Data Collection Notice

Effective date 28 April 2026·Version 2026.04.28

This Data Collection Notice (“Notice”) is issued by Zenara Jaya (the “Company”) in accordance with the Personal Data Protection Act 2010. It explains how Personal Data is collected, processed, used, disclosed and handled by the Company across our integrated digital ecosystem, which comprises:

  • TurntoHuman Jobs — our job marketplace platform;
  • TurntoHuman HRM — human resource management platform.

By providing Personal Data, you acknowledge that you have been informed of this Notice. Where required by applicable law, explicit consent will be obtained prior to processing.

1. Categories of Personal Data we collect

Identification, contact, employment, education, account, communications and technical data.

The Company may collect and process the following categories of Personal Data:

  • Identification Data — name, national identification number, passport number, date of birth, gender, nationality and other identifying particulars;
  • Contact Data — email address, telephone number, residential address, and other contact details;
  • Employment and Professional Data — CV, job history, work experience, skills, certifications, references and employment preferences;
  • Education Data — academic qualifications, institutions attended and training records;
  • Account and Profile Data — usernames, encrypted login credentials, profile settings and preferences;
  • Communication Data — correspondence, messages, enquiries, feedback and interactions with the Company or through the Platform;
  • System and Technical Data — IP address, device identifiers, browser type and version, operating system, access timestamps, log files and system activity records;
  • Usage and Behavioural Data — pages visited, features used, navigation patterns, interaction frequency and session duration (collected automatically through system processes);
  • Inferred and Derived Data — job matching results, profile completeness scores, suitability indicators, behavioural insights and system-generated recommendations.

Personal Data may also be provided by Clients (e.g. candidate information uploaded by Clients) or obtained from third-party sources where lawful (publicly available information, background verification providers, integration partners or referrals).

2. Sensitive Personal Data

Only collected where strictly necessary and with explicit consent or other lawful basis.

The Company may collect and process Sensitive Personal Data — including health-related information, criminal background data, or other categories defined as sensitive under applicable law — only where strictly necessary and:

  • where explicit consent has been obtained; or
  • where otherwise permitted by law.

Sensitive Personal Data is subject to enhanced protection.

3. Definitions

Key terms used throughout this Notice.

  • Personal Data — any information in respect of commercial transactions that relates directly or indirectly to an individual and identifies or can reasonably be used to identify that individual.
  • Processing — any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, disclosure, alignment, restriction or deletion.
  • Platform — TurntoHuman Jobs, TurntoHuman HRM, and any associated websites, mobile applications, software modules, APIs or integrations.
  • User — any individual who accesses or uses the Platform, including job seekers, candidates and people interacting with job listings.
  • Client — any organisation, employer or entity that uses the Platform, for recruitment.
  • Data Subject — an individual who is the subject of Personal Data.
  • Anonymised Data — data processed so that the Data Subject is no longer identifiable by any means reasonably likely to be used.

The Company may act either as a data user (controller) for Personal Data collected directly from individuals, or as a data processor when processing Personal Data on behalf of Clients via TurntoHuman HRM.

4. How we collect Personal Data

Directly from you, automatically, or from Clients and third parties.

We collect Personal Data through:

  • Directly from you — when you register an account, complete your profile, submit your CV, apply for jobs, use Platform features, or communicate with us;
  • Automatically — through your use of the Platform, including system logs, cookies and tracking technologies, device and browser information, and interactions with features and content;
  • From third parties, where permitted by law — including Clients, service providers, publicly available sources and professional platforms.

We take reasonable steps to ensure that data obtained from third parties was collected and disclosed lawfully.

5. Purposes of collection and processing

To operate TurntoHuman Jobs, support recruitment, communicate, secure the system, improve services and meet legal obligations.

We process Personal Data only for lawful purposes directly related to our business activities, including:

  • Core Platform functionality — account creation, authentication, profile management and ensuring system availability;
  • Recruitment and job matching — matching candidates with opportunities, recommending listings, enabling applications, allowing Clients to review profiles and facilitating communication;
  • Communication and support — responding to enquiries, sending notifications, managing feedback;
  • System operations and security — maintaining integrity, detecting and investigating fraud, monitoring performance, enforcing rules;
  • Analytics and improvement — analysing usage trends, improving features, developing new services, conducting research and testing (often using aggregated or anonymised data);
  • Personalisation — tailoring job recommendations, customising content and improving search relevance;
  • Legal and regulatory compliance — complying with legal obligations, responding to lawful requests, supporting investigations;
  • Business operations — relationship management, reporting, governance, risk management and audit.

