Privacy Policy

1. Introduction

This Privacy Policy explains how MyLock.my ("MyLock," "we," "us," or "our") collects, uses, discloses, and protects personal data when you interact with our platform — including our website (mylock.my), our WhatsApp dispatch service, our Telegram technician dispatch system, our course intake processes, and any related communications.

We are committed to handling your personal data in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA) and the Personal Data Protection (Amendment) Act 2024.

This Privacy Policy applies to:

• Customers who request locksmith, smart lock, or access-systems services through our WhatsApp channel or website
• Technicians who apply to or participate in the MyLock dispatch network
• Course applicants who register interest in or enrol in MyLock workshops
• Visitors to mylock.my

By using MyLock services, you acknowledge that you have read and understood this Privacy Policy. Where applicable, we will obtain your explicit consent before processing your personal data.

2. Who We Are (Data Controller)

For the purposes of the PDPA, the data controller of your personal data is:

Future entity transfer: MyLock.my and its associated platform, customer data, technician records, and intellectual property may be transferred to a successor entity (such as MyLock Sdn Bhd or another corporate entity) as the business grows. In the event of such transfer, your personal data will continue to be protected under this Privacy Policy or an updated equivalent, and you will be notified of any material change in writing or via the platform. Continued use of MyLock services following such notification constitutes acknowledgment of the transfer.

For all data protection enquiries, requests, or complaints, please contact us at hello@mylock.my with the subject line "PDPA Request".

3. Personal Data We Collect

We collect different categories of personal data depending on how you interact with MyLock. We collect only what is necessary for the purposes described in Section 4.

3.1 Customer data (when you request a service)

• Identity data: name, mobile phone number (for WhatsApp dispatch)
• Contact data: WhatsApp number, address (street, postcode, building name)
• Location data: GPS coordinates from WhatsApp location pins (when you share your location for emergency dispatch)
• Service request data: description of the lock issue, photos you send (e.g., car make/model, lock type, problem area), urgency level, preferred service window
• Identity verification (limited cases only): in cases involving vehicle unlock or premises entry, we may require photographic evidence of identity card (IC) or vehicle ownership document (VOC) before dispatch, to protect against unauthorised entry requests
• Communication records: WhatsApp message logs, including text, images, and voice notes exchanged with our automated system
• Service ratings and feedback: ratings and comments you provide after service completion

3.2 Technician data (when you apply to join the dispatch network)

• Identity data: full name, IC number (last 4 digits only displayed in our system), date of birth
• Business data: SSM business registration number, business name, business address
• Contact data: mobile phone number, WhatsApp number, Telegram username, email
• Location data: declared response area (postcodes you cover), home/business location for distance calculations
• Skills and credentials data: declared specialisations, tools owned (model and serial where applicable), languages spoken, years of experience, training records
• Banking data: bank account details (for payment settlement, where applicable)
• Self-declaration of good conduct: signed declaration regarding criminal record status
• Performance data: dispatch acceptance rate, job completion rate, response time, customer ratings, dispute history

3.3 Course applicant data (when you register interest in or enrol in workshops)

• Identity and contact data: name, email, mobile phone number
• Background data: existing technical experience, current occupation, declared track of interest
• Communication records: WhatsApp/email exchanges regarding intake scheduling
• Enrolment data (if you proceed to enrol): payment records, attendance records, completion status

3.4 Website visitor data (passively collected)

• Technical data: IP address (anonymised after aggregation), browser type, device type, operating system, referring URL
• Usage data: pages visited, time on page, search queries on our internal site search, click patterns
• Analytics data: collected via Google Analytics (see Section 9 — Cookies and Tracking)

3.5 Categories of sensitive personal data

Under PDPA, "sensitive personal data" includes data on health, political opinions, religious beliefs, and similar categories. MyLock does not intentionally collect sensitive personal data. If you voluntarily disclose such data (e.g., mentioning a medical condition during a service request), we will treat it with additional care and use it only for the immediate service purpose.

