Suara Personal Data Protection Notice and Privacy Notice

1. Information of the Data User

If you have any questions concerning the collection, use, correction, deletion, withdrawal of consent, complaints, or any other privacy-related matters concerning your personal data, you may contact us through the contact details above.

2. Scope of this Notice

This Notice applies when we process your personal data in the following circumstances:

1. you register for, log in to, or use a Suara account;
2. you use voice rooms, chat rooms, private messages, comments, follows, gifts, events, or other interactive features;
3. you top up, purchase memberships, purchase virtual gifts, or use other paid services;
4. you upload an avatar, image, voice recording, text, personal profile information, or other content;
5. you contact customer support, submit feedback, make a complaint, or file a report;
6. we conduct security reviews, anti-fraud checks, anti-harassment measures, risk control, or violation handling;
7. we send you service notifications, verification codes, security alerts, or marketing information with your consent; and
8. you access the Suara website, H5 pages, or other related online services.

This Notice does not apply to services independently provided by third parties, such as third-party payment platforms, app stores, advertising platforms, social login platforms, cloud service providers, external links, or third-party websites. Such third-party services are governed by their own privacy policies.

3. Definition of Personal Data

In this Notice, “personal data” means any information relating to an identified or identifiable individual, including but not limited to name, contact details, account information, device information, transaction information, chat records, voice data, location information, and any other information that may directly or indirectly identify you.

“Sensitive personal data” includes, but is not limited to, identity verification information, biometric information, health information, religious beliefs, race, political opinions, data relating to minors, or any other information defined as sensitive under applicable law.

4. Types of Personal Data We Collect

We collect the following categories of personal data according to the functions of the service and the principle of necessity.

4.1 Account Registration and Login Data

When you register for or log in to Suara, we may collect:

1. mobile phone number;
2. email address;
3. nickname;
4. avatar;
5. gender;
6. age, date of birth, or age range;
7. country or region;
8. password, verification code records, or third-party login authorisation data;
9. user ID;
10. registration time, login time, and account status; and
11. language preference.

If you log in through Apple, Google, Facebook, or other third-party accounts, we may receive the account identification data, avatar, nickname, or email address provided by that third party based on your authorisation.

4.2 Personal Data You Voluntarily Provide

When using Suara, you may voluntarily provide:

1. personal profile or bio;
2. avatar and background image;
3. voice recordings, images, text, comments, or posts;
4. interest tags;
5. public profile information;
6. customer support communications;
7. complaint, report, or appeal materials; and
8. information submitted when you participate in events or campaigns.

Please exercise caution when publishing personal data in public areas. Content you publish publicly may be viewed, screenshotted, saved, or shared by other users.

4.3 Voice, Chat, and Interaction Data

To provide voice social networking, chat rooms, private messages, and platform safety services, we may process:

1. voice room participation records;
2. voice content or voice clips;
3. private messages, comments, and chat room messages;
4. interaction records such as follows, followers, likes, gift sending, invitations, blocks, and reports;
5. room ID, room name, entry time, exit time, and duration of stay;
6. interaction records among hosts, room owners, administrators, and ordinary users; and
7. review records relating to suspected violations.

Based on platform safety, user reports, legal compliance, or community management needs, we may conduct manual or automated review of public room content, reported content, or abnormal behaviour.

4.4 Transaction, Top-up, and Virtual Gift Data

When you use top-ups, memberships, virtual gifts, virtual coins, event rewards, or other paid functions, we may collect:

1. order number;
2. name of goods or services;
3. payment amount;
4. payment status;
5. transaction time;
6. transaction identifier returned by a third-party payment platform;
7. top-up records;
8. consumption records;
9. balance change records;
10. refund or dispute handling records; and
11. anti-fraud and risk control records.

We generally do not directly collect or store your full bank card number, credit card security code, payment password, or online banking login information. Such information is normally processed independently by third-party payment service providers, banks, or app stores.

