Your privacy matters to us. SLV Group Sdn. Bhd. is committed to protecting the personal data of all users and employees processed through GajiHub. This Privacy Policy explains what data we collect, why we collect it, and your rights under Malaysia's Personal Data Protection Act 2010 (PDPA).
1. Data Controller
SLV Group Sdn. Bhd. ("we", "us", "our") is the data controller responsible for the personal data processed through the GajiHub platform.
2. What Personal Data We Collect
We collect personal data in two categories: data provided by Client Companies (employers) and data generated through use of the Platform.
2.1 Employee Data (provided by Client Companies)
| Data Type | Examples | Purpose |
| --- | --- | --- |
| Identity Data | Full name, IC/Passport number, date of birth, gender, nationality | Employee record management, statutory compliance |
| Contact Data | Email, phone number, home address, emergency contact | Communication, emergency notification |
| Employment Data | Position, department, date joined, employment type, salary | HR management, payroll processing |
| Financial Data | Bank account, EPF number, SOCSO number, income tax number | Payroll disbursement, statutory contributions |
| Attendance Data | Punch-in/out times, GPS coordinates, attendance status | Attendance tracking, payroll computation |
| Leave Data | Leave applications, types, durations, balances | Leave management, HR records |
| Claims Data | Expense claims, amounts, receipts, approval status | Reimbursement processing |
| Performance Data | KPI scores, appraisal notes, ratings | Performance management |
| Document Data | Uploaded documents, certificates, acknowledgements | HR documentation |
2.2 Account & Usage Data
- Account information — names, email addresses, roles of HR administrators and managers;
- Login activity — timestamps, IP addresses, session data for security purposes;
- Usage data — pages visited, features used, system logs for service improvement;
- Device data — browser type, operating system, mobile device type (for portal compatibility).
2.3 HRDC Training Data
- Company levy calculations, training applications, course preferences;
- Names and contact details of training coordinators for scheduling purposes.
3. How We Use Your Personal Data
We process personal data only for the following lawful purposes:
- Service Delivery — to provide HR management, payroll computation, leave tracking, and all other services under our subscription;
- Statutory Compliance — to assist Client Companies in meeting obligations under EPF, SOCSO, EIS, LHDN and the Employment Act 2022;
- Security — to protect accounts, detect unauthorised access, and maintain audit logs;
- Customer Support — to respond to queries, troubleshoot issues, and provide training assistance;
- Service Improvement — anonymised, aggregated usage data may be used to improve platform performance and features;
- Legal Compliance — to comply with applicable Malaysian laws and court orders;
- Communications — to send important service notifications, policy updates, and scheduled maintenance alerts.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
4. Legal Basis for Processing
Under Malaysia's Personal Data Protection Act 2010 (PDPA), we process personal data on the following grounds:
- Contractual necessity — processing required to deliver the services under the subscription agreement;
- Legal obligation — processing necessary to comply with Malaysian employment and tax laws;
- Consent — where required, particularly for optional communications and non-essential processing;
- Legitimate interest — for security, fraud prevention, and platform improvement, where this does not override individual rights.
5. Data Sharing & Third Parties
We share personal data only in the following limited circumstances:
| Recipient | Purpose | Safeguards |
| --- | --- | --- |
| Hostinger (web hosting) | Secure server infrastructure for the Platform | Data processing agreement, ISO 27001 certified |
| HRD Corp / HRDC | HRDC training applications and levy management | Malaysian government body, statutory requirement |
| Payment Processors | Subscription fee processing | PCI-DSS compliant, encrypted transactions |
| Email Service Provider | System notifications and alerts | Data processing agreement in place |
| Law Enforcement | Only when required by Malaysian court order or law | Verified legal demand required |
All third-party service providers are contractually required to process data only as instructed by SLV Group and to maintain appropriate security measures.
We do not transfer personal data outside Malaysia except where necessary for cloud infrastructure purposes, and only to jurisdictions that provide adequate data protection.
