Privacy Notice

Effective date: 1 July 2025 · Last updated: 21 June 2026

This notice is issued by Kondoservis Management Sdn Bhd (“we”, “us”, “our”) in compliance with the Personal Data Protection Act 2010 (Act 762) of Malaysia. It explains how we collect, use, store, and protect personal data when you use PropOS, our AI-powered property management platform.

1. Who We Are

PropOS is a SaaS platform operated by Kondoservis Management Sdn Bhd, a property management company registered in Malaysia. We provide property managers, building managers, and strata management firms with tools to manage residential and commercial strata properties under the Strata Management Act 2013.

For any privacy-related queries, contact us at: privacy@propos.my

2. What Personal Data We Collect

Data	What it includes	Why we collect it
Account data	Full name, work email address, phone number	Account creation and login
Company data	Company name, SSM registration number, office address, company email and phone	Setting up your organisation in PropOS
Team member data	Full name, email, phone, job role of invited staff	Team collaboration features
Property data	Property name, address, strata title number, unit details, developer info	Property management operations
Resident / unit data	Unit owner name, contact details imported via Excel onboarding template	WhatsApp routing, correspondence, and compliance tracking
Usage data	Pages visited, features used, timestamps	Product improvement and security monitoring
Error logs	API errors, HTTP status codes, anonymised IP addresses (last octet removed), request paths	Diagnosing technical issues — auto-deleted after 90 days
WhatsApp messages	Inbound and outbound WhatsApp message content, sender number	WhatsApp Hub routing and logging
Payment data	Billing plan, payment status — processed by Billplz or Stripe	We do not store raw card numbers

3. How We Use Your Data

To provide and operate the PropOS platform
To authenticate you and manage your account securely
To process AI-assisted compliance queries, email drafts, and meeting minutes
To route and log WhatsApp messages to the correct property
To send invitation emails to team members you add
To process subscription payments through Billplz or Stripe
To diagnose and fix technical errors
To comply with legal obligations, including Malaysia's Strata Management Act 2013

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

4. Legal Basis for Processing

We process your personal data on the following grounds under PDPA 2010:

Consent — you explicitly agree to this notice when creating an account
Contract performance — processing necessary to provide the subscribed service
Legitimate interests — security monitoring, fraud prevention, error diagnostics
Legal obligation — compliance with Malaysian law where required

5. Data Sharing

We share data only with the following categories of processors, under written agreements:

Data	What it includes	Why we collect it
Supabase (PostgreSQL)	Database and authentication	USA (AWS us-east-1) — SOC 2 Type II, ISO 27001
Vercel	Frontend hosting	USA / Global CDN — SOC 2 Type II
Railway	Backend hosting	USA — SOC 2 Type II
Anthropic (Claude API)	AI processing	USA — enterprise DPA available
360dialog	WhatsApp Business API	EU — GDPR compliant
Billplz	Malaysian payment processing	Malaysia
Stripe	International payment processing	USA — PCI-DSS Level 1

All processors are bound by data processing agreements and provide adequate levels of protection as required under the PDPA (Amendment) Act 2024.

6. Data Retention

Data type	Retention period
Account & company data	Until account is deleted + 30 days
Error logs	90 days (auto-deleted)
WhatsApp messages	12 months from message date
Compliance query history	Duration of active subscription
Payment records	7 years (financial record requirement under Malaysian law)

7. Your Rights Under PDPA 2010

You have the right to:

Access — request a copy of personal data we hold about you
Correction — request that inaccurate or incomplete data be corrected
Withdrawal of consent — withdraw consent at any time (this may affect your ability to use PropOS)
Deletion — request deletion of your account and associated data
Objection — object to processing for direct marketing purposes

To exercise any of these rights, email privacy@propos.my. We will respond within 21 days as required by PDPA 2010. You may also delete your account directly from Settings → My Account → Delete Account.

8. Security Measures

All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
Role-based access controls — staff only see data for their company
Row-Level Security (RLS) enforced at the database level
IP addresses anonymised before storage (last octet removed)
PII redacted from error logs (IC numbers, phone numbers, emails)
Rate limiting on all API endpoints
Multi-factor authentication available via Supabase Auth
Minimum 12-character password policy enforced

9. Cookies

PropOS uses only technically necessary cookies required for authentication (session tokens via @supabase/ssr). We do not use advertising, tracking, or analytics cookies.

10. Changes to This Notice

We may update this Privacy Notice from time to time. We will notify active users by email at least 14 days before any material change takes effect. Continued use of PropOS after the effective date constitutes acceptance of the updated notice.

11. Contact & Complaints

For any privacy concerns, contact our Data Protection Officer at privacy@propos.my.

If you believe your rights have been violated and we have not resolved your concern, you may lodge a complaint with the Personal Data Protection Commissioner of Malaysia (PDPC) at www.pdp.gov.my.