⚠ DRAFT — Privacy notice subject to Malaysian legal counsel review. Not for publication until STORY-047 legal gate clears.
Privacy Notice
Effective: [EFFECTIVE_DATE — insert on publish]
MotorSaver.my is operated as an RHB Insurance Berhad Authorized Agent. We collect and use your personal data under Malaysia's Personal Data Protection Act 2010 (PDPA) as amended by the Personal Data Protection (Amendment) Act 2024.
This Notice explains what data we collect, why we collect it, how we use it, and the rights available to you.
§2 Your Rights Under PDPA 2024
Under the PDPA 2010 (as amended 2024), you have the following rights in relation to your personal data:
- Access: You may request a copy of the personal data we hold about you. We will respond within 21 days of a verified request. ⚠ Counsel review: confirm statutory response window under 2024 Amendment
- Correction: You may request correction of inaccurate or incomplete personal data. We will act on verified correction requests within 21 days. ⚠ Counsel review: confirm timeline
- Withdrawal of consent: For data processed on the basis of your consent (marketing communications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawing consent for service-related processing (which we carry out under the contract lawful basis) will prevent us from delivering the service.
- Erasure: You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to our legal and regulatory obligations. ⚠ Counsel review: confirm erasure rights scope under Malaysia PDPA 2024 vs GDPR
- Data portability: ⚠ Counsel review: confirm whether PDPA 2024 Amendment introduces data portability rights and applicable scope
- Lodge a complaint: You may lodge a complaint with the Personal Data Protection Commissioner (PDPC) at pdp.com.my if you believe your rights have been violated.
To exercise your rights, contact us at: privacy@motorsaver.my ⚠ Counsel review: confirm correct contact address
§3 Data We Collect
We collect the following categories of personal data:
| Data | When collected | Why |
|---|---|---|
| Email address | Registration / magic link | Account creation; service delivery; transactional communications |
| Full name | Registration | Account and policy identification |
| Malaysian identity card number (MyKad / NRIC) | Quote flow | Required for motor insurance underwriting by RHB Insurance Berhad |
| Vehicle registration number | Quote flow | Required for motor insurance underwriting |
| Postcode | Quote flow | Rate determination |
| Odometer reading | At renewal (via RHB panel workshop) | Mileage plan rebate verification |
| IP address (hashed) | Session | Security; fraud detection; registration-failure telemetry |
| Marketing consent flag | Registration (optional) | To send motor insurance tips and renewal reminders — only if you opt in |
We do not collect: telematics or GPS tracking data, dashcam footage, or odometer photos submitted by users (verification is conducted at RHBI panel workshops).
§4 Lawful Bases for Processing
We rely on the following lawful bases under the PDPA 2010 (as amended 2024):
| Purpose | Data used | Lawful basis |
|---|---|---|
| Account creation and authentication | Email, name | Contract |
| Motor insurance quote and application | NRIC, vehicle reg, postcode | Contract; legal obligation (insurance underwriting) |
| Mileage plan rebate verification | Odometer reading (via RHB panel workshop) | Contract |
| Transactional communications (magic link, renewal reminders) | | Contract |
| Security and fraud detection | IP address (hashed) | Legitimate interests |
| Marketing communications (tips, promotions) | | Consent — opt-in only; unsubscribe at any time |
§6 Data Retention
| Data category | Retention period |
|---|---|
| Account data (email, name) | Duration of active account + 7 years after last transaction [⚠ Counsel review] |
| Motor insurance application data | 7 years from policy expiry (regulatory requirement) [⚠ Counsel review: confirm under Bank Negara / PIDM requirements] |
| NRIC | 7 years from policy expiry [⚠ Counsel review] |
| Marketing consent flag | Until withdrawn; record of withdrawal retained indefinitely |
| Security logs (hashed IP) | 90 days [⚠ Counsel review] |
§7 Security and Breach Notification
We implement technical and organisational measures to protect your personal data, including encryption at rest and in transit and access controls.
Breach notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Personal Data Protection Commissioner within 72 hours of becoming aware, and notify affected individuals without undue delay where required. ⚠ Counsel review: confirm breach notification obligations and timelines under PDPA 2024 Amendment — verify 72h applies to this data controller category
§9 Contact and Complaints
Data controller: [REGISTERED_ENTITY_NAME — pending confirmation]
RHB Insurance Berhad Authorized Agent
Privacy enquiries: privacy@motorsaver.my ⚠ Counsel review: confirm address
DPO: [DPO_NAME_AND_CONTACT — pending designation per PRD §22.6]
Complaints: You may contact the Personal Data Protection Commissioner (PDPC) at pdp.com.my.
§10 Updates to This Notice
We will notify registered users by email if we make material changes to this Privacy Notice.
Version: DRAFT — [VERSION_DATE on publish]