Last updated: 22 April 2026 · Effective date: 22 April 2026 · Version 1.0
Summary: CoSec OS is a Malaysian platform. We collect only what we need to provide our service. We do not sell your data. AI-generated drafts use your company information only to produce the resolution — data is not retained by OpenAI beyond the API call. You have full rights under the PDPA 2010.
1. Who We Are
CoSec OS is operated by SLV Group Sdn. Bhd. (the "Company", "we", "us", or "our"), a company incorporated in Malaysia. Our registered address is Zenith 1 Corporate Park, Block B, 19-2, Jalan SS 7/26, 47301 Petaling Jaya, Selangor.
CoSec OS is a Software-as-a-Service (SaaS) platform that assists Company Secretaries and Malaysian businesses with the generation of CA2016-compliant board resolutions and corporate compliance documents.
For privacy inquiries: privacy@slvgroup.com.my
2. Data We Collect
2.1 Account Data
- Full name, email address, phone number
- Role (CoSec Principal, Associate, Entrepreneur, Director)
- Hashed password (bcrypt, never stored in plain text)
- Login timestamps and last active date
2.2 Company & Corporate Data
- Company name, SSM registration number, company type
- Registered address, financial year end, paid-up capital
- Director names, NRIC numbers, positions, appointment dates
- Shareholder information and share register data
NRIC Numbers: We collect director NRIC numbers solely for the purpose of generating CA2016-compliant resolutions that require director identification. NRIC data is encrypted at rest and never shared with third parties.
2.3 Document Data
- AI-generated board resolutions and their content
- Uploaded signed PDF documents
- Review notes and CoSec certification records
- Token usage and generation timestamps (for billing)
2.4 Technical Data
- IP address (hashed with SHA-256 — not stored in plain text)
- Browser type and operating system (for session management)
- Pages visited and features used (audit log)
- Error logs (for debugging, auto-purged after 30 days)
2.5 Payment Data
Payment processing is handled by Billplz (an SST-registered Malaysian payment gateway). We do not store credit card numbers or bank account details on our servers. We retain payment reference numbers and transaction amounts for billing records.
3. How We Use Your Data
| Purpose | Legal Basis (PDPA 2010) |
| --- | --- |
| Providing the CoSec OS platform and features | Contractual necessity |
| Generating AI board resolutions using your company data | Contractual necessity + your consent |
| Sending compliance deadline reminders | Contractual necessity |
| Processing payments for credits and subscriptions | Contractual necessity |
| Sending transactional emails (welcome, password reset) | Contractual necessity |
| Maintaining audit logs for compliance purposes | Legal obligation (CA2016) |
| Improving platform features and fixing bugs | Legitimate interest |
| Sending product updates and feature announcements | Legitimate interest (opt-out available) |
4. AI Processing (OpenAI)
CoSec OS uses OpenAI's API (GPT-4o-mini model) to generate board resolutions. When you generate a draft:
- Your company data and director information are included in the API prompt
- OpenAI processes this data to generate the resolution text
- OpenAI does not use API data to train their models (per their API data usage policy)
- The generated text is returned to CoSec OS and stored in your document vault
- No data is retained by OpenAI beyond the duration of the API call
Data minimisation: We only send to OpenAI the company information required to generate the specific resolution you requested. We do not send your entire company record or historical data.
OpenAI is subject to their own Privacy Policy: openai.com/privacy
5. Data Sharing
We do not sell your personal data. We share data only with:
- OpenAI — for AI resolution generation (see Section 4)
- Hostinger — our cloud hosting provider (servers in EU/US, SCCs in place)
- Billplz — payment processing (Malaysian provider, Bank Negara regulated)
- Your CoSec firm — if you are an Entrepreneur client, your assigned CoSec firm can view your company data and documents for the purpose of providing CoSec services
- Law enforcement — if required by Malaysian law, court order, or regulatory authority
6. Data Retention
| Data Type | Retention Period |
| --- | --- |
| Account data | Duration of account + 7 years after closure |
| Company & director records | Duration of subscription + 7 years (statutory requirement) |
| Generated resolutions | Duration of subscription + 7 years |
| Signed PDF documents | Duration of subscription + 7 years |
| Payment records | 7 years (Income Tax Act 1967 requirement) |
| Audit logs | 3 years |
| Error logs | 30 days (auto-purged) |
| Session data | 2 hours (auto-expired) |
7. Your Rights Under PDPA 2010
Under the Personal Data Protection Act 2010, you have the right to:
- Access — request a copy of all personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Withdrawal of consent — withdraw consent for non-essential processing (note: this may limit platform functionality)
- Limit processing — request that we limit how we use your data in certain circumstances
- Complaint — lodge a complaint with the Personal Data Protection Department (JPDP) of Malaysia
To exercise any of these rights, email privacy@slvgroup.com.my. We will respond within 21 days as required by PDPA 2010.
8. Security
We implement the following technical and organisational measures to protect your data:
- All data transmitted over HTTPS (TLS 1.2+)
- Passwords hashed with bcrypt (cost factor 12)
- IP addresses stored as SHA-256 hashes (irreversible)
- Session tokens regenerated on every login
- CSRF protection on all form submissions
- Private configuration files stored outside the web root
- Database credentials never exposed in application code
- Signed PDF documents stored in a private directory inaccessible from the web
While we take reasonable precautions, no system is completely secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours as required under PDPA 2010.
9. Cookies
CoSec OS uses only essential session cookies required for the platform to function. We do not use advertising cookies, third-party tracking cookies, or analytics cookies. Our cookie usage:
- Session cookie — maintains your login state (expires after 2 hours of inactivity or on logout)
- CSRF token — prevents cross-site request forgery (session-scoped)
No cookie consent banner is required as we use only strictly necessary cookies.
10. Children's Privacy
CoSec OS is a professional business platform not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before material changes take effect. Your continued use of CoSec OS after changes take effect constitutes acceptance of the updated policy.
12. Contact Us
For any privacy-related questions or to exercise your PDPA rights:
- Email: privacy@slvgroup.com.my
- Company: SLV Group Sdn. Bhd.
- Address: Zenith 1 Corporate Park, Block B, 19-2, Jalan SS 7/26, 47301 Petaling Jaya, Selangor, Malaysia
- JPDP (Personal Data Protection Department): www.pdp.gov.my