Privacy & PDPA notice
What Jubi collects, why we collect it, what we do with it, and what you can ask us to do about it. Covers the marketing site at jubi.my, demo and pre-engagement materials, and platform use under a customer engagement. Aligned with PDPA Malaysia and the EU/UK GDPR.
1. Who this applies to
- Visitors to jubi.my and its subpages.
- Prospects who submit the demo form or otherwise engage in pre-engagement activity.
- Customers and their authorised users, once an engagement is in place. For customer data processed by Jubi on a customer's behalf, the customer is the data controller (PDPA: data user); see the DPA.
- Job applicants and visitors to our offices, where applicable. Recruitment-specific notices are provided at the point of application.
2. Controller and contact
For the personal data covered by this notice for which Jubi acts as controller, the controller is the Jubi entity that operates jubi.my. To exercise rights, ask questions, or report a privacy concern, email privacy@jubi.my. We will appoint a Data Protection Officer where required by law and an Article 27 GDPR EU representative if and when we target the EU/EEA at scale.
3. What we collect
| | |
|---|---|
| You visit the site | A small set of essential cookies (basic site preferences). No advertising trackers, no cross-site profiling. See the cookie policy. Server access logs (IP, user agent, request path) are retained for security and abuse handling. |
| You submit the demo form | Your name, company, work email, role, and a free-text description of your data stack (whatever you write). |
| You correspond with us | The contents of your messages, your contact details, and any attachments you choose to send. |
| You're an authorised user of a customer tenant | Identity attributes from your IdP (name, email, group memberships), queries you submit to the assistant, and the audit trail Guardian generates. The customer tenant's controller is the customer, not Jubi. |
| You apply for a role | The application materials you choose to send. Recruitment data handling is described separately at the point of application. |
4. How we use it
- To respond to your demo request and follow up on the conversation you started.
- To deliver the platform under an active engagement.
- To secure and improve the platform, including aggregate operational analytics that do not identify individuals.
- To meet legal obligations and respond to lawful requests from competent authorities.
- To defend our legal rights where necessary.
We do not sell personal data. We do not train AI models on your data or your customers' data. We do not share your personal data with model providers for their training.
5. Legal bases for processing (GDPR Article 6)
Where the GDPR applies, we rely on the following legal bases:
| | |
|---|---|
| Performance of a contract Art. 6(1)(b) | To provide the platform under an active engagement; to deliver pre-engagement evaluation activity you've asked for. |
| Legitimate interests Art. 6(1)(f) | To respond to inbound enquiries, to secure the platform and prevent abuse, to maintain and improve the operation of our service, to communicate with prospects and customers about their evaluation or engagement. We have weighed these interests against the rights and freedoms of data subjects. |
| Legal obligation Art. 6(1)(c) | To meet legal obligations imposed on Jubi (tax, regulatory, court orders). |
| Consent Art. 6(1)(a) | For non-essential cookies (when added) and for any direct marketing where consent is required. You may withdraw consent at any time without affecting prior lawful processing. |
Under the PDPA, our processing is supported by the data subject's consent and by exemptions for the performance of a contract and the legitimate interests of Jubi as the data user, as applicable.
6. Where it lives
- Prospect data (form submissions, marketing): hosted in Malaysia or Singapore.
- Customer data: stays in the deployment region selected at the start of the customer engagement. The AI use & data policy covers AI inference residency separately.
- Backups and archival storage: in encrypted form alongside the production region; ageing out of retention in the ordinary course.
7. International transfers
Where personal data is transferred from a jurisdiction with a data-export regime (the EU/EEA, the United Kingdom, Malaysia under the PDPA, and other jurisdictions as applicable) to a jurisdiction not benefitting from an adequacy decision, the transfer relies on a permitted mechanism, including:
- The European Commission's Standard Contractual Clauses, in the controller-to-processor module where Jubi acts as processor for customer data, and in the processor-to-subprocessor module for transfers to subprocessors;
- The UK International Data Transfer Addendum issued by the Information Commissioner;
- An applicable adequacy decision under the GDPR or local equivalent.
