This Privacy Policy explains how Xilnex Holdings Sdn. Bhd. (Company Registration No. 200701041800 (799832-T)) (formerly known as Web Bytes Sdn. Bhd.) (“Xilnex”, “we”, “us”, “our”) collects, uses, discloses, and protects personal data in connection with the Xilnex cloud retail management platform, our websites, mobile applications, integrations (including the Xilnex app for Lark), and related services (collectively, the “Service”).
This Policy is issued pursuant to the Personal Data Protection Act 2010 (Malaysia) (“PDPA”) and forms part of our Terms & Conditions. By using the Service, you consent to the processing of personal data as described in this Policy.
1. Whose Data We Process, and Our Role
(a) Merchant Data – Xilnex as data user. When you register for, subscribe to, or use the Service as a merchant, we collect personal data about you, your directors, and your staff (e.g. account holders, cashiers, managers). For this data, Xilnex is the data user (controller).
(b) End-Customer Data – Xilnex as data processor. Merchants use the Service to record data about their own customers (e.g. sales transactions, loyalty memberships, contact details). For this data, the merchant is the data user, and Xilnex processes it only on the merchant’s behalf and instructions. End customers should direct privacy enquiries to the merchant they transacted with.
2. Personal Data We Collect
-
Account and identity data: name, business name and registration details, email address, phone number, billing address, job title, and login credentials.
-
Billing data: payment method details, invoices, and transaction records relating to your subscription. Card payments are processed by licensed third-party payment providers; we do not store full card numbers.
-
Operational data: data you or your staff enter into the Service, including sales, inventory, employee shift, and customer records.
-
Technical data: device identifiers, IP address, browser type, log files, and usage analytics collected when you access the Service.
-
Support data: records of your communications with our support and sales teams.
-
Integration data (including Lark): where you connect the Service to a third-party platform such as Lark, we receive the data you authorise that platform to share with us – for example your Lark workspace identity (name, avatar, open ID), and the content necessary to deliver notifications, reports, or documents through the integration.
3. How We Use Personal Data
We process personal data to: (a) provide, operate, secure, and support the Service; (b) set up and administer your account and subscription; (c) process billing and collect payment; (d) deliver integrations you enable, including exchanging data between your Xilnex account and your Lark workspace within the permission scopes you approve; (e) communicate service notices, updates, and (with your consent, where required) marketing about Xilnex products; (f) improve and develop the Service, including through anonymised and aggregated analytics; (g) detect, investigate, and prevent fraud, abuse, and security incidents; and (h) comply with legal and regulatory obligations, including tax and accounting laws.
We do not sell personal data.
4. Disclosure of Personal Data
We may disclose personal data to: (a) our related companies for the purposes above; (b) service providers who host, support, or help us deliver the Service (e.g. cloud hosting, communications, analytics, and payment providers), under confidentiality and data-protection obligations; (c) third-party platforms you have chosen to connect (e.g. Lark, accounting software, marketplaces) – to the extent required to operate the integration you enabled; (d) professional advisers, auditors, and insurers; (e) regulators, law enforcement, or courts where required by law; and (f) an acquirer or successor in connection with a merger, acquisition, or sale of assets, subject to this Policy.
5. International Transfers
The Service is hosted on cloud infrastructure that may be located outside Malaysia. Where personal data is transferred outside Malaysia, we take reasonable steps to ensure it is protected to a standard consistent with the PDPA and this Policy.
6. Security
We implement administrative, technical, and physical safeguards appropriate to the nature of the data, including encryption in transit, access controls, and logical separation of merchant data. No system is completely secure; you are responsible for keeping your login credentials confidential and for the security of devices used to access the Service.
7. Retention
We retain personal data for as long as your account is active and thereafter as necessary to comply with legal, tax, accounting, and audit obligations, resolve disputes, and enforce agreements. Merchant Data may be exported for thirty (30) days following termination of your subscription, after which it may be permanently deleted in accordance with our Terms & Conditions, except where retention is required by law.
8. Your Rights Under the PDPA
Subject to the PDPA, you have the right to: (a) request access to your personal data; (b) request correction of inaccurate, incomplete, or outdated personal data; (c) withdraw consent to processing (which may affect our ability to provide the Service); (d) limit processing of your personal data, including for direct marketing purposes.
To exercise these rights, contact us at the details in Section 12. We may charge a prescribed fee for access requests as permitted by the PDPA and may need to verify your identity before responding.
9. Cookies & Similar Technologies
Our websites and web applications use cookies and similar technologies to keep you signed in, remember preferences, and understand usage. You can manage cookies through your browser settings; disabling them may affect functionality.
10. Third-Party Platforms (Including Lark)
Where you access the Service through, or connect it to, a third-party platform such as Lark, that platform’s own privacy policy governs its collection and use of your data. Lark is operated by Lark Technologies Pte. Ltd. and its affiliates; Xilnex is not responsible for Lark’s data practices. We access Lark data only within the permission scopes you approve at installation, use it solely to provide the integration’s features, and do not disclose it except as described in this Policy. You may revoke the integration’s access at any time from your Lark administrator console, after which we will cease collecting Lark data and delete it in accordance with Section 7.
11. Minors
The Service is intended for business use by persons aged 18 and above. We do not knowingly collect personal data from minors.
12. Contact Us
For privacy enquiries, access or correction requests, or complaints:
Xilnex Holdings Sdn. Bhd. (Company Registration No. 200701041800 (799832-T))Unit 70-3-71, D’Piazza Mall, Jalan Mahsuri, Bayan Baru, 11900 Pulau Pinang, Malaysia. Email: info@xilnex.com (Attn: Data Protection) | Phone: +604 611 0162
13. Changes to This Policy
We may update this Policy from time to time. Material changes will be notified by email, in-Service notice, or by posting the updated Policy with a revised “Last Updated” date. Continued use of the Service after changes take effect constitutes acceptance.
Nota: Selaras dengan Seksyen 7(3) Akta Perlindungan Data Peribadi 2010, versi Bahasa Malaysia bagi notis ini boleh didapati atas permintaan di info@xilnex.com. / In accordance with Section 7(3) of the Personal Data Protection Act 2010, a Bahasa Malaysia version of this notice is available on request at info@xilnex.com.