Privacy Policy

PART A
PRIVACY POLICY

This Privacy Policy explains how Peoplehive Consulting Sdn Bhd ("we", "us", or "our") collects, uses, stores, and protects personal data when you use SkillKlip (the "Platform"), an AI-powered video learning and assessment tool delivered via web browser.
This Policy applies to all users of the Platform, including: (a) HR administrators and organizational account holders ("Admin Users"); and (b) employees, learners, and any individual assigned to complete training through the Platform ("Learner Users"). Both categories of users are collectively referred to as "you" unless the context requires distinction.
This Policy is issued in compliance with the Personal Data Protection Act 2010 (PDPA 2010) of Malaysia. As the Platform expands internationally, applicable data protection laws of relevant jurisdictions, including the General Data Protection Regulation (GDPR) for European users, shall also apply.

1. Lawful Basis for Processing Personal Data
We process personal data on the following lawful bases:
User Category
Processing Activity
Lawful Basis
Admin Users
Account creation and management
Contractual necessity
Admin Users
Billing and subscription management
Contractual necessity / Legal obligation
Admin Users
Video upload and content management
Contractual necessity
Learner Users
Assignment of learning modules
Legitimate interests of the employer organization
Learner Users
Recording quiz results and completion status
Legitimate interests / Contractual necessity (employment context)
Learner Users
Individual performance reporting to HR
Legitimate interests of the employer organization
All Users
Security monitoring and fraud prevention
Legitimate interests
All Users
Analytics and service improvement
Consent (where required) / Legitimate interests
All Users
Marketing communications
Consent

2. Who We Are � Data Controller and Processor Roles
The Platform operates with a layered data responsibility structure:
� We (Peoplehive Consulting Sdn Bhd) act as: the Data Controller for account and platform-level data; and the Data Processor for all employee learning data processed on behalf of the Subscribing Organization.
� The Subscribing Organization (the employer) acts as: the Data Controller for all employee personal data, learning records, quiz results, and completion tracking data generated within their organizational account.

3. Categories of Personal Data Collected
3.1 Admin Users (HR / Organizational Accounts)
� Account Data: Full name, work email address, job title, department, company name, and country.
� Billing Data: Payment method details, invoicing address, and transaction records (processed via third-party payment processors; we do not store raw card data).
� Content Upload Data: Videos, documents, and materials uploaded to the Platform, including associated metadata (file name, upload timestamp, uploader identity).
� Usage Data: Login activity, content management actions, report access logs, and administrative activity audit trails.
3.2 Learner Users (Employees)
� Identity Data: Full name, work email address, employee ID (if provided by the organization), department, and job role.
� Learning Activity Data: Modules assigned and accessed, video viewing progress (including time watched, sections replayed, and drop-off points), AI-generated instructional content viewed.
� Assessment Data: Quiz responses submitted, scores achieved for each attempt, number of attempts made, pass/fail status, date and time of each attempt.
� Completion & Competency Data: Overall course completion status, competency gap identification (modules not yet passed), and remediation assignments issued by HR.
� Technical Data: IP address, browser type and version, device type, session duration, and access timestamps.
3.3 Video Content Data (All Uploaders)
Videos uploaded to the Platform may contain the following categories of data, which uploaders are responsible for disclosing and obtaining consent for:
� Visual and audio recordings of identifiable individuals (employees, trainers, or other persons appearing on camera);
� Verbal or written proprietary business information, trade secrets, or confidential operational procedures;
� Third-party content (including music, footage, or branded materials) subject to separate intellectual property rights.

4. How We Use Personal Data
4.1 Platform Operations
� To create and manage user accounts and organizational subscriptions.
� To process uploaded videos using AI to segment content into learning modules.
� To generate AI-produced instructional guidance, summaries, and learning objectives for each module.
� To create and administer AI-generated quizzes to assess learner comprehension.
� To record and store learner quiz responses, scores, and completion status.
4.2 HR Monitoring & Competency Management
� To provide HR and Admin Users with individual learner dashboards showing: module completion status per employee; quiz scores and pass/fail results per attempt; identification of employees who have not completed required modules; and identification of employees with knowledge gaps who require remediation.
� To generate organizational-level completion and competency reports.
� To support HR in assigning remedial learning to employees who have not met the required competency threshold.

4.3 AI Model and Service Improvement
� We do NOT use uploaded video content, learner assessment data, or any personally identifiable information to train our AI models. AI improvement is conducted solely using anonymized, aggregated usage metrics.

5. Individual Employee Performance Data � Special Provisions
Given the sensitive nature of individual employee learning and assessment records, the following additional provisions apply:
� Access Control: Individual employee quiz scores, completion records, and competency gap data are accessible only to designated HR Administrators and authorized organizational account holders within the Subscribing Organization. We do not grant ourselves access to individual employee performance data except for technical support purposes, which are logged and auditable.
� Purpose Limitation: Employee performance data collected through the Platform shall be used solely for the purpose of internal learning and development management within the Subscribing Organization. It shall not be used for disciplinary action, performance appraisal, or employment decisions without the Subscribing Organization establishing a separate, appropriate legal basis for such use under applicable employment law.
� Employee Notification Obligation: The Subscribing Organization is solely responsible for informing its employees that their learning activity, quiz attempts, scores, and completion status are recorded and visible to HR. We strongly recommend this disclosure be made in writing prior to Platform access being granted.
� Data Minimization: We collect only the assessment and completion data strictly necessary to provide the learning management and HR reporting features. We do not track keystrokes, facial recognition, or biometric data in connection with quiz completion.

