Data Subject Access Request (DSAR)

Under PDPA 2010 § 30 and § 30A (and the equivalent GDPR articles), you have the right to: · Access the personal data we hold about you · Correct inaccurate data · Request portable export · Request erasure (subject to legal retention) · Object to processing How to exercise: 1. Email privacy@onset.my from the email address on file. 2. Specify what you want (access / correction / portability / erasure). 3. We verify your identity (likely with a magic-link confirmation). 4. We respond within 21 calendar days (PDPA) / 30 calendar days (GDPR). What we cannot do: · Erase data we are legally required to retain (e.g. LHDN e-Invoice archive is 7 years). · Erase data necessary for an ongoing legal dispute. · Process a request that would require disclosing another person's data. Free of charge for the first request per calendar year. Subsequent requests may incur a reasonable administrative fee under PDPA § 31.