Privacy Policy - Coming Soon
We're currently finalizing our comprehensive privacy policy

Privacy Policy for TFX Islamic Sdn Bhd Facial Verification and Authentication Service

Effective Date: 23 December 2025

TFX Islamic Sdn Bhd ("we," "us," or "our"), a company incorporated in Malaysia, operates a cloud-based facial verification and authentication service (the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and protect personal data, including sensitive personal data such as biometric data, in accordance with the Personal Data Protection Act 2010 (Act 709) as amended (PDPA), including the Personal Data Protection (Amendment) Act 2024.

As a data processor under the PDPA, we process personal data (including biometric data) strictly on behalf of and as instructed by our customers (who act as data controllers). Our customers remain primarily responsible for obtaining necessary consents from end users (data subjects), providing appropriate notices, and ensuring overall compliance with the PDPA and other applicable laws.

Important Note: Biometric data (including facial recognition data and facial templates) is classified as sensitive personal data under the amended PDPA. Processing of such data requires explicit consent from data subjects (unless an exemption applies), and we process it only upon the lawful instructions of our customers.

1. Information We Collect and Process

We collect and process the following categories of personal data:

  • Biometric Data (Sensitive Personal Data): Facial images, videos, or live captures submitted via our API for verification (1:1 matching) or authentication purposes. From these, we generate irreversible facial templates (mathematical representations/embeddings). Raw facial images are not stored long-term unless required for a specific customer-instructed purpose (e.g., temporary processing).
  • Customer Account and Usage Data: Company name, contact person details, billing information, API keys, and usage logs (e.g., number of verifications performed).
  • Technical and Log Data: IP addresses, device/browser information, timestamps, API request metadata, and error logs.

We do not collect or process personal data for our own independent purposes (e.g., marketing, profiling, or resale).

2. How We Collect Information

  • Directly through API integrations when our customers submit facial data for processing on behalf of their end users.
  • Automatically via server logs and API interactions.

We do not obtain personal data from public sources or third parties without customer authorization.

3. Purposes of Processing

We process personal data solely to:

  • Provide the Service: Perform facial verification/authentication as instructed by the customer.
  • Ensure security: Detect presentation attacks (e.g., liveness detection to prevent spoofing).
  • Maintain and improve the Service: Use aggregated, fully anonymized data for system performance and accuracy (customers may opt out).
  • Fulfil legal obligations: Comply with Malaysian law or respond to valid legal requests.
  • Manage customer relationship: Billing, support, and account administration.

We do not use biometric data for any purpose beyond the customer's explicit instructions.

4. Legal Basis for Processing

As a data processor, we rely on the legal basis established by our customers (data controllers). For sensitive personal data (biometric data), Malaysian law generally requires explicit consent from data subjects. Our customers must ensure they have obtained such consent or rely on another valid exemption before submitting data to us.

5. Data Retention

  • Raw facial images are processed temporarily and deleted immediately after verification/authentication unless otherwise instructed by the customer.
  • Facial templates are retained only as long as necessary to fulfil the customer's service request or as specified in our agreement. Customers may request deletion of stored templates via API or support at any time.
  • Account and usage logs are retained for limited periods for security, billing, and audit purposes (typically up to 12 months).

Upon account termination or customer request, all associated personal data is deleted within a reasonable period, subject to legal retention requirements.

6. Disclosure and Sharing of Personal Data

We do not sell, rent, or disclose personal data to third parties except:

  • To trusted subprocessors (e.g., cloud infrastructure providers) bound by strict confidentiality, security, and PDPA-compliant agreements.
  • As required by Malaysian law, court order, or regulatory authority.
  • In connection with a merger, acquisition, or sale of assets (with notice to customers where feasible).

We do not transfer personal data outside Malaysia without appropriate safeguards as required under Section 129 of the PDPA (e.g., standard contractual clauses or adequacy decisions).

7. Data Security

We implement reasonable technical and organizational measures to protect personal data, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256 for biometric templates).
  • Strict access controls, regular security audits, and penetration testing.
  • Liveness detection and anti-spoofing technologies.
  • Incident response procedures in line with PDPA breach notification requirements.

While we strive to maintain the highest security standards, no system is completely immune to risk. We will notify affected customers without undue delay in the event of a personal data breach.

8. International Data Transfers

Personal data may be processed on secure cloud servers located in Malaysia and/or other jurisdictions. Any cross-border transfer complies with PDPA requirements, including the use of approved safeguards.

9. Data Subject Rights

End users (data subjects) should exercise their PDPA rights (access, correction, withdrawal of consent, etc.) directly with our customers (data controllers). As a processor, we assist our customers in responding to such requests within the required timeframes, including providing access to or deletion of biometric data where instructed.

10. Children's Privacy

The Service is not directed at children under 13 years of age (or the applicable age under Malaysian law). We do not knowingly process sensitive personal data of children without appropriate parental/guardian consent obtained by our customers.

11. Changes to This Privacy Policy

We may update this Policy to reflect changes in law, technology, or our practices. Material changes will be notified to customers via email or our website. Continued use of the Service after such changes constitutes acceptance.

12. Contact Us

For inquiries, data subject assistance requests, or complaints regarding our processing activities:

Data Protection Officer
TFX Islamic Sdn Bhd
D-1-3, Jalan PJU 5/1, Encorp Strand Garden Office, Kota Damansara, 47810 Petaling Jaya, Selangor, Malaysia
Email: privacy@tfx.global

This Privacy Policy is provided as a template and should be reviewed by legal counsel to ensure full compliance with your specific operations, the PDPA (as amended), and any other applicable laws.

  • We take your privacy seriously and follow industry best practices
  • We only collect information necessary to provide our services
  • We do not sell or share your personal data with third parties
  • All data is encrypted and stored securely
  • You have the right to request deletion of your data at any time