Version: 1.0.0
Effective Date: March 18, 2026
Last Updated: March 18, 2026
Company: CarBeep Sdn. Bhd.
Registration No.: [INSERT REGISTRATION NUMBER]
Registered Address: [INSERT REGISTERED ADDRESS]
Applicable Law: Personal Data Protection Act 2010 (Act 709), including applicable amendments, regulations, standards, guidelines, and circulars in force in Malaysia
1. Introduction
1.1 About this Policy
This Privacy Policy explains how CarBeep Sdn. Bhd. ("CarBeep", "we", "us", or "our") collects, uses, stores, protects, shares, and otherwise processes personal data when you use the CarBeep customer app, the CarBeep Buddy workshop app, our website, and related services (together, the "Services").
This Policy applies to customers, workshop owners, workshop staff, prospective buyers or applicants, and other individuals whose personal data is processed through the Services or in connection with a commercial transaction involving CarBeep.
We process personal data in accordance with the Personal Data Protection Act 2010 (Act 709) of Malaysia ("PDPA") and other laws, regulations, circulars, and regulatory requirements that apply to our business and the services we facilitate.
1.2 Who is responsible for your personal data
For the purposes of the PDPA, CarBeep acts as the data user in relation to the personal data that we decide to collect and use.
CarBeep Sdn. Bhd.
Registration No.: [INSERT REGISTRATION NUMBER]
Registered Address: [INSERT REGISTERED ADDRESS]
Privacy Contact: privacy@carbeep.com.my
1.3 Important terms
In this Policy:
- Personal data means information that relates directly or indirectly to an individual who is identified or identifiable from that information and other information in our possession.
- Sensitive personal data has the meaning given under the PDPA and includes data relating to health, political opinions, religious beliefs, or the commission or alleged commission of an offence.
- Processing includes collecting, recording, holding, storing, using, disclosing, correcting, transferring, restricting, anonymising, or deleting personal data.
- KYC documents means identity, financial, employment, or business verification documents collected for insurance, financing, or related compliance workflows.
2. What personal data we collect
We collect different categories of personal data depending on the feature you use, the transaction you request, and whether you are using the customer app, the Buddy app, or a related support or compliance process.
2.1 Identity and account data
- Data we may collect: full name, phone number, email address, gender, date of birth, and profile photo.
- How we collect it: registration, profile set-up, support interactions, profile updates, and user uploads.
- Why we use it: account identification, authentication, account security, service communications, account recovery, support, profile display, and, where relevant, age checks for insurance or financing workflows.
- When required: full name and phone number are required to create and secure an account. Other fields are optional unless a specific workflow requires them.
2.2 Government identity data
- Data we may collect: IC / MyKad number, IC / MyKad images, passport images, and driving licence images.
- How we collect it: insurance, financing, and KYC document-upload flows.
- Why we use it: quote generation, identity verification, eligibility checks, policy or application processing, and partner submission where required.
- When required: only for relevant insurance, financing, or verification workflows, and only to the extent needed for the relevant product or partner.
2.3 Financial data
- Data we may collect: monthly income, employment type, bank statement images, payslip images, EPF statement images, income tax form images, and payment transaction records.
- How we collect it: financing forms, KYC uploads, payment flows, and booking-related payment activity.
- Why we use it: eligibility review, affordability assessment, income verification, transaction history, reconciliation, refunds, and support.
- When required: only where a financing, insurance, or payment workflow depends on it.
2.4 Business documents for company applicants
- Data we may collect: SSM certificate images, company forms and statutory documents, constitutional documents, and board resolutions.
- How we collect it: company application and KYC upload flows.
- Why we use it: business verification, company profile and director verification, constitutional checks, and proof of authority for a purchase or financing request.
- When required: only for company applications or when the relevant product or partner asks for it.
2.5 Vehicle data
- Data we may collect: vehicle registration number, vehicle identification number (VIN), make, model, year, variant, current mileage, insurance expiry date, road tax expiry date, and vehicle photos.
