Legal·Effective 14 July 2026

Privacy policy

This is how TIMS collects, uses, retains, and deletes your personal data — mapped to Malaysian PDPA 2010, Singapore PDPA 2012, Indonesia PDP Law 2022, and the EU GDPR where relevant.

Last updated: 14 July 2026 · Data Protection Officer: privacy@tims.systemsandbox.cloud

The short version

  • You can access everything we hold about you.Sign in → Settings → Privacy → “Export my data”. You get a JSON file. No forms, no waiting.
  • You can delete your account any time.Same page, “Delete my account”. Your personal data is purged immediately. A few things (payments, certificates, audit log) stay attached to an anonymised shell to satisfy Malaysian tax + PDPA law — see the table below.
  • We don’t sell your data. Ever. Not to advertisers, brokers, or partners.
  • PRISM assessment results are yours. Your employer only sees what you explicitly consent to share (Settings → PRISM sharing).

What we store, why, and for how long

The load-bearing table. This is exactly what happens when you use “Delete my account”.

CategoryWhat we storeRetentionOn deletion
Account identity
Contract performance
Name, email, phone, profile photo
Purpose: Authentication, notifications, marketplace identity
Purged on account deletionPurged
Authentication
Contract performance
Password hash, session tokens, email verification
Purpose: Log you in securely
Purged on account deletionPurged
Emergency profile (SOS)
Explicit consent, vital interests
Blood type, allergies, insurance policy (encrypted), emergency contacts
Purpose: First-responder access via NFC tap
Purged on account deletionPurged
Assessments (PRISM, TalentACE, WorkStyle, EQ Pulse)
Explicit consent
Responses, computed scores, AI narratives
Purpose: Personal insight, employer talent analytics (with consent)
Purged on account deletion; anonymised aggregate stats may persistPurged
Enrollments, sessions, certificates
Contract performance
What you enrolled in, attendance, certificates issued
Purpose: Track training completion, issue verifiable credentials
7 years — required by Malaysian tax law + HRD Corp audits. Attached to an anonymised user shell after deletion.Retained
Payments, refunds
Legal obligation (tax law)
Amount, gateway reference, receipt number, tax breakdown
Purpose: Prove transactions to authorities and to you
7 years — required by Malaysian tax law. Attached to an anonymised user shell.Retained
NFC card
Contract performance
TIMS ID, activation history, scan logs
Purpose: Verify physical card + rate-limit abuse
Card deactivated on account deletion. Scan logs retained 12 months for security investigations.Redacted
Programme enquiries / quotes
Contract performance
Quote requests to providers, provider replies, conversation thread
Purpose: B2B sales conversations
Provider retains for their own compliance; your identity anonymised in the thread after deletion.Redacted
Audit log
Legitimate interest, legal obligation
Login events, permission changes, admin actions on your account
Purpose: Security, fraud investigation, compliance
2 years — organisation admin obligation under Malaysian PDPA s.9.Retained
Support tickets
Contract performance
Messages you sent to TIMS support
Purpose: Resolve your issue, improve service
Purged on account deletion; anonymised summaries may be retained for pattern analysis.Purged
Notifications, library items, cookie prefs
Contract performance
In-app notifications, bookmarked resources, cookie choices
Purpose: Convenience features
Purged on account deletionPurged
Account identity
Purged
Contract performance

Name, email, phone, profile photo

Retention: Purged on account deletion

Authentication
Purged
Contract performance

Password hash, session tokens, email verification

Retention: Purged on account deletion

Emergency profile (SOS)
Purged
Explicit consent, vital interests

Blood type, allergies, insurance policy (encrypted), emergency contacts

Retention: Purged on account deletion

Assessments (PRISM, TalentACE, WorkStyle, EQ Pulse)
Purged
Explicit consent

Responses, computed scores, AI narratives

Retention: Purged on account deletion; anonymised aggregate stats may persist

Enrollments, sessions, certificates
Retained
Contract performance

What you enrolled in, attendance, certificates issued

Retention: 7 years — required by Malaysian tax law + HRD Corp audits. Attached to an anonymised user shell after deletion.

Payments, refunds
Retained
Legal obligation (tax law)

Amount, gateway reference, receipt number, tax breakdown

Retention: 7 years — required by Malaysian tax law. Attached to an anonymised user shell.

NFC card
Redacted
Contract performance

TIMS ID, activation history, scan logs

Retention: Card deactivated on account deletion. Scan logs retained 12 months for security investigations.

Programme enquiries / quotes
Redacted
Contract performance

Quote requests to providers, provider replies, conversation thread

Retention: Provider retains for their own compliance; your identity anonymised in the thread after deletion.

Audit log
Retained
Legitimate interest, legal obligation

Login events, permission changes, admin actions on your account

Retention: 2 years — organisation admin obligation under Malaysian PDPA s.9.

Support tickets
Purged
Contract performance

Messages you sent to TIMS support

Retention: Purged on account deletion; anonymised summaries may be retained for pattern analysis.

Notifications, library items, cookie prefs
Purged
Contract performance

In-app notifications, bookmarked resources, cookie choices

Retention: Purged on account deletion

Your rights

Right to access

Download everything we hold about you as JSON, whenever you want (3× per day).

Export my data →

Right to correct

Update your name, email, phone, timezone, language, sharing preferences at any time.

Edit profile →

Right to be forgotten

Delete your account. Personal data is purged; regulated records stay attached to an anonymous shell.

Delete my account →

Right to withdraw consent

Change PRISM sharing prefs or opt out of marketing. Cookie preferences are stored locally and honoured platform-wide.

Manage sharing →

Third parties we share data with

We use these processors for specific technical functions. Each is bound by a data processing agreement.

  • Alibaba CloudSingapore

    OSS file storage (course materials, banners, profile photos, brochures) + Qwen AI text/image generation

  • Zoho MailMalaysia / EU

    Transactional emails (verification, password reset, notifications, quotes)

  • Prisma + PostgreSQLSingapore

    Primary database — self-hosted on our VPS

  • Cloudflare / LiteSpeedGlobal anycast

    TLS termination + reverse proxy + DDoS protection

Cross-border data transfers

Primary hosting is Singapore. Backups replicate to Alibaba OSS (Singapore region). For learners outside Malaysia, we transfer your data on the basis of your consent at registration + our Data Processing Agreement with each downstream processor. Under Singapore PDPA Part VIB and Malaysian PDPA s.129, the receiving jurisdiction offers a comparable level of protection.

Contact us

Complaints, questions, or requests for information we don’t make available in the self-service export:

Data Protection Officer
privacy@tims.systemsandbox.cloud

We reply within 21 days (Malaysian PDPA s.30 requires ≤21 days for access requests; ≤14 days for correction requests).

Terms of service·Data processing agreement (B2B)·Manage my data