perkhidmatan berkaitan penjagaan kesihatan, platform digital, perkhidmatan telekonsultasi, aktiviti onboarding, dan fungsi tadbir urus dalaman.

Skop Dasar ini meliputi semua pengguna platform Ziloy, laman web, aplikasi mudah alih, saluran komunikasi, sistem penjagaan kesihatan digital, dan perkhidmatan berkaitan yang dikendalikan oleh Syarikat.

Dasar ini turut terpakai kepada pesakit, pelanggan, klinikal, pengamal penjagaan kesihatan, Care Navigator, pekerja, perunding, kontraktor, kakitangan luar, vendor, penyedia perkhidmatan pihak ketiga, pihak pengurusan, dan mana-mana individu atau entiti yang diberi kuasa untuk mengakses data peribadi, sistem Syarikat, maklumat operasi, atau perkhidmatan berkaitan penjagaan kesihatan yang ditadbir oleh Syarikat.

Peruntukan dalam Dasar ini terpakai kepada semua bentuk pemprosesan data peribadi yang dijalankan oleh atau bagi pihak Syarikat sama ada melalui sistem digital, aktiviti operasi, perkhidmatan penjagaan kesihatan, proses pentadbiran, saluran penglibatan pelanggan, atau pengaturan perkhidmatan pihak ketiga yang dibenarkan.

4. DATA PERIBADI YANG MUNGKIN DIKUMPUL

“Data Peribadi” bermaksud sebarang maklumat yang berkaitan secara langsung atau tidak langsung dengan individu yang boleh dikenal pasti berkaitan transaksi komersial sebagaimana ditakrifkan di bawah Akta Perlindungan Data Peribadi 2010.

Bergantung kepada perkhidmatan yang diminta, Syarikat boleh mengumpul dan memproses kategori data peribadi berikut:

4.1 Maklumat Peribadi

nama penuh;

maklumat NRIC/pasport;

jantina;

tarikh lahir;

kewarganegaraan;

alamat;

alamat emel;

nombor telefon; dan

maklumat hubungan kecemasan

4.2 Data Peribadi Sensitif

Jika berkaitan dan dengan persetujuan sewajarnya, Syarikat boleh memproses Data Peribadi Sensitif termasuk:

maklumat kesihatan dan perubatan;

penilaian kesihatan mental;

rekod konsultasi;

maklumat berkaitan rawatan;

rekod ubat dan preskripsi;

maklumat biometrik; dan

laporan penjagaan kesihatan serta maklumat berkaitan.

4.3 Maklumat Pekerjaan & Profesional

Bagi klinikal, perunding, kontraktor, dan kakitangan yang diberi kuasa:

kelayakan dan pensijilan;

maklumat pendaftaran dan pelesenan;

rekod pekerjaan atau penglibatan; dan
maklumat operasi dan onboarding.

4.4 Maklumat Teknikal & Operasi

maklumat peranti dan pelayar;

alamat IP dan log sistem;

rekod penggunaan platform;

rekod interaksi aplikasi;

keutamaan komunikasi; dan
maklumat akses sistem.

Sekiranya mana-mana maklumat teknikal atau operasi boleh mengenal pasti seseorang individu, maklumat tersebut akan dianggap sebagai data peribadi.

5. BAGAIMANA DATA PERIBADI DIKUMPUL

Data peribadi boleh dikumpul secara terus daripada individu atau melalui sumber pihak ketiga yang sah berkaitan dengan aktiviti operasi, penjagaan kesihatan, pentadbiran, pematuhan, dan perkhidmatan Syarikat.

Pengumpulan tersebut boleh berlaku melalui borang pendaftaran, dokumentasi onboarding, konsultasi penjagaan kesihatan, soal selidik, penilaian, saluran komunikasi, interaksi sokongan pelanggan, aplikasi mudah alih, laman web, perkhidmatan telekonsultasi, proses operasi, sistem pentadbiran penjagaan kesihatan, atau platform digital lain yang dikendalikan oleh atau bagi pihak Syarikat.