Where Personal Data is processed via TurntoHuman HRM, processing is conducted on behalf of Clients, who determine the specific recruitment purposes and criteria. The Company acts as a data processor in such cases.

6. Disclosure of Personal Data

To Clients, service providers, regulators, affiliates and parties to corporate transactions.

We may disclose Personal Data to:

  • Clients and employers — to enable review of candidate profiles, facilitate applications and assess suitability. Clients act as independent data users in respect of data accessed through the Platform;
  • Service providers and vendors — including hosting and infrastructure providers, system maintenance providers, communication and notification services, and analytics and performance monitoring providers, all subject to contractual confidentiality obligations;
  • Regulatory authorities, government agencies or law enforcement — where required by law or for investigation or enforcement purposes;
  • Internal Platform ecosystem — including sharing between TurntoHuman Jobs and sharing within our platform for operational purposes, and access by authorised personnel for operational purposes;
  • Business transactions — in connection with mergers, acquisitions, restructuring, sale of assets or due diligence;
  • Aggregated or anonymised data — for analytics, research and business intelligence purposes that do not identify any individual.

The Company takes reasonable steps to ensure that recipients are subject to appropriate confidentiality and data protection obligations. We do not sell your Personal Data to third parties.

7. Consequences of failing to provide Personal Data

Some data is mandatory for core services; missing data may limit functionality.

The provision of Personal Data may be mandatory or optional. Mandatory fields are indicated at the point of collection where practicable.

Failure to provide mandatory Personal Data may result in inability to create or maintain an account, access certain features, process job applications, interact with Clients, verify identity, or comply with legal obligations.

Failure to provide optional Personal Data may reduce Platform functionality, limit personalisation, decrease the effectiveness of job matching, or reduce profile visibility to Clients. Withdrawal of consent may also affect the Company’s ability to continue providing certain services.

8. Your rights as a Data Subject

Access, correction, withdrawal of consent, objection, restriction, complaint and limited portability.

Subject to applicable law, you have the right to:

  • Access — request access to your Personal Data, including confirmation of processing, a description of data held, processing purposes and categories of recipients;
  • Correction — request correction of inaccurate, incomplete, misleading or out-of-date Personal Data;
  • Withdraw consent — withdraw consent for processing at any time, with possible effects on services;
  • Object to processing — object in certain circumstances;
  • Restrict processing — request restriction where the accuracy of data is contested, processing is excessive, or you have objected;
  • Data portability (limited) — request data in a reasonable format where technically feasible;
  • Lodge complaints — with the Company directly, or with the relevant regulatory authority.

All requests are subject to verification of identity and may be limited where compliance would violate legal obligations, affect the rights of others, or compromise system security. The Company aims to respond within twenty-one (21) days, subject to extension where additional time is required. Reasonable administrative fees may be imposed where permitted by law.

9. Data transfer and Platform ecosystem handling

Internal sharing within our platform ecosystem, with role-based access controls.

Personal Data may be transferred and shared within the Platform ecosystem, including sharing within our platform ecosystem, synchronisation of user profiles across system modules, and access by authorised personnel.

Access is regulated by role-based controls based on job function, operational necessity and system permissions. We take reasonable steps to ensure that data belonging to different Clients is segregated and that unauthorised cross-access is prevented.

10. Cross-border data transfer

Your data may be transferred outside Malaysia where necessary, with safeguards.

Personal Data may be transferred to locations outside Malaysia where necessary, including where the Company’s systems, servers or infrastructure are located outside Malaysia, where service providers operate internationally, or where Clients or users are located in different jurisdictions.

The Company implements safeguards including:

  • contractual obligations requiring recipients to protect Personal Data;
  • encryption and access controls;
  • internal policies governing cross-border data handling;
  • restrictions on further disclosure by recipients.

Where required, cross-border transfer is based on consent, contractual necessity or other lawful grounds. By using the Platform you acknowledge that such transfers may occur.