- How we collect it: vehicle profiles, request forms, booking flows, and user uploads.
- Why we use it: vehicle identification, service delivery, workshop matching, service eligibility checks, insurance quote or renewal support, reminders, and support review.
- When required: vehicle registration number, make, model, year, and variant are required for relevant vehicle-based services. Other fields are optional unless the relevant workflow requires them.
2.6 Location data
- Data we may collect: GPS location or approximate device location.
- How we collect it: device location permissions.
- Why we use it: nearby workshop search, maps, and routing support.
- When required: location access is optional, but some location-based search features may not work without it.
We process location data for real-time functionality such as nearby workshop discovery and navigation support. We do not maintain a user-facing location history as a product feature. Standard server and security logs may still record network and device-level access information such as IP address.
2.7 Communications data
- Data we may collect: chat messages, reviews and ratings, booking notes, and push notification tokens.
- How we collect it: in-app communication tools, post-service submissions, booking requests, app registration, and device permissions.
- Why we use it: customer and workshop communication, service coordination, dispute handling, quality assurance, marketplace trust, support review, and push notification delivery.
- When required: chat messages and notification tokens are collected only if you use those features. Reviews, ratings, and booking notes are optional, although booking notes may improve service accuracy.
2.8 Technical and device data
- Data we may collect: IP address, user agent and device details, and app version.
- How we collect it: automatically when you use the Services.
- Why we use it: security, fraud prevention, operational logging, device compatibility, diagnostics, troubleshooting, support, and audit purposes.
- When required: this data is collected automatically as part of operating and securing the Services.
2.9 Workshop business data in CarBeep Buddy
- Data we may collect: workshop name, SSM registration number, business address, business phone and email, operating hours, workshop photos, and transaction or booking data.
- How we collect it: business registration, workshop profile updates, uploads, and platform activity.
- Why we use it: business listing, navigation, communications, verification, compliance, service operations, reporting, and payout administration.
- When required: core business identity and contact details are required for Buddy accounts and workshop listings. Other information is optional unless required for listing quality or a relevant business workflow.
3. How we use your personal data
We use personal data only for purposes connected with the operation of CarBeep, the services you request, compliance, security, support, and related commercial transactions.
3.1 Providing the Services
We use personal data to:
- create and maintain user accounts;
- authenticate users and protect account security;
- process workshop bookings, updates, and related communications;
- manage vehicle profiles and service-related records;
- connect customers with workshops based on vehicle and service information; and
- send operational notifications such as confirmations, reminders, and status updates.
3.2 Insurance and financing support
We use personal data to:
- support insurance quotation or renewal workflows;
- collect, review, and transmit KYC documents where required;
- support application handling with authorised insurers, takaful operators, financing partners, or related service providers; and
- communicate application progress or supporting-document requirements.
3.3 Car marketplace and vehicle purchase workflows
We use personal data to:
- support vehicle purchase or marketplace enquiries;
- collect application details for financing or purchase-related workflows; and
- facilitate communications between the relevant parties involved in the request.
We use personal data to:
- troubleshoot user issues;
- investigate complaints and disputes;
- improve product features, usability, and service quality; and
- maintain internal quality assurance, testing, and operational controls.
3.5 Security, compliance, and fraud prevention
We use personal data to:
- prevent fraud, abuse, and unauthorised access;
- investigate suspicious or unlawful activity;
- maintain audit trails and compliance records;
- respond to lawful requests, court orders, or regulatory requirements; and
- support internal security investigations and incident response.
3.6 Communications and marketing
We use personal data to:
- send service-related and account-related notifications;
- send reminders for time-sensitive features such as insurance or road tax when enabled; and
- send marketing or promotional messages only through channels and preferences you have consented to.
We do not use WhatsApp OTP authentication flows as a channel for general marketing.
4. How we share your personal data
We do not sell your personal data. We share personal data only where it is needed to provide the relevant service, complete a transaction you requested, comply with law, protect the platform, or support our business operations.
