Privacy Policy

Dear Customer,

We are pleased that you are interested in data protection. We would like to give you an easily understandable overview of the data processing practices, and our privacy compliance measures in relation to our delivery websites, applications and related services (collectively referred to as "platform" below). Our goal is to provide you with an amazing customer experience while keeping your personal data secure. Trust, transparency and honesty are our leading principles. Your trust in our product is the reason why we can provide you with an amazing customer experience.

In this Privacy Policy, “personal data” means any information which directly identifies you as a person (like the combination of your full name and address), or can be used to identify you as a person (like a user ID connected to your identity). The categories of personal data are set out below. Similarly, “processing” refers to any operation performed on your personal data, for example the collection, storage, use, disclosure, or destruction of your personal data.

1. Who we are

We are Z BEE Sdn Bhd (“we", “us" or “our"), but usually we just use the name zBee or zBee Delivery.

As regards the processing activities conducted on our platform, we will be the data controller responsible for what happens with your personal data. "Data controller" is a legal term and simply means that we are the party determining how your personal data is processed, for what purposes this is done and by what means. While we are required by law to provide you with all of the following information, we do so also out of the belief that a partnership should always be honest.

If you have any questions about data protection at zBee, you can contact our data protection officer at any time by sending an email to support@zbee.my. We will continue to be your point of contact if you have any questions about data protection.

While visiting our platform, registering or placing orders, you agree to this Privacy Policy. This Privacy Policy applies to all personal data obtained by us through your use of our platform. It does not apply to any websites controlled by third parties not affiliated with us that our platform may link to (“Third Party Sites”). The relevant privacy policies set out in the respective Third-Party Sites shall apply in those cases.

2. Privacy is your right and the choice is yours

As a customer you have the choice which information you would like to share with us. Please be aware, however, that when signing up to and/or continuing access to our platform, you are required to accept our terms of use. Legally speaking, this means you will enter into a contract with us under which you are entitled to use the platform, in accordance with the terms of use. Of course, we need some information from you to be able to perform our obligations under this contract. However, it is entirely up to you to choose whether you would like to provide such information or would rather not use our platform.

You can take the following steps to control and manage how much personal data you share with us:

• Cookies & web-tracking: You can set your device or web browser to decline cookies and other web-tracking technologies (which is also possible through our consent manager). If you deactivate web-tracking, you will no longer see any personalized contents, offers or ads.
• Direct marketing: If you do not want to receive newsletters from us, you can unsubscribe at any time. In this case, we will not be able to send you any cool offers.

You may also withdraw your consent for the processing of your personal data for certain Purposes (as defined below) (e.g., marketing) by submitting your request via email to support@zbee.my.

3. Your Legal Rights

Right to access

You have the right to be informed which data we store about you and how we process this data.

We will respond to your correction request as soon as practicable.

Right to rectification

If you notice that stored data is incorrect, you can always ask us to correct it.

We will respond to your correction request as soon as practicable.

Right to withdraw your consent to the processing of your personal data

You can withdraw your consent to our collection, use and disclosure of your personal data at any time for any or all of the Purposes. Upon receiving your withdrawal request, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. Please note that depending on the nature and scope of your request, we may not be in a position to continue providing our services to you and we shall, in such circumstances, notify you before completing the processing of your request.

Right to erasure

You have the right to ask us to delete your personal data. Please note that even if you exercise this right, we may be required to retain some of your information if we process it as part of our legal obligations, or in pursuit of our own (or a third party’s legitimate interests) such as the assertion of, or defense against, legal claims, preventing fraud or protecting ourselves or others against abusive behavior.

Right to restriction of processing

If you have requested the deletion of your personal data, but we are legally prevented from immediately deleting it, we will store your data in our archives and retain them for the sole purpose of meeting our legal obligations. However, you will not be able to use our services during this time, as this would require us to de-archive your personal data.

Right to data portability

You can ask us to provide you or another data controller with your personal data in a machine-readable format. However, please note that this right only applies to data that we process based on your consent.

Right to object

You have the right, for reasons arising from your particular situation, to object at any time to any processing of your personal data, which is processed on the basis of our legitimate interests. If you object, we will no longer process your personal data unless we can prove compelling grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise, or defend against legal claims.

You also have the right to object at any time, without giving any explanations, to the process of your personal data for the purposes of direct marketing (including any associated profiling).

Right of complaint

You can raise a complaint about our processing with the data protection authority in the country of your habitual residence, place of work, or the place where you think a violation of data protection laws has occurred. In the case of cross-border data processing, you can also lodge a complaint with our lead supervisory authority in Berlin, Germany.

Right not to be subject to a decision based solely on automated processing

You have the right to object to a fully automated decision (i.e. without any human intervention in the decision-making process) that has legal effects or significantly affects you. To exercise your rights, we encourage you to use the functions available in your account at any time. For example, if you would like to delete your data, or receive a copy of it, you can directly do so by following the relevant steps in your profile. These self-service methods are designed to expedite the process of fulfilling your rights. Alternatively, you may send in your request via email to support@zbee.my at any time and we will process such requests in accordance with this Privacy Policy and our obligations under applicable laws.