11. Data retention and deletion

Retained only for as long as necessary; securely deleted, destroyed or anonymised when no longer required.

We retain Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted under applicable law. Retention periods are determined based on the nature and sensitivity of the data, the purpose of collection, the duration of the relationship with the Data Subject, and legal, regulatory or contractual requirements.

When Personal Data is no longer required, it is securely deleted, destroyed or anonymised. Personal Data may continue to exist temporarily in backup systems but will not be actively processed during this period. Where Personal Data is processed via TurntoHuman HRM, retention is determined by the relevant Client.

12. Data analytics, aggregation and commercial use

Internal analytics and aggregated insights — no sale of identifiable Personal Data.

The Company may use Personal Data for internal analytics including:

  • analysis of user behaviour and interaction patterns;
  • evaluation of Platform performance and usage trends;
  • improvement of recruitment matching algorithms;
  • development of new features and services.

Personal Data may be converted into aggregated or anonymised form for statistical analysis, reporting, benchmarking, research, business intelligence and lawful commercial purposes such as market insights and product optimisation. Such data does not identify any individual. The Company does not sell, lease or otherwise commercialise identifiable Personal Data unless explicit consent has been obtained or otherwise permitted under applicable law.

13. Data security

Reasonable technical and organisational measures, including encryption and access controls.

The Company implements technical measures to protect Personal Data, including:

  • encryption of data in transit and, where appropriate, at rest;
  • secure authentication and access control mechanisms;
  • firewall and intrusion detection systems;
  • system monitoring and logging;
  • regular system updates and patch management.

Organisational controls include internal policies, role-based access restrictions, staff training and awareness programmes, and confidentiality obligations. You are responsible for maintaining the confidentiality of your account credentials and for notifying the Company of any suspected security breach.

While we take reasonable steps to protect Personal Data, no system can be guaranteed to be completely secure. To the extent permitted by applicable law, the Company shall not be liable for unauthorised access beyond its reasonable control.

14. Data breach management

Detection, containment, assessment, notification and remediation.

Where the Company becomes aware of an actual or suspected data breach, we take reasonable steps to contain the breach, prevent further unauthorised access, and secure affected systems. We assess the nature and severity of the breach, including the type and volume of Personal Data involved, the sensitivity of the data, and the potential impact on Data Subjects.

Where required under applicable law or where appropriate, we may notify affected Data Subjects and relevant regulatory authorities. We take reasonable steps to mitigate the impact, address vulnerabilities, strengthen security controls and implement corrective measures to prevent recurrence.

15. Cookies and tracking technologies

Used to enable features, improve performance and analyse usage.

The Company may use various tracking technologies, including:

  • cookies stored on user devices;
  • session identifiers;
  • local storage mechanisms;
  • tracking pixels or similar technologies.

Categories include:

  • Essential cookies required for basic Platform functionality;
  • Performance cookies used to analyse usage and performance;
  • Functional cookies used to remember user preferences;
  • Analytical cookies used to collect statistical data.

Where required by applicable law, a cookie consent mechanism will be implemented before activating non-essential tracking technologies. You may manage or disable cookies through your browser settings, although this may affect certain Platform functionalities.

16. Third-party links and external platforms

Independent third parties have their own privacy policies — interact at your own discretion.

The Platform may contain links, integrations or connections to third-party websites, applications or services that are not operated or controlled by the Company. We do not control, and are not responsible for, the content, data collection or processing practices, or security measures of such third-party platforms.

Third-party platforms may collect and process Personal Data independently, governed by their own privacy policies. Users should review those policies before providing any Personal Data to third parties.

17. Marketing communications

Service-related notifications always; marketing only with consent — opt out anytime.

We may send service-related communications necessary for the provision of the Platform — including account-related notifications, job application updates, system alerts and security notifications. These do not require separate marketing consent.

We may send marketing communications — such as job alerts, recommendations, promotional messages, and updates on services or features — where you have provided consent or where otherwise permitted under applicable law.

You may opt out of marketing communications at any time using unsubscribe links, account settings or by contacting us. Opting out of marketing does not affect the Company’s ability to send service-related communications. The Company shall not disclose Personal Data to third parties for their independent marketing purposes without explicit consent or lawful basis.

