// LEGAL · TRANSPARENCY
Privacy Policy
Introduction
Welcome to Teh Tarik Digital ("TTD", "we", "our", "us"). We are committed to protecting your privacy and handling personal data openly, lawfully, and in a manner consistent with our obligations under Malaysian and international data protection law.
TTD is a Malaysian technology company that builds enterprise and government-facing platforms — IRIS, JomWork, NURI, and SmartPole OS — as well as our public website and related services. Because we serve both direct users of our website and enterprise/government clients who deploy our platforms to their own employees, citizens, and end-users, this Policy describes two distinct roles TTD may occupy. Please read the section below carefully, as it determines how you exercise your rights and who you should contact.
Please read this Privacy Policy carefully to understand our practices regarding your personal data. If you do not agree with the data practices described in this Policy, you should discontinue your use of our website and direct services.
This Privacy Policy may be made available in Bahasa Malaysia, Simplified Chinese, Tamil, or other languages for your convenience. In the event of any conflict, inconsistency, or ambiguity between the English version and any translated version, the English version shall prevail.
Our Role: Data Controller vs. Data Processor
TTD does not sit in a single position with respect to your personal data. Depending on which part of our business you are interacting with, we act either as a:
- Data Controller — we determine the purposes and means of processing personal data, and are directly answerable to you for that data; or
- Data Processor — we process personal data strictly on the documented instructions of an enterprise or government client, who is the Data Controller and is answerable to you for that data.
Note: the PDPA Amendment replaced the term "Data User" with "Data Controller" throughout Malaysian law. This Policy uses "Data Controller" to reflect current terminology. The two terms refer to the same legal role.
Where TTD is the Data Controller
- Our public website (tehtarik.digital) and its cookies/analytics.
- Marketing enquiries, newsletter subscriptions, and sales contacts.
- Job applicants and career page submissions.
- Corporate contract administrators and procurement contacts at our clients.
For this category of data, you can exercise your rights directly with us — see "Your Privacy Rights" below.
Where TTD is the Data Processor
- Operational, employee, citizen, or end-user data processed through our platforms — IRIS, JomWork, NURI, and SmartPole OS — where an enterprise, government, or municipal client has deployed that platform.
If you are an employee, citizen, patient, or end-user interacting with one of these platforms via a deploying organisation, that organisation is your Data Controller, not TTD. We process data under contract and on their instructions, and cannot act on that data independently of them, including in response to individual rights requests (see below).
If you are unsure which category applies to you, contact privacy@tehtarik.digital and we will direct you appropriately.
Information We Collect
Depending on your relationship to TTD (see above), we or our clients may collect:
- Personal Identifiable Information (PII): name, email address, phone number, and postal address when you register, subscribe, or contact us.
- Usage Data: IP address, browser type, operating system, pages viewed, and visit timestamps.
- Device Information: hardware model, OS version, unique device identifiers, and mobile network information.
- Cookies and Tracking Technologies: used to track activity and maintain session state — see "Cookies and Tracking Technologies" below.
- Sensitive Personal Data, where applicable to a specific product — see "Sensitive Personal Data" below.
How We Use Your Information
Where TTD is the Data Controller, we use information to:
- Provide, operate, and maintain our services.
- Improve, personalise, and expand our services.
- Understand and analyse how our services are used.
- Develop new products, services, features, and functionality.
- Communicate with you for customer service, updates, and marketing purposes.
- Process transactions and manage accounts.
- Detect and prevent fraud and security incidents.
Where TTD is the Data Processor, data is used solely to deliver the contracted service to the relevant Data Controller (client), per our processing agreement with them.
Legal Basis for Processing
Where required by GDPR, PDPA, or equivalent law, we process personal information only when we have a valid legal basis:
- Consent — explicit consent has been given for a specific purpose.
- Contract — processing is necessary to perform a contract with you or your organisation.
- Legal Obligation — processing is required to comply with applicable law.
- Legitimate Interests — processing is necessary for a legitimate business interest, provided this does not override your fundamental rights.
Product-Specific Data Practices
This Policy applies across all TTD products. Because each product serves a different purpose and audience, the categories of data processed, TTD's role (Controller or Processor), and the applicable protections vary by product, as set out below.
IRIS
IRIS is an AI orchestration platform for enterprise and government workflows — procurement, contract approvals, document coordination, and compliance checks — where the priority is accountable, auditable process rather than autonomous decision-making. Documents and requests are processed by AI agents to extract, classify, and route information, but defined checkpoints require human approval before the workflow proceeds; the specific checkpoints are configurable per workflow type and risk level. Every agent action, decision, and human intervention is recorded in an immutable audit log, exportable for internal or regulatory review. Individuals may request further information about the logic involved in automated processing that affects them by contacting privacy@tehtarik.digital.
