Privacy Policy & Malaysia PDPA 2010 Compliance Notice

Be Smart Global, LLC ("DocReport Malaysia", "we", "our", or "us"), a Delaware Limited Liability Company, provides the DocReport Malaysia B2B SaaS platform. This Privacy Policy is a legally binding agreement governing the processing of personal data within the territorial jurisdiction of Malaysia. This policy is structured in strict compliance with the **Personal Data Protection Act (PDPA) 2010** (Act 709) of Malaysia, the **Medical Act 1971**, and the **Private Healthcare Facilities and Services Act (PHFSA) 1998**.

Furthermore, as a digital health infrastructure provider, we align our platform with the guidelines published by the **Malaysian Medical Council (MMC)** regarding clinical confidentiality, electronic medical records, and telemedicine.

This policy applies to all registered healthcare practitioners, hospitals, private clinics, diagnostic centers, third-party administrators (TPAs), and their authorized administrative staff (collectively referred to as "Subscribers" or "Data Users") who upload, dictate, or transmit data through our clinical AI copilot, as well as the patients whose administrative and clinical coordinates are processed ("Data Subjects").

The DocReport Malaysia platform is owned and operated by Be Smart Global, LLC, a corporate entity registered in the State of Delaware, United States of America, under File Number 10620833. Our registered corporate agent and address are as follows:

All financial operations, payment gateway routing, subscription licensing, and corporate accounting are managed through our US bank accounts and our Stripe integration. Subscription fees calculated in Malaysian Ringgit (MYR) are billed dynamically and processed securely. Our contact email for all legal, compliance, and data protection inquiries is info@be-smart-business.de.

Under the PDPA 2010, the classification of parties is determined by who decides the purpose and means of processing personal data:

• Subscribing Clinic / Practitioner as the Data User: The registered medical practitioner, clinic, or hospital network determines the clinical purpose for compiling medical reports, dictating patient consults, and filing insurance appeals. Therefore, the Subscriber is the Data User and bears the primary statutory obligations to the patient (the Data Subject) under the PDPA 2010, including the obligation to obtain valid consent and provide appropriate notices.
• DocReport Malaysia as the Data Processor: We process personal data solely on behalf of the Subscriber in accordance with their instructions and B2B SaaS agreements. We act as a Data Processor. We implement advanced technical and organizational measures to ensure compliance, but we do not interact directly with patients or make clinical determinations.

In compliance with the PDPA 2010, we notify you of the specific categories of personal data processed on our platform:

A. Data User / Subscriber Account Data

To manage accounts and billing, we collect the following personal and professional details directly from registered practitioners and administrators:

• Full Name and Professional Title (e.g., MD, MBBS, MRCP).
• Medical Registration Number (issued by the Malaysian Medical Council (MMC) or National Specialist Register (NSR)).
• Clinic or Hospital Name, physical address, and corporate contact details.
• Email address, telephone number, and authentication credentials (hashed passwords).
• Subscription tier selections, transaction histories, and Stripe billing tokens. We do not store raw credit card numbers locally.

B. Ambient Clinical Dictation and Patient Data

To generate structured clinical documentation, medical necessity letters, prior authorizations, and billing payloads, the platform processes:

• Audio recordings and voice dictation transcripts of clinical consultations.
• Patient demographic data (such as age, gender, diagnostic history).
• Clinical observations, vital signs, physical examination records, and laboratory test results.
• Insurance claim details, rejection codes, policy numbers, and TPA case coordinates.

Under the PDPA 2010, we process personal data strictly for specified, lawful purposes:

• Clinical Documentation Automation: Converting unstructured spoken audio of doctor-patient interactions into structured SOAP notes, clinical reports, and consultation summaries.
• Insurance Appeal & Claims Optimization: Generating medically justified appeal letters to contest insurance claim denials under MMA Schedule of Fees and private insurance frameworks.
• Prior Authorization Copilot: Drafting clinical justification reports for surgical procedures and high-cost medical interventions.
• Account Administration & Security: Verifying subscriber identity, managing subscriptions, preventing billing fraud, and securing access to the practice dashboard.
• Legal Compliance: Maintaining cryptographically secure, immutable audit logs as mandated by the PHFSA 1998 and MMC guidelines.

