Terms of Service

1. Introduction

These Terms of Service ("Terms") govern your access to and use of the websites, mobile applications, and services (collectively, the "Services") operated by EZ FLOW LABZ SDN. BHD. ("Company", "we", "us", or "our"), a company incorporated in Malaysia under the Companies Act 2016.

Our Services include, but are not limited to:

• EZLEASE — a tenant credential verification platform accessible at ezlease.my and through our mobile applications.
• EZFLOW — and any other products or services we may launch in the future under the EZ FLOW LABZ brand.

By accessing or using our Services, you agree to be bound by these Terms. If you do not agree, you must not use our Services.

2. Eligibility

You must be at least eighteen (18) years of age to use our Services. By creating an account or using our Services, you represent and warrant that you are at least 18 years old and have the legal capacity to enter into a binding agreement under the laws of Malaysia.

We reserve the right to request proof of age at any time. If we discover or have reason to believe that a user is under 18, we will immediately suspend or terminate their account and delete any associated personal data.

3. Account Registration and Security

3.1 Account Creation

To access certain features of our Services, you must create an account by providing accurate, current, and complete information. You agree to update your information promptly if it changes.

3.2 Account Security

You are responsible for maintaining the confidentiality of your account credentials. You must immediately notify us at hello@ezflowlabz.com if you suspect any unauthorised access to or use of your account.

3.3 Account Responsibility

You are responsible for all activity that occurs under your account, whether or not you authorised such activity. We are not liable for any loss arising from unauthorised use of your account where you have failed to safeguard your credentials.

4. Description of Services

4.1 EZLEASE — Tenant Credential Verification Platform

EZLEASE enables:

• Tenants to create verified credential profiles ("Tenant Passports") by uploading identity documents (MyKad), income proof, employment records, and other supporting documentation. Tenant accounts are free to create and maintain.
• Landlords to access and view verified tenant profiles to support informed tenant screening decisions. Landlord access is available through paid subscription plans or pay-per-view pricing.

4.2 Verification Process

EZLEASE verifies the authenticity of documents submitted by tenants. However, verification confirms the document's validity — it does not guarantee the future conduct, financial reliability, or character of any tenant. We do not perform criminal background checks or credit scoring unless expressly stated.

4.3 No Guarantee

We do not guarantee any outcome from using our Services, including but not limited to:

• Successful tenancy or tenancy agreements.
• The accuracy of self-reported information by users.
• The suitability of any tenant for any particular property.
• The reliability, conduct, or financial standing of any user.

5. User Obligations

5.1 General Obligations

By using our Services, you agree to:

• Provide truthful, accurate, and current information at all times.
• Use the Services only for lawful purposes and in accordance with these Terms.
• Not impersonate any person or entity or misrepresent your affiliation with any person or entity.
• Not upload, share, or transmit any fraudulent, forged, or misleading documents.
• Not attempt to gain unauthorised access to any part of the Services, other user accounts, or our systems.
• Not use the Services to harass, discriminate against, threaten, or harm any other user.

5.2 Tenant Obligations

If you use our Services as a tenant, you additionally agree to:

• Submit only genuine, unaltered documents for verification.
• Not share your Tenant Passport credentials with third parties who may misrepresent them as their own.
• Promptly update your profile if any submitted information becomes outdated or inaccurate.

5.3 Landlord Obligations

If you use our Services as a landlord, you additionally agree to:

• Use verified tenant information solely for the purpose of making informed tenancy decisions.
• Not share, redistribute, copy, or sell any verified tenant data obtained through our platform to any third party.
• Comply with all applicable data protection laws, including the Personal Data Protection Act 2010 (PDPA), when handling tenant data.
• Not use the Services or any data obtained through them to unlawfully discriminate against any person.

6. Fees and Payment

6.1 Pricing

Certain features of our Services require payment. Current pricing is displayed on our website and within our applications. All prices are stated in Malaysian Ringgit (RM) unless otherwise specified.

6.2 Payment Processing

Payments are processed through third-party payment processors, including Stripe. By making a payment, you agree to the terms and conditions of the applicable payment processor. We do not store your full credit card or payment details on our servers.

6.3 Lifetime Deals and Promotional Pricing

From time to time, we may offer limited-time promotional pricing or time-limited access deals ("Lifetime Deals"). These are subject to specific terms disclosed at the time of purchase, including access duration, unit caps, and feature limitations. "Lifetime" deals refer to a fixed access period (e.g., 12, 24, or 36 months) as stated in the offer, not perpetual access.

6.4 Refunds

Refund eligibility is determined on a case-by-case basis. If you believe you are entitled to a refund, please contact us at hello@ezflowlabz.com within fourteen (14) days of your purchase. We reserve the right to decline refund requests for Services that have been substantially used.

6.5 Taxes

You are responsible for any applicable taxes, levies, or duties imposed by your local tax authority in connection with your use of our Services, including Sales and Service Tax (SST) where applicable under Malaysian law.