IRIS deployments can run on-premise or within Malaysian cloud regions where data residency is required. For IRIS deployments to enterprise or government clients, TTD typically acts as Data Processor; the deploying organisation is the Data Controller for its own operational and end-user data.
JomWork
JomWork is an internal knowledge and document-retrieval platform. It indexes a client organisation's own content — internal documents, policies, and institutional knowledge held in systems such as Google Drive, Confluence, Notion, Jira, Slack, SharePoint, and email — and allows staff to query that content in natural language, with answers grounded in and cited to the client's own source documents. JomWork does not process workforce attendance, scheduling, or location data, and has no biometric functionality.
JomWork supports two isolated deployment modes on the same underlying index: an Internal Brain, accessible only to authenticated staff with full access to the client's indexed knowledge base, and an optional Public Brain, which exposes only content the client has explicitly approved for public-facing use (for example, a website FAQ chatbot). The two are architecturally separated so that internal-only content is never exposed through the public-facing surface.
JomWork is self-hosted on Malaysian cloud infrastructure. A client's data remains within that client's own environment, is never shared with or accessible to other clients, and is never used to train TTD's or any third party's AI models. Access within a client's deployment is controlled by granular, per-user and per-team permissions configured by the client (for example, restricting HR documents to HR staff).
TTD acts as Data Processor for the content indexed and processed through JomWork; the employer or organisational client is the Data Controller and determines what content is indexed and who may access it.
NURI
NURI is a localised clinical AI platform functioning as a digital twin for frontline healthcare and residential care teams — handling voice-driven clinical documentation, real-time vitals and incident monitoring, automated early-warning scoring (NEWS2), shift handover generation, and care scheduling, integrated with facility systems via HL7/FHIR. It is built around Malaysian care settings, including MOH clinical protocols and documentation standards.
NURI processes health-related data as part of this functionality. Health-related data is treated as sensitive personal data, requiring heightened protection: access is restricted to personnel with a defined operational need, data is retained only for the purpose it was collected, and it is never used for marketing or profiling. NURI is designed for on-premise or local-cloud deployment with no external data dependency: clinical data processing and inference are contained within the deploying facility's own environment rather than transmitted to or processed by external systems.
TTD's role for NURI varies by deployment and is set out in a dedicated NURI Platform Privacy Notice, which should be read together with this Policy for any NURI deployment. In general, a healthcare provider (hospital, clinic, or residential care operator) instructs TTD and is the Data Controller, with TTD acting as Data Processor; some deployments may involve a different arrangement, which the deployment-specific notice will confirm. If you are unsure which arrangement applies to your deployment, contact privacy@tehtarik.digital.
SmartPole OS
SmartPole OS is IoT middleware that normalises data from smart-pole-mounted devices — lighting controllers, EV chargers, environmental sensors, and IP cameras — into a single operations layer for municipal and enterprise deployments, supporting automation, predictive maintenance, and compliance/council reporting.
Several SmartPole OS modules process personal data and are relevant to this Policy:
- Video analytics module. Where a deployment connects standard IP cameras, the platform can run people-flow counting, crowd density monitoring, stationary-object/incident detection, and Automatic Number Plate Recognition (ANPR). These sub-modules process personal data (including vehicle plate data, in the case of ANPR) and are available as part of the platform's standard analytics capability.
- Facial recognition. A separate, distinct sub-module of video analytics, facial recognition is disabled by default and requires written authorisation from TTD prior to activation for a given deployment, consistent with the explicit consent requirement for sensitive personal data under PDPA Section 40 (biometric data was brought within the scope of "sensitive personal data" by the Personal Data Protection (Amendment) Act 2024). It is not enabled as a matter of course alongside the other video analytics functions above.
- Environmental and location-linked sensor data, including air quality, water level, and rainfall telemetry tied to specific pole locations, used for automated alerting and council/regulatory reporting.
SmartPole OS is supplied to clients as software deployed on the client's own infrastructure. TTD does not host, operate, or have access to a client's video, sensor, or telemetry data streams. The deploying municipal body, government authority, or enterprise client operates the platform and is responsible for any telecommunications licensing applicable to their network (for example, under the Communications and Multimedia Act 1998) — TTD is a technology provider and does not hold, and is not required to hold, any such licence.
For all SmartPole OS deployments, TTD acts as Data Processor only in the limited sense of supplying and supporting the software; the deploying enterprise, municipal body, or government authority is the Data Controller and the operator of the system, including for consent notices at the point of data capture (e.g. signage disclosing camera or sensor presence to the public) and for any facial-recognition-specific authorisation and notice requirements.
