Privacy Notice

Last updated: May 2025

1. About this Privacy Notice

1.1 Pertiwimedik (‘Pertiwimedik‘, ‘we‘, ‘our‘, ‘us‘) is committed to protecting the privacy and security of your Personal Data (as defined below) and wishes to be transparent about the types of Personal Data that the company collects about you and how it uses them. This Privacy Notice of the myAED Control application (hereinafter the ‘Notice‘) explains how we collect, use and share any information collected about you (‘Personal Data‘) through your use of Pertiwimedik’s myAED Control application (hereinafter the ‘Application‘) and aims to inform you of the rights and freedoms that you can exercise with regard to our use of your Personal Data. This Notice also describes the measures we take to protect your Personal Data.

1.2 This Application is managed as defined in myAED Control’s Terms of Service. For more information about this Application, see the Terms of service section of the Application.

1.3 If you do not wish for Pertiwimedik to process your Personal Data through this Application, as set out in this Notice, do not use the Application. Note that some services can only be provided through the Application and therefore, subscription to these services involves use of the Application.

2. The types of Personal Data we collect and why

2.1 When you use the Application, we collect the following types of Personal Data about you, which we will process for the purposes described below:

Types of Personal Data	Purpose of Data Processing	Legal Basis
Management of user accounts related to myAED Control services
Identification data: first name, last name. Contact details: email address, phone number. Professional information: company, billing address. Account data: user identification, username, password, preferences.	To enable you to create your account To enable you to have access to information about your customer To provide you with on-demand reports To enable you to create customer profiles on your Application.	Contractual necessity (Art. 6(1)(b), GDPR)
Identification data: first name, last name. Contact details: email address, phone number. Professional information: company, job title. Account data: username, password, preferences. Log data: date and type of request. Device data: serial number and type of device used by your customer.	To manage our relationship with you and to provide you with our assistance and support regarding your use of the Application	Contractual necessity (Art. 6(1)(b), GDPR)
Application management, maintenance and security
Identification data: first name, last name. Contact details: email address. Account data: username, password, preferences. Device data: serial number and type of device used by your customer.	The management, maintenance, improvement and security of our Application; To inform you of any technical updates of the Application.	Our legitimate interest in offering, maintaining and improving our Application (Art. 6(1)(f), GDPR)
Online tracking and marketing
Information collected through non-essential cookies and other online tracking devices: traffic data, IP address, device, user access to screens, time spent on a screen, event and type of myAED Control launch (email notification, etc.), login/logout events, email opening events.	Strictly necessary cookies: These cookies are essential for allowing you to navigate around the website and use its features, such as accessing secure areas of the site. Performance cookies: These cookies collect information about how visitors use a website, for example, which pages visitors consult most often and whether they receive error messages from web pages. All the information these cookies collect is aggregated and it does not directly identify visitors. This information is only used to improve the functioning of a website. Functional cookies: These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.	Your consent as the legal basis for storing or accessing information on your device (Art. 5(3) of the Privacy and Electronic Communications Directive) For more information on our use of cookies and the conditions under which we are required to obtain your consent, refer to the Cookie Notice.
Marketing communication management
Identification data: first name, last name. Contact details: email address.	To provide you with exclusive email updates, promotions and notifications, including information about our products or services and our newsletter if you opted to receive it.	Our legitimate interest to carry out marketing activities and to promote our products and services with our existing clients (art. 6.1.f, GDPR).
Statistics and analytics
Professional information: company, billing address, country, email address. Identification data: first name, last name. Connection: type of device used, etc.	To perform data analytics, statistics, and audience measurements regarding the use of our Application and our services. To perform data analytics on how to improve our products and services.	Our legitimate interest in helping us understand how our Application is used, in helping us to personalize our Application and in measuring our Application’s audience (Art. 6(1)(f), GDPR)
Administrative and legal obligations
Identification data: last name, first name, date of birth, sex, username, country. Contact details: email address. Administrative and accounting documents Device data: serial number, type of device used by your patient, etc	For the establishment, exercise and defense of legal rights To respect our legal declarations to public authorities To comply with our legal obligations (including tax and accounting laws)	Compliance with our legal obligation (Art. 6(1)(c), GDPR) Our legitimate interest in establishing, exercising and defending legal rights.

3. What is the legal basis for processing your Personal Data?

3.1 General reasons for processing

Depending on the purpose for which we process your Personal Data (see table above), the legal basis for processing your Personal Data may be either the need to perform our contractual or pre-contractual obligations with you or our obligation to comply with the laws and regulations applicable to us, ie, the pursuit of our legitimate interests.