4.5 Device, Log, and Technical Data

To protect account security, maintain service stability, troubleshoot errors, and optimise our products, we may automatically collect:

1. device model;
2. operating system;
3. app version;
4. device identifiers;
5. IP address;
6. network type;
7. telecommunications operator;
8. language settings;
9. time zone;
10. crash logs;
11. page browsing records;
12. click and operation records;
13. login logs; and
14. security and risk control logs.

4.6 Location Information

If you authorise location permission, we may collect your location information for the following purposes:

1. displaying nearby content or nearby users;
2. providing localised recommendations;
3. account security and abnormal login detection; and
4. legal compliance or risk control purposes.

You may disable location permission at any time through your device system settings. After location permission is disabled, certain location-based functions may no longer be available.

Even if you do not enable precise location permission, we may still infer your approximate country or region based on your IP address for language display, security assessment, and service optimisation.

4.7 Device Permission Data

Suara may request the following device permissions:

1. Microphone permission: used for voice rooms, live voice connection, and voice messages;
2. Camera permission: used for taking avatars, images, verification materials, or other functions you actively use;
3. Photo album permission: used for uploading avatars, images, videos, or saving content;
4. Notification permission: used to send message reminders, system notifications, and security alerts;
5. Storage permission: used for caching, uploading, downloading, or saving necessary files; and
6. Contacts permission: used only when you actively use friend invitation, contact matching, or similar functions.

You may manage or disable relevant permissions in your device system settings. Disabling a permission will not affect your use of other functions that do not rely on that permission.

4.8 Sensitive Personal Data

We will not request sensitive personal data without a valid reason.

We may process sensitive personal data in the following circumstances:

1. where required by law or regulation;
2. for identity verification or age verification;
3. for account security, fraud investigation, or violation handling;
4. where you voluntarily upload or publicly disclose such data;
5. for handling complaints, reports, disputes, or security incidents; and
6. for other purposes with your explicit consent.

We will apply stricter protection measures to sensitive personal data and will obtain your explicit consent where required by law.

5. Sources of Personal Data

We may obtain your personal data from the following sources:

1. directly from you;
2. automatically generated when you use Suara services;
3. third-party login services authorised by you;
4. third-party payment service providers;
5. app stores;
6. security, anti-fraud, or risk control service providers;
7. reports, complaints, or interaction data submitted by other users; and
8. publicly available sources permitted by law.

6. Purposes for Processing Personal Data

We process your personal data for the following purposes:

1. to create, verify, and manage your account;
2. to provide voice rooms, chats, private messages, comments, follows, gift sending, and other functions;
3. to process top-ups, memberships, virtual gifts, orders, refunds, and transaction records;
4. to send verification codes, security alerts, service notifications, and system announcements;
5. to provide customer support, complaint handling, report handling, and appeal services;
6. to maintain platform order and enforce user agreements and community rules;
7. to identify, prevent, and handle scams, harassment, spam, cheating, abnormal transactions, money laundering risks, or other unlawful or non-compliant conduct;
8. to protect the safety and legitimate interests of users, the platform, employees, partners, and the public;
9. to conduct data analysis, troubleshooting, service optimisation, and product improvement;
10. to provide localised services based on your language, region, and usage;
11. to send marketing, campaign, promotional, or advertising information with your consent or where permitted by law;
12. to comply with legal, regulatory, tax, audit, dispute resolution, or lawful enforcement requirements; and
13. to complete reasonable due diligence and transfer arrangements required for mergers, acquisitions, restructuring, financing, asset transfers, or similar transactions.

7. Legal Basis for Processing Personal Data

We process your personal data in accordance with the PDPA of Malaysia and applicable laws on one or more of the following bases:

1. you have given your consent;
2. the processing is necessary to provide Suara services;
3. the processing is necessary for the performance of a contract or service relationship;
4. the processing is necessary to comply with legal obligations;
5. the processing is necessary to protect your safety or the safety of others;
6. the processing is reasonably necessary to maintain platform security, prevent fraud, handle disputes, or protect legitimate interests; and
7. other circumstances permitted by law.