We will endeavor to process your request as soon as practicable upon receipt.

We may charge you a reasonable fee for the handling and processing of your requests to access your personal data and will inform you of the amount charged in advance.

You may also delete your account through your user profile on our platform.

4. An overview of the personal data we process and source

I. Process

In this section, you can find general information about the categories of personal data we process about you. For your understanding, personal data is information that directly identifies you (such as your name or photo picture) or enables us to indirectly identify you (for example, on the basis of a user ID linked with the personal information in your profile).

You will find more detailed information on our processing activities below, in the next section. But our data processing activities on the platform can be summarized by reference the main categories of personal data:

a. Profile data (master data)

This includes your name, email address, password, telephone number, country, user ID, language, communication, delivery addresses, interests and age.

Why do we process this category? This data is your master data, which we absolutely need for our services. Without an email address / telephone number and a password, you cannot create a profile. Together with your name, this is your master data. We need your age to ensure that you are not a minor.

b. Order and delivery data

This includes your name, delivery address, phone number, order details, order ID, product names and quantities.

Why do we process this category? In accordance with the principle of data minimization, we only provide our riders, shops and restaurants (as the case may be) with the information that they need from you to prepare and deliver your order and otherwise provide services requested to you.

c. Order history data

This includes your order history, selected shops or restaurants (as the case may be), invoices, order ID, comments on orders, information on payment method, delivery address, successful orders and cancelled orders.

Why do we process this category? Each time you place an order, this information will be added to your profile. You can view all this information in your profile at any time. We will use this information to improve our services and optimize the platform for your interests.

d. Location data

This includes your address, postcode, city, country and your device’s longitude and latitude.

Why do we process this category? We need these data to be able to deliver your orders (or enable the restaurant or shop you have ordered from to deliver it to you). We create the longitude and latitude automatically in order to be able to process your delivery address in our other linked systems, such as our Rider app, and to display your address to our riders or riders of restaurants.

e. Device information and access data

This includes your device ID, device identification, operating system and corresponding version, time of access, configuration settings, IP address and platform interactions such as items added to the cart, and other data obtained through web-trackers (e.g. cookies, SDKs, pixels).

Why do we process this category? Each time you access our platform, this information is stored by us for technical reasons. We also use parts of this information to detect suspicious behaviour at an early stage and to protect our platform.

f. Customer care data

This includes your name, address, telephone number, email address, your ID from any social media (if applicable), content of your customer support requests, response from our customer care teams and images attached.

Why do we process this category? If you contact us, we collect this data because we need to know who we are talking to and what we have been talking about so that we can help you with your reason for contacting us. This also applies if you leave comments on social media on our fan pages. We do not combine this data with your profile data on our platform, but we can still identify you by your social media ID.

g. Marketing contact and communications data

This includes your name, email address, telephone number, and device ID.

Why do we process this category? If you would like to receive an email newsletter, an SMS or an in-app push notification from us, we need certain information to send you the messages. Instead of addressing you with "Hey You", we find it more customer friendly to address you with your name. This category of personal data is also used by us to contact you, for example, if a product cannot be delivered and we want to offer you an alternative instead.

h. Payment data

This includes your payment method, encrypted, pseudonymized credit card information, bank account details, credit card data, tax ID, payment method data, payment amount, payment recipient details, refund details and bank receipts.

Why do we process this category? We need this information to initiate your payments and assign them to the orders you have placed. We also need this data to store your payment information for future orders (if you give us your consent to do so).

ii. Source of Personal Data

1. Our website at https://zbee.my or mobile application
2. Online or digital form such as Google Forms
3. Manual forms
4. Cookies
5. Phone calls and live chats
6. Third parties that you have consented and authorized to provide your personal data to us

5. Our detailed processing activities and processing purposes

We process your personal data only in accordance with relevant data protection laws. We pay particular attention to the fact that all principles for the processing of personal data are taken into account. Therefore, we only process your personal data if this is lawful, and you can reasonably expect it to be processed.

In order to be able to offer you our services, the processing of your personal data is essential. You do provide us with some of this data proactively by entering them on your device. Other data we collect automatically when you are using our platforms.

We process your personal data for the following purposes (“Purposes”):

1. i. Creating and operating your account; delivering your orders
   1. a. Account Creation

      When creating a customer account, you will be asked to enter your profile data. This is absolutely necessary, as we cannot create a customer profile without this data. Your email address and telephone number are particularly important, as we can use this information to identify you in our system the next time you want to log in again. Furthermore, we would like to ask you to choose your password carefully. Do not use the same password on multiple websites. Your password should also be at least twelve (12) characters long, at least one (1) lowercase letter, one (1) uppercase letter, one (1) special character (!?#,%& etc.) and one (1) digit.

      Once you have created an account, we will assign you a unique user ID. This measure will allow us to recognize you in our system without needing to use all of your account-related information. This ID cannot be used by any outside parties.

