Version: 1.0
Publish Date: 18 April 2025
2.1 We collect only the personal data essential for delivering our services effectively. Failure to provide the requested data may delay or prevent service provision, and in such cases, we may have to cancel the service, with notification provided where applicable.
2.2 Your Personal Data that we may collect, use, and process may include, but is not limited to, the types of information listed in this section below:
2.2.1 Basic Information: Your name, date of birth, nationality, identification card/passport details, photograph, and information as to whether you are a politically exposed person.
2.2.2 Contact Information: Your email address, mailing addresses, telephone number and company details.
2.2.3 Account log-in credentials: Your email address or username and password when you sign up for an account with us on Agility together with information generated from your use of Agility such as date and time you use Agility, pages viewed and other related details.
2.2.4 KYC Information: For us to undertake credit, financial or other know-your-client checks on you.
2.2.5 Financial information: Your banking details, source of wealth, billing information, transaction and payment card information.
2.2.6 Location data: If you choose to provide it to us.
2.2.7 Service-Related Data: Information you provide when registering for or using our services, such as account details or preferences.
2.2.8 Interaction information: How you interact with us, including enquiries, client information and how you use our website and applications.
2.2.9 Transactional Data: Payment details or billing information necessary to process transactions (handled via third-party processors where applicable).
2.2.10 Technical Data: IP address, browser type, and usage data collected via cookies or similar technologies on our website.
2.2.11 Any other Personal Data that you may provide to us for the purpose of the commercial transaction between us, to the extent permitted under the Applicable Laws.
2.3 Applicable Law means any Personal Data related law, statute, order, regulation, rule, requirement, practice and guidelines of any government, regulatory authority or self-regulating organisation applicable to us in Malaysia where services will be provided by us to you.
2.4 Under Applicable Laws, some of this data may qualify as Sensitive Personal Data. We avoid collecting sensitive information (e.g., health records, religious beliefs, political affiliations) unless strictly necessary for the requested service. In such circumstances, we will obtain your express consent and implement stringent protection measures.
3.1 We gather your personal data through the following channels:
3.1.1 Direct Interaction: When you sign up for our services, fill out forms, or contact us via email, phone, or other means. This also includes interactions during events or activities like customer surveys, competitions, or promotions, as well as communication regarding our products and services through emails, social media, letters, telephone calls, and conversations with our personnel.
3.1.2 Indirect Interactions: We may gather data through our carefully selected partners and service providers, such as digital marketing providers, who may process your personal information.
3.1.3 Website and IT Systems Usage: Through your activity on our website and IT systems, including door entry systems, reception logs, automated monitoring of our websites and technical systems (e.g., computer networks, connections, CCTV, access control systems, communication systems, email, instant messaging platforms, or similar technologies), as well as data collected via cookies and analytics tools outlined in Section 9.
3.1.4 Publicly accessible sources: Such as Companies Registrar.
3.1.5 Third Parties: Any trusted third party with your consent or as legally permitted such as payment processors, auditors, government agencies, statutory bodies, sanctions screening providers, credit reference agencies, client due diligence providers, etc.
3.2 We strive for transparency by informing you of the purposes for which your data is collected at or before the time of collection. Upon your request, we will also provide a copy of the list of third-party processors involved, along with their respective details.
4.1 We collect your Personal Data through means that are lawful, fair, and proportionate to the circumstances.
4.2 A lawful purpose refers to a legitimate business or commercial rationale for using your Personal Data, provided it does not conflict with your rights, interests, or applicable laws.
4.3 We strictly limit the use of your Personal Data to:
4.3.1 Deliver and maintain our services efficiently, including fee collection, payment processing, issuing receipts, responding to inquiries, and providing customer support.
4.3.2 Client onboarding, including conducting KYC checks, screening for politically exposed persons, sanctions, or embargoes, managing credit reference checks via external agencies, and adhering to anti-money laundering regulations and other legal and regulatory obligations under Malaysian law.
4.3.3 Facilitate audits, investigations, and regulatory inquiries while upholding internal policies (security and internet use).
4.3.4 Enhance operational efficiency, confidentiality, and quality through training, control, and statistical analysis (e.g., financial performance or service improvements).
4.3.5 Promote and market our services. We may use your Personal Data to send updates, either directly or through appointed agents or third parties, via email, text message, telephone, or post, about our services, including exclusive offers, promotions, new services, or information we believe may be relevant to you (e.g., newsletters). Before doing so, we will obtain your written consent (including an indication of no objection), and only with such consent will we use your personal data for promotional or direct marketing purposes. This may involve using your name, contact details, service portfolio information, transaction patterns and behavior, financial background, and demographic data for direct marketing. Additionally, we may provide your Personal Data to third parties for marketing similar services, products, or subjects, but only after obtaining your written consent (including an indication of no objection). You retain the right to opt out of receiving promotional or direct marketing communications at any time by using the ‘unsubscribe’ link in emails. We may also ask you to confirm or update your marketing preferences if you request further services in the future or if changes occur in the law, regulations, or our business structure.
4.3.6 Support external audits, risk assessments, collaborations with partners, credit agencies, complaints processors, etc.
4.3.7 Enhance website functionality, user experience, and send updates or promotional materials, subject to prior consent.
4.3.8 Address any incidental or ancillary processing required to support these purposes.
4.4 Unless we obtain your prior written consent, the Personal Data collected will only be used for its intended purpose at the time of collection or for purposes directly related to it.
5.1 We may, if necessary and as permitted under Applicable Laws, share or disclose your Personal Data with:
5.1.1 Any Xpatmobi affiliate, which refers to a corporate entity that directly or indirectly exercises control, is subject to control, or shares control with another corporate entity. “Control” refers to the authority to govern an entity’s operations through ownership of capital, shares, voting rights, or decision-making power.
5.1.2 Third parties engaged or appointed by us to help deliver our services, such as company secretaries, payment service providers, delivery companies, lawyers, accountants, auditors, and organisations to whom we subcontract services, requiring access to your Personal Data.
5.1.3 Third parties engaged to provide services to us, including credit reference agencies, insurers, brokers, banks, and legal advisors.
5.1.4 Other third parties assisting in our business operations, such as marketing agencies, IT contractors, call centers, stationery printing houses, mail houses, storage facilities, cloud storage providers, website hosts, and software development kits (SDKs).
5.1.5 Your agents and advisors, or other individuals or companies approved by you, including social media sites linked to your account or third-party payment providers.
5.1.6 Guarantors, professional advisors, banks, or organisations with an interest or potential interest in our business.
5.1.7 Individuals or entities considering acquiring an interest in our business or assets, such as potential investors or buyers of some or all of our business or during a re-structuring. Usually, information will be redacted but this may not always be possible. Rest assured that the recipient of the information will be bound by confidentiality obligations.
5.1.8 Government agencies, statutory or regulatory bodies where disclosure is necessary or desirable, such as corporate regulators, labor departments, or tax authorities.
5.1.9 Law enforcement or regulatory bodies to meet legal obligations.
5.2 We ensure the protection of Personal Data by implementing practicable measures to prevent unauthorized or accidental access, processing, erasure, loss, or misuse.
5.3 Service providers are permitted to handle data only after demonstrating adequate protection measures and are bound by contractual obligations restricting use to service delivery (to provide services to us and to you) while safeguarding against unauthorized activities. As such, we do not share your data for third-party marketing purposes without your consent. All third parties we engage are required to protect your data and use it solely for the tasks we assign.
5.4 Where required under Applicable Laws, we will notify you before sharing your Personal Data with any of the parties listed above. This notification will include the name and contact details of the recipients, the purposes and methods of processing, the types of data to be shared, and we will obtain your prior consent. A detailed list of third parties, along with their information, will be provided upon request.
5.5 Save and except for the purposes as set out above, we will not share your Personal Data with any other third party without your consent.
6.1 Local Processing: As a Malaysia-based company, Xpatmobi Sdn. Bhd. primarily processes and stores your personal data within Malaysia to ensure compliance with the Personal Data Protection Act 2010 (PDPA).
6.2 Storage Locations: Your personal data may be held at our offices or with trusted third parties, such as service providers, cloud storage providers, or agents, as outlined in Section 5. For example, we use SharePoint, a web-based document and storage system under our Microsoft Office 365 license, to securely store your data. Data uploaded to SharePoint is, by default, stored on cloud servers owned and operated by Microsoft in its data center infrastructure within the Asia Pacific (APAC) region: visit Microsoft’s Global Infrastructure page for more details.
6.3 If the jurisdiction where we access SharePoint and upload Personal Data lacks a readily available data center infrastructure, the data may be transferred to the nearest Microsoft-owned data center at their sole discretion for storage and backup purposes. In some cases, Microsoft may transfer the data to a data center in another jurisdiction if no suitable infrastructure is available locally. As this transfer is beyond our control, please refer to Microsoft’s compliance standards and their terms on data residency for further details: compliance with a variety of security standards and Microsoft’s definition and terms on data residency.
6.4 Safeguards for Transfers: If your personal data is transferred to overseas service providers (e.g., cloud storage or analytics tools), we ensure:
6.4.1 The recipient adheres to data protection standards equivalent to or stronger than the PDPA.
6.4.2 Appropriate safeguards, such as standard contractual clauses or other mechanisms required by law, are in place.
6.4.3 You are informed of the transfer and, where required by the PDPA, your prior consent is obtained.
6.5 Your Rights Regarding Transfers: You may request details about where your data is stored or transferred. We are committed to transparency and will provide this information to the extent permitted by law.
7.1 We maintain security measures that meet generally accepted industry standards to prevent Personal Data from being unlawfully or accidentally accessed, processed, erased, lost or used. We limit access to your Personal Data to those who have a genuine business need to access it. Those processing your Personal Data will do so only in an authorised manner and are subject to a duty of confidentiality. However, no
7.2 While we employ industry-standard safeguards, no online system is entirely immune to breaches. We commit to taking all reasonable measures to protect your information and will notify you promptly if a significant security incident occurs.