You have the right to withdraw your consent to the extent permitted by applicable law. Withdrawal of consent will not affect the lawfulness of any processing carried out before such withdrawal, but it may affect your ability to continue using some functions.

8. Disclosure and Sharing of Personal Data

We do not sell your personal data.

We will only disclose or share your personal data with the following parties where necessary, lawful, and reasonable:

8.1 Affiliates and Authorised Personnel

For operational, customer support, security, technical maintenance, finance, compliance, and management purposes, we may disclose necessary personal data to group companies, authorised employees, or authorised personnel.

8.2 Service Providers

We may disclose necessary personal data to the following service providers:

1. cloud server and data storage service providers;
2. SMS, email, WhatsApp, or push notification service providers;
3. payment service providers;
4. app stores;
5. content moderation service providers;
6. security and anti-fraud service providers;
7. data analytics service providers;
8. customer support system providers;
9. advertising and marketing service providers;
10. technical maintenance, log analysis, and crash monitoring service providers; and
11. legal, audit, accounting, tax, or professional advisers.

We will require service providers to process personal data only in accordance with our instructions and to adopt reasonable confidentiality and security measures.

8.3 Third-Party Platforms

When you actively use third-party login, third-party payment, social sharing, external links, or other third-party functions, the relevant third party may independently process your personal data. Such processing is not governed by this Notice but by the third party’s own privacy policy.

8.4 Legal and Regulatory Disclosure

We may disclose your personal data in the following circumstances:

1. to comply with applicable laws and regulations;
2. to respond to court orders, regulatory requirements, or lawful requests from enforcement authorities;
3. to handle fraud, scams, money laundering, harassment, infringement, threats of violence, or other legal risks;
4. to protect the life, property, safety, and legitimate rights of Suara, users, employees, partners, or the public; and
5. to enforce platform rules, investigate violations, or resolve disputes.

8.5 Company Transactions

If there is a merger, acquisition, restructuring, financing, asset sale, business transfer, liquidation, or similar transaction, your personal data may be transferred as part of that transaction. We will require the recipient to continue protecting your personal data in accordance with this Notice or standards no less protective than this Notice.

9. Cross-Border Transfer

As Suara may operate in multiple countries or regions, your personal data may be transferred to, stored in, or processed in countries or regions outside Malaysia.

We will only conduct cross-border transfers where permitted by law and will take reasonable steps to protect your personal data, including:

1. ensuring that the transfer has a lawful and necessary purpose;
2. transferring only the minimum data necessary to achieve the relevant purpose;
3. requiring overseas recipients to adopt reasonable personal data protection measures;
4. protecting data through contracts, confidentiality obligations, security measures, or other appropriate mechanisms; and
5. obtaining your consent where required by law.

If you do not agree to necessary cross-border transfers, certain services may not be provided properly.

10. Data Security

We adopt reasonable technical, organisational, and administrative measures to protect your personal data, including:

1. encrypted transmission;
2. encrypted password storage;
3. access permission control;
4. employee confidentiality requirements;
5. log audits;
6. security monitoring;
7. data backup;
8. firewalls and intrusion prevention;
9. payment and transaction risk control;
10. security incident response mechanisms; and
11. service provider security management.

Although we adopt reasonable security measures, no internet service can be guaranteed to be absolutely secure. Please keep your account, password, verification codes, and device secure, and do not disclose your login credentials to others.

If you discover any account abnormality, personal data leakage, or security risk, please contact us immediately.

11. Data Retention Period

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, provide services, comply with legal obligations, resolve disputes, protect security, or safeguard legitimate interests.

Our general retention principles are as follows:

1. account data is retained during the existence of the account;
2. transaction, top-up, refund, and accounting data is retained in accordance with tax, audit, payment, and legal requirements;
3. customer support, complaint, and report data is retained for a reasonable period after the matter is resolved;
4. security, log, and risk control data is retained for a reasonable period necessary to protect platform security;
5. data required to be retained by law will be retained for the period prescribed by law; and
6. after the retention period expires, we will delete, anonymise, or otherwise reasonably handle the relevant data.