7. Intellectual Property

7.1 Our Intellectual Property

All content, features, functionality, trademarks, trade names, logos, designs, software, and technology associated with our Services (including but not limited to EZLEASE, EZFLOW, and EZ FLOW LABZ branding) are and shall remain the exclusive property of EZ FLOW LABZ SDN. BHD.

You are granted a limited, non-exclusive, non-transferable, revocable licence to access and use our Services for their intended purpose, subject to these Terms.

7.2 User-Generated Content

By uploading documents, images, or other content to our platform, you grant us a limited licence to process, store, display, and use such content solely for the purpose of providing and improving our Services. You retain ownership of your original content.

You represent and warrant that you have the legal right to upload and share any content you submit through our Services.

8. Prohibited Conduct

You must not:

• Reverse engineer, decompile, or disassemble any part of our Services.
• Use automated tools, bots, scrapers, or similar technology to access our Services without prior written consent.
• Attempt to interfere with, disrupt, or compromise the integrity or security of our Services.
• Upload any content that contains viruses, malware, or other harmful code.
• Use the Services for any fraudulent, deceptive, or illegal purpose.
• Collect, harvest, or store personal data of other users without their explicit consent and a lawful basis.
• Use verified tenant data for any purpose other than evaluating tenancy suitability.
• Resell, sublicence, or commercially exploit access to our Services without written agreement.

9. Suspension and Termination

9.1 By You

You may terminate your account at any time by contacting us at hello@ezflowlabz.com or through the account settings in our application. Termination does not entitle you to a refund for any unused portion of a paid subscription, except where required by applicable law.

9.2 By Us

We reserve the right to suspend or terminate your access to our Services, without prior notice, if:

• You breach any provision of these Terms.
• We reasonably believe your account has been used for fraudulent or unlawful activity.
• Your continued use poses a risk to the security, integrity, or availability of our Services or to other users.
• We are required to do so by law, regulation, or court order.

9.3 Effect of Termination

Upon termination, your right to use the Services ceases immediately. We will handle your personal data in accordance with our Privacy Policy and Data Protection Notice, including any applicable retention or deletion obligations under the PDPA.

10. Disclaimers

10.1 "As Is" Basis

Our Services are provided on an "as is" and "as available" basis. To the maximum extent permitted by Malaysian law, we disclaim all warranties, whether express, implied, or statutory, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

10.2 No Professional Advice

Nothing in our Services constitutes legal, financial, or professional advice. Our platform provides data and tools to assist with decision-making; it does not replace independent due diligence or professional consultation.

10.3 Third-Party Services

Our Services may contain links to or integrations with third-party services (including payment processors and analytics providers). We do not endorse, control, or assume responsibility for any third-party services or their content, privacy practices, or terms.

11. Limitation of Liability

To the maximum extent permitted by applicable law:

• Our total aggregate liability to you for any claims arising out of or related to these Terms or your use of our Services shall not exceed the total amount you have paid to us in the twelve (12) months preceding the claim.
• We shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business opportunities, or goodwill, whether based on contract, tort, strict liability, or any other legal theory.
• We shall not be liable for any loss arising from your reliance on any information obtained through our Services, including verified tenant data.

Nothing in these Terms excludes or limits our liability for death or personal injury caused by our negligence, fraud, or any other liability that cannot be excluded under Malaysian law.

12. Indemnification

You agree to indemnify, defend, and hold harmless EZ FLOW LABZ SDN. BHD., its directors, officers, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable legal fees) arising out of or related to:

• Your use of or access to the Services.
• Your breach of these Terms.
• Your violation of any applicable law or regulation.
• Any content you upload or submit through the Services.
• Any dispute between you and another user of the Services.

13. Dispute Resolution

13.1 Governing Law

These Terms are governed by and construed in accordance with the laws of Malaysia.

13.2 Amicable Resolution

In the event of any dispute arising out of or in connection with these Terms, both parties shall first attempt to resolve the dispute amicably through good faith negotiation. Either party may initiate this process by sending written notice to the other party.

13.3 Jurisdiction

If the dispute cannot be resolved amicably within thirty (30) days of written notice, both parties submit to the exclusive jurisdiction of the courts of Malaysia, specifically the courts in Kuala Lumpur.

14. Changes to These Terms

We may update these Terms from time to time. When we do, we will revise the "Last Updated" date at the top of this page. If we make material changes, we will provide notice through our Services or by email.

Your continued use of the Services after the updated Terms take effect constitutes your acceptance of the revised Terms. If you do not agree with the updated Terms, you must stop using the Services and may terminate your account.

15. General Provisions

15.1 Severability

If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect.

15.2 Waiver

Our failure to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.

15.3 Entire Agreement

These Terms, together with our Privacy Policy, Data Protection Notice, and Acceptable Use Policy, constitute the entire agreement between you and EZ FLOW LABZ SDN. BHD. regarding the use of our Services.