4. Why We Collect Your Personal Data (Purposes)

We collect and process your personal data for the following purposes:

4.1 Core service delivery

• To match customer service requests with appropriate technicians based on location, urgency, and skills
• To enable communication between customers and technicians during a job
• To verify customer identity in cases involving vehicle unlock or premises entry
• To process payments and manage refunds where applicable
• To provide customer support and resolve disputes

4.2 Technician network management

• To verify technician identity, business registration, and declared skills
• To manage dispatch eligibility, performance monitoring, and the supervised first-10-jobs review process
• To pay commissions or settle invoices where applicable
• To investigate misconduct allegations or service quality issues

4.3 Course operations

• To manage workshop intakes, scheduling, and student communications
• To verify enrolment and process course payments where applicable
• To track attendance and issue completion records

4.4 Platform improvement and analytics

• To analyse aggregate usage patterns and improve service quality
• To identify operational bottlenecks (e.g., dispatch delays, areas with technician undersupply)
• To develop new features

4.5 Legal and compliance obligations

• To comply with Malaysian law, including PDPA, Consumer Protection Act 1999, Sales and Service Tax Act 2018, and any applicable industry regulations
• To respond to lawful requests from regulators, courts, or law enforcement
• To establish, exercise, or defend legal claims

4.6 Direct communication

• To send service updates, dispatch notifications, and post-service follow-ups
• To send course intake announcements (only if you have registered interest)
• To send important platform updates (e.g., changes to this Privacy Policy)

5. Lawful Basis for Processing

Under PDPA, we rely on the following lawful bases for processing your personal data:

• Your consent — for example, when you submit a course interest form or message us via WhatsApp to request service
• Performance of a contract — when processing is necessary to deliver the service you requested
• Legitimate interest — when processing is necessary for our operational interests (e.g., fraud prevention, dispatch quality monitoring) and your rights are not overridden
• Legal obligation — when we are required by Malaysian law to retain or disclose data
• Vital interest — in rare emergency cases (e.g., a lock-out situation involving an injured person), we may process location data to dispatch help even before formal consent is recorded

6. Whether Providing Data Is Obligatory

Most of the personal data we collect is provided voluntarily by you when you request our service or register for our workshops. You are not legally obligated to provide this data.

However, failure to provide certain data may prevent us from delivering the service you requested. For example:

• Without a phone number, we cannot dispatch a technician via WhatsApp
• Without a location, we cannot match you to the nearest available technician
• Without identity verification (in vehicle unlock cases), we cannot dispatch a technician

For technicians, providing complete and accurate registration data (including SSM proof and self-declaration) is a contractual condition of joining the dispatch network. Refusal to provide required data means we cannot enrol you as a technician.

7. Who We Share Your Personal Data With

We share personal data only when necessary for the purposes described in Section 4. We require all third parties to maintain appropriate security and confidentiality standards.

7.1 Service providers (data processors)

We use the following categories of third-party service providers to operate our platform:

We maintain a confidential internal register of our specific service providers, including the contractual data protection terms in place with each. We do not publish individual provider names to reduce attack surface and operational disclosure risk. If you have a specific concern about how your data is processed by a particular class of provider, please contact us at hello@mylock.my and we will provide reasonable additional information.

We work only with established providers that maintain industry-standard security practices and, where applicable, recognised certifications such as ISO 27001 or SOC 2.

7.2 Service providers within the network

When you request a service, we share necessary information with the assigned technician. This may include:

• Your name, phone number, address, and location
• The nature of your service request and any photos you provided
• Identity verification documents (only in vehicle/premises entry cases)

We do not share your data with technicians who have not accepted the job.

7.3 Trade-association coordination (limited)

MyLock is in active discussion with Gabungan Persatuan Peniaga Kunci Malaysia (GPPKM) on industry standards. We do not share customer or technician personal data with GPPKM. Any data shared with industry bodies in the future will be aggregated and anonymised, or based on explicit consent from the affected individuals.

7.4 Legal disclosures

We may disclose your personal data when required by law:

• To respond to lawful court orders, subpoenas, or regulatory requests
• To comply with PDPA Commissioner inquiries
• To protect our rights, your rights, or the rights of others (including in fraud or safety investigations)
• To enforce our Terms of Use or investigate violations

7.5 Business transfer

As noted in Section 2, MyLock may transfer ownership or operations to a successor entity. In such cases, your data will be transferred subject to the protections in this Privacy Policy or an equivalent updated policy.

8. Cross-Border Data Transfers

Several of our service providers (including our database, messaging, analytics, and email providers) process data on servers located outside Malaysia, principally in the United States, Singapore, and other recognised jurisdictions.

