VYROX INTERNATIONAL SDN BHD

Privacy Policy — Personal Data Protection Notice (PDPA Malaysia 2010)

PRIVACY POLICY

VYROX INTERNATIONAL SDN BHD

Co. Reg. No. 201201039321 (1023799-A) | TIN: C22988575060 | SST: W24-1808-32000228

Document version: 2026-04-27.v5 · Last updated: 27 April 2026

Important. Please read this document carefully. By using any software, website or service supplied by VYROX INTERNATIONAL SDN BHD, you agree to be legally bound by this document together with our Terms of Service, Privacy Policy and Disclaimer. If you do not agree, do not use the service.

1. WHO WE ARE & SCOPE OF THIS NOTICE

This Privacy Policy ("Notice") describes how VYROX INTERNATIONAL SDN BHD (New BRN 201201039321 (formerly 1023799-A); TIN: C22988575060; SST: W24-1808-32000228; registered office: A-16-05, The Vertical Business Suite Tower A, Jalan Kerinchi, Bangsar South, 59200 Kuala Lumpur, Wilayah Persekutuan KL, Malaysia) ("VYROX", "we", "us", "our") collects, uses, discloses, transfers, retains and otherwise processes Personal Data through its snooker / cue-sports venue management software-as-a-service (the "Service"), in accordance with the Personal Data Protection Act 2010 of Malaysia ("PDPA") and other applicable laws.

Two roles, one Notice. We may act in either of two capacities depending on context:

  • Data User / Data Controller — with respect to data we collect directly from Clients (subscribers) and from Authorised Users for our own commercial relationship (e.g. account creation, billing, marketing of our own products).
  • Data Processor — with respect to data the Client uploads or causes to be processed through the Service about its Members, employees, customers and other data subjects. In that case the Client is the Data Controller and we process such data on the Client's behalf, under written instructions and the contractual terms in our Terms of Service (especially Section 5 of those Terms).

This Notice applies to: Clients (snooker centres / clubs / venues), Authorised Users (system administrators, owners, managers, operators, cashiers, employees, contractors), Members (end-customers / loyalty members of our Clients), website visitors, and anyone whose Personal Data is otherwise processed through the Service.

2. CONTINUOUSLY UPDATED SERVICE NOTICE

By using the Service, you understand that we’re always working on it — adding new features, polishing existing ones, and rolling out improvements. The Service is, and will always be, a work in progress, and we can’t promise it’s perfect, complete or final. Updates may be deployed at any time and without prior notice, in line with normal cloud-service practice. We apply commercially reasonable safeguards (encryption, access controls, audit logs, monitoring) and work in good faith to investigate and resolve any issue that affects Personal Data.

If you ever notice that your records appear inaccurate, that data has been displayed to the wrong account, or that any other irregularity has occurred, please report it promptly — to the relevant Client (your venue) where applicable, or to us. To the extent permitted by Malaysian law, VYROX cannot warrant that the Service is free of every defect, but we are committed to investigating and remediating any issue we are made aware of, and to honouring the rights of data subjects under the PDPA.

3. CATEGORIES OF PERSONAL DATA WE PROCESS

The Service is designed to manage every aspect of a snooker / cue-sports venue operation. Accordingly, the categories of Personal Data processed include:

(a) Client / Authorised-User identification data. Full name, NRIC / passport number, date of birth, gender, photograph, email, mobile and landline numbers, residential / business address, employment role, signature.

(b) Authentication & device data. Username, hashed password, two-factor codes, login timestamps, IP address, device fingerprint, browser, operating system, mobile-app build, push-notification tokens, geolocation (when explicitly allowed).

(c) Member / customer data. Names, contact details, NRIC, photographs, biometric face-recognition templates (where the Client enables Face Recognition), membership numbers, QR-code identifiers, member-card barcodes, membership tier, joining date, anniversaries.

(d) Financial data. Bank-card last-4 digits, payment-method type, transaction amounts, invoice numbers, e-invoice UUIDs (LHDN MyInvois), refund records, credit balances, loyalty points, stamp-card progress, deposits and refunds for rentals, tax identification numbers, business registration numbers.

(e) Operational & venue data. Table assignments, session start/end times, light-on/off timestamps, food-and-beverage orders, kitchen tickets, inventory adjustments, employee shift records, cash-drawer records, lighting-controller telemetry, IoT sensor data.

