Data Protection Notice
Issued under the Personal Data Protection Act 2010 (Act 709)
Last updated: April 2026
1. About This Notice
This Data Protection Notice is issued by Axon Avenue PLT, the operator of Setara (“we”, “us”, or “our”), pursuant to Section 7 of the Personal Data Protection Act 2010 (Act 709), as amended by the Personal Data Protection (Amendment) Act 2024.
This notice informs you of how we collect, process, use, and protect your personal data when you use the Setara platform. Please read this notice together with our Privacy Policy and Terms of Service.
2. The Seven Data Protection Principles
We comply with all seven Data Protection Principles under the PDPA 2010. Here is how each principle applies to our processing of your data:
(a) General Principle
We only process your personal data with your consent. You provide consent when you create an account and again when you activate the SOS feature. You may withdraw consent at any time, though this may affect your ability to use certain features.
(b) Notice and Choice Principle
This notice serves to inform you of what data we collect, why we collect it, and how it is used. You have the choice to provide or withhold your personal data, understanding that withholding certain data may prevent you from using the Platform.
(c) Disclosure Principle
We only disclose your personal data for the purposes stated in this notice, or for purposes directly related to those stated purposes. We do not sell your data to third parties.
(d) Security Principle
We take practical steps to protect your data from loss, misuse, unauthorised access, modification, or disclosure. This includes encryption, access controls, and regular security assessments.
(e) Retention Principle
We do not keep your personal data longer than necessary for the purposes for which it was collected. Specific retention periods are detailed in Section 7 below.
(f) Data Integrity Principle
We take reasonable steps to ensure your personal data is accurate, complete, not misleading, and kept up to date. You can update your information through the Platform at any time.
(g) Access Principle
You have the right to access your personal data held by us and to request corrections if it is inaccurate, incomplete, or misleading.
3. Categories of Personal Data Processed
| Category | Examples | Sensitivity |
|---|---|---|
| Identity data | Full name, IC number | Personal |
| Contact data | Phone number, email, emergency contacts | Personal |
| Location data | GPS coordinates during SOS | Personal |
| Device data | Device model, OS, app version, IP address | Personal |
| Biometric data | Facial data from video, voice recordings | Sensitive |
| Recording data | Video and audio of SOS sessions | Sensitive |
| Financial data | Subscription and payment records | Personal |
4. Purposes of Processing
Your personal data is processed for the following purposes:
Primary Purposes (necessary for the service)
- Connecting you with an available lawyer when you activate SOS
- Recording your SOS session for preservation as legal evidence
- Sharing your GPS location with your connected lawyer and emergency contacts
- Verifying your identity and authenticating your access to the Platform
- Processing and managing your subscription payments
- Providing AI-powered rights briefings relevant to your situation
Secondary Purposes (with your additional consent)
- Improving our services and developing new features based on aggregated usage data
- Sending you updates about new features or changes to the Platform
- Conducting anonymised research on access to justice in Malaysia
5. Disclosure to Third Parties
We may disclose your personal data to the following categories of third parties:
- Lawyers: Licensed advocates and solicitors on our platform receive your name, location, and session details when connected to your SOS call. This disclosure is necessary to provide the legal service.
- Emergency contacts: Persons you have designated as emergency contacts will receive your name and GPS location when you activate SOS.
- Courts and authorities: We will disclose your data when compelled by a valid court order, subpoena, or lawful request from Malaysian law enforcement or regulatory authorities.
- Payment processors: Billplz and/or Stripe process your payment information. They operate under their own privacy policies and data protection obligations.
- Infrastructure providers: Amazon Web Services (AWS) hosts our data. LiveKit provides video calling infrastructure. These providers act as data processors under our instruction.
We do not sell, rent, or trade your personal data to any third party for marketing or commercial purposes.
6. Cross-Border Data Transfer
Your personal data is transferred to and stored on servers located in Singapore (AWS ap-southeast-1 region). Under Section 129 of the PDPA 2010, cross-border transfers are permitted where the receiving jurisdiction provides an adequate level of data protection.