Jika dibenarkan di bawah undang-undang yang terpakai atau dengan persetujuan sewajarnya, data peribadi juga boleh diperoleh daripada penyedia penjagaan kesihatan, syarikat insurans, makmal diagnostik, majikan, pihak berkuasa kawal selia, penyedia perkhidmatan yang dibenarkan, rakan korporat, atau pihak ketiga lain yang berkaitan.

Syarikat akan mengambil langkah yang munasabah untuk memastikan data peribadi yang dikumpul adalah relevan, tepat, dan terhad kepada maklumat yang diperlukan bagi tujuan operasi dan perkhidmatan yang sah.

6. TUJUAN PEMPROSESAN

Data peribadi diproses hanya bagi tujuan yang sah dan berkaitan secara langsung dengan operasi, pentadbiran, tadbir urus, dan penyediaan perkhidmatan Syarikat, platform digital, ekosistem penjagaan kesihatan, dan operasi perniagaan.

Pemprosesan tersebut boleh merangkumi aktiviti berkaitan pendaftaran pengguna, pentadbiran akaun, konsultasi penjagaan kesihatan, perkhidmatan telekonsultasi, penilaian kesihatan mental, penglibatan pesakit, perkhidmatan Care Navigation, penyelarasan janji temu, komunikasi berkaitan perkhidmatan, pentadbiran penjagaan kesihatan, pemprosesan bil dan pembayaran, sokongan pelanggan, pengurusan operasi, dan penyampaian perkhidmatan.

Data peribadi juga boleh diproses untuk pemantauan pematuhan, keperluan audit dan tadbir urus, pengurusan keselamatan siber, pencegahan penipuan, pengurusan insiden, analitik operasi, penambahbaikan perkhidmatan, pentadbiran platform digital, pematuhan undang-undang, obligasi kawal selia, dan bagi memenuhi permintaan sah daripada pihak berkuasa kerajaan atau penguat kuasa.

Syarikat tidak akan memproses data peribadi bagi tujuan yang tidak berkaitan dengan perkhidmatannya melainkan dengan persetujuan atau sebagaimana dibenarkan oleh undang-undang.

7. KEWAJIPAN KERAHSIAAN & PERLINDUNGAN DATA

Semua kakitangan yang diberi kuasa, klinikal, Care Navigator, perunding, kontraktor, vendor, dan pengguna platform yang diberikan akses kepada data peribadi atau sistem Syarikat hendaklah mematuhi kewajipan berikut:

Maklumat pesakit dan pelanggan adalah sulit dan hanya boleh diakses bagi tujuan yang dibenarkan berkaitan tugas atau penyampaian perkhidmatan.
Data peribadi dan maklumat perubatan tidak boleh dimuat turun, disalin, diambil gambar, dirakam skrin, direkodkan, disimpan secara tempatan, atau dikongsi di luar sistem yang diluluskan oleh Syarikat melainkan dibenarkan secara nyata.
Maklumat log masuk, akses sistem, dan pengesahan adalah bersifat peribadi dan tidak boleh dikongsi dengan mana-mana pihak ketiga.
Semua pengguna hendaklah menggunakan hanya saluran komunikasi, sistem, dan aliran kerja yang diluluskan oleh QuantumNexis Sdn Bhd.
Tiada klinikal, perunding, Care Navigator, atau pengguna yang diberi kuasa dibenarkan memintas proses operasi, struktur bil, proses pelaporan, atau pengurusan pesakit Syarikat.
Sebarang pelanggaran data, pendedahan tanpa kebenaran, insiden keselamatan siber, penyalahgunaan maklumat, atau aktiviti mencurigakan hendaklah dilaporkan segera kepada Syarikat.

Kegagalan mematuhi kewajipan ini boleh mengakibatkan penggantungan akses, tindakan operasi atau undang-undang, penamatan penglibatan, pelaporan kawal selia, atau tindakan lain yang dianggap perlu oleh Syarikat.

8. PENGGUNAAN PLATFORM & KEPERLUAN KESELAMATAN

Semua pengguna yang diberi kuasa bagi platform Ziloy dan sistem berkaitan hendaklah:

menggunakan hanya peranti, sistem, atau persekitaran yang diluluskan oleh Syarikat;
memastikan kerahsiaan semua maklumat akses;
mengelakkan penggunaan rangkaian awam yang tidak selamat;
memastikan peranti yang digunakan dilindungi daripada akses tanpa kebenaran; dan
mematuhi semua prosedur keselamatan maklumat yang dilaksanakan oleh Syarikat.