To support Subscribers in fulfilling their duties of confidentiality under the PDPA 2010, the platform implements a zero-trust, zero-knowledge security architecture:

• Browser-Based PII Scrubbing: All patient-identifiable details (such as patient names, NRIC/Passport numbers, telephone numbers, and specific addresses) are redacted inside the Subscriber's web browser before any data is sent to our remote servers. Identifiable tokens are replaced with randomized tags (e.g., `[MY_PATIENT_XYZ]`).
• Local Re-identification: The compilation and restoration of redacted data occur strictly in the browser's active memory. The cleartext patient record is never stored on or transmitted to our database, keeping patient PII entirely within the clinic's local environment.
• Sovereign Client-Side Encryption: Stored clinical data is encrypted in the browser using an AES-GCM (256-bit) cryptographic key. This key is generated locally and stored solely in the browser's secure `localStorage`. We only store encrypted ciphertext blobs. If the local key is lost, we cannot decrypt or recover the data.

Under the General Principle (Section 6) of the PDPA 2010, a Data User must obtain the consent of the Data Subject (or their legal guardian) before processing personal data:

• Subscriber Consent Obligation: The Subscribing clinic is responsible for obtaining consent from patients before using the ambient scribe or generating medical documentation. We provide template consent forms in English and Malay.
• Clinical Dictation Access: A patient must give explicit or clear implied consent prior to the clinical conversation being captured. Practitioners must inform patients that DocReport is used solely as an administrative aid to transcribe notes and that all patient identifiers are automatically redacted browser-side.

Under the PDPA 2010, Data Subjects have specific statutory rights:

• Right to Withdraw Consent (Section 38): Patients can request consent withdrawal by contacting the clinic directly. Upon receiving a withdrawal request, the Subscriber (Data User) must stop processing the patient's data and instruct us (the Data Processor) to erase the corresponding records.
• Right to Access & Correction (Section 30 & 34): Patients have the right to request access to their personal data and request correction of inaccurate, incomplete, misleading or outdated data.
• We will delete all encrypted records associated with the patient within 30 days of receiving the instruction, unless retention is required by other applicable laws in Malaysia.

Under the Retention Principle (Section 10) of the PDPA 2010, personal data must not be kept longer than necessary for the fulfillment of its processing purpose.

However, healthcare providers in Malaysia are bound by the Private Healthcare Facilities and Services Act (PHFSA) 1998 and guidelines of the Malaysian Medical Council (MMC), which mandate specific retention periods:

• Outpatient Department (OPD) records must be preserved for at least **7 years** from the patient's last visit.
• Pediatric patient records must be retained until the child reaches the age of majority (18 years) plus an additional **7 years** (totaling 25 years of age).
• Medico-legal cases or clinical disputes must be archived indefinitely or until final judicial settlement.

These statutory retention mandates override standard erasure requests under the PDPA. The Subscribing clinic is responsible for managing these retention schedules. Upon subscription termination, we purge all corresponding encrypted cloud databases within 30 days.

Under Section 129 of the PDPA 2010, transfer of personal data outside Malaysia is prohibited unless the country has been specified by the Minister or falls under specific exceptions (such as performance of a contract or where the Data Subject has consented).

Our account administration, billing processing, and system telemetry are hosted in the United States by Be Smart Global, LLC and processed through Stripe. This transfer is necessary to provide the B2B subscription service. Clinical consultation data remains redacted and encrypted, meaning no readable patient personal data is transferred across borders. All B2B contracts incorporate strict data protection agreements to safeguard these transfers.

Under the Security Principle (Section 9) of the PDPA 2010, we implement reasonable security safeguards to prevent personal data breaches:

• Data Encryption: All data is encrypted in transit using TLS 1.3 and at rest in our cloud databases using AES-256.
• Access Control: Role-based access control (RBAC) and Multi-Factor Authentication (MFA) are enforced for all administrative interfaces.
• Breach Notification: In the event of a personal data breach, we will notify the affected Subscribers (Data Users) and relevant regulatory bodies in accordance with personal data protection standards.

For any privacy concerns, data access requests, or complaints, please contact our Compliance Department: