PDPA s.7 Notice
Last reviewed: 2026-05-20 (draft — pending lawyer sign-off)
This notice is issued by Klinik Dr Gian Sdn Bhd (the “data controller”, the term the 2024 amendment substitutes for the former “data user”) under section 7 of the Personal Data Protection Act 2010 of Malaysia (the “PDPA”), as amended by the Personal Data Protection (Amendment) Act 2024.
1. Who we are
Klinik Dr Gian Sdn Bhd operates the Caregiver System (the “System”) — an internal clinical workflow platform used by the clinic's staff to coordinate home-care visits, capture assessments, generate care reports, and communicate with families about visit outcomes.
2. Personal data we collect
We collect the following categories of personal data:
- Patient identity — full name, IC / passport number (stored hashed and displayed as last-4 digits to all but admin-tier staff), date of birth, gender, residential address and approximate GPS coordinates of the registered address.
- Patient health — clinical assessments (Mini-CGA, Environmental Fit, ADL, fall risk), vital signs, allergies, mobility level, chronic conditions, medication notes, photographs taken during visits.
- Family-contact identity — full name, phone number (WhatsApp), email address, relationship to patient.
- Staff identity — full name, email address, phone number, professional credentials (for nurses), Telegram chat identifier (for nurses).
- Operational metadata — visit timestamps, GPS clock-in / clock-out coordinates, audit log of every action a staff member takes against the data.
3. Purposes of processing
We process personal data for the following purposes:
- To deliver in-home care services to the patient.
- To dispatch nurses to a visit and verify that the nurse arrived at the patient's home (via GPS geofencing).
- To produce a clinical care report after each visit and send a copy to the patient's primary contact.
- To invoice the patient's family / financial guarantor for services rendered.
- To maintain an audit trail of every action taken on patient data (required for clinical-record retention and regulatory defensibility).
- To detect and respond to security incidents that could affect data subjects.
We do not use personal data for marketing, third-party analytics, or any purpose unrelated to clinical care delivery and the operational necessities listed above.
4. Source of personal data
Personal data is provided directly by the data subject (at registration), by an authorised primary contact acting on the data subject's behalf, or generated by the System during the course of care delivery (e.g. visit GPS coordinates, assessment scores, audit log entries).
5. Disclosure to third parties
We disclose personal data only to the following sub-processors, each engaged under a written agreement that requires PDPA-level data protection:
- Supabase (database / authentication / file storage) — hosted in Singapore (ap-southeast-1).
- Vercel (web application hosting) — global edge network; primary serving region is Singapore (sin1).
- Sentry GmbH (error monitoring) — hosted in Germany (Frankfurt). Error events are PII-scrubbed before transmission.
- Meta Platforms Inc. (WhatsApp Cloud API) — used to send care-report notifications to the patient's registered WhatsApp number. Limited to phone number, recipient name, patient name, and a verify-URL token.
- Telegram Messenger LLP — used by nurses to receive visit assignments and acknowledge them. Limited to chat identifier, visit dispatch payload.
- Dropbox Sign LLC (electronic signatures) — when a care report requires a co-signing physician.
- Google LLC (Maps Platform) — for geocoding patient addresses and rendering address maps. Limited to the address string; no patient identity is sent.
We do not sell personal data. We do not disclose personal data to any party other than the sub-processors listed above except where required by Malaysian law, by a court of competent jurisdiction, or with the data subject's explicit written consent.
6. Cross-border transfer
Personal data is stored primarily in Singapore (Supabase ap-southeast-1). Error monitoring events are transferred to Germany (Sentry Frankfurt) after PII scrubbing. Vercel's edge network, WhatsApp, Telegram, and Google Maps may process data on global infrastructure under their respective data-processing terms. Each cross-border transfer is made either to a jurisdiction whose law is substantially similar to the PDPA or that otherwise ensures an equivalent level of protection, as permitted by section 129 of the PDPA as amended in 2024, or under a PDPA-compliant data-processing agreement with the recipient.
7. Retention
We retain clinical records for seven (7) years from the date the patient's case is closed, in line with Malaysian medical-records retention practice. Audit logs are retained for the same period. At the end of this period, records are soft-deleted and then permanently removed by an automated reaper process (see the System's scheduled jobs documentation).
Transient system data (e.g. session refresh tokens, rate-limit counters) is not part of the clinical record and is deleted automatically on a much shorter cycle — typically minutes to days.
8. Your rights as a data subject
Under the PDPA, you have the following rights with respect to your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right of correction — request correction of inaccurate or incomplete data.
- Right to withdraw consent — for any processing that depends on your consent, you may withdraw consent at any time. (Note: processing required to deliver clinical care or required by law is not consent-based and cannot be withdrawn.)
- Right to prevent processing — require us to cease, or not begin, processing that is likely to cause you unwarranted substantial damage or distress, and to stop using your data for direct marketing (which we do not do in any case).
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to lodge a complaint — with the Personal Data Protection Commissioner of Malaysia at pdp.gov.my or phone 03-8911-7000.
To exercise any of these rights, contact our Data Protection Officer at dpo@klinikdrgian.com.my. We respond within 21 days of a verified request.
9. Security
We protect personal data with a defence-in-depth posture including (but not limited to): TLS in transit, encryption at rest, role-based access controls enforced at the database level via row-level-security policies, multi-factor authentication for staff with administrative privileges, audit logging of every data access, and a documented breach-notification runbook aligned with the PDPA's 72-hour notification requirement.
10. Changes to this notice
We may update this notice from time to time. Material changes will be communicated by email to all active data subjects whose email address is on file, and the “Last reviewed” date at the top of this page will be updated.
11. Contact
Klinik Dr Gian Sdn Bhd
Data Protection Officer: dpo@klinikdrgian.com.my
General enquiries: hello@klinikdrgian.com.my
[LAWYER REVIEW REQUIRED] This is a drafting template covering the PDPA s.7 disclosure elements. Engage a Malaysian privacy lawyer to verify the company name, the “data controller” / “data user” terminology, sub-processor entity names, retention rationale, and cross-border transfer language before treating this notice as production-final. Budget per docs/launch/operator-final-mile.md: RM 1,000–3,000.