Note that the information you provide through our Application may be necessary for contractual purposes and to enable us to comply with our legal obligations. Without this information, we may not be able to process your order or answer your questions.

3.2 Processing based on your consent

In some cases, we rely on your consent to process your Personal Data.

Cookies and other tracking technologies
We automatically collect certain information from your device through cookies and other similar technologies. Specifically, the information we collect automatically may include information such as your IP address, device type, unique device identification numbers (eg, the IMEI number), operation system version, the dates you access and use the Application, user behaviour (such as your interactions with the Application), geographic location (eg, country or city) and other technical information.
Collecting this information allows us to better understand how you use our Application, where you are from and which content in our Application is most relevant to you. Where applicable, we will ask for your consent before accessing or storing any information on your device. For more information on the types of cookies and similar tracking technologies we use, read our below Cookie Notice.

4. Who we share your Personal Data with

4.1 We may disclose your Personal Data to the following categories of recipients:

(a) to our group of companies based in the European Union for purposes consistent with this Notice. We take precautions to only allow access to Personal Data to staff members who have a legitimate business need and with a contractual prohibition on using Personal Data for other purposes.
(b) to our suppliers, service providers and third-party partners who provide us with data processing services or who process Personal Data for the purposes described in this Notice or who are notified to you when we collect your Personal Data. This may include disclosures to third-party vendors and other service providers that we use in connection with the services they provide us, including to assist us in areas such as IT platform management or support services, infrastructure and Application services, marketing and data analysis. Additional information on our secondary Subcontractors is available at myAED Control.
(c) to any law enforcement agency, regulatory body, government agency, court or other competent third party where we believe disclosure is necessary (i) under applicable laws or regulations, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
(d) to our auditors, advisers, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under the contractual prohibition against using Personal Data for other purposes;
(e) to a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we advise the buyer to use your Personal Data only for the purposes disclosed in this Notice;
(f) to any other person if you have given your prior consent to the disclosure.

5. How we protect your privacy

5.1 We will process Personal Data in accordance with the following principles:

(a) Fairness: We will process Personal Data fairly. This means we are transparent about how we handle Personal Data.
(b) Lawfulness: We will process Personal Data for legal reasons only.
(c) Purpose limitation: We will process Personal Data for explicit and legitimate purposes specified, and we will not process Personal Data in a manner inconsistent with those purposes, except as permitted by applicable data protection laws.
(d) Data minimization: We will process Personal Data which is adequate, relevant and limited to what is necessary to achieve the purposes for which the data is processed.
(e) Data accuracy: We take appropriate steps to ensure that the Personal Data we hold about you is accurate, complete and, where applicable, up to date. However, you are also responsible for ensuring that your Personal Data is as accurate, complete and current as possible by notifying us promptly of any changes or errors. You must notify us of any changes to the Personal Data we hold about you (for example, a change of address).
(f) Data security: We use appropriate technical and organisational measures to protect the Personal Data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data. In particular, all data is protected according to the different levels of risk by physical measures, such as secure areas, technical measures, such as encryption, and organizational measures, such as employee security through control and supervision.
(g) Retention period: We retain your Personal Data in a form that enables us to identify you for as long as necessary to achieve the purposes for which we are processing your data and we do not retain it any longer, unless we need to comply with applicable legislation.

6. Storage, retention and deletion of data

6.1 The Personal Data that we collect from you are stored respectively in Germany (main system and backup).

6.2 If you no longer wish to use the Application, you can ask the primary administrator of your company to deactivate your account. If you are the primary administrator, you can ask us directly to deactivate or archive your account. Once your account is deactivated, we will continue to store your Personal Data for a limited period of time, on paper or in electronic form, to comply with applicable laws and regulations.

6.3 At the point in time when we no longer need to retain your Personal Data, we will delete it.

7. Technical and organizational measures

7.1 We use various data security and privacy measures to protect your Personal Data and to comply with applicable data protection laws.

7.2 myAED Control requires two-factor authentication. myAED Control can be accessed by the user only after two levels of security authentication to prevent abuse or identity theft.

7.3 A confidentiality agreement has been signed by all Pertiwimedik employees who are also trained in security and privacy protection in various ways (e-learning, Privacy Champion training, etc.). By implementing these training programmes, Pertiwimedik can demonstrate that its security and privacy protection processes are well understood and followed by all of its employees who process European Personal Data.