(f) Communications. In-app chat messages between Members, between Authorised Users, push notifications, email logs, WhatsApp/SMS message logs (where integrated), customer-feedback forms.

(g) CCTV / imagery. Where the Client uploads or links security camera images, CCTV snapshots or face-recognition images, those images and any biometric template derived from them are Personal Data and (in some cases) Sensitive Personal Data.

(h) Marketing & preferences. Subscription preferences, communication consents, gameplay history, ranking, social-feature interactions.

(i) Diagnostic data. Application logs, error stack traces, crash reports, slow-query logs, audit trails of every CRUD action against the database.

4. PURPOSES OF PROCESSING

We (or, where applicable, the Client as Data Controller) process Personal Data for the following purposes, based on your consent, the performance of a contract, our legitimate interests or compliance with law:

  • creating and authenticating accounts; controlling access; preventing unauthorised access;
  • operating the Client's venue (table allocation, billing, payments, e-invoicing, food and beverage orders, member loyalty, rentals, tournaments);
  • delivering the Service: hosting, scaling, monitoring, debugging, troubleshooting, providing 24×7 technical support, applying updates, restoring from backup, conducting security testing and incident response;
  • generating reports, analytics, business intelligence and statutory filings (e.g. SST returns, LHDN e-invoices);
  • fraud detection, anti-money-laundering checks (where applicable), and protection of the Service and its users;
  • communications: transactional (booking confirmations, invoices, OTPs, system alerts), service (maintenance windows, breach notifications) and, where consented, marketing of our own products;
  • customer support: investigating tickets, reproducing bugs (which may require impersonating a User's account or querying their data);
  • research, development, machine-learning training and product improvement, using anonymised, aggregated or de-identified datasets;
  • complying with legal obligations including the PDPA, the Income Tax Act, the Sales Tax / Service Tax Acts, anti-money-laundering laws, and lawful requests from regulators, enforcement agencies and courts;
  • establishing, exercising or defending legal claims.

5. OUR ACCESS TO CLIENT DATABASES (IMPORTANT NOTICE)

To deliver Software-as-a-Service, we have, and we will continue to have, full technical access to the entire database of every Client. This includes (without limitation) every record about Clients, Authorised Users (system administrators, managers, operators, employees), Members, customers, transactions, photographs, biometrics, communications, and all logs.

This access is technically necessary because:

  • the Service is hosted on infrastructure operated by us (or our cloud-infrastructure providers under our contracts);
  • round-the-clock operation, monitoring, scaling, backup, restoration and incident response require qualified engineers to access live data;
  • support tickets and bug reports often require us to query, view or modify specific records to reproduce or fix the issue;
  • security monitoring, fraud detection and audit-trail integrity require continuous machine-and-human access to logs and data.

Personnel who exercise this access ("VYROX Personnel") include our employees, contractors, sub-processors and authorised AI / automated agents acting on our behalf. They are bound by written confidentiality obligations and are subject to internal access-control, role-based authorisation and audit-logging.

Cascading consent. Each Client (Data Controller) is contractually required to:

  • display its own privacy notice to its Members, employees, customers and visitors;
  • obtain the consents required under the PDPA and other applicable laws before entering any Personal Data into the Service;
  • specifically inform such data subjects that the Service is operated by VYROX, and that VYROX (as Data Processor) has the technical access described in this Section.

If you are a Member, employee, manager or operator and you have a question about how your Personal Data is being processed, please first contact your venue (the Client / Data Controller). If your matter cannot be resolved there, you may contact us at enquiry@vyrox.com.

6. DISCLOSURE TO THIRD PARTIES

We disclose Personal Data only to the categories of recipients listed below, and only to the extent necessary:

  • The Client. Authorised Users of a Client may see Personal Data of that Client's Members, employees and customers based on their role-based permissions.
  • Sub-processors. Cloud-hosting providers (e.g. data-centre operators in Malaysia or, with appropriate safeguards, abroad), database providers, content-delivery networks, error-tracking services, customer-support platforms, transactional-email providers, SMS / WhatsApp gateways, analytics providers, and payment-gateway operators — each under contracts that impose data-protection obligations equivalent to ours.
  • Payment processors and banks for processing card / e-wallet / online-banking transactions.
  • LHDN MyInvois for e-invoice issuance, validation and submission, where applicable.
  • Professional advisors (lawyers, auditors, tax advisors, insurers) under professional confidentiality.
  • Authorities where required by law, court order, regulator request, criminal investigation or to protect the rights, property or safety of any person.
  • Successors in connection with merger, acquisition, financing, restructuring, sale of all or substantially all of our assets, or insolvency proceedings.