We have assessed the transfer destinations on which we currently rely. Customers acting as controllers for their own customer data remain responsible for any transfer-impact analysis on their side.
8. Retention
- Demo form submissions: retained for the duration of the evaluation conversation and for a reasonable period of follow-up activity, then deleted absent a converted engagement.
- Customer audit logs and tenant data: per the engagement-specific retention configuration set out in the DPA.
- Server access logs: retained for a limited period for security and abuse handling.
- Records required for legal, tax, or regulatory purposes: retained for the period required by applicable law.
- Job-applicant data: per the recruitment notice provided at the point of application.
Specific retention periods may evolve as our practice matures. Where retention applies under an executed engagement, the engagement controls.
9. Your rights
Subject to the limits and conditions in applicable law, you may ask us to:
- Tell you what personal data we hold about you (right of access).
- Correct inaccurate or incomplete data (right to rectification).
- Delete your data (right to erasure), subject to legal retention obligations.
- Restrict or object to processing in certain circumstances.
- Receive your data in a portable form, where it was provided to us under consent or contract.
- Withdraw consent where consent is the basis for processing.
Send the request to privacy@jubi.my. We aim to respond within thirty (30) days of receipt and within the timeline set by applicable law. We may ask you to verify your identity before responding.
If you are an authorised user of a customer tenant and your request relates to data Jubi processes on the customer's behalf, we will refer you to the customer (the data controller) and notify the customer of your request, as set out in the DPA.
You may also lodge a complaint with the Personal Data Protection Department of Malaysia, the Information Commissioner's Office (UK), your local supervisory authority in the EU/EEA, or another competent authority where applicable.
10. Automated decision-making (GDPR Article 22)
In the ordinary course, Jubi does not make decisions producing legal or similarly significant effects on individuals based solely on automated processing. Jubi is decision-support tooling; outputs are presented to a human user.
If a customer chooses to use Jubi as part of a workflow that produces solely automated decisions about a natural person with legal or similarly significant effect, the customer (as controller) is responsible for meeting Article 22 obligations — including providing the data subject's right to obtain human intervention, to express their point of view, and to contest the decision. The customer should not deploy Jubi for such workflows without scoping that explicitly with us; see the AI use & data policy.
11. Children's privacy
Jubi is a B2B platform and is not designed for, marketed to, or intended for children. We do not knowingly collect personal data from individuals under the age of sixteen. If you believe a minor has provided personal data to Jubi, contact privacy@jubi.my and we will take reasonable steps to delete it.
12. Cookies and similar technologies
Detail is in the cookie policy. In summary: the marketing site uses a small number of essential cookies and does not run third-party advertising trackers, cross-site profiling, or session-replay tools. We honour the browser's "Do Not Track" and Global Privacy Control signals to the extent we operate any tracking that would otherwise apply (today, we don't operate such tracking on the marketing site).
13. Marketing communications
If we send you marketing emails, you may opt out using the unsubscribe link in any such message or by emailing privacy@jubi.my. Opt-out applies to marketing only; we will continue to send transactional and engagement-related communications.
14. California privacy disclosures
Where the California Consumer Privacy Act and California Privacy Rights Act apply to a California resident's personal information processed by Jubi as a "business" (rather than as a "service provider" for a customer tenant), the rights of access, correction, deletion, and to opt out of "sale" or "sharing" of personal information apply. Jubi does not "sell" personal information for monetary consideration and does not engage in "sharing" for cross-context behavioural advertising. Submit requests to privacy@jubi.my; we will not discriminate against you for exercising these rights.
15. Security
We maintain technical and organisational measures appropriate to the risk of processing. Details are in the security overview and, for customer engagements, in Annex B of the DPA. No system is perfectly secure; we will not warrant it as such.
16. Changes
If this notice changes materially, we update the "Last updated" date and, where required by law or where the change is adverse, take additional steps such as direct notification or a banner on the site. For customers under an executed engagement, changes to this public notice do not vary the engagement; the engagement controls.
Privacy: privacy@jubi.my · Security: security@jubi.my · General: hello@jubi.my