15.4 Assignment

You may not assign or transfer your rights or obligations under these Terms without our prior written consent. We may assign our rights and obligations without restriction.

15.5 Language

These Terms are drafted in English. In the event of any inconsistency between an English version and any translation, the English version shall prevail.

16. Contact Us

Privacy Policy

1. Introduction

EZ FLOW LABZ SDN. BHD. ("Company", "we", "us", or "our") is committed to protecting the privacy of all individuals who use our products and services, including EZLEASE and any future products we operate.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access our websites (including ezflowlabz.com and ezlease.my), mobile applications, and related services (collectively, the "Services").

This policy is designed to comply with the Personal Data Protection Act 2010 (PDPA) of Malaysia and its subsidiary legislation. We encourage you to read this policy carefully and contact us if you have any questions.

2. Personal Data We Collect

We collect different types of personal data depending on how you interact with our Services and whether you are a tenant, landlord, or general visitor.

2.1 Information You Provide Directly

Account Information:

• Full name
• Email address
• Phone number
• Password (stored in hashed form only)

Tenant Verification Data (EZLEASE — Tenants Only):

• MyKad (Malaysian Identity Card) number and a photograph or scan of your MyKad
• Facial photograph (selfie) for identity verification purposes
• Proof of income (e.g., pay slips, bank statements, EA forms)
• Employment details (employer name, position, duration of employment)
• Rental history and references (if voluntarily provided)

Landlord Data (EZLEASE — Landlords Only):

• Property details for listing purposes
• Business or organisational information (if applicable)

Payment Information:

• Billing name and address
• Payment method details (processed and stored by our third-party payment processor, Stripe — we do not store your full card number on our servers)

Communication Data:

• Any messages, feedback, or correspondence you send to us via email, in-app messaging, or support channels

2.2 Information Collected Automatically

When you access our Services, we may automatically collect:

• Device information: Device type, operating system, browser type and version, unique device identifiers
• Usage data: Pages visited, features used, time spent on pages, navigation paths, interaction patterns
• Log data: IP address, access times, referring URLs, error logs
• Location data: General geographic location derived from your IP address (we do not collect precise GPS location without your explicit consent)

2.3 Information from Third-Party Services

• Payment processors (Stripe): Transaction status, payment confirmations, billing address verification (we do not receive your full card details)
• Analytics services (Google Analytics, Sentry): Aggregated and pseudonymised usage data to help us understand how our Services are used and to identify and fix errors

3. How We Use Your Personal Data

We process your personal data for the following purposes:

3.1 Providing and Operating Our Services

• Creating and managing your user account
• Verifying tenant identity and credentials to generate Tenant Passports
• Enabling landlords to search and view verified tenant profiles
• Processing payments and managing subscriptions
• Facilitating communication between users where applicable

3.2 Improving Our Services

• Analysing usage patterns to improve features, user experience, and performance
• Identifying and resolving bugs, errors, and technical issues (via Sentry error monitoring)
• Conducting internal research and analysis to develop new features and products

3.3 Security and Fraud Prevention

• Detecting, investigating, and preventing fraudulent, unauthorised, or illegal activity
• Protecting the integrity of verified credentials and preventing document fraud
• Monitoring for security threats and vulnerabilities

3.4 Communications

• Sending transactional messages (account confirmations, password resets, verification status updates)
• Sending product updates and announcements related to Services you use
• Responding to your enquiries and support requests

3.5 Marketing (With Your Consent)

• Sending promotional emails, newsletters, or offers about our Services — only with your prior consent
• You may withdraw your consent to marketing communications at any time by using the unsubscribe link in any marketing email or by contacting us

3.6 Legal and Regulatory Compliance

• Complying with applicable laws, regulations, and legal processes
• Responding to lawful requests from government authorities
• Enforcing our Terms of Service and other agreements

4. Legal Basis for Processing

Under the PDPA, we process your personal data based on the following grounds:

• Consent: Where you have given clear consent for us to process your personal data for a specific purpose (e.g., uploading identity documents for verification, opting in to marketing emails).
• Contractual necessity: Where processing is necessary for the performance of a contract between you and us (e.g., creating your account, processing your subscription payment).
• Legitimate interests: Where processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms (e.g., fraud prevention, service improvement).
• Legal obligation: Where processing is necessary to comply with a legal requirement (e.g., responding to court orders or regulatory requests).

5. How We Share Your Personal Data

We do not sell, rent, or trade your personal data. We share your personal data only in the following limited circumstances:

5.1 Between Users (EZLEASE)

Verified tenant profile data is shared with landlords who have paid to access such profiles. Only the data included in the Tenant Passport is shared — landlords do not receive raw document files (e.g., MyKad scans) unless specifically stated.

