Privacy Policy

Effective Date: 13 May 2026

This Privacy Policy explains how K3LAS SDN BHD (“k3las”, “we”, “us”, or “our”) collects, uses, discloses, stores, and otherwise processes personal data in connection with the k3las platform, including our web application, mobile application, backend services, and related tools (the “Service”).

This Policy applies to personal data processed when organizations, administrators, instructors, staff members, students, guardians, and other users access or use the Service.

1. Personal Data We May Collect

Depending on how the Service is used, we may collect and process personal data including:

• name, email address, phone number, profile photo, account identifiers, user role, and organization affiliation;
• organization details, branch details, business contact information, and addresses;
• student, guardian, instructor, and staff details, including names, contact details, and relationship information;
• schedules, lessons, attendance, holidays, waitlists, freezes, follow-up records, assessment records, notes, comments, and uploaded files;
• pricing, orders, credits, invoices, student fund balances, bucket configurations, and related transaction records;
• sign-in and session information, including email sign-in details, tokens, device-generated auth keys, IP address, request metadata, and technical logs;
• information stored locally on a browser or device for sign-in, organization context, and draft-saving purposes; and
• where provided by organizations, additional fields such as date of birth, identification details, tax or employment-related information, bank details, gender, race, marital status, and nationality.

2. How We Collect Personal Data

We may collect personal data:

• directly from you when you sign in, create or update records, upload files, contact us, or otherwise use the Service;
• from organizations and their authorized users who use the Service to manage students, guardians, instructors, staff, and related records;
• automatically through the operation of the Service, including authentication flows, API requests, cookies, local storage, device storage, and technical logs; and
• from service providers or platform providers supporting features such as email delivery, file storage, address lookup, diagnostics, or notifications.

3. Purposes of Processing

We may use personal data for purposes including:

• providing, operating, maintaining, and securing the Service;
• authenticating users and managing sessions;
• creating and managing organization, student, guardian, instructor, staff, and user records;
• operating scheduling, attendance, assessment, pricing, order, credit, invoice, and student-fund workflows;
• storing and retrieving uploaded files and generated documents;
• sending sign-in emails, invitations, service notifications, and other operational communications;
• supporting address-related and notification-related features;
• monitoring performance, troubleshooting issues, improving reliability, and protecting the Service against misuse or unauthorized access;
• responding to inquiries, feedback, and support requests; and
• complying with applicable legal or regulatory requirements.

4. Required Personal Data

Some personal data is required for us to provide the Service, such as account, organization, student, guardian, instructor, scheduling, attendance, billing, and operational information. If the required personal data is not provided, we may not be able to create an account, provide access, operate certain features, respond to requests, or continue providing the Service.

Other personal data may be optional depending on how an organization configures and uses the Service.

5. Disclosure of Personal Data

We may disclose personal data to:

• the organization that administers your use of the Service, including its authorized administrators and staff;
• our service providers and infrastructure vendors that help us operate the Service, such as hosting, database, email, storage, diagnostics, mapping, and notification providers;
• professional advisers, auditors, insurers, regulators, authorities, courts, or law enforcement where necessary to comply with law or protect our rights; and
• parties involved in a corporate transaction such as a merger, acquisition, restructuring, or asset sale.

We do not disclose personal data except as described in this Policy or as permitted or required by law.

6. Cookies, Local Storage, and Device Storage

We may use cookies, browser storage, secure mobile-device storage, and similar technologies for purposes such as:

• maintaining authenticated sessions;
• storing refresh tokens or similar session data;
• remembering organization context and user preferences;
• supporting draft-saving and usability features; and
• supporting diagnostics and service stability.

You may control some of these settings through your browser or device, but some parts of the Service may not function properly if they are disabled.

7. Notifications and Diagnostics

If enabled, the Service may use push notification services to send operational notifications.

We may also use diagnostic, logging, crash-reporting, and feedback tools to monitor performance, investigate issues, and improve the Service. These tools may process technical and usage information, and may capture information visible within the affected session.

8. Security

We take reasonable practical steps to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures may include authentication controls, role-based access controls, signed file-access links, database security controls, and other technical and organizational safeguards.

However, no system is completely secure and we cannot guarantee absolute security.

9. Retention

We will retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to provide the Service, to comply with legal or regulatory obligations, to resolve disputes, and to enforce our agreements.

When personal data is no longer required, we may delete, destroy, or anonymize it in accordance with our retention practices and applicable law.

10. Transfers and Storage

Your personal data may be stored or processed in Malaysia or in other jurisdictions where our service providers operate. Where applicable, we will take reasonable steps to ensure that personal data transferred outside Malaysia is protected appropriately.

11. Student and Minor Data

The Service may be used by organizations to manage records relating to students, including minors. Organizations using the Service are responsible for ensuring that they have obtained any consents, notices, approvals, or authorizations required under applicable law for the collection and use of such personal data.

The Service is not intended for unsupervised direct use by children.

12. Access and Correction

Subject to applicable law, you may request access to your personal data or request correction of personal data that is inaccurate, incomplete, misleading, or not up to date.

Where your personal data is processed on behalf of an organization using the Service, we may direct your request to that organization.

To make a request, please contact us using the details below. We may require reasonable verification of your identity and may charge a fee where permitted by law.

13. Changes to This Policy

We may update this Policy from time to time. Any updates will be posted through the Service or on our website, and the updated version will take effect from the stated effective date.

14. Contact Us

If you have any questions, or if you wish to request access to or correction of your personal data, please contact hello@k3las.com.