LEGAL

Privacy Policy

Welluber Sdn Bhd
Last updated: April 2026

1. Who We Are

Welluber Sdn Bhd ("Welluber", "we", "us", or "our") operates a corporate wellness benefits platform that connects organisations, employees, and service providers. We are the data processor acting on behalf of the organisations ("HR Clients") that use our platform to manage employee benefits.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights under the Personal Data Protection Act 2010 (PDPA) of Malaysia.

By using the Welluber platform, you consent to the practices described in this policy.

2. The Data We Collect

We collect the following categories of personal data depending on your role on the platform:

2.1 All Users

Full name
Email address
Phone number
Account credentials (encrypted)

2.2 Employees

Employer organisation and branch
Role, department, and employment type
Salary band (where provided by the HR Client for policy eligibility purposes)
Benefit wallet balance and transaction history
Health and wellness spending categories (e.g. fitness, mental health, medical)

2.3 HR Administrators

Name and work contact details
Role and access permissions within the platform
Audit logs of policy changes and administrative actions

2.4 Service Providers

Business registration details
Bank account information for settlement purposes
Transaction and payout history
Service categories and listings

2.5 Payment Data

We do not store full payment card details. Payment transactions are processed by authorised third-party payment gateways. We retain transaction references, amounts, timestamps, and status records for reconciliation and audit purposes.

3. Why We Collect This Data

We collect and process personal data for the following purposes:

Purpose	Legal Basis (PDPA)
Creating and managing user accounts	Consent / Contractual necessity
Delivering the benefits platform to HR Clients and their employees	Contractual necessity
Processing transactions and settlements	Contractual necessity
Enforcing benefit policy rules configured by HR Clients	Contractual necessity
Sending transactional notifications (wallet activity, payouts)	Consent
Compliance, audit, and fraud prevention	Legal obligation
Platform improvement and analytics (aggregated, non-identifiable)	Legitimate interest

We do not use your personal data for advertising or sell it to third parties.

4. Data Processed on Behalf of HR Clients

Where an HR Client uploads or submits employee data to Welluber — including names, roles, departments, and salary bands — Welluber acts as a data processor on behalf of that HR Client, who is the data controller.

HR Clients are responsible for:

Obtaining lawful consent from their employees to share such data with Welluber
Ensuring the accuracy of employee data submitted to the platform
Notifying Welluber of any data correction or deletion requests from employees

Welluber will process such data only as instructed by the HR Client and as necessary to deliver the platform services.

5. How We Share Your Data

We share personal data only where necessary:

Payment gateways — to process transactions on your behalf
Cloud infrastructure providers — for platform hosting and data storage (see Section 6)
HR Clients — employees' utilisation data is visible to their HR administrators within the scope of the configured benefit policy
Regulatory and law enforcement authorities — where required by Malaysian law

We do not share personal data with unaffiliated third parties for marketing purposes.

6. Where Your Data Is Stored

Your data is hosted on infrastructure located in Malaysia and Singapore (e.g. AWS Singapore region). Cross-border transfers to Singapore are made in compliance with Section 129 of the PDPA, and we apply appropriate safeguards to ensure your data receives equivalent protection.

7. How Long We Keep Your Data

Data Type	Retention Period
Account and profile data	Duration of account + 7 years
Transaction and settlement records	7 years (for regulatory compliance)
Audit logs	7 years
Inactive accounts	3 years from last activity, then deleted

Upon written request for account deletion, we will remove identifiable personal data except where retention is required by law.

8. Your Rights Under PDPA

You have the right to:

Access the personal data we hold about you
Correct inaccurate or incomplete data
Withdraw consent for non-essential processing (note: this may affect your ability to use certain platform features)
Request deletion of your data, subject to legal retention requirements

To exercise any of these rights, contact us at privacy@welluber.com. We will respond within 21 days.

If you are an employee, your HR administrator may also submit data correction or deletion requests on your behalf.

9. Data Security

We implement technical and organisational measures to protect your personal data, including:

Encryption in transit (TLS) and at rest
Role-based access controls
Immutable audit logs
Regular security assessments

No system is completely secure. In the event of a data breach affecting your personal data, we will notify affected parties in accordance with our obligations under Malaysian law.

10. Cookies

We use cookies and similar technologies to maintain session state, prevent fraud, and improve platform performance. We do not use third-party advertising cookies. You may disable cookies in your browser settings, though this may affect platform functionality.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email or in-platform notification at least 14 days before changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy.

12. Contact Us

Data Protection Officer
Welluber Sdn Bhd
Kuala Lumpur, Malaysia

Email: contact@welluber.com

This Privacy Policy is governed by the laws of Malaysia. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Kuala Lumpur.