      The information we request during the account creation process is necessary to take the first step in establishing a customer relationship with you so that we can provide you with our services.

      We store this personal data as long as you remain our customer and in the ordinary course of things we delete it after three (3) years of inactivity, or when you close your account.

      Categories of personal data:

      • Profile data (master data)
      • Device information and access data
   2. b. Login to an existing account

      If you already have an existing customer account, you will need to enter your email address and password to log in. If we detect irregularities during registration, such as entering the wrong password several times, we will take appropriate measures to prevent damage to you and us.

      Categories of personal data:

      • Profile data (master data)

      Further information on the Facebook Login can be found at: https://www.facebook.com/privacy/explanation.

      Categories of personal data:

      • Profile data (master data)
      • Facebook profile information
   3. f. Managing Your Profile

      You can log in to your profile at any time and change your personal data, such as name, email address or telephone number, and provide additional information. You can also view your previous orders.

      Your data is also processed to administer your profile, which includes tasks such as ensuring the accuracy of your personal details, processing any modifications you make, and managing technical issues you might have.

      Managing and administering your profile is a fundamental function of our platform. Without this process, we cannot provide our services to you.

      We store this data as long as you remain our customer and in the ordinary course of things we delete it after three (3) years of inactivity, or when you close your account.

      Categories of personal data:

      • Profile data (master data)
   4. g. Order Processing

      Once you have successfully registered and decided to place your order, we will store this information in your profile and process it in further processes so that you can submit your order to us. When you submit your order, your personal data is transferred to our backend where it is transferred to other systems for further processing.

      To process your order, we need your profile data as well as your order and delivery data including your address, postcode, city, country, longitude and latitude, order ID, product names and quantities.

      This information is necessary for us to forward your order for the following steps to ensure the successful delivery of your order. Without this information, we would be unable to take necessary steps to fulfill our contractual obligations to you.

      Where our platform offers the delivery of prescription medicines, the data we process may include special categories of personal data (i.e. health data). In this case, we will ensure that we clearly inform you, and obtain your prior consent. However, please note that your order of non-prescription (i.e. over-the-counter) products not specifying any particular medical condition is not regarded as involving special categories of personal data.

      We will process the data we process for this purpose for the same duration as your other data.

      Categories of personal data:

      • Profile data (master data)
      • Order data
      • Delivery data
      • Location data
      • Device information and access data

h. Personalized Content and Suggestions

When you browse our platform, we show you a variety of vendors and products. We may customize the content on our platform so that you are shown vendors who are close to you, who you have ordered from in the past, or products we believe may be of interest to you. To make this feature available, we need your profile data, location data, order and delivery data, and device information and access data.

This process may involve customer segmentation based on the data we collect from you. Additionally, we can make predictions about our customers’ demographics (e.g., age, gender) or consumption preferences. As a result, our suggestions may highlight specific products or cuisines, such as Italian restaurants, or vegan products.

Please note that these processes will not have a legal or similar significant effect on you. The only result of this process will be that you will receive suggestions about products or vendors that match your interests and food preferences.

Our activities within personalized content and suggestions form the core of our platform, without which we could not offer you relevant products and therefore we would be unable to facilitate a ground for entering into a contract with you. We would like to highlight that personalized content that is shared in this context is separate from the marketing initiatives carried out on our platform.

We will process the data we process for this purpose for the same duration as your other data.

Categories of personal data:

• Profile data (master data)
• Order and delivery data
• Location data
• Device information and access data

i. Storing your cart for later

After you have logged in to your profile and made your selection, the products will be saved in your profile. If you accidentally close your browser or app, you can continue to the last point of your order. We store this data to provide you with a better ordering experience where you can conveniently continue your order with browsers or apps that are accidentally closed.

The shopping cart function is essential to our platform as it enables us to receive and process your order. Without it, we would not be able to enter into a contract with you.

This data is deleted as soon as we no longer need it, such as once you place your order or soon after you have removed everything from your shopping cart.

Categories of personal data:

• Profile data (master data)
• Device information and access data
• Order and delivery data

j. Delivering your order

Once you have successfully placed your order, a number of processes are running in the background to ensure that your order is delivered quickly. This includes sharing your order data with the restaurant preparing your meal or shops preparing your items (for example zBee mart) as well as with the rider delivering your order.

Categories of personal data:

• Order data

k. Enabling calls from riders, restaurants, or shops to check on your order

If a product of your choice is not available for delivery or our riders cannot reach you at the delivery address you provided, they will receive instructions from us to call you so that the problem can be solved easily. Both the restaurants or shops as well as the riders have no claim whatsoever to your personal data and under no circumstances may they use it for their own purposes. If you should nevertheless be contacted by a restaurant, shop or rider without your prior consent, we ask you to report this to us by sending e-mail to support@zbee.my

Categories of personal data:

• Delivery data

l. Invoicing

If you decide to proceed with your order, we will need to receive the payment for the items you have selected.

When you place an order and select a payment provider, your information will be shared with your selected payment provider to initiate the payment process. As a customer of these payment providers, you can find information on their privacy practices in their separate privacy statements.

