1) Who we are

This Privacy Statement describes how Quad Lab Sdn Bhd (Company No.: 1401911-V), referred to as “QuadLab,” collects, uses, discloses, and protects personal data when you register an account, create or join a campaign, or otherwise use our services.

Data Controller: Quad Lab Sdn Bhd, Malaysia.

2) Scope

This notice applies to personal data processed by QuadLab in connection with the operation of our web application and related services. QuadLab aligns with Malaysia’s Personal Data Protection Act 2010 (“PDPA”), including the PDPA data protection principles applicable to personal data in commercial transactions. :contentReference[oaicite:0]{index=0}

3) What we collect

  • Account & Identity Data — name, email, password (hashed), organization/industry (if provided), and account settings.
  • Campaign Participation Data — inputs/feedback you submit to a campaign’s problem statement; AI-grouped outputs; your rankings and votes; timestamps.
  • Invitation & Contact Data — email addresses for invitations; opt-in preferences; proof of consent (where applicable).
  • Technical & Usage Data — device/browser info, IP address, log data, and event telemetry for security and service reliability.
  • Cookies & Similar Technologies — necessary cookies to operate the site and, where used, optional analytics cookies (see “Cookies” below).
  • Sensitive Personal Data — we do not ask for sensitive personal data (e.g., health, religion, political opinions, or criminal records). If such data is inadvertently submitted in free-text inputs, we will minimize or delete it. :contentReference[oaicite:1]{index=1}

4) How we use personal data

  • Provide and improve the service — register accounts; host and administer campaigns; deduplicate, moderate, and analyze inputs; ensure integrity of rankings; detect abuse and fraud.
  • Run AI grouping — transform campaign inputs into nine (9) issue/problem groups to enable ranking and insights (see “How our AI works”).
  • Publish aggregated insights — we publish de-identified, aggregated statistics such as the Top 10 organization issues overall and by industry on the landing page. We do not publish participant identities or raw submissions unless you explicitly consent.
  • Communicate with you — send invitations, confirmations, and service notices; respond to enquiries.
  • Legal, compliance, and security — comply with applicable laws, enforce terms, and protect against harmful activity.

No sale of personal data: We do not sell your personal data and we do not share it with third parties for their independent marketing or advertising purposes.

5) How our AI works

  • Purpose-built analysis. Our AI groups submitted inputs into nine (9) issues/problems and supports ranking workflows. Outputs are used only to power campaign analytics and the publication of aggregated insights described above.
  • Human oversight & quality. We apply safeguards, including human-in-the-loop moderation for abuse detection and quality control.
  • Model training. Unless you opt in, your inputs and outputs are not used to train third-party foundation models. If we engage trusted processors to run AI functions, they act on our instructions and under data protection agreements.
  • No automated decisions with legal effects. AI outputs are for insight and facilitation; they are not used to make decisions that produce legal or similarly significant effects about an individual.

7) Sharing & international transfers

  • Service providers (processors) — cloud hosting, email delivery, analytics (if enabled), and security vendors who process data solely on our behalf under written agreements.
  • Legal disclosures — where required by law, regulation, or to protect rights, safety, and service integrity.
  • Aggregated insights — public insights are de-identified and aggregated (e.g., Top 10 issues overall/by industry). No raw submissions or personal identifiers are disclosed without your explicit consent.
  • Cross-border transfers — if personal data is transferred outside Malaysia, we implement safeguards consistent with Malaysia’s updated PDPA regime for cross-border transfers (risk-based adequacy/equivalence or other permitted conditions). :contentReference[oaicite:4]{index=4}

We do not sell personal data and do not allow third parties to use it for their own marketing.

8) How long we keep data

Data categoryRetention
Account & Identity Data For the life of the account and up to 24 months after closure (for audit, security, and legal compliance), unless a longer period is required by law.
Campaign Participation & Rankings Until the campaign ends and for up to 24 months thereafter for analytics integrity and audit; aggregated, de-identified statistics may be retained longer.
Invitation & Contact Data Until the invitation is sent and any related compliance windows close, or until you opt out; suppression lists are retained to honor opt-outs.
Technical & Logs Typically 12–24 months for security and troubleshooting (shorter where feasible).

Our retention practices align with the PDPA Retention Principle. :contentReference[oaicite:5]{index=5}

9) How we protect data

  • Encryption in transit, segmented infrastructure, and role-based access controls.
  • Audit logging, rate limiting, and abuse detection for ranking integrity.
  • Vendor due diligence and contractual safeguards with processors.
  • Employee confidentiality and access-on-need policies.

We implement measures appropriate to the risk and the PDPA Security Principle. :contentReference[oaicite:6]{index=6}

10) Cookies & similar technologies

We use strictly necessary cookies to operate the site. Where we use analytics cookies, we request your consent (or provide an opt-out) as required. Cookie obligations under Malaysia’s PDPA depend on whether cookie data constitutes personal data; where it does, PDPA principles apply. See our Cookie Notice for details and controls. :contentReference[oaicite:7]{index=7}

11) Your choices & rights

  • Access & Correction (PDPA) — request access to and correction of your personal data we hold about you. :contentReference[oaicite:8]{index=8}
  • Consent management — withdraw consent where processing is based on consent (e.g., optional analytics, marketing or invitations).
  • Objection/Restriction — where permitted by law, object to or request restriction of certain processing.
  • Deletion — request deletion of personal data where legally required or where we no longer need it for the stated purposes.
  • EEA/UK users — you may also have GDPR rights (access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making). :contentReference[oaicite:9]{index=9}

To exercise a right, contact us using the details below. We may need to verify your identity and the request’s scope.

12) Children’s privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children; if you believe a child has provided personal data, please contact us so we can delete it.

13) Changes to this statement

We may update this Privacy Statement from time to time. Material changes will be highlighted on this page or communicated via email or in-product notice. The “Effective date” above shows when this version took effect.

14) Contact us

QuadLab Sdn Bhd
13-1, Jalan Puteri 2A/3, Bandar Puteri Bangi, 43000 Kajang, Selangor, Malaysia
Email: [email protected]

For PDPA guidance, see the Personal Data Protection Department of Malaysia. :contentReference[oaicite:10]{index=10}

Quick summary

  • We collect account details, campaign inputs, rankings, and technical data to run the service.
  • We use AI to group inputs into nine issues; we publish only aggregated, de-identified Top 10 insights overall and by industry.
  • We do not sell personal data; sharing is limited to processors and legal requirements.
  • We follow PDPA principles; PDPA/GDPR rights are supported where applicable.