Effective date 28 April 2026·Version 2026.04.28
This Data Collection Notice (“Notice”) is issued by Zenara Jaya (the “Company”) in accordance with the Personal Data Protection Act 2010. It explains how Personal Data is collected, processed, used, disclosed and handled by the Company across our integrated digital ecosystem, which comprises:
By providing Personal Data, you acknowledge that you have been informed of this Notice. Where required by applicable law, explicit consent will be obtained prior to processing.
Identification, contact, employment, education, account, communications and technical data.
The Company may collect and process the following categories of Personal Data:
Personal Data may also be provided by Clients (e.g. candidate information uploaded by Clients) or obtained from third-party sources where lawful (publicly available information, background verification providers, integration partners or referrals).
Only collected where strictly necessary and with explicit consent or other lawful basis.
The Company may collect and process Sensitive Personal Data — including health-related information, criminal background data, or other categories defined as sensitive under applicable law — only where strictly necessary and:
Sensitive Personal Data is subject to enhanced protection.
Key terms used throughout this Notice.
The Company may act either as a data user (controller) for Personal Data collected directly from individuals, or as a data processor when processing Personal Data on behalf of Clients via TurntoHuman HRM.
Directly from you, automatically, or from Clients and third parties.
We collect Personal Data through:
We take reasonable steps to ensure that data obtained from third parties was collected and disclosed lawfully.
To operate TurntoHuman Jobs, support recruitment, communicate, secure the system, improve services and meet legal obligations.
We process Personal Data only for lawful purposes directly related to our business activities, including:
Where Personal Data is processed via TurntoHuman HRM, processing is conducted on behalf of Clients, who determine the specific recruitment purposes and criteria. The Company acts as a data processor in such cases.
To Clients, service providers, regulators, affiliates and parties to corporate transactions.
We may disclose Personal Data to:
The Company takes reasonable steps to ensure that recipients are subject to appropriate confidentiality and data protection obligations. We do not sell your Personal Data to third parties.
Some data is mandatory for core services; missing data may limit functionality.
The provision of Personal Data may be mandatory or optional. Mandatory fields are indicated at the point of collection where practicable.
Failure to provide mandatory Personal Data may result in inability to create or maintain an account, access certain features, process job applications, interact with Clients, verify identity, or comply with legal obligations.
Failure to provide optional Personal Data may reduce Platform functionality, limit personalisation, decrease the effectiveness of job matching, or reduce profile visibility to Clients. Withdrawal of consent may also affect the Company’s ability to continue providing certain services.
Access, correction, withdrawal of consent, objection, restriction, complaint and limited portability.
Subject to applicable law, you have the right to:
All requests are subject to verification of identity and may be limited where compliance would violate legal obligations, affect the rights of others, or compromise system security. The Company aims to respond within twenty-one (21) days, subject to extension where additional time is required. Reasonable administrative fees may be imposed where permitted by law.
Internal sharing within our platform ecosystem, with role-based access controls.
Personal Data may be transferred and shared within the Platform ecosystem, including sharing within our platform ecosystem, synchronisation of user profiles across system modules, and access by authorised personnel.
Access is regulated by role-based controls based on job function, operational necessity and system permissions. We take reasonable steps to ensure that data belonging to different Clients is segregated and that unauthorised cross-access is prevented.
Your data may be transferred outside Malaysia where necessary, with safeguards.
Personal Data may be transferred to locations outside Malaysia where necessary, including where the Company’s systems, servers or infrastructure are located outside Malaysia, where service providers operate internationally, or where Clients or users are located in different jurisdictions.
The Company implements safeguards including:
Where required, cross-border transfer is based on consent, contractual necessity or other lawful grounds. By using the Platform you acknowledge that such transfers may occur.
Retained only for as long as necessary; securely deleted, destroyed or anonymised when no longer required.
We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted under applicable law. Retention periods are determined based on the nature and sensitivity of the data, the purpose of collection, the duration of the relationship with the Data Subject, and legal, regulatory or contractual requirements.
When Personal Data is no longer required, it is securely deleted, destroyed or anonymised. Personal Data may continue to exist temporarily in backup systems but will not be actively processed during this period. Where Personal Data is processed via TurntoHuman HRM, retention is determined by the relevant Client.
Internal analytics and aggregated insights — no sale of identifiable Personal Data.
The Company may use Personal Data for internal analytics including:
Personal Data may be converted into aggregated or anonymised form for statistical analysis, reporting, benchmarking, research, business intelligence and lawful commercial purposes such as market insights and product optimisation. Such data does not identify any individual. The Company does not sell, lease or otherwise commercialise identifiable Personal Data unless explicit consent has been obtained or otherwise permitted under applicable law.
Reasonable technical and organisational measures, including encryption and access controls.
The Company implements technical measures to protect Personal Data, including:
Organisational controls include internal policies, role-based access restrictions, staff training and awareness programmes, and confidentiality obligations. You are responsible for maintaining the confidentiality of your account credentials and for notifying the Company of any suspected security breach.
While we take reasonable steps to protect Personal Data, no system can be guaranteed to be completely secure. To the extent permitted by applicable law, the Company shall not be liable for unauthorised access beyond its reasonable control.