4.1 Workshop partners through CarBeep Buddy
- Data we may share: your name, vehicle details such as make, model, plate, and variant, booking notes, service selections, and relevant chat messages.
- Why we share it: service delivery, workshop coordination, related support, and dispute handling.
- When we share it: when a booking is sent to or accepted by a workshop, while the booking is active, or where related support requires it.
Workshop partners must use customer data only for the requested service and related support or compliance purposes.
- Data we may share: IC / MyKad number, vehicle registration and vehicle details, and KYC documents where required.
- Why we share it: quote support, renewal handling, policy application processing, or verification.
- When we share it: when you request insurance support, and only to the extent needed for the relevant provider or workflow.
- Data we may share: identity and contact details, financial and employment information, and KYC or supporting documents.
- Why we share it: application processing, eligibility review, supporting assessment, and compliance.
- When we share it: when you request a financing workflow, and only where the relevant provider requires it.
4.4 Payment service providers
- Data we may share: payment details submitted in the payment flow, the transaction amount, and the relevant booking or payment reference.
- Why we share it: payment authorisation, settlement, and refunds.
- When we share it: when you make a payment through the Services and the payment is handled by an authorised payment service provider.
CarBeep does not store your full card number, CVV, or online-banking credentials inside the public website. Payment-sensitive information is handled through the relevant payment flow and provider infrastructure.
4.5 Communication and notification providers
- Data we may share: phone number and OTP code, plus device tokens and notification payload data.
- Why we share it: OTP delivery, authentication, and push notification delivery.
- Who receives it: our WhatsApp Business API provider and Firebase Cloud Messaging (Google).
4.6 Infrastructure and hosting providers
- Provider: Supabase infrastructure hosted on the AWS Singapore region.
- Data involved: platform data, file storage, application records, and related operational data.
- Why it is processed: database hosting, file storage, and backend operations.
Use of these infrastructure providers may involve cross-border processing or storage outside Malaysia. Where cross-border transfer rules apply, we rely on one or more transfer conditions permitted under the PDPA and applicable guidance, which may include consent, contractual safeguards, technical and organisational safeguards, or another condition permitted by law.
4.7 Legal, regulatory, and enforcement disclosures
We may disclose personal data to regulators, law-enforcement agencies, government authorities, courts, or professional advisers where disclosure is required or reasonably necessary to comply with law, protect rights, investigate misconduct, or respond to a lawful request.
5. Data security
We implement technical and organisational measures designed to protect personal data from unauthorised access, misuse, loss, alteration, or disclosure. Security measures are risk-based and may change over time.
5.1 Core security measures
Our core security measures include:
- encryption at rest for platform data and stored files;
- encryption in transit for data sent through the Services;
- role-based access controls restricted to authorised personnel and service processes;
- audit logging for sensitive workflows and document-access events; and
- restricted document controls for KYC materials, including time-limited access and additional operational safeguards.
5.2 Additional KYC document safeguards
For KYC documents and other sensitive verification documents, we apply additional controls that may include:
- separate or restricted storage locations;
- time-limited signed URLs;
- one-time or session-bound document access tokens;
- in-app watermarking or similar visibility controls;
- screenshot deterrence or secure-viewing controls on supported platforms;
- malware-scan status checks before document access is allowed; and
- restricted staff access based on job function.
5.3 Data breach response
If a personal data breach occurs, we will assess the incident promptly, contain it where possible, investigate impact, and take remedial steps.
Where required by the PDPA and current Commissioner guidance:
- we will notify the Commissioner as soon as practicable and, where required, within seventy-two (72) hours of becoming aware of the breach;
- we will notify affected individuals where the breach causes or is likely to cause significant harm, and within the period required by applicable guidance; and
- we will maintain the records and supporting information required by law.
6. Your rights and choices
The PDPA gives individuals important rights in relation to personal data. The scope of a particular right may depend on the circumstances, the reason we hold the data, and any legal or regulatory obligations that still apply.