Singapore maintains comprehensive data protection legislation (Personal Data Protection Act 2012) that provides protections substantially similar to the Malaysian PDPA 2010. Additionally, our hosting provider (AWS) is certified under ISO 27001 and SOC 2 Type II.
By using the Platform, you provide your explicit consent to the transfer of your personal data to Singapore for the purposes stated in this notice.
7. Data Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| SOS video/audio recordings | 7 years | Legal evidence standard (Limitation Act 1953) |
| GPS location data | 7 years | Stored with associated recording |
| Account data | Duration + 2 years | Post-termination claims period |
| Financial/billing data | 7 years | Tax and regulatory requirements |
| Session and app logs | 1 year | Security and troubleshooting |
After the retention period expires, your data is securely deleted or anonymised so that it can no longer be associated with you.
8. Biometric Data Handling
Our SOS video calling feature captures biometric data including facial images and voice recordings. Under the PDPA 2010, biometric data is classified as sensitive personal data and is subject to additional protections.
Why we capture biometric data
Video recordings that include facial data and voice are necessary to preserve a complete and verifiable record of your legal encounter. This recording serves as potential evidence and helps ensure the integrity of the lawyer-client interaction.
How we protect biometric data
- Recordings are encrypted in transit (TLS 1.3) and at rest (AES-256)
- SHA-256 cryptographic hashing ensures recordings cannot be tampered with
- Access is restricted to you, your connected lawyer, and authorised personnel only
- We do not use facial recognition technology for identification or profiling purposes
- Biometric data is not shared with third parties except as required by court order
Your consent
By activating the SOS feature, you provide explicit consent to the capture and processing of your biometric data for the purposes stated above. You may withdraw this consent at any time, but doing so will prevent you from using the SOS video calling feature.
9. Your Rights as a Data Subject
Under the PDPA 2010, you have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you. We will respond within 21 days. A nominal fee may apply as permitted under the PDPA.
Right to Correction
Request that we correct any personal data that is inaccurate, incomplete, misleading, or not up to date.
Right to Withdraw Consent
Withdraw your consent to data processing at any time by contacting us. Note that withdrawing consent for essential processing will affect your ability to use the Platform.
Right to Data Portability
Request your personal data in a structured, commonly-used, machine-readable format (e.g., JSON or CSV) so you can transfer it to another service.
Right to Limit Processing
Request that we restrict processing of your data in certain circumstances, such as when you contest the accuracy of your data.
How to exercise your rights
Send your request to our Data Protection Officer at dpo@setara.my. Include your full name and IC number for verification. We will respond within 21 days of receiving your request.
10. Making a Complaint
If you believe that your personal data has been mishandled or that we have not complied with the PDPA 2010, you have the right to lodge a complaint.
Step 1: Contact us first
We encourage you to raise your concern with our Data Protection Officer at dpo@setara.my so we can attempt to resolve the issue directly.
Step 2: Complaint to the Commissioner
If you are not satisfied with our response, you may lodge a formal complaint with the Personal Data Protection Commissioner:
Jabatan Perlindungan Data Peribadi (JPDP)
Kementerian Komunikasi dan Digital
Aras 6, Blok C2, Kompleks C
Pusat Pentadbiran Kerajaan Persekutuan
62551 Putrajaya, Malaysia
Phone: +60 3-8000 8000
Website: www.pdp.gov.my
11. Contact Information
For any questions about this Data Protection Notice or how we handle your personal data, please contact:
Data Protection Officer
Axon Avenue PLT
Email: dpo@setara.my
General enquiries: support@setara.my
Kuala Lumpur, Malaysia
12. Updates to This Notice
We may update this Data Protection Notice from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated to you via the Platform or email. The “Last updated” date at the top of this notice indicates when it was last revised.
Note: This data protection notice is placeholder content for development purposes and will be reviewed and finalised by a qualified legal practitioner before launch.