5.2 Third-Party Service Providers

We engage trusted third-party service providers to perform functions on our behalf, including:

• Supabase — Database hosting, authentication, file storage (account data, verification data encrypted at rest)
• Stripe — Payment processing (billing name, email, payment method details)
• Google Analytics — Website and app usage analytics (anonymised/pseudonymised usage data)
• Sentry — Error monitoring and performance tracking (error logs, device info, anonymised user identifiers)
• ElevenLabs — AI voice generation for marketing content (no user personal data is shared)

All third-party providers are contractually bound to process personal data only as instructed by us and in accordance with appropriate data protection standards.

5.3 Legal Requirements

We may disclose your personal data if required by law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to:

• Comply with applicable law or respond to valid legal processes.
• Protect the rights, property, or safety of EZ FLOW LABZ SDN. BHD., our users, or the public.
• Detect, prevent, or address fraud, security, or technical issues.

5.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

6. Data Storage and Security

6.1 Storage Location

Your personal data is stored on secure servers provided by Supabase. Our primary database infrastructure is hosted in cloud data centres. Where data is stored outside Malaysia, we ensure appropriate safeguards are in place in accordance with Section 129 of the PDPA.

6.2 Security Measures

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest.
• Access controls: Row Level Security (RLS) is enforced across all database tables, ensuring users can only access data they are authorised to view.
• Authentication: Secure authentication with JWT token validation.
• Monitoring: Sentry error monitoring for real-time detection of anomalies and potential security issues.
• Secure file storage: Uploaded documents are stored in access-controlled storage buckets with no public access.
• Regular review: We periodically review our security practices and update them as necessary.

6.3 No Absolute Guarantee

While we take reasonable steps to protect your personal data, no method of electronic storage or transmission over the internet is completely secure. We cannot guarantee the absolute security of your data.

7. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

7.1 Retention Periods

• Account information: Duration of account + 6 months after deletion (account management and recovery)
• Tenant verification documents (MyKad, selfies): Duration of account + 30 days after account deletion (verification integrity; then permanently deleted)
• Income and employment records: Duration of account + 30 days after account deletion (credential validity; then permanently deleted)
• Payment and billing records: 7 years from transaction date (Malaysian tax and accounting requirements)
• Usage and analytics data: 24 months from collection (service improvement)
• Error logs (Sentry): 90 days from creation (debugging and performance monitoring)
• Marketing consent records: Duration of consent + 12 months after withdrawal (proof of consent)

7.2 Deletion

When personal data is no longer required, we will securely delete or anonymise it. For sensitive documents (MyKad scans, facial photographs, financial records), we follow secure deletion procedures that include removal from all storage buckets and database records.

8. Your Rights Under the PDPA

Under the Personal Data Protection Act 2010, you have the following rights:

8.1 Right of Access

You may request access to your personal data held by us. We will respond to your request within twenty-one (21) days and may charge a reasonable fee for processing the request.

8.2 Right of Correction

You may request that we correct any personal data that is inaccurate, incomplete, misleading, or not up to date.

8.3 Right to Withdraw Consent

Where we process your personal data based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Please note that withdrawing consent for processing that is essential to the Services (e.g., identity verification) may result in our inability to provide certain features or may require account closure.

8.4 Right to Limit Processing

You may request that we limit or cease processing your personal data in certain circumstances.

8.5 Right to Data Portability

You may request a copy of your personal data in a commonly used, machine-readable format.

8.6 Right to Complain

If you believe we have not handled your personal data in accordance with the PDPA, you may lodge a complaint with us at hello@ezflowlabz.com. You also have the right to lodge a complaint with the Jabatan Perlindungan Data Peribadi (JPDP) — the Department of Personal Data Protection.

9. Cookies and Tracking Technologies

9.1 What We Use

We use cookies and similar tracking technologies to enhance your experience and gather usage data. These include:

• Essential cookies: Necessary for the operation of our Services (e.g., session management, authentication).
• Analytics cookies: Used by Google Analytics to understand how visitors interact with our website. These cookies collect information in anonymised or pseudonymised form.
• Performance cookies: Used by Sentry to monitor application performance and detect errors.

9.2 Managing Cookies

You can manage your cookie preferences through your browser settings. Please note that disabling essential cookies may impair the functionality of our Services.

9.3 Do Not Track

We do not currently respond to "Do Not Track" browser signals, as there is no universally accepted standard for handling such signals.

10. Children's Privacy

Our Services are not directed at individuals under the age of eighteen (18). We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18, we will take immediate steps to delete that data and terminate the associated account.

If you believe a child under 18 has provided us with personal data, please contact us immediately at hello@ezflowlabz.com.