Following the payment for your order, we are legally required to provide you with an invoice. To fulfill this requirement and to facilitate your payment, we need to process your profile data, order and delivery data, and payment data including payment method data, payment amount, payment recipient details, refund details and bank receipts.

In some cases, the vendor (e.g. restaurant, shop) that receives your order is responsible for issuing an invoice to you. In this case, personal information necessary to meet the invoicing requirements under applicable law is shared with the vendor for the sole purpose of issuing an invoice.

We store this personal data for ten (10) years after the invoice date.

Categories of personal data:

• Profile data (master data)
• Order and delivery data
• Payment data

m. Saving your payment methods

In order to make the ordering process even more convenient for you, we offer to save your preferred payment method. This means that you do not have to enter your payment details again the next time you place an order. Your payment data will be stored securely, and we’ll make sure it stays encrypted at all times. Restaurants and shops will never receive your payment data.

We will keep this personal information for as long as you choose to share it with us.

Categories of personal data:

• Payment data

n. Preparing Your Order

After receiving your order, we share your order data with the vendor (e.g. restaurants, shops) preparing your order. We minimize the information we share with our vendors so that they only see the information necessary to process your order and hand the order over to couriers. The data we share with the vendors include delivery related data, and order details. In addition, vendors may use our platform’s chat feature or call you by phone to contact you in exceptional cases such as if the items you ordered are out of stock.

Categories of personal data:

• Order data

o. Delivering Your Order

Once your order has been prepared by the vendor, it is handed over to couriers (also called “riders”) who are responsible for delivering your order. In order to enable the delivery of your order, and thus fulfill our contractual obligations to you, we need to process your profile data and share some of that data with the rider who will deliver your order.

This data includes your delivery related data such as your name, telephone number, and delivery address. In addition, riders may use our platform’s chat feature or call you by phone to contact you if there are any exceptional delivery-related issues such as if the rider needs assistance during the delivery process. We will always ascertain that the rider receives as little information about you as possible.

In some cases, our riders will be asked to provide proof of delivery. This proof of delivery may include details such as the time and date of delivery, your name, and in some cases, a signature or photo as evidence. In case of any disputes or issues, having this information helps us investigate and resolve matters efficiently, providing you with a higher level of customer satisfaction.

We will process the data we process for this purpose for the same duration as your other profile data.

Categories of personal data:

• Profile data (master data)
• Order and delivery data
• Location data

p. Customer Care

In case you have questions or issues regarding your order, depending on the nature of your request, we will need your profile data, order and delivery data, payment data, and the data you share with us when submitting your request. This information allows us to understand the specifics of your order, enabling us to provide you with relevant and accurate assistance.

As part of our customer care service, we may use automation for certain functions. For example, actions such as cancelling your order or changing delivery instructions may be automated. In addition, our support agents may utilize algorithmic decision-making processes for the purpose of calculating compensation for any issues you may experience, and for issuing a refund or voucher.

We may use artificial intelligence technology such as chatbots powered by large language models as part of our customer care processes. When we do so, we will ensure that we remain the controller of your data and that your data is not shared with third parties to train their AI models.

We will keep the data we process within the customer care center feature for the duration of the statutory limitation periods for legal claims in your jurisdiction (which might range from three (3) up to six (6) years).

Categories of personal data:

• Profile data (master data)
• Order and delivery data
• Payment data

q. User Reviews

Once your order has been delivered, you can rate and review the vendor you have ordered from. In this case, your first name will be displayed on our platform next to the content of your review. For this purpose, your profile data, and the content of your review will be processed.

We will keep your reviews for as long as you choose to share it with us. If you no longer wish your review to be available, you can delete it at any time.

Categories of personal data:

• Profile data (master data)

ii. Fraud detection, prevention and security of our platform

In order to protect our customers and our platform from possible attacks, we continuously monitor the activities on our websites and mobile applications. To keep the platform secure and guarantee you a safe ordering experience, we use various technical measures to ensure that suspicious behaviour patterns are detected at an early stage and prevented as early as possible. To achieve this goal, several software-based monitoring mechanisms run in parallel and prevent potential attackers from damaging our platform.

To achieve effective fraud detection and prevention, we use this data to apply state-of-the-art fraud detection and prevention measures, which may include algorithmic decision making and machine learning processes. These measures include fraud scoring and flagging, transaction analysis, user behavior modeling, and, in confirmed cases, automated account suspension and blocking. Our fraud assessments will be based on your previous behavior and also sometimes information obtained from third parties (e.g. when you use a credit card which has been reported as stolen by its owner).

The decision-making process is automated and could potentially have an impact on the use of your registered account on our platform.

If any such decision (i) results in a negative, legally binding outcome for you, (ii) similarly significantly affects, or (iii) you believe there has been an error, you can contact us at support@zbee.my. In this case, we will individually assess the circumstances of your case. All of our fraud detection and prevention algorithms are always open to human review. If you think that a mistake has been made, we are happy to look into it and make corrections, if necessary.