We do not sell Personal Data, and we do not disclose identifiable Personal Data to advertising networks for cross-context behavioural advertising.

7. CROSS-BORDER TRANSFERS

Personal Data is primarily processed and stored on infrastructure located in Malaysia. Where a sub-processor or cloud provider operates outside Malaysia (for example for global content-delivery, error-tracking, AI processing or push-notification services), the data may be transferred to and processed in jurisdictions including Singapore, the European Economic Area, the United Kingdom or the United States.

Such transfers are made only where (a) the destination provides equivalent levels of protection, (b) the transfer is necessary for the performance of the contract or with the data subject's consent, or (c) appropriate safeguards (such as standard contractual clauses) are in place, in compliance with section 129 of the PDPA.

8. DATA RETENTION

We retain Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, including:

  • active operational data — for the duration of the Client's subscription;
  • financial / invoice / e-invoice records — for at least seven (7) years to comply with the Income Tax Act 1967 and the Sales Tax / Service Tax Acts;
  • application and security logs — for up to twenty-four (24) months for fraud, security and incident-response purposes;
  • encrypted backups — for up to ninety (90) days under our standard backup-rotation policy;
  • data necessary to establish, exercise or defend a legal claim — until the relevant limitation period has expired.

After the applicable retention period, Personal Data is permanently deleted or irreversibly anonymised.

9. SECURITY MEASURES

We apply commercially reasonable technical and organisational measures to safeguard Personal Data, including:

  • HTTPS / TLS encryption in transit, encrypted backups at rest;
  • password hashing using industry-standard algorithms; multi-factor authentication where supported;
  • role-based access control with the principle of least privilege;
  • rate-limiting, brute-force protection and audit logs of every authentication event;
  • staff confidentiality undertakings and training;
  • regular vulnerability scanning, patching and incident-response procedures.

However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and we disclaim liability beyond what is required by law and what is expressly stated in our Terms of Service.

10. DATA BREACH NOTIFICATION

If we become aware of a personal-data breach that is likely to result in significant harm to data subjects, we shall, without undue delay and to the extent legally required, notify the affected Client (Data Controller) and co-operate with the Client to fulfil any regulatory notification obligations under the PDPA. The Client (Data Controller) is primarily responsible for notifying the relevant data subjects.

11. YOUR RIGHTS UNDER THE PDPA

Subject to the conditions and exceptions in the PDPA, you have the following rights with respect to your Personal Data:

  • Right of access — to request a copy of the Personal Data we hold about you;
  • Right to correct — to request correction of inaccurate or incomplete Personal Data;
  • Right to limit processing — to limit purposes for which the data is processed;
  • Right to withdraw consent — to withdraw consent given for processing (this may affect your ability to use the Service);
  • Right to prevent processing for direct marketing;
  • Right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia.

If you are a Member or other data subject of a Client, please send your request first to that Client (the Data Controller). If you are a Client or Authorised User, send your request to enquiry@vyrox.com. We may require proof of identity and may charge a reasonable fee where permitted by law.

We may decline a request where the PDPA permits, including where compliance would breach a duty of confidentiality, prejudice an investigation, or be impossible or disproportionate.

12. BIOMETRIC, FACIAL RECOGNITION & SENSITIVE DATA

Where the Service's Face Recognition, photo-based member identification, fingerprint, voiceprint or any other biometric feature is enabled by a Client, the resulting biometric templates are Sensitive Personal Data under section 40 of the PDPA and require the data subject's explicit consent.

It is the responsibility of the Client (Data Controller) to:

  • obtain explicit, informed and freely-given written or click-through consent from each individual before enrolling their face / biometric data;
  • display a visible biometric / CCTV notice on premises;
  • provide a non-biometric alternative for any individual who declines;
  • provide individuals with the right to delete their biometric template at any time;
  • not use biometric data for any purpose beyond what was disclosed (e.g. no employment surveillance, no profiling beyond member-identification at point of entry).