You have the right to be told what personal data we collect, the purpose for collection and processing, and the categories of recipients to whom the data may be disclosed.
6.2 Right of access
You may request access to the personal data we hold about you, subject to the PDPA and any lawful limitations or exceptions.
6.3 Right of correction
You may ask us to correct personal data that is inaccurate, incomplete, misleading, or not up to date.
6.4 Right to withdraw consent
Where we rely on your consent, you may withdraw that consent at any time. Withdrawal does not affect processing that was lawful before the withdrawal.
Please note:
- if you withdraw consent for processing that is necessary to provide a feature you requested, that feature may no longer be available to you;
- if documents have already been shared with a provider or partner for a request you submitted, that provider may continue to retain or process them under its own legal obligations; and
- withdrawing marketing consent will not affect your ability to use the core Services.
6.5 Right to object to certain processing
Subject to the PDPA, you may ask us to stop or limit processing that is likely to cause damage or distress, and you may require us to stop processing your personal data for direct marketing.
6.6 Automated decision-making
You have the right to be free from decisions that significantly affect you where those decisions are made solely by automated means, except where permitted by law. CarBeep does not currently state in this Policy that insurance, financing, or KYC approval decisions are made solely by an automated system without human involvement.
6.7 Copies, exports, and deletion requests
You may request a copy of personal data that we hold about you. Where applicable law grants a portability right, and where technically feasible, we may provide the relevant data in a structured, commonly used format.
You may also request deletion or anonymisation of your account data, subject to legal, security, accounting, audit, dispute, and regulatory retention obligations.
6.8 How to exercise your rights
You may contact us at privacy@carbeep.com.my to exercise your rights or raise a privacy concern.
If self-service privacy controls are available in the app, you may use them. If they are not available or you cannot access the app, you may use our public support and deletion channels, including:
We may ask for identity verification before acting on a request. We aim to respond within twenty-one (21) days or within another period permitted by law, depending on the type of request and the complexity involved.
7. Data retention
We retain personal data only for as long as it is reasonably necessary for the purpose for which it was collected, for operational support, or to comply with legal, audit, regulatory, accounting, or dispute-handling requirements.
7.1 General retention periods
As a general rule:
- active account data may be retained while your account remains active;
- deleted account records that have been anonymised or retained for compliance may be kept for up to seven (7) years where required;
- chat messages may be kept for up to two (2) years after booking completion, and longer if needed for a dispute or investigation;
- reviews may be kept while they remain relevant to the platform or until they are removed or anonymised;
- audit logs may be kept for up to seven (7) years where required; and
- consent records may be retained as needed to evidence consent history and compliance, including after account closure where required for audit or legal defence.
7.2 KYC document retention
For KYC and regulated workflow documents:
- loan or financing records that are approved may be retained for up to seven (7) years from verification, approval, or another legally relevant trigger;
- loan or financing records that are rejected or withdrawn may be retained for up to twenty-four (24) months from the decision or closure date;
- insurance requests where no policy is issued may be retained for up to one hundred eighty (180) days from quote or renewal closure;
- insurance requests where a policy is issued may be retained for up to seven (7) years from the end of the policy period or another legally required trigger;
- account deletion requests with no active regulated workflow may still require retention for up to twenty-four (24) months from completion of the deletion request; and
- account deletion requests tied to an active or completed regulated workflow may require retention for up to seven (7) years from the applicable retention trigger.
After the applicable retention period ends, we will securely delete or anonymise the retained material unless further retention is required by law or for a live dispute, investigation, or enforcement process.
We may retain transaction records, payment references, dates, and settlement information for accounting, audit, refund, fraud-prevention, and tax purposes for the period required by law or internal financial controls.