7.3 We also have procedures in place to deal with any suspected data security breach. We take robust steps to secure your personal data, including:
7.3.1 Encrypting data during transmission and storage.
7.3.2 Restricting access to authorized personnel only.
7.3.3 Conducting periodic security reviews to address potential risks.
7.4 In addition to your rights to access your Personal Data and to make corrections to any inaccurate Personal Data which is held by us, we will take all practicable steps to ensure that the Personal Data we collect from you is accurate having regard to the purpose (including any directly related purpose) for which the Personal Data is or is to be used.
8.1 We will keep your Personal Data while you remain a client of ours or while we are providing services to you and where we have a business or legal need to do so and as may be required by Applicable Laws. Different retention periods apply for different types of Personal Data. In addition, we impose contractual obligations on service providers to prevent Personal Data from being kept longer than it is necessary for processing the Personal Data transferred to them.
8.2 To determine the appropriate retention period for Personal Data held by us, we will consider the legal or contractual need to retain the Personal Data, nature and sensitivity of the Personal Data, the potential risk of harm from loss, unauthorised use or disclosure of the Personal Data, the purpose for which we collect and process the Personal Data and whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting and other relevant requirements.
8.3 We retain your personal data only as long as necessary to fulfil the purposes outlined in this policy (e.g., maintaining your account or processing transactions), and to comply with legal obligations, such as tax or auditing requirements.
8.4 Save and except for the purposes as set out above, once retention is no longer required for the purpose for which the data was collected, we will take all practicable steps to erase or anonymize your data to prevent unauthorized use.
9.1 Our website uses technologies such as cookies, browser analytics, server logs, and web beacons to collect information about your interactions with us. Cookies, which are alphanumeric identifiers transmitted to your device or computer hard drive via your web browser (with your agreement), help identify your browser and store settings. They enable us to recognize you upon returning to our website, track usage frequency, and detect fraud, providing valuable operational insights. When information collected through cookies or other technologies is associated with your Personal Data, this privacy policy applies.
9.2 You have the ability to control or delete cookies. While you can remove all cookies from your computer and set browsers to block them, doing so may require manually adjusting preferences during each visit and may limit some services or functionalities. Blocking all cookies (including essential cookies) via browser settings may limit access to certain parts of the website or functionalities.
9.3 The types of cookies we use include:
9.3.1 Strictly Necessary Cookies: Essential for website functionality, such as logging into secure areas or using e-billing services.
9.3.2 Analytical or Performance Cookies: Allow the recognition and counting of visitors and track movement across the website, enhancing usability and functionality.
9.3.3 Functionality Cookies: Recognize returning users, personalize content, and remember preferences (e.g., language or region).
9.3.4 Targeting Cookies: Record visits, pages viewed, and links followed to tailor website content and displayed advertising to your interests.
11.1 This Privacy Policy was last updated in April 2025.
11.2 We revise this Privacy Policy periodically to align with changes in Applicable Laws, our business practices, procedures, or structure, as well as evolving privacy expectations. Any updates will be communicated via email or through our website. Please ensure you review this policy regularly, as continued use of our services indicates your acceptance of the updated terms.
11.3 We will ensure that your rights under this privacy policy remain unaffected unless we obtain your explicit consent to make any limitations.
12.1 Under the PDPA, you have the following rights:
12.1.1 Request access: Ascertain whether we hold your Personal Data, obtain a copy, and understand our policies and practices related to it, including appointing an authorized representative to make the request.
12.1.2 Know: Receive clear and transparent information on how your data is used and your associated rights.
12.1.3 Request correction: Correct inaccuracies in your Personal Data or appoint a representative to do so.
12.1.4 Request erasure or anonymity: Delete or anonymize your Personal Data if there is no lawful reason for continued processing.
12.1.5 Object to processing: Object to processing based on legitimate interests where your specific circumstances justify it.
12.1.6 Restrict processing: Temporarily suspend processing to verify accuracy or the purpose of processing.
12.1.7 Withdraw consent: Withdraw consent for data collection or processing without affecting prior lawful processing.
12.1.8 Request explanation: Seek clarification on this policy and other data processing rules.
12.1.9 Lodge complaints: Make a formal complaint regarding the handling of your Personal Data as outlined in Section 13.
13.1 If you would like to exercise your rights, make any inquiries, requests, or complaints about your personal data, you may contact us at info@xpatmobi.com, or write to Xpatmobi at Level 10, Uptown, 3, Jalan SS 21/39, Damansara Utama, 47400 Petaling Jaya, Selangor, Malaysia.
13.2 We hope that we can resolve any query or concern you may raise about our collection and use of your Personal Data. We aim to respond within 21 days, as required by law. If you’re dissatisfied with our response, you may escalate your concern to the Personal Data Protection Commissioner.
14.1 We are not liable for breaches resulting from your failure to secure your login information.
14.2 While we strive to protect your personal data, no transmission or storage method is 100% secure. By using our services, you acknowledge this inherent risk and agree that we are not responsible for unauthorized access beyond our reasonable control. To help us protect your data, please be reminded to:
14.2.1 Keep your account credentials confidential.
14.2.2 Notify us immediately if you suspect unauthorized access to your account.