Syarikat berhak menggantung atau membatalkan akses sistem sekiranya terdapat penyalahgunaan, kebimbangan keselamatan, atau ketidakpatuhan.

9. TELEKONSULTASI & PERKHIDMATAN PENJAGAAN KESIHATAN DIGITAL

Sekiranya konsultasi penjagaan kesihatan, penilaian, atau perkhidmatan berkaitan dijalankan secara digital melalui platform Ziloy atau sistem yang dibenarkan:

konsultasi hendaklah dijalankan hanya melalui platform atau sistem yang diluluskan oleh Syarikat;
rakaman konsultasi adalah dilarang melainkan dengan persetujuan dan kebenaran yang sewajarnya;
klinikal dan kakitangan yang diberi kuasa hendaklah memastikan konsultasi dijalankan dalam persekitaran yang selamat dan privasi; dan
semua maklumat perubatan yang dihasilkan semasa konsultasi akan dianggap sebagai Data Peribadi Sensitif.

10. TEKNOLOGI BANTUAN AI & ALAT DIGITAL

Ciri-ciri tertentu, penilaian, analitik, atau fungsi perkhidmatan mungkin melibatkan pemprosesan automatik, teknologi bantuan AI, atau alat penjagaan kesihatan digital untuk menyokong penyampaian perkhidmatan, kecekapan operasi, pengalaman pengguna, atau pentadbiran penjagaan kesihatan.

Teknologi tersebut hendaklah digunakan hanya bagi tujuan yang sah dan tertakluk kepada perlindungan yang sewajarnya serta undang-undang Malaysia yang terpakai.

Data peribadi dan maklumat pesakit tidak boleh dimuat naik ke platform AI awam yang tidak dibenarkan.

11. PENDEDAHAN DATA PERIBADI

Data peribadi boleh didedahkan oleh Syarikat hanya apabila pendedahan tersebut sah, perlu, berkadar, dan berkaitan secara langsung dengan penyediaan, pentadbiran, operasi, pematuhan, atau penambahbaikan perkhidmatan dan aktiviti perniagaan Syarikat.

Pendedahan tersebut boleh dibuat kepada penyedia penjagaan kesihatan, klinikal, syarikat insurans, farmasi, rakan berkaitan penjagaan kesihatan, penyedia hosting awan, pemproses pembayaran, juruaudit, penasihat undang-undang, perunding pematuhan, pihak berkuasa kawal selia, agensi kerajaan, dan pihak ketiga lain yang dibenarkan oleh Syarikat.

Syarikat tidak akan menjual data peribadi atau mendedahkan data peribadi bagi tujuan pemasaran pihak ketiga yang tidak berkaitan tanpa persetujuan sewajarnya.

12. PERKHIDMATAN PIHAK KETIGA

Perkhidmatan Syarikat mungkin mengandungi pautan atau integrasi dengan platform atau perkhidmatan pihak ketiga yang dikendalikan secara bebas daripada Syarikat.

Sekiranya anda memilih untuk berinteraksi dengan perkhidmatan pihak ketiga tersebut, pengumpulan, penggunaan, dan pendedahan data peribadi akan tertakluk kepada dasar pihak ketiga berkenaan.

Syarikat tidak bertanggungjawab terhadap amalan privasi atau perlindungan data pihak ketiga yang bebas.

13. PENGGUNAAN PERKHIDMATAN OLEH BAWAH UMUR

Syarikat tidak akan memproses data peribadi individu di bawah umur lapan belas (18) tahun tanpa persetujuan yang boleh disahkan daripada ibu bapa atau penjaga sah.

Sekiranya perkhidmatan disediakan kepada individu bawah umur:

akaun hendaklah diuruskan oleh ibu bapa atau penjaga sah;
data peribadi hanya diproses bagi tujuan berkaitan perkhidmatan yang diminta; dan
akses kepada data tersebut adalah terhad kepada kakitangan yang diberi kuasa.