11. Cross-Border Data Transfers

Where your personal data is transferred to, stored in, or processed in a jurisdiction outside Malaysia (including through our use of cloud-based service providers), we ensure that appropriate safeguards are in place as required by Section 129 of the PDPA. These safeguards may include contractual obligations with our service providers to maintain data protection standards substantially comparable to those in Malaysia.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last Updated" date at the top of this page and, where appropriate, notify you via email or through our Services.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

13. Contact Us

Data Protection Notice

1. Purpose of This Notice

This Data Protection Notice ("Notice") is issued in accordance with the Personal Data Protection Act 2010 (Act 709) of Malaysia ("PDPA") and its subsidiary regulations to inform you about how EZ FLOW LABZ SDN. BHD. ("Company", "we", "us", or "our") collects, processes, and manages your personal data.

This Notice should be read together with our Privacy Policy and Terms of Service, which provide further detail on our data practices.

2. Data Controller

The data controller responsible for your personal data is:

3. Categories of Personal Data Collected

Depending on your use of our Services, we may collect the following categories of personal data:

3.1 General Users (All Services)

• Full name
• Email address
• Phone number
• Account credentials (password stored in hashed form)
• Device information and usage data

3.2 Tenants (EZLEASE)

In addition to the above:

• Sensitive personal data: MyKad (National Identity Card) number and image, facial photograph for identity verification
• Financial data: Income proof documents (pay slips, bank statements, EA forms)
• Employment data: Employer name, job title, duration of employment, employment verification letters
• Rental history: Previous rental addresses, landlord references (where voluntarily provided)

3.3 Landlords (EZLEASE)

In addition to general user data:

• Property information
• Business registration details (where applicable)
• Payment and billing information

4. Purposes of Processing

Your personal data is processed for the following purposes:

4.1 Primary Purposes (Necessary for Service Delivery)

• Account creation, authentication, and management
• Verification of tenant identity and credentials
• Generation and maintenance of Tenant Passports
• Enabling landlords to access verified tenant information
• Processing payments and managing subscriptions
• Providing customer support and responding to enquiries
• Ensuring the security and integrity of our platform

4.2 Secondary Purposes (Supporting Business Operations)

• Improving and developing our products and Services
• Analysing usage data for service optimisation
• Monitoring and resolving technical errors and performance issues
• Compliance with legal and regulatory obligations
• Fraud detection and prevention
• Internal record-keeping and auditing

4.3 Marketing Purposes (With Your Consent Only)

• Sending promotional materials, newsletters, and product updates
• Personalising your experience with relevant content and offers

You may opt out of marketing communications at any time without affecting the provision of our primary Services.

5. Sensitive Personal Data

Certain personal data we collect is classified as sensitive personal data under the PDPA, including:

• MyKad number and image — classified as data relating to identification documents
• Facial photographs — classified as biometric-related data

We process sensitive personal data only with your explicit consent and solely for the purposes stated in this Notice. You will be asked to provide specific consent for the collection of sensitive personal data during the registration and verification process.

6. Consent

6.1 How We Obtain Consent

Your consent to the collection and processing of personal data is obtained through:

• Account registration (by completing the sign-up process, you consent to the processing described in this Notice)
• Verification submission (by uploading identity documents and selfies, you provide explicit consent for the processing of sensitive personal data)
• Marketing opt-in (through explicit checkboxes or subscription forms)

6.2 Withdrawal of Consent

You may withdraw your consent at any time by:

• Contacting us at hello@ezflowlabz.com with "Consent Withdrawal" in the subject line
• Using in-app settings to manage your data preferences (where available)
• Using the unsubscribe link in marketing communications (for marketing consent only)

Please note that withdrawal of consent for processing essential to the Services may result in our inability to continue providing those Services to you, and may require the closure of your account.

Upon receiving your consent withdrawal request, we will:

• Acknowledge your request within seven (7) business days
• Cease processing the relevant personal data within a reasonable timeframe
• Inform you of any consequences of the withdrawal (e.g., loss of access to certain features)

7. Disclosure of Personal Data

We may disclose your personal data to the following categories of recipients:

7.1 Within Our Services

Verified tenant profile data is disclosed to landlords who have authorised access through our paid plans. Only processed credential information is shared — raw identity documents are not disclosed to landlords.

7.2 Third-Party Service Providers

• Cloud infrastructure and database providers — for data storage and hosting
• Payment processors — for processing financial transactions
• Analytics and monitoring providers — for service improvement and error detection
• Email service providers — for transactional and marketing communications (with consent)

All third-party providers are contractually obligated to process your data only as directed by us and to maintain appropriate security measures.

7.3 Legal and Regulatory Authorities

We may disclose personal data to government authorities, law enforcement agencies, or regulatory bodies where required by law, legal process, or governmental request.

8. Cross-Border Transfers

Your personal data may be transferred to and processed in jurisdictions outside Malaysia through our use of cloud-based service providers. In such cases, we comply with Section 129 of the PDPA by ensuring that the receiving jurisdiction provides an adequate level of data protection or by implementing appropriate contractual safeguards.