VYROX, as Data Processor, will store biometric templates in encrypted form and will permit the Client (or the data subject through the Client) to delete them on request.

13. PUBLIC DISPLAYS, LEADERBOARDS & TV MONITORS

The Service offers public-facing screens (lobby TV monitors), public URLs (member rankings, tournament brackets), QR-shared customer apps and similar features that may display member names, photographs, statistics or rankings. Public display = public disclosure. The Client must obtain prior consent from each individual whose data appears, and must offer an opt-out (e.g. anonymisation, masking, or removal). VYROX bears no liability for any privacy claim arising from public display authorised by the Client.

14. CCTV & VIDEO SURVEILLANCE

If the Client uses or integrates CCTV / video systems with the Service, the Client must comply with applicable CCTV-notification laws, including displaying clear signage, retaining footage only as long as necessary, and restricting access to authorised personnel.

15. CHAT, USER-GENERATED CONTENT & SOCIAL FEATURES

Messages, posts, photos, reviews and any other content created by Members or Authorised Users through chat / social / tournament / community features are stored to deliver those features. By posting, the author grants other permitted recipients (and VYROX, for the purpose of operating the Service) a licence to display such content. Authors are responsible for ensuring that posted content is lawful and does not infringe any third party's rights. The Service may implement automated or human moderation; we do not guarantee removal of any specific content.

16. DIRECT MARKETING & CONSENT

Direct marketing (e.g. promotional emails, WhatsApp campaigns, SMS blasts, in-app pop-ups) is sent only to recipients who have given the consents required under the PDPA, the Communications and Multimedia Act 1998 and any other applicable law. Each recipient may opt out at any time by following the unsubscribe instructions in the message, by changing their preferences in the Service, or by contacting the relevant Client (Data Controller). The Client warrants that all marketing lists it imports or compiles within the Service comply with these requirements.

17. AUTOMATED DECISION-MAKING

The Service may use AI / ML to assist with member-matching, fraud-detection, no-show prediction, tournament seeding and similar tasks. Authorised Users always have the ability to override automated outputs. We do not use solely-automated decisions to produce legal effects against any data subject without human review.

18. COOKIES & TRACKING

The Service uses functional cookies, local storage and similar technologies to maintain login sessions, remember preferences (theme, language, layout), prevent fraud, and gather aggregated analytics. We do not use third-party advertising cookies. You can control cookies through your browser settings; disabling essential cookies will impair the Service.

19. CHILDREN

The Service is intended for businesses and adult Authorised Users. We do not knowingly collect Personal Data of children under 18 except as part of a Client's lawfully-operated minor-friendly venue (e.g. junior tournaments) and only when the Client warrants that proper parental / guardian consent has been obtained.

20. CHANGES TO THIS NOTICE

We may update this Notice from time to time. Material changes will be communicated through an in-app notification or by re-prompting acceptance on next login. Continued use after the effective date of an updated Notice constitutes acceptance of the change.

21. INTERNATIONAL DATA SUBJECTS - JURISDICTION-SPECIFIC RIGHTS

Where the Service is used by a Client outside Malaysia, or where Personal Data of any data subject located outside Malaysia is processed through the Service, the following jurisdiction-specific protections apply in addition to the rights described elsewhere in this Notice. In each case, the rights below are limited to the extent permitted by, and subject to the conditions of, the relevant statute.

Singapore (PDPA 2012). Data subjects in Singapore have the rights of access and correction (sections 21 and 22), the right to withdraw consent (section 16), and the right to receive a copy of their Personal Data in a commonly used machine-readable format (data-portability). The Client (Data Controller) is responsible for appointing a Data Protection Officer in Singapore where required and for transfer-impact assessments before sending data outside Singapore. VYROX, where acting as a data intermediary, complies with the Transfer Limitation Obligation under section 26.

Australia (Privacy Act 1988 (Cth) & Australian Privacy Principles). Data subjects in Australia have the right to access (APP 12), correct (APP 13), withdraw consent and complain to the Office of the Australian Information Commissioner (OAIC). Cross-border disclosure (APP 8) is governed by contractual safeguards equivalent to the APPs. Data subjects may also benefit from the Notifiable Data Breaches scheme.