14. PERSETUJUAN TERHADAP PEMPROSESAN

Dengan memberikan data peribadi kepada Syarikat, anda bersetuju terhadap pengumpulan, penggunaan, pendedahan, dan pemprosesan data peribadi tersebut bagi tujuan berkaitan dengan perkhidmatan dan operasi Syarikat.

Persetujuan Jelas bagi Data Peribadi Sensitif

Data Peribadi Sensitif termasuk maklumat kesihatan, penilaian kesihatan mental, maklumat biometrik, rekod perubatan, atau maklumat sensitif lain hanya akan diproses dengan persetujuan jelas atau sebagaimana dibenarkan oleh undang-undang.

15. KESELAMATAN DATA

Syarikat melaksanakan langkah keselamatan pentadbiran, teknikal, dan fizikal yang munasabah untuk melindungi data peribadi daripada akses tanpa kebenaran, pendedahan, penyalahgunaan, kehilangan, kemusnahan, pengubahan, dan ancaman keselamatan siber.

Akses kepada data peribadi adalah terhad kepada kakitangan yang diberi kuasa dan memerlukan akses tersebut bagi tujuan operasi atau perkhidmatan yang sah.

16. PELAPORAN PELANGGARAN DATA & INSIDEN

Sebarang pelanggaran data, akses tanpa kebenaran, kebocoran data, insiden keselamatan siber, akaun yang dikompromi, penyalahgunaan maklumat pesakit, atau pelanggaran Dasar ini hendaklah dilaporkan segera kepada Syarikat melalui saluran pelaporan yang ditetapkan.

Syarikat berhak menjalankan siasatan, menggantung akses, melaksanakan langkah pembendungan, memaklumkan pihak terjejas jika diperlukan, dan melaporkan insiden kepada pihak berkuasa kawal selia mengikut undang-undang yang terpakai.

17. PENYIMPANAN DATA

Data peribadi akan disimpan hanya selama yang diperlukan bagi memenuhi tujuan pengumpulannya atau sebagaimana dikehendaki di bawah undang-undang, keperluan kawal selia, audit, atau operasi.

Selepas tamat tempoh penyimpanan yang berkaitan, data peribadi akan dipadam, dinyahpengenalan, atau dilupuskan dengan selamat.

18. PEMINDAHAN DATA MERENTASI SEMPADAN

Sekiranya data peribadi dipindahkan ke luar Malaysia, pemindahan tersebut akan dijalankan selaras dengan undang-undang Malaysia yang terpakai dan tertakluk kepada perlindungan yang sewajarnya.

19. PEMULANGAN, PEMADAMAN & PENAMATAN AKSES

Apabila berlaku penamatan, peletakan jawatan, tamat penglibatan, penggantungan, atau tamat tempoh akses:

semua akses kepada sistem Syarikat hendaklah dihentikan segera;
semua maklumat, rekod, dan bahan sulit Syarikat hendaklah dipulangkan atau dipadam dengan elamat; dan
tiada salinan boleh disimpan dalam apa jua bentuk.

20. HAK SUBJEK DATA

Tertakluk kepada Akta Perlindungan Data Peribadi 2010, individu boleh:

meminta akses kepada data peribadi;
meminta pembetulan data peribadi yang tidak tepat atau tidak lengkap;
menarik balik persetujuan bagi pemprosesan data; dan
membuat pertanyaan berkaitan pemprosesan data peribadi.

Permintaan boleh dikemukakan secara bertulis kepada:

Emel: contact@ziloy.my

21. PEMATUHAN & TADBIR URUS DALAMAN

Syarikat boleh melaksanakan dasar dalaman, prosedur operasi standard (SOP), garis panduan pematuhan, prosedur keselamatan maklumat, keperluan onboarding, dan kawalan operasi dari semasa ke semasa bagi menyokong pematuhan terhadap Dasar ini dan undang-undang yang terpakai.

Semua kakitangan yang diberi kuasa hendaklah mematuhi keperluan dalaman tersebut.

22. ADUAN

Sebarang aduan berkaitan pemprosesan data peribadi boleh dikemukakan kepada Syarikat menggunakan maklumat hubungan yang dinyatakan di bawah.