We will keep the data we process within fraud detection and prevention purposes for the duration of your account and, after closure, for as long as it is required to clarify if your account is linked to any other fraudulent activity on our platform. This time period will vary depending on the activity in your account. If you are a trusted customer, we will delete your data, as it is no longer required.

Categories of personal data:

• Profile data (master data)
• Device information and access data
• Payment data
• Order and delivery data
• Voucher information

iii. Direct Marketing

a. Newsletters and user surveys by email and/or text message

If you have consented to receiving marketing materials from us when signing up for our platform, we may occasionally send you the materials by email, SMS or other text message regular offers of goods or services similar to those offered on our platform. We are constantly striving to improve our services. Your constructive feedback is very important to us. Therefore, our direct marketing newsletters might also include surveys where we ask for your honest feedback. So, we will occasionally also send you customer surveys and ask you to give us your opinion.

If you did not consent to receiving marketing materials from us when registering your account, you will not receive any direct marketing emails.

You are of course always free to opt out of such emails. In this case, we will store your contact details in a list of customers who have objected to receiving direct marketing, to make sure we can continuously comply with your objection.

You may withdraw your consent for us to send you all marketing materials by submitting your request via email to support@zbee.my at any time, and we will endeavour to affect your request within ten (10) business days or as soon as practicable. Your withdrawal of consent for marketing purposes will not affect your ability to use our services provided on our website and app.

You may also unsubscribe to our marketing newsletter sent via emails by clicking on the “unsubscribe” button at the end of our emails.

Not only do the contents of our newsletters and surveys vary, but so do the technologies and criteria we use to design our newsletters and segment customer groups. For example, a group of customers may receive a special newsletter promoting special deals from restaurants where customers have ordered. Other newsletters may refer to specific products that relate to a particular flavour, such as sushi, Indian cuisine or pizza. We use different information from your order history and delivery addresses to create these tailor-made offerings for you. Please be also aware that we are recording, in a pseudonymous manner, key performance indicators to assess the effectiveness of our direct marketing campaigns. This includes aggregated information about the opening and click-through rate for our direct marketing messages.

This is a profiling process in which we automatically process your data. The specific customer segmentation will not have a legal effect on you, nor will it similarly significantly affect you. The only effect you will notice are interesting offers on our platforms, bespoke to your interests and meal preferences.

Nonetheless, if this automated decision-making leads to a negative result for you and you do not agree with this, you can contact us at support@zbee.my. In this case, we will opt you out of customized newsletter communications and you will no longer receive any such messages going forward.

Categories of personal data:

• Profile data (master data)
• Location data
• Order data
• Device information and access data

ATTENTION:

As already mentioned, you are entitled to object to the use of your email address for the aforementioned advertising purposes at any time, and free of charge, with effect for the future by changing your message preferences, using the “unsubscribe” button at the end of a newsletter, or by contacting us at support@zbee.my.

b. App Notifications

We have a strong interest in informing you about new restaurants or deals when using our app. We are always working to give you an amazing customer experience. To achieve this, we negotiate very good deals for you with our restaurant partners. To inform you about these deals, we may send you in-app-notifications or push-notifications, if you have chosen to activate this feature on your end devices.

You are always free to opt-out from such communications. To ensure we comply with your choice to opt-out, we will keep your contact details on a separate list of customers who prefer not to receive direct marketing communications. In this case, we will unsubscribe you from customized communications and you will not receive such communications in the future.

We will process the data we process within this purpose for the duration of your account with us. The information if you have opted in to or out of receiving such communications we will store for the duration of the statutory limitation periods for legal claims in your jurisdiction (which might range from three (3) up to six (6) years).

Categories of personal data:

• Location data
• Profile data (master data)
• Order information

IV. Online Marketing

a. Targeting

In principle, targeting means simply showing online advertisements (e.g., by showing banners on websites, or delivering ads on social media service timelines) tailored to specific target groups. We strive to deliver to you only advertisements that are in fact relevant for your interests and bring added value to your online experience.

In our targeting process, as a first step, we define a target group based on certain criteria such as location, age or meal preferences and, secondly, we commission our service providers to show our advertising to the defined target group, both on our own websites/apps as well as on online properties owned and operated by third-party publishers. To better define the intended target groups, we segment customer types and place different ads on different portals. We will use pseudonymous data for this purpose only. That means we will not be able to identify individual persons within the defined target groups.

Categories of personal data:

• Device information and access data
• Location data

b. Retargeting

As soon as you have visited our platform and, for example, have already placed an order in your shopping cart, we store this information through cookies and other web-tracking technologies. If you continue to surf other websites, our advertising partners will remind you on our behalf that you have not completed your order. We don't want you to miss out on our amazing customer experience.

Categories of personal data:

• Device information and access data
• Location data

c. Cookies and web-tracking

In the context of our online marketing activities, we also use cookies and other web-tracking technologies. As stated above, these technologies help us to facilitate the functioning of our platform, improve its performance and security, understand how our users interact with our platform, recognize your device and deliver to you only the type of advertisements relevant to your interests.