9. Data Security

We implement the following security measures to protect your personal data:

• Encryption of data in transit (TLS/SSL) and at rest
• Row Level Security (RLS) across all database tables
• Secure authentication with JWT token validation
• Access-controlled storage for uploaded documents
• Regular security audits and vulnerability assessments
• Incident response procedures for data breaches

In the event of a personal data breach that poses a risk to your rights and interests, we will take prompt action to contain the breach, assess its impact, and notify affected individuals and relevant authorities as required by law.

10. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Key retention periods include:

• Account data: Duration of account plus six (6) months
• Sensitive verification documents: Duration of account plus thirty (30) days, after which they are permanently deleted
• Financial and payment records: Seven (7) years from transaction date (per Malaysian tax requirements)
• Usage and analytics data: Twenty-four (24) months
• Error logs: Ninety (90) days

Upon expiry of the relevant retention period, personal data is securely deleted or anonymised.

11. Your Rights Under the PDPA

As a data subject, you have the following rights under the PDPA:

11.1 Right of Access (Section 12)

You may submit a written request to access your personal data held by us. We will respond within twenty-one (21) days and may charge a prescribed fee.

11.2 Right of Correction (Section 34)

You may request correction of any personal data that is inaccurate, incomplete, misleading, or not up to date. We will process your request within twenty-one (21) days.

11.3 Right to Withdraw Consent (Section 38)

You may withdraw your consent to the processing of your personal data at any time, subject to any legal obligations and contractual restrictions.

11.4 Right to Prevent Processing (Section 42)

You may request that we cease processing your personal data if such processing is causing or is likely to cause substantial damage or distress.

11.5 Right to Prevent Processing for Direct Marketing (Section 43)

You have the right to require us to cease processing your personal data for direct marketing purposes.

11.6 Right to Complain

You may lodge a complaint regarding our data processing practices:

• To us: Email hello@ezflowlabz.com with "Data Protection Complaint" in the subject line
• To the Commissioner: Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, JPDP), Level 6, Kompleks Kementerian Komunikasi dan Multimedia, Lot 4G9, Persiaran Perdana, Presint 4, 62100 Putrajaya, Malaysia

12. Obligation to Provide Personal Data

The provision of personal data marked as mandatory during account registration and verification is a condition for us to provide our Services. Failure to provide such data may result in our inability to:

• Create or maintain your account
• Verify your credentials (for tenants)
• Process your payments (for landlords)
• Provide certain features of our Services

The provision of data for marketing purposes is voluntary and does not affect your access to core Services.

13. Automated Decision-Making

We do not currently use fully automated decision-making processes that produce legal effects or similarly significant effects on you. Any verification decisions are reviewed by authorised personnel before being finalised.

Should we introduce automated decision-making in the future, we will update this Notice and provide you with the right to request human intervention.

14. Updates to This Notice

We may revise this Notice from time to time to reflect changes in our data practices, legal requirements, or operational needs. Material changes will be communicated through our Services or via email. We encourage you to review this Notice periodically.

15. Contact Us

Acceptable Use Policy

1. Purpose

This Acceptable Use Policy ("AUP") sets out the rules and expectations for acceptable behaviour when using the products and services operated by EZ FLOW LABZ SDN. BHD. ("Company", "we", "us", or "our"), including EZLEASE and any future services under the EZ FLOW LABZ brand (collectively, the "Services").

This AUP is incorporated into and forms part of our Terms of Service. By using our Services, you agree to comply with this AUP.

2. General Principles

All users of our Services must:

• Act in good faith and with honesty in all interactions on our platform.
• Respect the rights, privacy, and dignity of other users.
• Use the Services only for their intended purposes.
• Comply with all applicable Malaysian laws and regulations, including the Personal Data Protection Act 2010, the Computer Crimes Act 1997, and the Communications and Multimedia Act 1998.

3. Prohibited Activities

You must not use our Services to engage in, facilitate, or promote any of the following:

3.1 Fraudulent and Deceptive Conduct

• Uploading forged, altered, or fraudulent documents (including but not limited to fake MyKad copies, falsified income statements, or fabricated employment letters).
• Creating accounts using false identities or impersonating another person.
• Providing misleading information in your user profile or verification submissions.
• Using another person's Tenant Passport or verified credentials as your own.

3.2 Misuse of Data

• Accessing, collecting, or storing personal data of other users for purposes other than those permitted by our Services.
• Sharing, selling, distributing, or otherwise disclosing verified tenant data obtained through our platform to any third party without authorisation.
• Using tenant data for any purpose other than evaluating tenancy suitability.
• Scraping, harvesting, or using automated means to extract data from our Services.
• Using personal data obtained through our Services for unsolicited marketing, profiling, or surveillance.

3.3 Discriminatory Conduct

• Using our Services or data obtained through them to unlawfully discriminate against any person on the basis of race, ethnicity, religion, gender, nationality, disability, age, marital status, or any other characteristic protected under Malaysian law.