6. Data Retention
We retain personal data for as long as necessary to provide the Services and comply with legal obligations:
- Active subscription — data is retained for the full duration of the subscription;
- After subscription ends — data is retained for 90 days to allow data export. After 90 days, data is permanently deleted or anonymised;
- Payroll & statutory records — certain payroll and statutory records may be retained for up to 7 years as required by LHDN and EPF regulations;
- Audit logs — security and access logs are retained for 12 months;
- Backup data — may be retained in encrypted backups for up to 30 days after deletion.
7. Data Security
We implement industry-standard technical and organisational measures to protect your personal data:
- All data is transmitted over HTTPS with TLS encryption;
- Passwords are hashed using bcrypt — plaintext passwords are never stored;
- Multi-tenant data isolation — each Client Company's data is logically separated;
- Role-based access control — HR Admins, Managers, and Employees access only appropriate data;
- Regular security audits and access log monitoring;
- Hostinger infrastructure with automatic backups and DDoS protection.
Despite these measures, no system is 100% secure. In the event of a data breach that poses risk to your rights, we will notify affected Client Companies within 72 hours of becoming aware of the breach, as required by PDPA guidelines.
8. Your Rights Under Malaysia's PDPA 2010
As a data subject or a representative of a data subject, you have the following rights:
- Right of Access: Request a copy of the personal data we hold about you or your employees.
- Right to Correct: Request correction of inaccurate or incomplete personal data.
- Right to Prevent Processing: Object to processing that causes damage or distress, where applicable.
- Right to Data Export: Request an export of your company's data in a standard format (CSV/PDF).
- Right to Deletion: Request deletion of data after subscription ends (subject to legal retention requirements).
- Withdraw Consent: Withdraw consent for optional data processing at any time without affecting past processing.
To exercise any of these rights, contact our Data Protection Officer at hello@slvgroup.com.my. We will respond within 21 days as required by the PDPA.
9. Cookies & Tracking
GajiHub uses the following types of cookies and tracking technologies:
- Session cookies — essential for login and authentication (deleted when browser is closed);
- Preference cookies — to remember your settings and language preferences;
- Analytics cookies — Google Analytics (if configured) to understand how the platform is used. This uses anonymised data;
- Security cookies — to detect and prevent fraudulent access attempts.
You may disable non-essential cookies through your browser settings. This may affect some functionality of the Platform.
10. Employee Consent & PDPA Notice
For Client Companies: When you upload employee data to GajiHub, you represent and warrant that:
- You have provided employees with a PDPA notice informing them of the collection and processing of their personal data;
- Where required, you have obtained employees' consent for data processing;
- You are authorised under Malaysian employment law to collect and process the employee data uploaded;
- You will comply with PDPA 2010 obligations as the data controller of your employees' personal data.
SLV Group acts as a data processor on behalf of Client Companies for employee data. Both parties are responsible for compliance with PDPA in their respective capacities.
11. Children's Privacy
GajiHub is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor's data has been uploaded without authorisation, contact us immediately.
12. Links to Third-Party Sites
The Platform may contain links to third-party websites (e.g. HRD Corp portal, LHDN, KWSP). This Privacy Policy does not apply to those external sites. We encourage you to review their privacy policies before providing any personal data.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify registered Client Companies by email of any material changes at least 14 days before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the Platform constitutes acceptance of the updated Policy.
14. Complaints
If you believe we have not handled your personal data in accordance with this Privacy Policy or the PDPA 2010, you may:
- Contact our Data Protection Officer at hello@slvgroup.com.my;
- Lodge a complaint with the Personal Data Protection Commissioner of Malaysia at the Department of Personal Data Protection (JPDP) via pdp.gov.my.
15. Contact Our Data Protection Officer
Data Protection Officer — SLV Group Sdn. Bhd.
- Email: hello@slvgroup.com.my
- Subject line: PDPA Data Request — [Your Company Name]
- Location: Petaling Jaya, Selangor, Malaysia
We aim to respond to all data protection enquiries within 21 days as required under the PDPA 2010.