LEGAL · PDPA-ALIGNED

Privacy Policy.

Marketing Lancers Consultancy Sdn Bhd (SSM 1460628-X) · Last updated 6 July 2026. PDPA Act 709 + 2024 amendments aligned. Plain English where the law allows.

POLICY · 8 SECTIONS

The full text.

01

Who we are

ONSET (operated by Marketing Lancers Consultancy Sdn Bhd, SSM 1460628-X) is an AI back-office platform for Malaysian and Singaporean SMEs. We are the data controller for information collected via app.onset.my.
02

Data we collect

  • Account: email address, name (required for authentication)
  • Usage: dashboard activity, page views, feature interactions
  • Conversations: messages with our AI Chat Assistant (Module A) — retained 24 months
  • Voice (if enabled): call recordings + transcripts via Retell AI — retained 12 months
  • Telemetry: error logs, performance traces (via Langfuse, HIPAA cloud, EU)
03

PDPA compliance (Malaysia)

We comply with the Personal Data Protection Act 2010 (Act 709) and its 2024 amendments. You may at any time:
  • Request access to your personal data (§ 30)
  • Request correction or deletion (§ 34)
  • Withdraw consent (may limit service — § 38)
  • Request portability — structured machine-readable export (§ 43B, 2024 amendment)
  • Lodge a complaint with the Personal Data Protection Commissioner

DPO contact: compliance@onset.my

04

Sub-processors

We use the following service providers. Full list with regions + certifications + DPA status at /trust/subprocessors.
  • Supabase (Singapore region) — database + auth + storage
  • Langfuse HIPAA Cloud (EU) — LLM observability
  • Anthropic, OpenRouter — LLM providers (US, provider-pass-through)
  • Stripe, Billplz — payment processors
  • Retell AI (US), 360dialog (EU) — voice + WhatsApp
  • n8n self-hosted (Hostinger Singapore VPS) — workflow execution
05

Data retention

  • Account data: retained while account is active + 6 years after closure (regulatory requirement)
  • Conversation data: 24 months from last interaction
  • Voice recordings: 12 months
  • Audit logs: 7 years (hash-chained, tamper-evident)
  • Backup snapshots: 30 days rolling
06

Data security

  • Row-Level Security on every Postgres table
  • TLS 1.3 in transit; AES-256 at rest (Supabase + Langfuse)
  • Service-role keys rotated quarterly; access reviewed annually
  • SOC 2 Type I engagement queued (Schellman, Q3 2026)
  • ISO 42001:2023 AI Management System readiness mapped
07

AI-specific disclosures (ISO 42001 § A.4)

We classify every AI feature into three governance classes:
  • Class A — Auto-evolvable with owner approval (chat tones, intent detection)
  • Class B — Manual-only changes (proposals, contracts, regulatory text)
  • Class C — Frozen by owner memo (foundation models, pricing floor)

Full policy: AI Change Management Policy.

08

Your rights & contact

To exercise PDPA rights or report a security concern:

MARKETING LANCERS CONSULTANCY SDN BHD · KUALA LUMPUR, MALAYSIA