3.4 Harmful or Illegal Activity

• Using the Services for any activity that is illegal under Malaysian law or the laws of any applicable jurisdiction.
• Transmitting or uploading content that is defamatory, obscene, threatening, abusive, or hateful.
• Harassing, intimidating, bullying, or threatening any other user.
• Using the Services to facilitate money laundering, terrorist financing, or any financial crime.
• Engaging in any activity that could expose the Company, its users, or third parties to harm, liability, or reputational damage.

3.5 Technical Abuse

• Attempting to gain unauthorised access to any part of the Services, other user accounts, or our underlying systems and infrastructure.
• Introducing viruses, worms, trojans, ransomware, or any other malicious code.
• Performing denial-of-service attacks or any activity intended to disrupt the availability or performance of our Services.
• Reverse engineering, decompiling, disassembling, or otherwise attempting to derive the source code of our Services.
• Using automated bots, scripts, crawlers, or scrapers to access the Services without prior written consent.
• Circumventing or attempting to circumvent any security measures, access controls, or usage limits.

3.6 Commercial Misuse

• Reselling, sublicensing, or commercially redistributing access to any part of our Services without written agreement.
• Using our Services to build a competing product or service, or to benchmark our Services for competitive purposes.
• Using our branding, trademarks, or intellectual property without written authorisation.

4. Tenant-Specific Rules

If you use our Services as a tenant, you must:

• Submit only documents that belong to you and are genuine, unaltered, and current.
• Not upload documents belonging to another person or that have been digitally manipulated.
• Keep your profile information accurate and promptly update it if any information changes.
• Not share your account credentials with others or allow others to submit documents on your behalf without our knowledge.

5. Landlord-Specific Rules

If you use our Services as a landlord, you must:

• Use verified tenant information only for the purpose of making informed tenancy decisions for properties you own or manage.
• Not retain, copy, print, or archive tenant verification data beyond what is reasonably necessary for your tenancy decision.
• Handle all personal data obtained through our Services in compliance with the PDPA.
• Not contact tenants for purposes unrelated to a genuine tenancy enquiry.
• Not use verified data to create external databases or profiles of tenants.

6. Reporting Violations

If you become aware of any violation of this AUP, please report it to us immediately at:

Please include as much detail as possible, including the nature of the violation, the user(s) involved (if known), and any supporting evidence. We treat all reports seriously and will investigate promptly.

7. Consequences of Violation

We reserve the right to take any of the following actions in response to a violation of this AUP, at our sole discretion:

• Warning: Issuing a written warning to the offending user.
• Temporary suspension: Suspending the user's access to our Services for a defined period.
• Permanent termination: Permanently terminating the user's account and revoking all access.
• Content removal: Removing or disabling access to any content that violates this AUP.
• Data preservation: Preserving relevant data for potential disclosure to law enforcement or regulatory authorities.
• Legal action: Pursuing legal remedies, including reporting the matter to the relevant Malaysian authorities (such as the Royal Malaysia Police, the Malaysian Communications and Multimedia Commission, or the Department of Personal Data Protection).

The severity of our response will be proportionate to the nature and impact of the violation. We may act without prior notice where we reasonably believe that immediate action is necessary to protect our Services, our users, or third parties.

No refunds will be issued for any prepaid fees where an account is terminated due to a violation of this AUP.

8. Monitoring

We reserve the right to monitor the use of our Services to ensure compliance with this AUP and our Terms of Service. Monitoring may include reviewing uploaded documents for signs of fraud, analysing usage patterns for signs of automated or abusive behaviour, and investigating reports of violations.

Any monitoring will be conducted in accordance with applicable law and our Privacy Policy.

9. Changes to This Policy

We may update this AUP from time to time. When we do, we will revise the "Last Updated" date at the top of this page. Material changes will be communicated through our Services or by email. Your continued use of the Services after the updated AUP takes effect constitutes your acceptance of the revised policy.

10. Contact Us

Security Disclosure

1. Our Commitment to Security

EZ FLOW LABZ SDN. BHD. ("Company", "we", "us", or "our") takes the security of our users' data seriously. Our Services handle sensitive personal information — including identity documents, financial records, and verification credentials — and we are committed to protecting that data with appropriate technical and organisational measures.

This page describes (a) how we protect your data and (b) how security researchers can responsibly disclose vulnerabilities to us.

Part A: How We Protect Your Data

2. Infrastructure Security

Our Services are built on modern, security-focused infrastructure:

• Database: Supabase Postgres with Row Level Security (RLS) enforced across all tables. Users can only access data they are authorised to view.
• Authentication: Secure authentication with JWT (JSON Web Token) validation. Passwords are hashed and never stored in plaintext.
• Hosting: Our web applications are hosted on Vercel with automatic HTTPS/TLS encryption.
• Storage: Uploaded documents (MyKad scans, income proof, selfies) are stored in access-controlled storage buckets with no public access. Each file is accessible only to the user who uploaded it and to authorised verification processes.