12. Data Accuracy

You should ensure that the personal data you provide to us is true, accurate, complete, and kept up to date.

If your information changes, such as your mobile phone number, email address, region, or other account information, you may update it through the app settings or by contacting customer support.

We will also take reasonable steps to ensure that the personal data we process is accurate, complete, and not outdated.

13. Access to and Correction of Personal Data

Subject to applicable law, you have the right to request:

1. confirmation as to whether we hold your personal data;
2. access to your personal data held by us; and
3. correction of personal data that is inaccurate, incomplete, misleading, or outdated.

You may submit such requests through the in-app settings or through the contact details stated in this Notice.

To protect your account security, we may require you to complete identity verification. We will handle your request within a reasonable time.

Where permitted by law, we may refuse all or part of a request if the request is repetitive, unreasonable, affects the rights of others, relates to a security investigation, or is restricted by law, and we will inform you of the reason.

14. Withdrawal of Consent

You may withdraw your consent to the processing of your personal data to the extent permitted by applicable law.

You may withdraw consent by:

1. disabling relevant permissions or settings in the app;
2. unsubscribing from marketing communications;
3. contacting customer support; or
4. submitting a request through the privacy contact email.

Withdrawal of consent will not affect the lawfulness of processing conducted before the withdrawal. However, if the relevant data is necessary for the provision of services, we may no longer be able to provide some or all services to you after your withdrawal.

15. Data Deletion and Account Cancellation

You may request account cancellation or deletion of personal data through the in-app settings or by contacting customer support.

After account cancellation:

1. you will no longer be able to log in to or use that account;
2. we will delete, hide, or anonymise personal data associated with the account;
3. unresolved orders, top-ups, refunds, disputes, complaints, violation investigations, or legal obligations may need to be completed first;
4. data required to be retained for legal, tax, audit, security, anti-fraud, or dispute resolution purposes may continue to be retained for the necessary period; and
5. account cancellation will not affect completed transactions, processing, authorisations, or legal liabilities that occurred before cancellation.

We will not impose unreasonable restrictions such as “users can never cancel their accounts” or “mobile numbers can never be unlinked.” However, where account security, fraud investigation, unresolved transactions, or legal requirements are involved, we may need to delay processing and explain the reason to you.

16. Marketing Communications

With your consent or where permitted by law, we may send you events, offers, promotions, or marketing information through app push notifications, SMS, email, WhatsApp, in-app messages, or other methods.

You may refuse or opt out of marketing communications at any time, including by:

1. disabling marketing notifications in the app settings;
2. disabling notification permissions in your device system settings;
3. following the unsubscribe instructions in the message; or
4. contacting customer support or the privacy email to request that marketing communications stop.

Service-related notifications are not marketing communications, such as verification codes, security alerts, order notifications, account abnormality alerts, system maintenance notices, policy update notices, and similar necessary communications. You may not be able to fully disable such notices.

17. Cookies, SDKs, and Similar Technologies

We may use cookies, SDKs, local storage, device identifiers, and similar technologies for the following purposes:

1. maintaining login status;
2. remembering language and preference settings;
3. counting visits and usage;
4. analysing app performance and crashes;
5. protecting account and transaction security;
6. preventing fraud, cheating, and abnormal behaviour;
7. improving product experience; and
8. providing advertising and marketing services with your consent or where permitted by law.

You may manage relevant permissions through your device settings, browser settings, or app settings. After certain functions are disabled, some services may not operate properly.

Suara should separately provide a Third-Party SDK List setting out the name of each third-party SDK, service provider, type of personal data processed, purpose of use, official website, and privacy policy link.

18. Automated Processing and Personalised Recommendations

To improve service experience, maintain platform safety, and optimise content, we may use algorithms or automated tools for:

1. content recommendations;
2. user interest analysis;
3. risk identification;
4. anti-cheating detection;
5. spam identification;
6. violation content identification; and
7. advertising and campaign recommendations.