Categories of personal data:

• Device information and access data

d. Bonus programs

We want to reward our customers' loyalty with attractive deals and points. For this reason, we offer our customers the opportunity to participate in such bonus programs. Participation in a bonus program requires consent. You can revoke your consent at any time for the future. Please send us an email to support@zbee.my for this purpose.

Categories of personal data:

• Profile data (master data)

e. Sweepstakes

We sometimes run sweepstakes to provide our customers with the chance of winning prizes in relation to our platform (this might be a voucher, special offer or other cash-value award). Before you participate, we will ask you to grant us your consent to process your personal data for the purpose of signing you up for the campaign. If you refuse to grant your consent, we cannot offer you to take part in the sweepstake.

If you have already given your consent and would like to revoke it for the future, you can do so at any time by sending an email to support@zbee.my. In this case, we will exclude you from participating in our sweepstakes and you will not receive any further invitations to sweepstakes.

Categories of personal data:

• Profile data (master data)

f. User interviews for market research purposes

We always develop new products and try to adapt our services to the wishes of our customers. In order to measure the effectiveness of these changes, we regularly offer interviews with our User Experience team. In these interviews, we record your usage behavior and ask you for possible optimization possibilities.

Participation in the interviews requires your consent. If you have already given your consent and would like to revoke it for the future, you can do so at any time by sending an email to support@zbee.my. In this case, we will exclude you from participating in our interviews and you will not receive any further invitations for them.

Categories of personal data:

• Profile data (master data)
• Delivery data
• Order history data

g. Helping Business Advertising Partners Promote Their Goods and Services on Our Platform

We display various types of advertisements on our platform. Our objective is to provide you with advertisements that are truly relevant to your interests and that add value to your online experience. For this purpose, we process profile data, location data, order and delivery data, and device information and access data.

To ensure the relevance of ads, we may use user segmentation involving automated processing of your personal data. Additionally, we may make predictions about your demographics (e.g., age, gender) or your consumption preferences. These processes will not have a legal or similarly significant effect on you. The only result of this process will be that you will receive advertisements that match your interests and food preferences.

Using these insights, our platform may display both our own ads and ads from third parties (such as restaurants and food brands). These ads may take the form of standard display ads, 'featured restaurants' that appear on top of a list, or special promotions that offer you limited time deals.

We do not share your personal data with third parties who promote their products on our platform. However, in some cases, we can share advertising performance insights to these third parties. These insights are typically aggregated and anonymized, ensuring that your personal data remains protected. These insights may relate to the effectiveness of their advertisements, such as the number of clicks or engagement metrics.

We will keep this personal information for as long as you choose to share it with us but in any case we will delete the data we process within this purpose after deletion of your account.

Categories of personal data:

• Profile data
• Location data
• Order and delivery data
• Device information and access data

h. Vouchers/Giftcards

We often offer vouchers for our platforms. The reasons can vary. The purpose of these vouchers is to reward our loyal customers and to encourage them to continue to lead our loyal customers. In order to be able to check the number, the value and the frequency of use of the vouchers, but also to avoid misuse of these vouchers, we collect various personal data.

We also sell gift cards on our platforms. In order to be able to check the number, the value and the frequency of use of the gift cards, but also to avoid misuse of these gift cards, we collect various personal data.

Categories of personal data:

• Profile data (master data)
• Voucher/Gift card information

V. Social Media Sites

a. Responsibilities

We and the respective operators of the social media platforms act as joint controllers with respect to the collection of your personal data on our social media sites, as well as the analysis of the use of our social media sites by social media users. For this purpose, we and Meta Platforms, Inc have agreed on a joint controllership agreement in accordance with Art. 26 GDPR.

Also, the operators of the social media platforms themselves are data controllers for the general use of their social media services and interactions outside our profiles and social media sites. This sole responsibility also applies to any processing of your social media profile data for purposes other than analyzing the traffic on our social media sites.

b. Data processing

Facebook provides page administrators with aggregated statistics and insights that help them understand the types of actions people take on their pages ("Page Insights"). Please be informed that we only receive aggregated user reports from Facebook. At no point can we attribute any page visit or other interaction to individual social media profiles.

When you visit or interact with one of our social media sites or its content, information such as the following may be collected and used to create Page Insights:

• Viewing a page, or a post or video from a page
• Following or unfollowing a page
• Liking or un-liking a page or post
• Recommending a page in a post or comment
• Commenting on, sharing or reacting to a page post (including the type of reaction)
• Hiding a page's post or reporting it as spam
• Clicking a link to a page from another page on Facebook or from a website off Facebook
• Hovering over a page's name or profile picture to see a preview of the page's content
• Clicking on the website, phone number, Get Directions button or other button on a page
• Whether you're on a computer or mobile device while visiting or interacting with a page or its content

c. Your data subject rights

As part of our agreement with Facebook, with respect to our social media sites, we have determined that Facebook is primarily responsible for fulfilling its information obligations in connection with the Page Insight data. For more information about your data subject rights on Facebook, please see Facebook's Page-Insights Privacy Policy.