Jika berkaitan, aduan juga boleh dikemukakan kepada Jabatan Perlindungan Data Peribadi (JPDP), Malaysia.

23. UNDANG-UNDANG TERPAKAI

Dasar ini hendaklah ditadbir dan ditafsirkan menurut undang-undang Malaysia.

24. KEMASKINI DASAR

Syarikat berhak meminda atau mengemaskini Dasar ini dari semasa ke semasa.

Sebarang versi yang dikemaskini akan berkuat kuasa sebaik sahaja diterbitkan melalui laman web, platform, aplikasi, atau saluran komunikasi rasmi Syarikat.

25. MAKLUMAT HUBUNGAN

The Company reserves the right to amend or update this Policy from time to time.

Any revised version shall take effect upon publication through the Company’s website, platform, application, or official communication channels.

25. CONTACT INFORMATION

Untuk sebarang pertanyaan berkaitan Dasar ini atau pemprosesan data peribadi, sila hubungi:

QuantumNexis Sdn Bhd
Unit B-09-06 Plaza Mont Kiara,
No. 2, Jalan Kiara,
Mont Kiara,
50480 Kuala Lumpur,
Malaysia

Emel: contact@ziloy.my
Laman Web: https://ziloy.my

Audience

Organisations

Company

PERSONAL DATA PROTECTION POLICY & PRIVACY NOTICE

1. INTRODUCTION

2. DATA CONTROLLER

3. SCOPE OF APPLICATION

4. PERSONAL DATA WE MAY COLLECT

5. HOW PERSONAL DATA IS COLLECTED

6. PURPOSE OF PROCESSING

7. CONFIDENTIALITY & DATA PROTECTION OBLIGATIONS

8. PLATFORM USAGE & SECURITY REQUIREMENTS

9. TELECONSULTATION & DIGITAL HEALTHCARE SERVICES

10. AI-ASSISTED TECHNOLOGIES & DIGITAL TOOLS

11. DISCLOSURE OF PERSONAL DATA

12. THIRD-PARTY SERVICES

13. USE OF SERVICES BY MINORS

14. CONSENT TO PROCESSING

15. DATA SECURITY

16. DATA BREACH & INCIDENT REPORTING

17. DATA RETENTION

18. CROSS-BORDER TRANSFER OF DATA

19. RETURN, DELETION & TERMINATION OF ACCESS

20. RIGHTS OF DATA SUBJECTS

21. INTERNAL COMPLIANCE & GOVERNANCE

22. COMPLAINTS

23. GOVERNING LAW

24. UPDATES TO THIS POLICY

25. CONTACT INFORMATION

DASAR PERLINDUNGAN DATA PERIBADI & NOTIS PRIVASI

1. PENGENALAN

2. PENGAWAL DATA

3. SKOP PEMAKAIAN

4. DATA PERIBADI YANG MUNGKIN DIKUMPUL

5. BAGAIMANA DATA PERIBADI DIKUMPUL

6. TUJUAN PEMPROSESAN

7. KEWAJIPAN KERAHSIAAN & PERLINDUNGAN DATA

8. PENGGUNAAN PLATFORM & KEPERLUAN KESELAMATAN

9. TELEKONSULTASI & PERKHIDMATAN PENJAGAAN KESIHATAN DIGITAL

10. TEKNOLOGI BANTUAN AI & ALAT DIGITAL

11. PENDEDAHAN DATA PERIBADI

12. PERKHIDMATAN PIHAK KETIGA

13. PENGGUNAAN PERKHIDMATAN OLEH BAWAH UMUR

14. PERSETUJUAN TERHADAP PEMPROSESAN

15. KESELAMATAN DATA

16. PELAPORAN PELANGGARAN DATA & INSIDEN

17. PENYIMPANAN DATA

18. PEMINDAHAN DATA MERENTASI SEMPADAN

19. PEMULANGAN, PEMADAMAN & PENAMATAN AKSES

20. HAK SUBJEK DATA

21. PEMATUHAN & TADBIR URUS DALAMAN

22. ADUAN

23. UNDANG-UNDANG TERPAKAI

24. KEMASKINI DASAR

25. MAKLUMAT HUBUNGAN

25. CONTACT INFORMATION