You may disable certain personalised recommendation or marketing uses to the extent permitted by applicable law. Automated processing necessary for security, anti-fraud, violation handling, and platform order maintenance may not be fully disabled.

19. Personal Data of Minors

Suara does not encourage minors to use the service without the guidance of parents or legal guardians.

If you are under 18 years old, you should use Suara with the consent and guidance of your parent or legal guardian.

If we discover that a minor has provided personal data to us without the necessary consent, we may take the following measures:

1. delete the relevant data;
2. restrict account functions;
3. suspend or close the account;
4. require confirmation from a guardian; and
5. take other measures required by law.

Parents or legal guardians who believe that a minor has provided personal data to us may contact us through the contact details stated in this Notice.

20. Public Data and User Content Notice

Suara is a voice social and interactive platform. Content that you publish in voice rooms, chat rooms, comments, posts, personal profiles, avatars, nicknames, or other public areas may be visible to other users.

Please note that:

1. you should not publicly publish identity documents, bank cards, home addresses, private contact details, or other sensitive information;
2. you should not upload another person’s photos, voice recordings, videos, contact details, or other personal data without authorisation;
3. public content may be screenshotted, screen-recorded, saved, or shared by others;
4. even if you delete relevant content, copies already saved by other users or third parties may not be within our control; and
5. content related to complaints, reports, safety review, or legal compliance may be retained for the necessary period.

21. Personal Data Breach or Security Incident

If an incident occurs that may affect the security of your personal data, we will take reasonable measures in accordance with applicable laws and regulatory requirements, including:

1. investigating the cause of the incident;
2. controlling and mitigating risks;
3. repairing security vulnerabilities;
4. assessing the scope of impact;
5. notifying relevant regulatory authorities where required by law;
6. notifying affected users where required by law or where the risk is high; and
7. maintaining incident handling records.

22. Complaints and Contact Us

If you have any questions, requests, or complaints about how we process personal data, please contact us through the following channels:

When contacting us, please provide, where possible:

1. your account information;
2. your question or request;
3. relevant supporting materials; and
4. how you would like us to handle the matter.

We will respond to your request within a reasonable time.

If you believe that our handling of your personal data violates applicable personal data protection laws, you may also file a complaint with the relevant personal data protection regulator in Malaysia or another competent regulator in your jurisdiction.

23. Updates to this Notice

We may update this Notice from time to time.

If an update involves material changes to the way personal data is processed, user rights, or data sharing arrangements, we will notify you through app pop-ups, in-app notifications, email, website announcements, or other appropriate methods.

The updated Notice will take effect from the date of publication or the date stated in the notice. If you do not agree with the updated Notice, you may stop using Suara services and may request account cancellation or deletion of your personal data.

24. Language Versions

This Notice may be made available in Chinese, English, Bahasa Malaysia, or other language versions.

For operation in Malaysia, Suara should provide at least an English version. Where required by applicable Malaysian law or regulatory practice, a Bahasa Malaysia version should also be provided.

If there is any inconsistency among different language versions, the English version shall prevail, unless Malaysian law mandatorily requires the Bahasa Malaysia version to prevail, in which case the legally required version shall prevail.

Appendix 1: Suara Third-Party Service / SDK List Template

Before official launch, it is recommended that this table be supplemented below the Privacy Notice page:

Appendix 2: Information to Complete Before Launch

Before official publication, please complete the following information:

1. full company name;
2. registered company address;
3. privacy contact email;
4. customer support email;
5. data protection contact person or department;
6. server hosting country or region;
7. third-party SDK list;
8. list of payment service providers;
9. whether any advertising SDK is used;
10. whether any content moderation service is used;
11. whether identity verification is involved;
12. whether minors are allowed to register;
13. account cancellation entry path; and
14. actual process for users to access, correct, and delete their personal data.