VI. Customer Relationship Management

(a) Your requests

Your satisfaction is our biggest goal. Therefore, we are very keen to be available for all your questions and to answer them. In order to be able to answer these questions and understand the overall problem, we store the conversation content in our Customer Relationship Management System when you contact us.

The content of the information we store depends on the information you provide to us as part of our communications.

Categories of personal data:

• Contact information
• Order history and information

(b) Call Centre

If you contact us by phone, we store the conversation for quality assurance purposes. In individual cases, we also use the recordings for quality improvement in customer service, i.e., for training purposes (coaching) with our employees. The content of the information we store depends on the information you provide to us as part of our communications.

Categories of personal data:

• Contact information
• Order history and information

VII. Mergers & acquisitions, change of ownership

Prior to disclosure, we will ensure that the recipient company undertakes to protect your personal data to a comparable standard to that under the Malaysia Personal Data and Protection Act 2010 (“PDPA”) and this privacy policy, and also that the company complies with applicable data protection laws and regulations. We will endeavor to keep the extent of the data shared with the other company to the absolute minimum required in order to conclude the transaction.

Categories of personal data:

• Delivery data
• Location data
• Profile data (master data)
• Device information and access data
• Order data
• Customer care data
• Marketing contact and communications data
• Payment data
• Voucher information

6. When we ensure the security of our platform

We use state of the art servers, network equipment and cloud services to deliver our platform, to ensure high performance and uninterrupted service. All types of personal information you provide and the information we collect about you is stored and protected within the secure environment of our platform. We also use tools such as two (2)-factor authentication, endpoint security detection, traffic monitoring, backup systems and data loss prevention solutions to keep your data secure at all times.

We delete daily backups after ninety (90) days.

7. When we improve our services

I. User Surveys and Interviews

We are always aiming to improve our services, and your valuable feedback is an important part of that process. As such, we sometimes include surveys in our newsletters, asking for your feedback or inviting you to a user experience interview.

Participation in the surveys and interviews require your ‘consent’. After you provide your consent to participate in our user surveys, we will contact you through your preferred communication channels, which may include email, SMS, or social communication platforms such as WhatsApp.

If you have already given your consent and would like to revoke it for the future, please let us know by contacting us. In this case we will exclude you from participating in interviews and ensure that you don't receive any further invitations.

We will keep the data we process within user surveys and interviews for as long as you grant us consent to do so. At the latest, when you delete your account, we will consider your declaration of consent to have been withdrawn.

Categories of personal data:

• Profile data (master data)
• Order and delivery data
• Device information and access data

II. Data Analytics

We perform data analytics to improve our platform in terms of user experience, product development, pricing, promotions, and customer engagement. For instance, to analyze and optimize our user experience, we may show our customers different versions of our platform interface in the context of so-called A/B testing. Analyzing how users interact with different versions enables us to define which version performs better. Similarly, by analyzing customer responses to different pricing models, we are able to determine the right pricing strategies.

To achieve this, we process order and delivery data and device information and access data. These insights are typically aggregated (meaning processed fully anonymously, so you can never be identified as a person by anybody) or pseudonymized (meaning it will be very hard to identify you as a person).

Categories of personal data:

• Order and delivery data
• Device information and access data

III. Business Intelligence, Insights & Group-level Statistics Reporting

We process customer data in an aggregated form to identify market trends, and make informed decisions about our market strategy. This analysis involves processing various types of data, including profile data, device information and access data, as well as order and delivery data.

Utilizing this data, we create statistical reports at group level, such as our market statements and trading updates. Creating business insights and statistical reports allows us to draw meaningful conclusions from a wide range of customer interactions.

Similarly, as part of our business intelligence, we provide our vendors (e.g., restaurants, shops) with access to certain general information regarding sales and engagement rates (so-called vendor insights). These insights are generated by aggregated analysis of the order and delivery data and device information of our users. The purpose of this analysis is to provide vendors with recommendations to improve their services. For instance, vendor insights provide information on potential reasons why users might have chosen a different vendor. The insights are aggregated and anonymized, which means that vendors cannot identify users individually.

Categories of personal data:

• Profile data (master data)
• Order and delivery data
• Device information and access data

8. When we are required to comply with laws and regulations

I. Legal Proceedings and Authority Requests

As with any organization, there are instances when we are required to share personal data with public authorities. Additionally, there might be instances where we have to process your personal data to initiate or defend legal claims and uphold our rights and interests. For this purpose, we may disclose and process certain data we hold about you, to the extent strictly necessary to conclude these legal proceedings and investigations.

We retain this information for as long as necessary to comply with legal obligations related to ongoing proceedings and investigations. After the final closing of the respective legal proceedings we will delete your data immediately.

II. Responding to Data Subject Requests

Data protection laws grant you various legal rights. We are committed to respecting them at all times. When you exercise these rights, we must process your data to effectively address your request. For instance, if you choose to exercise your right to access, we need to gather all of the information we hold about to meet our obligation to provide a response. To achieve this, we may process any type of data we hold about you, only to the extent necessary to comply with our obligations.