6. Third-Party Sharing & Data Processors
We share personal data only with the following categories of third-party processors, each of which is bound by contractual data protection obligations:
Processor Category
Purpose
Examples
AI Model Providers
Video segmentation, content generation, quiz generation
Anthropic, OpenAI, Gemini
Cloud Infrastructure
Data hosting, storage, and content delivery
AWS, Supabase
Video Processing Services
Video transcoding, streaming, and segmentation
AWS
Payment Processors
Subscription billing
Stripe 
Analytics Providers
Platform usage analytics (anonymized)
Google Analytics
Email / Notification Services
System notifications and communications
Resend

� We do NOT share employee learning performance data with any third party outside the Subscribing Organization's account, except where required by law or court order.
� We do NOT sell, rent, or trade any personal data to any third party for commercial purposes.
7. Data Retention Policy
Data Category
Retention Period
Notes
Admin account and profile data
Duration of active subscription + 90 days post-termination
Then permanently deleted
Uploaded video content
Duration of active subscription + 30 days grace period after cancellation
Organization may export prior to deletion
AI-generated learning modules and content
Duration of active subscription + 30 days grace period
Linked to uploaded video; deleted together
Learner completion records and quiz scores
Duration of active subscription + 90 days post-termination
Organization may export prior to deletion
Individual learner activity logs
60 months from date of activity
Auto-purged on a rolling basis
Billing and payment records
7 years
Required under Malaysian financial regulations
Security and audit logs
12 months
Auto-purged on a rolling basis

* Statutory Retention Warning: The retention periods listed above are platform-default settings for data privacy compliance. Subscribing Organizations are solely responsible for ensuring these periods align with their specific industry�s statutory record-keeping obligations (e.g., OSHA Malaysia, financial audits, or employment laws). We strongly recommend that Organizations export all necessary learner records and competency data prior to the expiration of the 30-day grace period, after which data is non-recoverable
8. Security Measures
� Encryption of all data in transit using TLS 1.2 or higher.
� Encryption of all data at rest using AES-256 or equivalent standards.
� Role-Based Access Control (RBAC) ensuring Admin Users can only access data within their own organizational account.
� Strict segregation of organizational data � no cross-organization data access.
� Audit logging of all HR access to individual employee performance reports.
� Regular vulnerability assessments and penetration testing of the Platform.
� Data breach response plan with notification to affected organizations within 72 hours of discovery of a material breach.

9. User Rights Under PDPA 2010 (Malaysia)
Learner Users (employees) who wish to exercise their data rights should direct requests to their employing organization's HR department in the first instance, as the organization is the Data Controller for their learning records. We will cooperate with such requests as directed by the Subscribing Organization.

10. Cross-Border Data Transfer
As the Platform is deployed internationally, your data may be transferred to and processed in countries outside Malaysia, including the United States and European Union member states. We ensure the following safeguards are in place for all cross-border transfers:
� Standard Contractual Clauses (SCCs) or Data Processing Agreements (DPAs) with all overseas processors requiring data protection standards equivalent to PDPA 2010.
� For European users: compliance with GDPR Chapter V transfer mechanisms, including SCCs approved by the European Commission.
� For users in other jurisdictions: compliance with applicable local data protection laws as we expand regionally.
� Maintenance of a data flow register documenting all cross-border transfers and applicable safeguards.

11. Video Content � Uploader Responsibilities
Where Admin Users or employees upload video content to the Platform, the following responsibilities apply to the uploader and the Subscribing Organization:
� Consent for Identifiable Persons: If uploaded videos contain identifiable individuals (employees, trainers, or third parties appearing on camera), the uploading organization is solely responsible for having obtained valid consent from those individuals for their image and voice to be recorded, stored, and used as training content on the Platform.
� Third-Party Intellectual Property: Uploaders must have full legal right to use, reproduce, and distribute any content within uploaded videos. We are not responsible for copyright infringement arising from uploaded content.
� Confidential Business Information: Organizations should assess whether uploaded videos contain trade secrets or commercially sensitive information before uploading. We implement technical safeguards, but the decision to upload sensitive content is the organization's responsibility.
� Prohibited Content: Uploaders must not upload content that is illegal, defamatory, discriminatory, or in violation of any applicable law or regulation.

12. Cookies & Tracking
� Essential Cookies: Required for the Platform to function (session management, authentication). Cannot be disabled.
� Analytics Cookies: Used to measure Platform usage and performance. May be opted out via browser settings or our cookie preference panel.
� Preference Cookies: Used to remember user settings and preferences.

We do not use advertising or third-party marketing cookies.

13. Children's Data & Minimum Age
The Platform is designed exclusively for use in a corporate and organizational training context. All users must be at least 18 years of age or the legal age of employment in their jurisdiction. We do not knowingly collect personal data from individuals under the minimum applicable age.

14. Policy Updates
We may update this Privacy Policy to reflect changes in our practices, technology, or applicable law. Material changes will be communicated to Admin Users via email and in-app notice at least 14 days before the changes take effect. The Subscribing Organization is responsible for communicating relevant changes to its Learner Users. Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

SkillKlip  |  Privacy Policy & Terms and Conditions

Version 1.0  |  Last Updated: [Insert Date]	Page 1