Introduction
Million Virtue Partners Sdn. Bhd. ("MVP", "we", "our", or "us") operates and owns the myCSR Platform ("Platform"), a cloud‑based solution used by agencies, currently Lembaga Tabung Haji ("TH") to manage Corporate Social Responsibility (CSR) funds and programmes. This Privacy Policy explains how MVP collects, uses, discloses, and safeguards personal data when you interact with the Platform, whether you are an applicant, reviewer, fund‑agency staff member, donor, beneficiary, auditor, or public visitor.
We comply with the Personal Data Protection Act 2010 (PDPA), Malaysia and, where relevant, Islamic accounting standards such as the Piawaian Perakaunan Islam bagi Baitulmal, Zakat dan Wakaf (PPIBZW). By using the Platform, you acknowledge that your personal data will be processed in accordance with this Policy.
Relationship of the Parties
- MVP is the primary Data Controller for data collected through the Platform interface, analytics, and authentication services.
- Participating fund agencies (currently TH) act as Independent Data Controllers for the applicant and project data they access or upload.
- MVP acts as Data Processor for certain agency‑provided data, pursuant to data‑sharing agreements.
Scope of This Policy
Who is covered?
- Individuals whose data is processed via the Platform, including applicants, beneficiaries, donors, agency employees, reviewers, approvers, auditors, and visitors.
What systems are covered?
- The production, staging, and backup environments of the myCSR Platform hosted on MVP‑approved Malaysian cloud infrastructure and any future on‑prem deployments.
Personal Data We Collect
Depending on your role and interactions, we may process:
- Identity & Contact Data – name, NRIC/passport, organisation registration number, postal address, email, phone.
- Application & Project Data – CSR proposals, budgets, supporting files, beneficiary lists, milestone reports.
- Financial Data – bank details, payment references, zakat calculations, disbursement schedules.
- Technical & Usage Data – login credentials, role identifiers, IP address, device information, cookies, error logs.
- Special Category Data – data revealing religious beliefs (e.g., zakat eligibility) or sensitive beneficiary information; processed only with explicit consent or another lawful basis.
- Audio/Visual Data – photographs, video or voice recordings that you upload (e.g., project evidence, receipts), webinar session recordings, or images captured during MVP‑hosted events.
How We Collect Data
- Directly from you via forms, file uploads, webinars, feedback features, or donor checkout.
- From fund agencies such as TH when they import, verify, or supplement information you supply.
- Automatically through cookies, analytics scripts, security logs, and similar technologies.
- From you about others – If you provide personal data relating to third parties (e.g., beneficiaries or referees), you represent that you have obtained their consent to do so for the purposes set out in this Policy.
Consequences of Not Providing Personal Data
Where personal data requested by the Platform is marked as mandatory, failure to provide such information may result in:
- Inability to create or maintain your user account.
- Rejection or delay of CSR applications.
- Restriction of access to certain Platform features or agency services.
Optional data fields are clearly indicated; withholding optional data will not affect core functionality.
Purposes & Legal Bases for Processing
| Purpose | Legal Basis under PDPA | Details |
|---|---|---|
| Account registration & authentication | Contract | Create and secure your user account. |
| CSR application submission, review & monitoring | Contract & Legal obligation | Facilitate funding workflows required by agencies. |
| Financial management & audits | Legal obligation | Ensure transparent disbursements, zakat compliance, and statutory reporting. |
| Cross‑agency duplicate checking & fraud prevention | Legitimate interests & Consent | Detect duplicate funding requests and fraudulent activities. |
| Analytics & UX optimisation | Legitimate interests / Consent | Improve Platform performance and user experience with aggregated or pseudonymised data. |
| Security monitoring & incident response | Legitimate interests | Protect confidentiality, integrity, and availability of data. |
| Donor services (zakat calculation, akad receipts) | Contract & Consent | Provide donors with accurate calculations and digital receipts. |
Automated assessments (e.g., AI‑generated risk scores) do not constitute final decisions; participating agencies retain discretion. You may request human review.
Cookies & Tracking Technologies
We use:
- Essential cookies for session management and CSRF protection.