8. Consent management
8.1 Types of consent we may request
Depending on the feature you use, we may request separate consent for matters such as:
- acceptance of the relevant Terms of Service, which is required to use the relevant app;
- acknowledgement of this Privacy Policy, which is required to use the relevant app;
- consent for KYC data collection, which is required only for relevant insurance or financing features;
- consent for third-party sharing needed to fulfil a service request, which is required only for the relevant workflow;
- consent for cross-border transfer where applicable, which is required only where the relevant workflow or infrastructure makes it necessary; and
- consent for marketing communications, which is optional.
8.2 How consent records are maintained
Where consent is recorded, we may keep records such as:
- the type of consent given or withdrawn;
- the policy or notice version shown at the time;
- the date and time of the consent event;
- technical metadata reasonably required for audit and security; and
- the relevant user or account identifier.
8.3 Managing consent choices
Where a consent management screen or preference control is available in the app, you may use it to manage optional consents. You may also contact privacy@carbeep.com.my if you need help updating a privacy preference.
9. Cross-border data transfer
9.1 Where data may be processed
CarBeep uses infrastructure and service providers that may process or store personal data outside Malaysia, including in Singapore.
9.2 Safeguards
When cross-border processing occurs, we seek to apply safeguards that may include:
- contractual restrictions and processing terms with service providers;
- access controls and storage restrictions;
- encryption and technical security safeguards; and
- consent or another transfer condition permitted under the PDPA and applicable guidance.
9.3 Your choice
Where the law or the relevant workflow requires us to seek your consent for a cross-border transfer, we will do so before the relevant processing takes place. If you withdraw that consent later, some insurance, financing, or document-handling features may no longer be available.
10. Children's data
The Services are not directed to children and are not intended to be used by individuals under the age of eighteen (18) for regulated insurance or financing workflows.
If we become aware that personal data of a child has been collected in circumstances where it should not have been collected, we will take reasonable steps to delete or restrict that data, subject to any legal requirements.
11. Automated decision-making and profiling
CarBeep may use rules, system checks, routing logic, matching logic, and fraud-prevention signals in the operation of the Services. However, this Policy does not state that legally significant decisions about insurance approval, financing approval, or regulatory verification are made solely by an automated system without human involvement.
If that position changes, we will update this Policy and any required notices.
12. Third-party links and services
The Services may contain links to third-party services, provider portals, maps, payment flows, or partner websites. Those third parties control their own privacy practices. You should review the privacy notices of any third party before submitting personal data to them.
13. Updates to this Policy
We may update this Policy from time to time to reflect changes in our services, security practices, legal requirements, operational needs, or third-party processing arrangements.
When we make a material change, we may give additional notice through the app, website, or another appropriate channel. The latest version will always show the current "Last Updated" date.
14. Complaints
If you believe that your personal data has been mishandled or that we have not complied with the PDPA, please contact us first at privacy@carbeep.com.my so that we can investigate.
You may also lodge a complaint with the Personal Data Protection Commissioner / Jabatan Perlindungan Data Peribadi (JPDP):
Jabatan Perlindungan Data Peribadi
Level 8, Galeria PjH, Jalan P4W, Persiaran Perdana Precinct 4, Federal Government Administrative Centre 62100 Putrajaya, Malaysia
Main line: 03-8000 8000
JPDP call centre: 03-7456 3888
Website: https://www.pdp.gov.my/
If you have a privacy request, legal question, support issue, or complaint, please contact us:
CarBeep Sdn. Bhd.
Registration No.: [INSERT REGISTRATION NUMBER]
Registered Address: [INSERT REGISTERED ADDRESS]
- Privacy: privacy@carbeep.com.my
- Customer Support: support@carbeep.com.my
- Legal: legal@carbeep.com.my
- Data access or deletion requests: privacy@carbeep.com.my
By using CarBeep, you acknowledge that you have read this Privacy Policy. Where processing depends on your consent, you may withdraw that consent subject to the limits described in this Policy and any lawful retention or compliance obligation.
Document Control
Version: 1.0.0
Date: March 18, 2026
Changes: Reworked privacy-policy language and structure for public website publication