Sensitive Personal Data
Under the PDPA (as amended), sensitive personal data includes health data, biometric data, religious beliefs, and financial information beyond basic transaction records. Under Section 40 of the PDPA, sensitive personal data may not be processed unless the data subject has given explicit consent, or another specific condition set out in that section applies — a materially stricter standard than the general consent basis that applies to ordinary personal data.
The following TTD products may process sensitive personal data:
- NURI — health data (see above).
- SmartPole OS — biometric (facial recognition) data, only where written authorisation has been granted and the feature activated for that deployment (see above). Note: SmartPole OS's standard video analytics (people counting, ANPR, crowd density, incident detection) process personal data more broadly — including vehicle plate data via ANPR — but are not classified as sensitive personal data in the same way biometric identification data is; this general personal data is still subject to the protections described throughout this Policy.
TTD applies restricted access, purpose limitation, and heightened security controls to any sensitive personal data it processes, whether as Controller or Processor.
Data Sharing and Disclosure
We may share information in the following situations:
- With Your Consent — when you give explicit consent.
- Service Providers — third-party vendors performing services on our behalf, including cloud infrastructure and hosting, email and communications delivery, analytics, and customer support tooling. These providers are contractually bound to protect data and use it only for the purposes we specify.
- Legal Requirements — when required by law or in response to valid requests by public authorities.
- Business Transfers — in connection with a merger, acquisition, or sale of company assets.
- Aggregated or Anonymised Data — data that cannot reasonably be used to identify an individual.
Where TTD acts as Data Processor for a client platform (IRIS, JomWork, NURI, SmartPole OS), data is shared only as instructed by the relevant Data Controller and as permitted under our processing agreement with them.
International Data Transfers
Our services may be hosted in countries outside your own, including Malaysia and jurisdictions where our service providers operate. Following the PDPA Amendment, the previous "whitelist" regime for cross-border transfers has been replaced with a risk-based framework: transfers are permitted to jurisdictions with data protection laws substantially similar to the PDPA, or that ensure an adequate level of protection, or under specified exceptions (including consent).
Where we transfer personal information across borders, we use standard contractual clauses, verify adequate data protection standards in receiving countries, or obtain explicit consent as required. By using our services, you acknowledge that your information may be transferred to and processed in countries with different data protection laws.
Data Retention
We retain personal information only as long as necessary to fulfil the purposes described in this Policy, unless a longer period is required by law:
| Category | Retention Period |
|---|---|
| Account information | While active, plus up to 6 months thereafter |
| Usage data | Up to 12 months, for analytics and service improvement |
| Marketing communications data | Until unsubscribe or deletion request |
| Transaction records | As required by applicable tax and commercial law (typically 7 years in Malaysia) |
| Client platform data (IRIS, JomWork, NURI, SmartPole OS) | Per the retention terms in the applicable client agreement; TTD retains only as instructed by the Data Controller |
When personal information is no longer needed, we securely delete or anonymise it.
Data Security
We protect personal information from unauthorised access, use, alteration, and disclosure using measures that include end-to-end encryption, role-based access controls, regular security assessments, and hosting environments provided by ISO/IEC 27001-certified providers.
Following the PDPA Amendment, Section 5(1A) of the PDPA now extends the Security Principle (set out in Section 9) directly to Data Processors, not only Data Controllers. TTD, in its capacity as Data Processor for IRIS, JomWork, NURI, and SmartPole OS, is directly and independently accountable for securing the data it processes on behalf of its clients.
No method of transmission over the Internet is 100% secure. While we use commercially reasonable means to protect data, we cannot guarantee absolute security.
Data Breach Notification
In the event of a personal data breach likely to cause significant harm to affected individuals, TTD will notify:
- The Personal Data Protection Commissioner of Malaysia, as soon as practicable and in any event within 72 hours of becoming aware of the breach (per Section 12B of the amended PDPA);
- Affected individuals, without unnecessary delay, where the breach causes or is likely to cause significant harm; and
- Relevant EU supervisory authorities, within 72 hours, where GDPR applies.
TTD maintains a breach register for a period of not less than two years, documenting the cause, impact, and remedial actions taken for each incident. Notification may be made by email, a prominent notice on our website, or other direct communication.
Where TTD acts as Data Processor, we notify the relevant Data Controller (client) of any breach without undue delay, so that they may fulfil their own notification obligations.
Cookies and Tracking Technologies
We use cookies and similar tracking technologies to operate and optimise our public website. Strictly necessary cookies, required for the site to function (such as session management and security), are used automatically. Non-essential cookies — such as those used for analytics — are used only in accordance with your consent choices; where our cookie consent banner is active, you can accept or reject non-essential categories individually, and change your choice at any time. Where the banner is not yet active for a given part of our site, you can control cookies through your browser settings; disabling cookies may affect service functionality.