United Kingdom (UK GDPR & Data Protection Act 2018). Data subjects in the UK have the rights of access, rectification, erasure ("right to be forgotten"), restriction, data portability, objection (including to direct marketing) and rights related to automated decision-making (Articles 15-22 UK GDPR). Complaints may be lodged with the Information Commissioner's Office (ICO). Where transfers are made out of the UK, the Company relies on UK International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

European Union / EEA (GDPR - Regulation (EU) 2016/679). Data subjects in the EU/EEA have the same Article 15-22 rights as UK subjects, plus the right to lodge a complaint with their local supervisory authority. Cross-border transfers rely on EU Standard Contractual Clauses (SCCs) and supplementary measures where required by Schrems II. The Company is willing, on request, to enter into a Data Processing Addendum (DPA) modelled on Article 28 GDPR with any EU/EEA-located Client.

United Arab Emirates (Federal Decree-Law No. 45 of 2021 on Personal Data Protection). Data subjects in the UAE have the rights of access, correction, deletion, restriction, transfer of data, objection and to withdraw consent. Sensitive Personal Data (including biometric, health and financial data) requires an explicit, separate basis. Cross-border transfers are permitted to jurisdictions providing an adequate level of protection, or under contractual safeguards approved under the UAE PDPL Implementing Regulations. The Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) free zones operate their own data-protection regimes (DIFC Data Protection Law No. 5 of 2020; ADGM Data Protection Regulations 2021); Clients in those free zones should consult those laws.

Other Southeast-Asian jurisdictions. Data subjects in Thailand (PDPA 2019), Indonesia (PDP Law 27 of 2022), the Philippines (Data Privacy Act 2012), Vietnam (Decree 13/2023/ND-CP), and other ASEAN jurisdictions have rights broadly equivalent to those described above. Where the Client is located in such a jurisdiction, the Client warrants that it has appointed any local representative or DPO required and that it has performed any transfer-impact assessment required by local law before sending Personal Data into the Service.

Hong Kong, India, New Zealand & Canada. Data subjects in these jurisdictions have access, correction and complaint rights under the Hong Kong PDPO, India's Digital Personal Data Protection Act 2023, New Zealand's Privacy Act 2020 and the Canadian PIPEDA respectively. The Client is responsible for compliance with notification, consent and breach-reporting obligations specific to those statutes.

22. AUTOMATED DECISION-MAKING & THE EU AI ACT

Where the Service uses artificial-intelligence, machine-learning or computer-vision models (including face recognition, fraud-pattern detection, demand forecasting, recommendation engines and natural-language generation), Authorised Users always retain the ability to override automated outputs with manual judgement. The Service does not use solely-automated decisions that produce legal or similarly significant effects on a data subject without human review. Where the EU AI Act (Regulation (EU) 2024/1689) classifies any feature as "high-risk", the Company shall publish a model card and a transparency notice in the relevant feature documentation. Clients deploying the Service to data subjects in the EU/EEA, the UK or other jurisdictions with AI-specific transparency rules are responsible for any local notice or deployment-impact-assessment obligations on the Client side.

23. BIOMETRIC DATA - JURISDICTION-SPECIFIC

Biometric data (face templates, fingerprint hashes, voiceprints) is a regulated category in many jurisdictions. The Client must, before enrolling any biometric data of any individual:

  • Malaysia — obtain explicit consent (s.40 PDPA) and display a clear notice;
  • Singapore — obtain consent under the PDPA and have a documented purpose;
  • EU / UK — obtain explicit consent under Article 9(2)(a) GDPR / UK GDPR or rely on another permitted Article 9(2) condition;
  • Australia — comply with APP 3 (collection of sensitive information) and obtain consent;
  • United States (where any user enrols from a US state) — comply with the Illinois Biometric Information Privacy Act (BIPA), the Texas CUBI, the Washington biometric statute, and any successor state biometric-privacy laws (written consent, written retention schedule, prohibition on sale);
  • UAE — treat biometric data as Sensitive Personal Data under the UAE PDPL and obtain explicit consent.

VYROX provides the technical means to capture, store and match biometric templates in encrypted form, and to delete them on request, but the underlying lawful basis is the Client's responsibility. Failure by the Client to comply with the applicable biometric-privacy regime is a material breach of this Notice and the Terms of Service.

