SPAO (M) Sdn Bhd takes your privacy seriously. We collect only data necessary to provide foreign worker management services. We never sell your data to third parties. We comply with the Malaysian Personal Data Protection Act 2010 (PDPA).
1. Who We Are
This Privacy Policy applies to the FW Shield application (the "Service") accessible at app.spao.com.my, operated jointly by:
- SPAO (M) Sdn Bhd โ Operating company
- Agensi Pekerjaan SPAO Sdn Bhd โ Licensed foreign worker agency (License JTKSM 854C)
Both entities operate from: No 26, Tingkat 1, Lorong Bukit Kecil Indah, Taman Bukit Kecil Indah, 14000 Bukit Mertajam, Pulau Pinang, Malaysia. Throughout this policy, "we", "us", "our", or "SPAO" refers to these entities collectively.
2. Information We Collect
2.1 Information You Provide
When you use FW Shield, we collect information that you or your authorized representatives enter into the system, including:
- Account information: Name, email address, phone number, company affiliation
- Worker records: Foreign worker name, passport number, nationality, date of birth, gender, photo, contact details, next-of-kin information
- Employment data: Permit details, employment dates, salary, position, employer company
- Compliance documents: Passport copy, permit copy, KDN approval, calling visa, eVisa, employment contract, FOMEMA results, insurance certificates
- Communications: Messages sent through the AI assistant or support channels
2.2 Information Collected Automatically
- Usage data: Pages visited, features used, time spent, action history
- Device data: Device type, browser, operating system, IP address
- Activity log: Login times, actions performed, device fingerprint (for audit trail)
3. How We Use Your Information
We use collected information for the following purposes:
- Provide foreign worker management services
- Track permit, FOMEMA, and document expiry dates
- Send expiry alerts and notifications
- Process AI-assisted document scanning and compliance queries
- Maintain audit trails for accountability and compliance
- Improve and develop the Service
- Communicate updates, security alerts, and support messages
- Comply with legal obligations under Malaysian law
4. How We Share Your Information
We do not sell your personal data. We share information only in these limited circumstances:
4.1 Service Providers
We use trusted third-party services to operate FW Shield:
- Cloudflare (United States) โ Web hosting, DNS, security, content delivery
- Google Firebase (United States) โ Database storage, real-time sync, authentication
- Anthropic Claude API (United States) โ AI document scanning and assistance (only when AI features are used)
These providers process data on our behalf under strict contractual obligations and may not use your data for their own purposes.
4.2 Privacy Isolation Between Clients
Each client company's worker data is strictly isolated. Other client companies on FW Shield cannot see your data. Your worker records are only visible to: (a) authorized users from your own company, and (b) SPAO administrators for service operation.
4.3 Legal Requirements
We may disclose information if required by Malaysian law, court order, or regulatory authorities such as the Ministry of Home Affairs (KDN), Immigration Department, FOMEMA, or other government agencies.
4.4 Business Transfers
If SPAO is involved in a merger, acquisition, or sale, your information may be transferred. We will notify you and ensure the new entity honors this Privacy Policy.
5. International Data Transfers
FW Shield uses cloud infrastructure (Cloudflare, Firebase) that may store data on servers outside Malaysia. By using the Service, you consent to your data being transferred to and processed in countries other than your own. We ensure these transfers comply with PDPA requirements.
6. How We Protect Your Data
We implement appropriate technical and organizational security measures:
- Encryption in transit: All data transmitted using HTTPS (TLS encryption)
- Encryption at rest: Data stored on encrypted infrastructure
- Access controls: Role-based permissions (admin, staff, client)
- Audit trails: Every action logged with user identification
- Privacy isolation: Client data strictly separated by company scope
- Two-step confirmation: Required for destructive actions (delete operations)
However, no system is 100% secure. We cannot guarantee absolute security, but we work hard to protect your data using industry-standard practices.
7. Data Retention
We retain personal data only as long as necessary to provide the Service or as required by Malaysian law:
- Active worker records: Retained while employment is ongoing
- Returned/inactive workers: Retained for 3 years after departure for compliance audit purposes
- Activity logs: Retained for up to 12 months
- Account data: Retained while account is active; deleted within 30 days of account termination upon request
8. Your Rights Under Malaysian PDPA
Under the Personal Data Protection Act 2010, you have the right to:
- Access โ Request a copy of your personal data
- Correction โ Update inaccurate or outdated information
- Withdraw consent โ Opt out of data processing (where consent is the legal basis)
- Limit processing โ Request restrictions on certain uses
- Data portability โ Export your data in Excel format anytime
- Complaint โ Lodge a complaint with the Personal Data Protection Commissioner
To exercise any of these rights, contact us using the details below. We will respond within 21 days as required by PDPA.
9. Foreign Worker Data โ Special Note
FW Shield processes personal data of foreign workers employed by our client companies. We rely on our client companies (the workers' employers) to:
- Obtain necessary consent from workers for data processing
- Inform workers about the purposes of data collection
- Ensure data accuracy
Foreign workers whose data is processed in FW Shield can contact their employer or SPAO directly (see Section 12) to exercise their rights.
10. Cookies and Local Storage
FW Shield uses browser local storage and similar technologies to:
- Keep you logged in across sessions
- Cache data for offline access
- Remember your preferences
We do not use third-party advertising cookies or tracking pixels.
11. Children's Privacy
FW Shield is a B2B business application not intended for use by children under 18. We do not knowingly collect personal data from minors. If you believe a minor's data has been submitted, contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy occasionally. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top of this page indicates when revisions were made.
13. Contact Us
Questions about this policy?
SPAO (M) Sdn Bhd
๐ No 26, Tingkat 1, Lorong Bukit Kecil Indah,
Taman Bukit Kecil Indah, 14000 Bukit Mertajam,
Pulau Pinang, Malaysia
โ๏ธ info@spao.com.my
๐ฑ +60 16-903 8685 (WhatsApp)
License: JTKSM 854C (Agensi Pekerjaan SPAO Sdn Bhd)
If you are not satisfied with our response to your data privacy concern, you may lodge a complaint with the Personal Data Protection Commissioner of Malaysia at www.pdp.gov.my.