- Analytics cookies (opt‑in) to measure feature adoption and usage trends.
- Security cookies to detect unusual login patterns.
You can manage cookies via your browser; disabling cookies may impair functionality.
Data Sharing & Disclosure
We never sell or rent personal data. We may share data:
- With Participating Agencies (e.g., TH) – Applicant and project information is shared with the agency handling your application on a need‑to‑know basis.
- Across Agencies (future capability) – Only if you provide explicit consent or where authorised by law.
- Service Providers – Cloud hosting, AI engines, payment gateways, ID‑verification vendors, all bound by strict data‑processing agreements.
- Regulators & Law Enforcement – When required under PDPA or other applicable laws.
- Corporate Transactions – In connection with mergers or acquisitions, subject to PDPA safeguards.
International Data Transfers
All primary servers are located in Malaysia. If data must be transferred overseas (e.g., global cloud redundancy), we ensure equivalent protection via contractual clauses compliant with PDPA Sections 129–133.
Data Security
We implement a defence‑in‑depth approach, including:
- Encryption – TLS 1.3 in transit; AES‑256 at rest.
- Multi‑Factor Authentication (MFA) for privileged users.
- Role‑Based Access Control (RBAC) & least‑privilege principles.
- Continuous monitoring (SIEM), quarterly penetration tests, and vulnerability scans.
- Daily encrypted backups and disaster‑recovery drills targeting 99.9% availability.
- Immutable audit trails retained for at least seven (7) years.
Data Breach Notification
In the unlikely event of a data breach that is reasonably likely to result in harm to affected individuals, MVP will:
- Contain & investigate the incident immediately upon discovery.
- Notify the Personal Data Protection Commissioner (PDPC) and other relevant regulators within 72 hours where required by law.
- Alert affected users without undue delay, describing the nature of the breach, potential impacts, and remedial steps they can take.
- Maintain detailed incident records for audit and continuous improvement.
Data Retention & Disposal
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Application & project records | 7 years after project close‑out or per agency policy (whichever is longer) | Secure deletion (NIST 800‑88) |
| Financial & transaction logs | 7 years | Cryptographic wipe & physical destruction |
| System logs & backups | 24 months | Automated purge & key‑shredding |
| Accounts inactive > 24 months | 30‑day notice, then deletion | Irreversible erase |
| Longer‑term legal/audit obligations | As required | Minimal data retained strictly for the relevant mandate |
Data Accuracy & Integrity
MVP takes reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept up‑to‑date in line with PDPA Principle 5. You are encouraged to review and update your information via your account dashboard at any time. MVP and participating agencies may conduct periodic validation of key fields (e.g., organisation registration numbers) to maintain data quality.
Your Rights under PDPA
You may, subject to exemptions:
- Access your personal data.
- Correct inaccurate or incomplete data.
- Withdraw consent for non‑mandatory processing.
- Object or restrict processing based on legitimate interests.
- Request erasure when data is no longer needed or unlawfully processed.
- Request human review of automated assessments.
- Administrative fee – MVP reserves the right to charge a reasonable fee (currently RM 10) for each data‑access request, as permitted by PDPA Section 30(2).
Submit requests via the Platform or contact us. We will respond within 21 days.
Children & Vulnerable Individuals
If you submit data on behalf of minors or vulnerable groups, you confirm that you have obtained the necessary guardian consent or legal authority to do so. MVP applies additional safeguards, such as field‑level masking, for such data.
Third‑Party Links
The Platform may contain links or iFrames to external sites or agency portals. MVP is not responsible for their privacy practices. Please review their policies.
Accountability & Governance
MVP maintains an Accountability Framework that includes:
- Annual privacy review & policy update overseen by the Data Protection Officer.
- Mandatory PDPA awareness training for all staff and contractors.
- Privacy Impact Assessments ("DPIAs") for new or high‑risk features.
- Internal & external audits of privacy controls at least once every 12 months.
- Vendor due‑diligence programme ensuring processors meet our security and privacy standards.
© 2025 Million Virtue Partners Sdn. Bhd. All rights reserved.
This Privacy Policy is effective from 6 July 2025.