24. CHILDREN - JURISDICTION-SPECIFIC PROTECTIONS

Where any Authorised User, Member or other data subject is below the age of majority of their jurisdiction (typically under 18 in Malaysia, 13 in the United States under COPPA, 13-16 in the EU under Article 8 GDPR depending on Member State, 18 in the UAE), the Client must obtain verifiable parental or guardian consent before collecting, processing or storing the child's Personal Data, and must comply with any age-appropriate-design, marketing, profiling and behavioural-advertising restriction applicable in the relevant jurisdiction (including, in the UK, the ICO's Age-Appropriate Design Code). VYROX does not knowingly market the Service directly to children.

25. DIRECT MARKETING - SPAM, COOKIE & TELECOM RULES

Where the Service sends marketing communications on the Client's behalf (email, SMS, WhatsApp, push notification, in-app), the Client warrants compliance with each applicable statute, including, without limitation:

  • Malaysia — the PDPA 2010 and the Communications and Multimedia Act 1998;
  • Singapore — the Spam Control Act 2007 and the Do Not Call Provisions of the PDPA;
  • Australia — the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth);
  • United Kingdom — the Privacy and Electronic Communications Regulations (PECR);
  • European Union — the ePrivacy Directive 2002/58/EC (and the forthcoming ePrivacy Regulation, when in force);
  • United Arab Emirates — the Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes and the TDRA framework on commercial communications;
  • United States (where applicable) — the CAN-SPAM Act of 2003 and the TCPA.

For website cookies and similar technologies operated by the Client through the Service, the Client is responsible for displaying any cookie banner or consent management platform required by the local jurisdiction (including the UK PECR, the EU ePrivacy framework, and the California CCPA / CPRA where applicable to the Client's Members).

26. DATA PROCESSING TERMS (ARTICLE 28 GDPR-EQUIVALENT)

Where the Company acts as Data Processor on behalf of the Client (Data Controller), the following terms apply and form part of this Notice. They are intended to satisfy the requirements of Article 28 of the EU GDPR, the UK GDPR, equivalent provisions of the Malaysian PDPA 2010, the Singapore PDPA 2012, the Australian Privacy Act 1988 (Cth), the UAE Federal Decree-Law No. 45 of 2021, and similar regimes:

  • Subject-matter and duration: the processing relates to the operation of the Client's snooker / cue-sports venue and continues for the term of the Client's subscription, plus any post-termination period required for export, retention and statutory record-keeping.
  • Nature and purpose: the Company processes Personal Data only to operate, maintain, secure and improve the Service, and only on documented instructions from the Client (which are deemed given by the Client's configuration of the Service).
  • Categories of data subjects: the Client's Authorised Users, Members, employees, contractors, customers and visitors.
  • Confidentiality: the Company ensures that personnel authorised to process Personal Data are bound by written confidentiality obligations.
  • Security: the Company implements appropriate technical and organisational measures (encryption in transit and at rest, access controls, audit logs, vulnerability management) commensurate with the risks.
  • Sub-processors: general written authorisation is given (see "Subprocessors" in the Terms of Service); the Company shall impose equivalent data-protection obligations on each sub-processor.
  • Assistance to the Client: the Company shall provide reasonable assistance to the Client in responding to data-subject access requests, conducting data-protection impact assessments, and notifying authorities or affected data subjects of any breach.
  • Return / deletion at end of services: on termination, the Company shall, at the Client's choice, return or delete Personal Data subject to legal-retention obligations, encrypted-backup-rotation cycles, and the limitations described elsewhere in this Notice.
  • Audit: the Client may exercise audit rights as described in the Terms of Service (typically by reviewing the Company's written security posture rather than on-site audit).

Clients located in jurisdictions requiring a separate signed DPA may request one from the Company. In the absence of a separate signed DPA, the terms set out here and in the Terms of Service constitute the binding written processing terms between the parties.

27. NO JOINT CONTROLLERSHIP

The Client and the Company do not jointly determine the purposes and means of processing Personal Data within the meaning of Article 26 GDPR or any equivalent provision. The Client is the sole Data Controller of all Personal Data of its Members, Authorised Users and customers; the Company is the Client's Data Processor in respect of such data, save where the Company processes Personal Data of the Client's authorised contacts for its own commercial relationship (account management, billing, marketing of own products), in which case the Company is the independent Data Controller of that limited dataset.