7.4 The confidentiality and integrity of your data is protected through encryption controls, which secure data that is stored, in transit or in use. Adequate encryption policies have been put in place to ensure the effectiveness of the controls implemented.

7.5 Backup procedures have been put in place to ensure the availability of your data. Backup operations are controlled, secure and documented. In addition, a disaster recovery plan and a business continuity plan have been implemented and tested.

7.6 Protection against malware and malicious attacks has been put in place by implementing firewall solutions and anti-malware/anti-virus solutions, as well as through vulnerability scanning and operating system patching. In addition, a secure disposal process has been put in place to ensure the secure deletion of your data.

7.7 Access to system components and applications is restricted to authorised service personnel based on the principles of least privilege, need-to-know and segregation of duties. myAED Control applies logical controls at the Application, database and system levels to ensure that the data from one organisation can never be viewed or changed by another organisation.

7.8 An auditing mechanism has been put in place to examine logs and detect malicious activity using appropriate tools.

7.9 Pertiwimedik has implemented a change management process to ensure that a security check is performed prior to any significant change.

7.10 A security incident response plan has been implemented and tested. In addition, Pertiwimedik has implemented a security incident and event management tool that aims to report accesses and to alert if a prohibited action has occurred, enabling a quick and efficient response.

7.11 Despite the high level of security measures that we have applied, be aware that it is impossible to guarantee an absolute level of security for data transmitted over the internet. If we confirm that your Personal Data has been subjected to a data breach, we will comply with all relevant legal provisions regarding notification of data security breaches.

8. Minors

8.1 The services that we offer on this Application are not intended for persons under eighteen (18) years of age. If you are under 18, do not use this Application.

9. Your data protection rights

9.1 You have the following data protection rights:

(a) If you wish to access your Personal Data, you may do so at any time by contacting us using the contact details set out in the How to contact us section below.
(b) If you wish to correct or update your Personal Data, you may do so directly in your myAED Control profile.
(c) You can erase Personal Data from your profile by deleting it directly from your myAED Control profile. You can also contact the primary manager of your company who can archive your account. Note that once your account is archived, you will no longer be able to use the Application.
(d) In addition, in certain circumstances, as provided for by applicable data protection laws, you may object to the processing of your Personal Data or make a request to the primary manager of your company to restrict the processing of your Personal Data. You can also request the portability of your Personal Data by contacting us at the contact details indicated in the How to contact us section below.
(e) If we have collected and processed your Personal Data with your consent, you may withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we carried out prior to your withdrawal, nor the processing of your Personal Data carried out on the basis of legal processing grounds other than consent.
(f) At any time, you have the right to refuse commercial communications that we send you. You can unsubscribe from our emails, communications and newsletters at any time by clicking the unsubscribe link at the bottom of any newsletter or email we send you.
(g) If you have a complaint or concern about the way we process your Personal Data, we will endeavour to address such concerns. If you believe that we have not sufficiently addressed your complaint or concern, you have the right to complain to a data protection authority about our collection and use of your Personal Data. For more information, contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and some non-European countries (including the United States and Canada) are available here.

9.2 You may exercise any of the above rights at any time by contacting us as described in the How to contact us section below. We will respond to your request in accordance with applicable data protection laws.

9.3 We answer all requests received from people wishing to exercise their data protection rights in accordance with applicable laws.

10. External links

10.1 Where any part of this Application provides links to third-party websites, the latter are consequently not subject to this Notice. We encourage you to review the Privacy Notices of those websites to understand their procedures for collecting, using and disclosing Personal Data.

11. Updates to this Notice

11.1 We may update this Privacy Notice from time to time based on legal, technical or business developments. Once we update our Privacy Notice, we shall take appropriate steps to notify you, based on the significance of the changes. 11.2 You can see when this Privacy Notice was last updated by checking the ‘last updated’ date displayed at the top of this Privacy Notice.

12. How to contact us

12.1 If you have any questions, concerns or complaints about this Notice or the way we process your Personal Data, or if you want to exercise your rights as described above, contact our privacy office as follows: by sending an email to the following email address: feedback@pertiwimedik.com.my .You can also write to the following address:

Unit 4, Hub Pengilang Peranti Perubatan,

749, Persiaran Cassia Selatan 4,

Taman Perindustrian Batu Kawan,

Bandar Cassia, Simpang Ampat,

14110 Pulau Pinang, MALAYSIA

12.2 DPO Email: dpo@pertiwimedik.com.my