18. Automated processing and system recommendations

Algorithms support job matching but do not make final hiring decisions.

The Platform uses automated systems, algorithms and analytical tools to support functions including job matching, recommendations and ranking of candidates. These processes are designed to assist, not replace, human decision-making. The Company does not make final employment or recruitment decisions on behalf of Clients.

Outcomes may be influenced by data provided by users, system configurations and Client-defined criteria. The Company does not guarantee the accuracy, completeness or suitability of automated outcomes. Profiling that produces legal or similarly significant effects will not be carried out without appropriate safeguards and, where required, explicit consent.

19. Monitoring, logging and audit

System activity is monitored and logged to support security, compliance and dispute resolution.

The Company maintains monitoring, logging and audit mechanisms to support security, integrity and proper functioning of the Platform, including system access logs, user activity logs, authentication and login records, and administrative actions.

Logs may include metadata such as timestamps, user identifiers and system events, and may be used as evidence in internal investigations, dispute resolution processes, and legal or regulatory proceedings. Access to logs is restricted to authorised personnel.

20. Data segregation and access isolation

Different Clients’ data is logically separated; internal access is role-based.

The Company implements measures to ensure Personal Data is segregated and protected across different users, Clients and system environments. Personal Data belonging to one Client is not accessible to another Client. Users only have access to their own Personal Data and data explicitly shared with them through authorised interactions.

Internal access is restricted based on roles and responsibilities. Technical measures include logical separation of data within systems, role-based access control, system- level permissions and database-level access controls where applicable.

21. Records, documentation and evidence

We keep records of consents, requests, activity and incidents for compliance.

The Company may maintain records including:

  • user account registration details;
  • consent records and acceptance logs (with timestamps and applicable Notice version);
  • system access and activity logs;
  • data processing and disclosure records;
  • communications with users and Clients;
  • records of Data Subject requests and responses;
  • complaints and incidents.

These records may be used as evidence in internal investigations, dispute resolution and legal or regulatory proceedings. They are protected by access controls, secure storage and audit trails.

22. Misuse, abuse and enforcement

We may restrict or terminate access where Personal Data or the Platform is misused.

The Company may take action where Personal Data or the Platform is used unlawfully or inconsistently with this Notice, including:

  • restricting or suspending access;
  • terminating accounts;
  • limiting Platform functionality;
  • blocking access to certain data or features;
  • reporting to relevant authorities where required by law.

Misuse may include unauthorised disclosure, use of data for unrelated purposes, or exploitation of data for unauthorised commercial gain. Immediate action may be taken without prior notice where necessary to protect Personal Data or maintain system security.

23. Business transfer and corporate restructuring

Personal Data may transfer to a successor in mergers, acquisitions or restructuring.

In the event of a merger, acquisition, restructuring or transfer of assets, Personal Data may be transferred to a successor entity, an acquiring party or an affiliated entity. Any entity receiving Personal Data shall be expected to continue processing it in accordance with this Notice or an equivalent policy and to comply with applicable data protection laws. Where permitted by applicable law, transfer as part of a business transaction may not require separate consent.

24. Updates to this Notice

We may update this Notice; continued use means acceptance.

We may update, modify or revise this Notice from time to time to reflect changes in legal or regulatory requirements, business operations, or technology. Updates take effect upon publication on the Platform or on the specified effective date. Where updates involve material changes, we take reasonable steps to highlight them and, where required by applicable law, obtain additional consent.

The Company maintains version control and may retain previous versions of this Notice. Updates do not affect the lawfulness of processing carried out prior to the effective date.

25. Contact us

For data protection enquiries, requests or complaints.

For questions, requests or complaints regarding this Notice or the handling of your Personal Data, you may contact us at:

Zenara Jaya

Email: connect@quanta8.com.my

Address: Bangunan Bei Lot 1180, Ground Floor Jalan Krokop 2, 98000 Miri, Sarawak, Malaysia.

We aim to respond within twenty-one (21) days, subject to extension where additional time is required. Where a complaint cannot be resolved internally, you may also escalate the matter to the Personal Data Protection Commissioner of Malaysia.

Last updated: 28 April 2026
Back to home