We retain this information for as long as necessary to comply with our legal obligations.

III. Regulatory Compliance in the EU

Under various regulatory frameworks in the EU such as financial services regulations, antitrust and competition laws, the Digital Services Act (DSA) or the Platform-to-Business Regulation we are required to share certain aggregated data with the parties specified in these laws (for example, the vendors on our platform, or the regulating bodies under the DSA). While this data will originate from personally identifiable customer data, we are generally not required to share personal data with third parties under these laws.

9. Who we share your personal data with and where will the personal data be transferred to

We never give your data to unauthorized third parties. You can trust that, within our company, only those staff members will receive access to your personal data who need them in order to fulfill their professional duties, such as providing you with a great online experience, or looking into your support request.

However, in order to run our business efficiently, we obtain the services of selected service providers and give them limited and strictly monitored access to some of your data, in order to fulfil the Purposes. Before we forward personal data to these partner companies for processing on our behalf, each individual company undergoes an audit. All data recipients must meet the legal data protection requirements and undertake to protect your personal data to a comparable standard as required under the PDPA and other relevant data protection laws.

a. Service Providers and data processors

We use different service providers and data processors for our daily processing activities. These service providers and data processors process your personal data in accordance with the applicable local data protection laws and requirements and are permitted to process personal data only according to our instructions. Our services providers and data processors have no claims whatsoever to process your personal data for their own, independent purposes. We also monitor our processors and include only those who meet our data protection standards.

You have already learned about some of the parties we use as service providers above and can also find information on data recipients in our Cookies, SDKs and Web-Tracking Policy. Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google and Amazon Web Services (AWS). Because we use different data processors and change them from time to time, it is not possible for us to identify all individual recipients of personal data in this Privacy Policy. However, if you are interested, we will be happy to disclose the name of the processor(s) in use at that time upon request.

b. Third parties

In addition to data processors, we also work with third parties, to whom we also transmit your personal data, but who are not bound by our instructions. These are, for example, our consultants, lawyers or tax consultants who receive your data from us on the basis of a contract and process your personal data for legal reasons or to protect our own interests. We do not sell or rent your personal data to third parties under any circumstances. This will never take place without your explicit, informed consent.

d. Prosecuting authorities, courts and other public bodies

From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies in order to bring or defend legal claims, to protect our rights and interests, or to address security concerns.

Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government bodies.

We may also share your personal data with law enforcement agencies, government and regulatory bodies to meet applicable legal or regulatory obligations.

e. Transfer of Personal Data

Your personal data may also be transferred to locations outside Malaysia and stored in any server located in Malaysia or outside Malaysia, for any of the Purposes as stated in this Privacy Notice.

10. How long we store your data

We generally delete your data after the Purposes have been fulfilled. The exact deletion rules are defined in our global policies and supporting local retention schedules. Different deletion rules apply depending on the purpose of the processing. Within our deletion concepts we have defined various data classes and assigned regular maximum retention and deletion periods to them. When the retention period has expired, the stored data will be deleted accordingly. If you have not used your user account on our platform for a period of more than three (3) years, we will delete your account to make sure to comply with the principle of storage limitation. Before this happens, you will receive a separate notification from us to the email address registered for your user account.

In addition to the deletion rules, we have defined ourselves, there are other legal retention periods which we must also observe. For various legal documents, such as invoices or business letters, applicable laws define minimum retention periods. For example, tax data must be kept for a period of between six (6) to ten (10) years or even longer in some cases. These special retention periods vary according to local legal requirements.

Furthermore, we will continue to store your data if we have a right to do so in accordance with applicable local laws. This applies in particular if we need your personal data for the establishment, exercise or defence of legal claims.

11. How do we use algorithmic decision making

Some of our processes include the use of algorithmic decision making and machine learning. We consistently strive to implement methods that ensure a significant level of human oversight in the decision making process, enabling us to modify or reverse decisions as needed.

In many cases, the algorithmic decision making processes without human oversight will not have legal or similar significant effects on you. Where they do, we will ensure that you have the right not to be subject to the algorithmic decision making processes, unless those processes are authorized by applicable law or are necessary for the entering into or performance of a contract. In these cases, you can always oppose the decision and request for a human evaluation by contacting us.

For detailed information about the specific instances in which algorithmic decision making processes are used, please visit the sections above that explain how we use your personal information.

12. Personal data of other individuals

If you provide us with personal data of other individuals through your use of our platform (e.g. providing us with your friend’s name, contact details and residential address when placing a food delivery order for your friend or providing the sender’s / recipient’s delivery address and contact details through your use of on demand, you hereby undertake that you are authorised by these individuals to disclose their personal data to us and that these individuals have consented for their personal data to be collected, used and disclosed by us for such Purposes.

13. Right of modification

We reserve the right to change this privacy notice to ensure compliance with relevant legal and statutory provisions, including the PDPA, and also to reflect our new processes and new technologies. We will inform you of any significant changes, such as changes of purpose or new purposes of processing, so we encourage you to review this privacy statement to keep updated.

The privacy notice was last updated and effective from May 2024.