Under PDPA Section 129, we are required to ensure cross-border transfers protect your data adequately. We rely on the following safeguards:

• Contractual safeguards: processor agreements requiring providers to apply data protection standards comparable to PDPA
• Provider certifications: where available, we use providers that are compliant with frameworks such as ISO 27001, SOC 2, and equivalent
• Aggregation and pseudonymisation: where feasible, we transmit aggregated or pseudonymised data rather than raw personal data
• Your consent: by using MyLock services, you consent to your data being processed on these provider platforms

If you have concerns about cross-border transfers, please contact us at hello@mylock.my.

9. Cookies and Tracking Technologies

Our website (mylock.my) uses cookies and similar technologies to:

• Maintain your session and preferences
• Analyse aggregate website usage (via Google Analytics)
• Enable e-commerce functionality (when our shop is active)
• Optimise site performance

You can control cookies through your browser settings. Disabling cookies may affect website functionality.

We use Google Analytics 4 to understand aggregate usage patterns. Google Analytics may set cookies and process data on Google servers. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-on or by configuring your browser's "Do Not Track" setting.

We do not currently use third-party advertising cookies or behavioural retargeting.

10. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected. Specific retention periods:

After the retention period, we will either securely delete the data or anonymise it so it can no longer be linked to you.

You may request earlier deletion by contacting hello@mylock.my — see Section 11. Deletion may be refused only where retention is required by law or necessary for the establishment, exercise, or defence of legal claims.

11. Your Rights Under PDPA

You have the following rights regarding your personal data. To exercise any of these rights, contact hello@mylock.my with the subject line "PDPA Request" and we will respond within 21 days (or longer if the request is complex, in which case we will inform you of the expected timeline).

11.1 Right to access (PDPA Section 30)

You can request a copy of the personal data we hold about you, along with information on how it is being processed.

11.2 Right to correction (PDPA Section 34)

You can request correction of personal data that is inaccurate, incomplete, misleading, or out of date.

11.3 Right to withdraw consent (PDPA Section 38)

Where we rely on your consent for processing, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Withdrawing consent for essential service data may mean we can no longer provide the service.

11.4 Right to data portability (PDPA 2024 Amendment)

Where technically feasible, you can request your personal data in a structured, commonly used, machine-readable format, or request that we transmit it to another data controller.

11.5 Right to object to direct marketing (PDPA Section 43)

You can request that we stop using your personal data for direct marketing communications. We will comply within a reasonable period.

11.6 Right to lodge a complaint

If you believe we have not handled your personal data lawfully, you can lodge a complaint with the Personal Data Protection Department of Malaysia (Jabatan Perlindungan Data Peribadi, JPDP):

• Website: pdp.gov.my
• Email: aduan@pdp.gov.my

We encourage you to contact us first at hello@mylock.my so we can attempt to resolve your concern directly.

11.7 Verifying your identity

For security reasons, we may need to verify your identity before processing data subject requests. We may request identity verification (e.g., responding from the same WhatsApp number on file, or providing an SSM document for technician requests) before complying.

12. Data Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Measures include:

• Encryption: data in transit is encrypted using TLS/SSL; database connections use encrypted channels
• Access controls: access to personal data is limited to authorised personnel based on role
• Authentication: multi-factor authentication on administrative accounts where available
• Backups: regular backups maintained on secure infrastructure
• Vendor due diligence: we use third-party processors with industry-standard security practices
• Incident response: documented procedures for responding to suspected data breaches

13. Data Breach Notification

In the event of a personal data breach that is likely to result in significant harm to data subjects, we will:

• Notify the Personal Data Protection Commissioner within 72 hours of becoming aware of the breach, in accordance with the PDPA 2024 Amendment
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to your rights and interests
• Document the breach, our response, and lessons learned

If you suspect that your data has been compromised, please contact us immediately at hello@mylock.my.

14. Children's Personal Data

MyLock services are intended for individuals 18 years of age or older.

For course applicants, we require confirmation of age at the point of registration. We do not knowingly collect personal data from minors under 18. If we become aware that we have collected data from a minor without verified parental consent, we will delete it.

If you are a parent or guardian and believe a minor has provided us with personal data, please contact hello@mylock.my.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational reasons. When we make material changes:

• We will update the "Last Updated" date at the top of this page
• For significant changes, we will notify you via WhatsApp (for customers and technicians on file) or email (for course applicants and registered users), and post a prominent notice on our website
• Continued use of MyLock services after such notification constitutes acceptance of the updated Privacy Policy

We recommend reviewing this page periodically.

16. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal data:

This Privacy Policy is governed by the laws of Malaysia and shall be interpreted in accordance with the Personal Data Protection Act 2010 and the Personal Data Protection (Amendment) Act 2024.