3. Encryption

• In transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
• At rest: Data stored in our database and file storage is encrypted at rest using industry-standard encryption algorithms provided by our infrastructure providers.

4. Access Controls

• Row Level Security (RLS): Every database table is protected by RLS policies that restrict data access to authorised users and roles. A tenant can only view their own data. A landlord can only view tenant data they have paid to access.
• Role-based access: Internal access to production systems is restricted to authorised personnel on a need-to-know basis.
• API security: All API endpoints enforce authentication and authorisation checks. Unauthenticated requests are rejected.

5. Monitoring and Incident Response

• Error monitoring: We use Sentry for real-time error detection and performance monitoring, allowing us to identify and respond to anomalies quickly.
• Logging: Access and activity logs are maintained to support security investigations and audit requirements.
• Incident response: We have procedures in place to detect, contain, investigate, and recover from security incidents. In the event of a data breach that poses a risk to users, we will notify affected individuals and relevant authorities as required by the Personal Data Protection Act 2010 (PDPA).

6. Secure Development Practices

• Regular security reviews and code audits.
• Separation of development, staging, and production environments.
• Dependencies are monitored for known vulnerabilities and updated regularly.
• Sensitive credentials and secrets are never stored in code repositories.

7. Third-Party Security

We carefully vet third-party service providers and ensure they maintain appropriate security standards:

• Supabase (Database, auth, file storage) — SOC 2 Type II compliant infrastructure
• Stripe (Payment processing) — PCI DSS Level 1 certified
• Vercel (Web hosting) — SOC 2 Type II, automatic HTTPS
• Sentry (Error monitoring) — SOC 2 Type II compliant
• Google Analytics (Usage analytics) — ISO 27001 certified

Part B: Responsible Disclosure Policy

8. Scope

We welcome and appreciate reports from security researchers and members of the public who discover potential vulnerabilities in our Services. This policy covers:

• In scope: Websites and web applications at ezflowlabz.com and ezlease.my, our mobile applications (Android and iOS), our APIs and backend services, and any other systems operated under the EZ FLOW LABZ brand.
• Out of scope: Third-party services not operated by us (e.g., Supabase, Stripe, Vercel, Sentry — please report vulnerabilities in these services directly to those providers), social engineering or phishing attacks against our employees or users, denial-of-service (DoS/DDoS) attacks, physical security testing, and any testing that could harm or disrupt our Services or user data.

9. How to Report a Vulnerability

If you believe you have discovered a security vulnerability in our Services, please report it to us by email:

Please include:

• A clear description of the vulnerability and its potential impact.
• Detailed steps to reproduce the vulnerability (proof of concept).
• The affected URL, endpoint, or component.
• Your contact information so we can follow up with you.
• Any screenshots or supporting evidence.

10. What We Ask of You

To ensure responsible disclosure, we ask that you:

• Give us reasonable time to investigate and address the vulnerability before disclosing it publicly. We ask for at least ninety (90) days from the date of your report.
• Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.
• Do not access, modify, delete, or exfiltrate user data or our proprietary data.
• Do not perform any testing that could degrade, disrupt, or damage our Services or infrastructure.
• Do not use automated scanning tools against our production systems without prior written consent.
• Act in good faith and avoid any activity that could be considered illegal or harmful.

11. What You Can Expect from Us

• Acknowledgement: We will acknowledge receipt of your report within five (5) business days.
• Assessment: We will investigate and validate the reported vulnerability as quickly as reasonably possible.
• Communication: We will keep you informed of our progress and expected timeline for remediation.
• Credit: With your permission, we are happy to publicly acknowledge your contribution once the vulnerability has been resolved. Please let us know how you would like to be credited (name, alias, or anonymous).
• No legal action: We will not pursue legal action against individuals who discover and report vulnerabilities in good faith and in accordance with this policy.

12. Severity Assessment

We assess the severity of reported vulnerabilities based on factors including:

• The potential impact on user data confidentiality, integrity, and availability.
• The ease of exploitation.
• The number of users or systems potentially affected.
• Whether the vulnerability is being actively exploited.

Critical and high-severity vulnerabilities will be prioritised for immediate investigation and remediation.

13. Bug Bounty

We do not currently operate a formal bug bounty programme with monetary rewards. However, we deeply appreciate responsible disclosure and will acknowledge contributors publicly (with permission) and may offer tokens of appreciation at our discretion as our company grows.

14. Limitation of Liability

While we implement reasonable security measures, no system is entirely immune to threats. We cannot guarantee the absolute security of your data. To the extent permitted by Malaysian law, we are not liable for any loss or damage arising from security incidents that occur despite our reasonable efforts to prevent them.

15. Updates

We may update this Security Disclosure page from time to time to reflect improvements to our security practices or changes to our responsible disclosure policy. Material changes will be reflected in the "Last Updated" date at the top of this page.

16. Contact Us