28. RECORDS OF PROCESSING - CLIENT RESPONSIBILITY

Where Article 30 GDPR, the Singapore PDPA, the UAE PDPL, or any equivalent statute requires a written record of processing activities to be kept by the Data Controller, the Client (and not the Company) is responsible for maintaining that record. The Company shall, on reasonable written request, provide information from its own systems necessary to populate the Client's record of processing.

29. PERSONAL-DATA BREACH NOTIFICATION TIMELINES

Where the Company becomes aware of a Personal-Data breach affecting Personal Data it processes on behalf of a Client, the Company shall notify the affected Client without undue delay and shall use reasonable endeavours to do so within seventy-two (72) hours of becoming aware of the breach where the breach is likely to result in a risk to data subjects (mirroring the Article 33(2) GDPR / UK GDPR processor-to-controller notification timeline). The Client (Data Controller) is then responsible for any onward notification to:

  • the Personal Data Protection Commissioner of Malaysia under the PDPA;
  • the Information Commissioner's Office (ICO) in the United Kingdom (within 72 hours of awareness);
  • the relevant supervisory authority in the EU/EEA (within 72 hours);
  • the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme;
  • the Personal Data Protection Commission (PDPC) of Singapore (within 72 hours of assessment of notifiability);
  • the UAE Data Office under the PDPL;
  • any other competent authority required by law in any other jurisdiction.

The Company shall co-operate in good faith with such onward notification, but the obligation rests on the Client.

30. DATA-RESIDENCY REPRESENTATIONS

The Company's primary production infrastructure for the Service is hosted in Malaysia. Disaster-recovery, content-delivery, error-tracking, AI-processing, push-notification and similar ancillary services may be hosted, mirrored or routed through facilities in Singapore, the European Economic Area, the United Kingdom, the United States, the Hong Kong SAR and other jurisdictions. The Company makes no representation that Personal Data will remain exclusively within any single jurisdiction. Clients with strict data-localisation requirements (e.g. under Indonesian Government Regulation 71/2019, the Vietnamese Decree 53/2022/ND-CP, the Saudi PDPL, or the Russian Federal Law 152-FZ) shall verify, prior to deployment, that the Service's infrastructure model is compatible with their localisation obligations; the Company makes no specific commitment in this regard and may decline to onboard Clients in jurisdictions whose localisation rules are incompatible with the Service's architecture.

31. SPECIAL CATEGORY / SENSITIVE PERSONAL DATA

Where the Service processes any of the following categories of Personal Data, the Client (Data Controller) must establish an explicit, separate lawful basis (e.g. explicit consent under Article 9(2)(a) GDPR / s.40 PDPA Malaysia / s.21 UAE PDPL) before such data is entered into the Service:

  • biometric data and facial-recognition templates;
  • health and medical information;
  • data revealing racial or ethnic origin, religious or philosophical beliefs, political opinions, trade-union membership, sexual orientation or sex life;
  • genetic data;
  • data relating to criminal convictions or alleged offences;
  • data of children below the age of digital consent in their jurisdiction;
  • any other category designated as "special category", "sensitive" or equivalent under any applicable law.

The Company shall apply equivalent or stronger technical safeguards to such data, but does not itself determine the lawful basis for processing.

32. EU-US DATA PRIVACY FRAMEWORK / UK EXTENSION

Where Personal Data is transferred from the EU/EEA or the United Kingdom to the United States via a US-based sub-processor, the Company shall rely on the EU-US Data Privacy Framework (DPF), the UK Extension to the DPF, or, where the sub-processor is not DPF-certified, on the EU Standard Contractual Clauses (with the UK Addendum, where applicable) plus supplementary measures sufficient under Schrems II and the EDPB Recommendations. The Company will publish or make available to qualifying Clients the names of US sub-processors and their relevant transfer mechanism on request.

33. CONTACT US

VYROX INTERNATIONAL SDN BHD

New BRN 201201039321 (formerly 1023799-A); TIN: C22988575060; SST: W24-1808-32000228

A-16-05, The Vertical Business Suite Tower A, Jalan Kerinchi, Bangsar South, 59200 Kuala Lumpur, Wilayah Persekutuan KL, Malaysia.

Email: enquiry@vyrox.com

For complaints not resolved with us, you may contact: Personal Data Protection Commissioner, Department of Personal Data Protection, Ministry of Digital, Malaysia — www.pdp.gov.my.