Detection, containment, assessment, notification and remediation.
Where the Company becomes aware of an actual or suspected data breach, we take reasonable steps to contain the breach, prevent further unauthorised access, and secure affected systems. We assess the nature and severity of the breach, including the type and volume of Personal Data involved, the sensitivity of the data, and the potential impact on Data Subjects.
Where required under applicable law or where appropriate, we may notify affected Data Subjects and relevant regulatory authorities. We take reasonable steps to mitigate the impact, address vulnerabilities, strengthen security controls and implement corrective measures to prevent recurrence.
Used to enable features, improve performance and analyse usage.
The Company may use various tracking technologies, including:
Categories include:
Where required by applicable law, a cookie consent mechanism will be implemented before activating non-essential tracking technologies. You may manage or disable cookies through your browser settings, although this may affect certain Platform functionalities.
Independent third parties have their own privacy policies — interact at your own discretion.
The Platform may contain links, integrations or connections to third-party websites, applications or services that are not operated or controlled by the Company. We do not control, and are not responsible for, the content, data collection or processing practices, or security measures of such third-party platforms.
Third-party platforms may collect and process Personal Data independently, governed by their own privacy policies. Users should review those policies before providing any Personal Data to third parties.
Service-related notifications always; marketing only with consent — opt out anytime.
We may send service-related communications necessary for the provision of the Platform — including account-related notifications, job application updates, system alerts and security notifications. These do not require separate marketing consent.
We may send marketing communications — such as job alerts, recommendations, promotional messages, and updates on services or features — where you have provided consent or where otherwise permitted under applicable law.
You may opt out of marketing communications at any time using unsubscribe links, account settings or by contacting us. Opting out of marketing does not affect the Company’s ability to send service-related communications. The Company shall not disclose Personal Data to third parties for their independent marketing purposes without explicit consent or lawful basis.
Algorithms support job matching but do not make final hiring decisions.
The Platform uses automated systems, algorithms and analytical tools to support functions including job matching, recommendations and ranking of candidates. These processes are designed to assist, not replace, human decision-making. The Company does not make final employment or recruitment decisions on behalf of Clients.
Outcomes may be influenced by data provided by users, system configurations and Client-defined criteria. The Company does not guarantee the accuracy, completeness or suitability of automated outcomes. Profiling that produces legal or similarly significant effects will not be carried out without appropriate safeguards and, where required, explicit consent.
System activity is monitored and logged to support security, compliance and dispute resolution.
The Company maintains monitoring, logging and audit mechanisms to support security, integrity and proper functioning of the Platform, including system access logs, user activity logs, authentication and login records, and administrative actions.
Logs may include metadata such as timestamps, user identifiers and system events, and may be used as evidence in internal investigations, dispute resolution processes, and legal or regulatory proceedings. Access to logs is restricted to authorised personnel.
Different Clients’ data is logically separated; internal access is role-based.
The Company implements measures to ensure Personal Data is segregated and protected across different users, Clients and system environments. Personal Data belonging to one Client is not accessible to another Client. Users only have access to their own Personal Data and data explicitly shared with them through authorised interactions.
Internal access is restricted based on roles and responsibilities. Technical measures include logical separation of data within systems, role-based access control, system- level permissions and database-level access controls where applicable.
We keep records of consents, requests, activity and incidents for compliance.
The Company may maintain records including:
These records may be used as evidence in internal investigations, dispute resolution and legal or regulatory proceedings. They are protected by access controls, secure storage and audit trails.
We may restrict or terminate access where Personal Data or the Platform is misused.
The Company may take action where Personal Data or the Platform is used unlawfully or inconsistently with this Notice, including:
Misuse may include unauthorised disclosure, use of data for unrelated purposes, or exploitation of data for unauthorised commercial gain. Immediate action may be taken without prior notice where necessary to protect Personal Data or maintain system security.
Personal Data may transfer to a successor in mergers, acquisitions or restructuring.
In the event of a merger, acquisition, restructuring or transfer of assets, Personal Data may be transferred to a successor entity, an acquiring party or an affiliated entity. Any entity receiving Personal Data shall be expected to continue processing it in accordance with this Notice or an equivalent policy and to comply with applicable data protection laws. Where permitted by applicable law, transfer as part of a business transaction may not require separate consent.
We may update this Notice; continued use means acceptance.
We may update, modify or revise this Notice from time to time to reflect changes in legal or regulatory requirements, business operations, or technology. Updates take effect upon publication on the Platform or on the specified effective date. Where updates involve material changes, we take reasonable steps to highlight them and, where required by applicable law, obtain additional consent.
The Company maintains version control and may retain previous versions of this Notice. Updates do not affect the lawfulness of processing carried out prior to the effective date.
For data protection enquiries, requests or complaints.
For questions, requests or complaints regarding this Notice or the handling of your Personal Data, you may contact us at:
Zenara Jaya
Email: connect@quanta8.com.my
Address: Bangunan Bei Lot 1180, Ground Floor Jalan Krokop 2, 98000 Miri, Sarawak, Malaysia.
We aim to respond within twenty-one (21) days, subject to extension where additional time is required. Where a complaint cannot be resolved internally, you may also escalate the matter to the Personal Data Protection Commissioner of Malaysia.