In addition to first-party cookies, we may use third-party services that set their own cookies, including Google Analytics.
Do Not Track (DNT): Our website does not currently respond to DNT signals, as no universal standard has been adopted. You may use your browser settings to manage tracking technologies.
Your Privacy Rights
If TTD is your Data Controller
If you are a direct visitor, subscriber, or contact of TTD (see "Our Role" above), you may exercise the following rights by contacting privacy@tehtarik.digital. We will respond within 30 days and may ask you to verify your identity first.
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion, subject to legal exceptions.
- Restriction — request that we limit how we use your data.
- Data Portability — receive your data in a structured, commonly used, machine-readable format, or have it transmitted directly to another controller of your choice, where technically feasible (per Section 43A of the amended PDPA).
- Objection — object to processing based on legitimate interests or direct marketing.
- Withdraw Consent — at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a Complaint — with the Malaysian Department of Personal Data Protection (www.pdp.gov.my) or your local supervisory authority.
If TTD is a Data Processor for a platform you use
If your data is processed through IRIS, JomWork, NURI, or SmartPole OS as an employee, contractor, patient, or citizen of one of our clients, TTD acts as a Data Processor for that data. Please direct your rights request to the deploying organisation (your employer, healthcare provider, or the relevant government/municipal authority) — they are the Data Controller and are responsible for responding to your request.
TTD supports and cooperates with these requests under our processing agreements, but cannot alter, export, or delete platform data without verified instruction from the Data Controller.
Data Protection Officer (DPO)
Under Section 12A of the amended PDPA, organisations — whether acting as Data Controller or Data Processor — must appoint a DPO if they meet at least one of the following thresholds, per the Commissioner's Guideline effective 1 June 2025:
- processing the personal data of 20,000 or more individuals; or
- processing the sensitive personal data (or financial information) of 10,000 or more individuals; or
- carrying out regular and systematic monitoring of personal data (examples given by the Commissioner include CCTV-type monitoring and algorithmic recommendation systems).
Current status: TTD's products are licensed to clients who provision, own, and operate their own deployment infrastructure; TTD does not itself operate client-side monitoring or analytics infrastructure as part of its current business model. On this basis, TTD's assessment is that the statutory DPO appointment thresholds are not currently met. This assessment is tied to TTD's current operating model and will be reviewed, and this Policy updated accordingly, if that model changes.
In the interim, all PDPA-related queries should be directed to dpo@tehtarik.digital.
Children's Privacy
Our services are not directed to children under the age of 16. We do not knowingly collect personal information from children under this age. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately and we will delete it promptly.
Security & Compliance Framework
How TTD operates
TTD's data protection practices are structured around the following frameworks and standards. These describe how we operate — they are not, except where explicitly stated, independent certifications of TTD itself; ISO 27001 and SOC 2 Type II certifications below are held by TTD's infrastructure and hosting providers, not TTD directly.
- Personal Data Protection Act 2010, as amended by the Personal Data Protection (Amendment) Act 2024 ("PDPA"): TTD complies with the PDPA's data protection principles — General, Notice & Choice, Disclosure, Security, Retention, Data Integrity, and Access — in its capacity as both Data Controller and Data Processor, including the direct Security Principle obligations now placed on Data Processors under Section 9.
- General Data Protection Regulation ("GDPR"): for users in the European Economic Area or United Kingdom, TTD complies with GDPR requirements including lawful basis for processing, data subject rights, breach notification within 72 hours, and appointment of a Data Protection Officer where applicable. GDPR-related requests: gdpr@tehtarik.digital.
- ISO/IEC 27001 Information Security Management: TTD hosts its platform and data infrastructure on providers certified to ISO/IEC 27001, covering risk assessment, access management, and encryption at rest and in transit.
- SOC 2 Type II: TTD's platform is hosted on infrastructure provided by SOC 2 Type II-certified providers, covering the Security, Availability, and Confidentiality Trust Service Criteria.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified by posting the updated policy on this page and updating the effective date above. For significant changes, we may also provide notice by email. You are advised to review this Policy periodically.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- General privacy queries: privacy@tehtarik.digital
- Data Protection Officer: dpo@tehtarik.digital
- GDPR requests: gdpr@tehtarik.digital
- Legal queries: legal@tehtarik.digital
- Address: SunTech @ Penang CyberCity, 11950 Bayan Lepas, Pulau Pinang, Malaysia
- Phone: +604 - 44 20 891
- Malaysian PDPA Complaints: www.pdp.gov.my