
Personal Data Protection Act Policy

Annex A Teledoc PDPA Compliance Addendum

HASKART PERSONAL DATA PROTECTION POLICY (PDPA)

v1.1 — Updated December 2025

Overview

Haskart is a lifestyle and wellness platform operating in Malaysia. The platform enables users to:

  • Discover scenic locations and merchants through Pitstop+
  • Book virtual non‑clinical wellness sessions
  • Book in‑person 1‑to‑1 services offered by participating wellness centres
  • Interact with contributors and merchants
  • Share user‑generated content

Haskart does not provide medical or clinical services. All wellness sessions are non‑clinical, and all in‑person services are delivered by independent wellness centres.

As a platform that processes personal data such as identity information, contact details, location data, Booking/Appointment records, behavioural data, and transaction details, Haskart is committed to full compliance with the Malaysian Personal Data Protection Act 2010 (PDPA) and the Personal Data Protection (Amendment) Act 2024.

This PDPA Policy explains how Haskart collects, uses, stores, discloses, and protects personal data.

1. Data Collection Policy

1.1 Types of Data Collected

Haskart collects the following categories of personal data:

  • Identity Data: Name, NRIC/Passport (where required), date of birth, gender, profile photo
  • Contact Information: Email address, phone number, address
  • Location Data: Check‑ins, GPS (only when user grants permission), merchant visits
  • Booking/Appointment Data: Virtual session Booking/Appointments, in‑person service Booking/Appointments, contributor/centre selection, session preferences
  • Behavioural Data: Likes, shares, flags on Pitstop+, browsing patterns, search history
  • Transaction Data: Booking/Appointment payments and settlement records
  • Technical Data: Device identifiers, IP address, login logs, browser information
  • User‑Generated Content: Posts, images, videos, audio uploads, comments

Haskart does not collect or process medical records, clinical diagnoses, prescriptions, or regulated health data.

1.2 Source of Collection

Data is collected:

  • Directly from users during registration or profile updates
  • Through platform usage
  • Through Booking/Appointments with contributors or wellness centres
  • Through user‑generated content
  • As required by law

1.3 Data Minimization

Haskart only collects data necessary for:

  • Account creation
  • Booking/Appointment and payment processing
  • Platform safety
  • Feature functionality
  • Legal compliance

2. Consent

2.1 Explicit and Informed Consent

Users provide consent through:

  • Registration
  • Booking/Appointment confirmations
  • Acceptance of privacy notices
  • Enabling device permissions (e.g., location, camera, microphone)

No sensitive medical data is collected.

2.2 Withdrawal of Consent

Users may withdraw consent at any time.
Certain features may become unavailable if consent is withdrawn.

3. Data Usage and Purpose Limitation

Personal data is used for:

  • Account management
  • Virtual and in‑person wellness Booking/Appointments
  • Communication (alerts, confirmations, updates)
  • Contributor and wellness centre interactions
  • Payment processing
  • Platform analytics and improvement
  • Legal compliance

No data is used for unrelated purposes without fresh consent.

4. Data Disclosure and Sharing

Data may be shared with:

  • Wellness contributors and wellness centres (for Booking/Appointment fulfilment)
  • Payment processors
  • Technical service providers
  • Regulatory authorities (when required by law)

Haskart does not share data with medical providers or telemedicine partners.

All third parties must comply with PDPA standards.

5. Data Retention and Disposal

  • Data is retained only as long as necessary for service delivery, legal compliance, and dispute resolution
  • Users may request deletion of their data
  • Deleted data is permanently erased or anonymized

6. Data Security and Protection

Haskart implements:

  • Encryption (in transit and at rest)
  • Role‑based access control
  • Multi‑factor authentication for admin access
  • Secure development practices
  • Incident response procedures
  • Continuous monitoring

7. Data Subject Rights

Users may request:

  • Access to their data
  • Correction of inaccurate data
  • Deletion (where legally permitted)
  • Withdrawal of consent
  • Objection to certain processing
  • Data portability (where feasible)

Requests are handled within PDPA timelines.

8. Third‑Party Integrations

Haskart integrates with:

  • Payment gateways
  • Wellness centres’ Booking/Appointment systems
  • Technical service providers

All integrations require PDPA‑compliant agreements.

No telemedicine or clinical integrations exist.

9. Cross‑Border Data Transfers

Cross‑border transfers occur only when:

  • Required for technical hosting
  • Adequate protection is ensured
  • User consent is obtained
  • A Transfer Impact Assessment is completed

10. Data Protection Governance

The Haskart Admin:

  • Oversees PDPA compliance
  • Handles user requests
  • Manages breach notifications
  • Conducts internal audits
  • Ensures staff training

11. Data Breach Notification

If a personal data breach occurs that may cause harm:

  • The Personal Data Protection Commissioner will be notified within 72 hours (if required)
  • Affected users will be notified within 7 days
  • Remediation steps will be taken immediately

This is required under the PDPA Amendment Act 2024.

12. Policy Review and Updates

This policy is reviewed:

  • Annually
  • After major platform changes
  • After regulatory updates

13. Contact Information

Haskart Admin
Email: admin@haskart.com
Phone: 603‑3319 1445
Address: No 62‑2, Lorong Batu Nilam 4B, Bandar Bukit Tinggi, Klang, Selangor