1.1 "Authorised Personnel"

Means the consultants, advisors, suppliers, service providers, agents, independent contractors, employees, and/or staff of the Group that are or may be engaged from time to time to undertake, discharge, carry out, and perform any of the purposes set out in Paragraph 4, either wholly or partially. For clarification, Authorised Personnel shall include entities incorporated under the laws of Malaysia or any other jurisdiction.

1.2 "Group"

Means Zenith Marketing and/or its holding company, subsidiaries, related and associated companies, and companies using or that may use the brand "Zenith Marketing", whether incorporated in or outside Malaysia (collectively, "Affiliates"). Any reference to the "Group" in this PDPS shall mean Zenith Marketing and/or any one or more of its Affiliates, as the case may be.

1.3 "Personal Data"

Means personal data as defined under the Act, including without limitation your name, nickname, age, gender, date of birth, address(es), email address(es), telephone number(s), bank account and payment details, voice recordings from customer-service interactions, images and photograph(s) you submit, opinion(s), comment(s), enquiry(s), feedback(s), and information relating to the marketing programmes, campaigns, and/or packages you have participated in.

It also includes sensitive personal data such as religion or health conditions where voluntarily provided, and such other personal data that is, has been, or may be collected, compiled, recorded, received, used, stored, possessed, processed, maintained, kept, disclosed, and/or dealt with by the Group (collectively, "Process" or "Processing") in such manner as the Group may deem fit from time to time.

2.1 Direct Collection

The Group may collect and obtain your Personal Data when you provide it in any way or manner, including pursuant to any transaction, campaign participation, and/or inquiry made with the Group, or upon request from the Group.

The Group will also Process your Personal Data gathered from application forms, registrations, digital bookings, transactional documents, inquiries, cookies, public domains, recorded conversations, correspondence, and any other manner as the Group may deem fit — including when you register at or use the Group's websites, social media accounts, mobile applications, and/or blogs, or when you participate in any events or activities organised by the Group.

2.2 Third-Party Collection

The Group may also Process your Personal Data obtained from the public domain and/or provided by third parties, credit reference bodies, regulatory and law-enforcement authorities, and marketing partners (within or outside Malaysia, including Authorised Personnel), for purposes relevant at the material time.

This includes the delivery of the Group's services (for example, conducting appropriate checks and risk assessments to facilitate the marketing services and facilities offered), performance of contractual agreements, and/or compliance with the Group's standard operating procedures, legal obligations, and regulatory requirements.

3.1 Granting Consent

Your consent for the Group to Process your Personal Data (including sensitive personal data defined under the Act, and including transferring it to jurisdictions other than Malaysia) is deemed given:

1. Upon receipt of your express consent, in writing or verbally;
2. If you voluntarily provide your Personal Data to the Group; or
3. If you do not object to the Processing of your Personal Data.

3.2 Continuous Use

If you proceed to visit or browse our websites, social media accounts, and/or applications; or use, maintain, participate in, or access any of the services or facilities currently offered or that may be offered from time to time — including digital marketing services, advertising solutions, consumer campaigns, loyalty programmes, products, promotional events, tools, and platforms (collectively, "Services & Facilities"):

Save and except where you explicitly notify the Group of your intention to limit its right to Process your Personal Data or to withdraw your consent, it is acknowledged that you have read, understood, consented, and agreed to the Group Processing and/or continuing to Process your Personal Data.

3.3 Protection of Minors

The Group does not knowingly collect Personal Data of children below the age of 18 without consent from their parent, guardian, or the person who has parental responsibility for the child (collectively, "Guardian").

If the Group discovers that Personal Data of a child below 18 was collected without the requisite Guardian consent, the Group will contact the Guardian and/or take steps to obtain proper consent; failing which, the Group will remove that child's Personal Data from its records and databases within a reasonable time.

4.1 Specified Purposes

The Group may Process your Personal Data for any one or more of the purposes listed below (collectively, "Purposes"):

1. To process your application, form, subscription, and/or purchase of any of our Services & Facilities;
2. To communicate with you via SMS, phone calls, email, mail, instant-messaging applications (e.g. WhatsApp), and/or other appropriate channels;
3. To respond to your questions, feedback, and comments;
4. To provide the Services & Facilities and related promotional information that you have requested or may be interested in;
5. For internal administrative and record-keeping purposes;
6. To notify you of updates or changes to our Services & Facilities via appropriate channels;
7. To market and promote products, services, and strategic partnerships that may be of interest to you;
8. To process and analyse your Personal Data, individually or collectively with other datasets, for market research and consumer insights;
9. To monitor, assess, and evaluate your eligibility to join, participate in, or use any of our Services & Facilities, including loyalty or reward programmes;
10. For direct marketing across available digital communication channels;
11. For other purposes the Group may reasonably deem fit or that are set out in specific documents related to your engagement with us;
12. To verify your Personal Data, carry out necessary security or financial checks, and conduct risk assessments with corporate partners, service providers, financial institutions, or regulatory authorities to facilitate transactions;
13. For fraud prevention, investigation, and detection by internal and/or external authorised compliance teams;
14. For account and platform security, including monitoring logins and preventing unauthorised access to your account and our digital systems;
15. For corporate reporting and internal data processing within the Group;
16. To comply with obligations required under the law within or outside Malaysia, such as reporting under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA); and
17. For such other purposes as may be required or permitted by laws within or outside Malaysia, including laws relating to legal evidence.

4.2 Voluntary Processing Voluntary

Provision of your Personal Data for the purposes listed in Paragraph 4.1(a) to 4.1(k) is voluntary and optional. However, failure to provide the requested data, or placing limitations on its Processing, may result in the Group being:

• Unable to process your application or request;
• Unable to provide our Services & Facilities continuously or fully;
• Unable to deliver services to the extent stated in our promotional materials; or
• Required to discontinue, cancel, or terminate the provision of Services & Facilities to you without prior notice.

4.3 Mandatory Processing Mandatory

Provision of your Personal Data for the purposes listed in Paragraph 4.1(l) to 4.1(q) is mandatory. Your failure or refusal to provide Personal Data for these verification, security, fraud-prevention, legal, and regulatory purposes may constitute an offence under the law, and/or the Group may suspend, restrict, or immediately terminate its services or business relationship with you without prior notice.

5.1 Authorised Disclosures

To facilitate the provision of our Services & Facilities, the Group may share and/or transfer your Personal Data to:

1. Other entities and subsidiaries within the Group;
2. The Group's Authorised Personnel, agencies, and vendors;
3. Any person or entity under a strict duty of confidentiality to the Group;
4. Any actual or proposed assignee, transferee, nominee, or participant of the Group created pursuant to corporate restructuring, transactions, or business contracts; and
5. Regulatory, judicial, law-enforcement, and government authorities to comply with statutory requirements.

5.2 Legal Obligations

The Group may also disclose your Personal Data where required by law, or where disclosure is necessary to comply with legal processes, court orders, or queries from official regulatory authorities.

6.1 Cross-Border Processing

Your Personal Data may be transferred to, stored in, and/or Processed in jurisdictions other than Malaysia by the Group and/or its Authorised Personnel for the purposes stipulated in Paragraph 4.

6.2 Limitations

Subject to Paragraph 4.2 and Paragraph 4.3, you may submit a request to limit the Processing of your Personal Data in jurisdictions outside Malaysia.

7.1 Data Protection Requests

Subject to legal and mandatory Processing restrictions, you may submit a written request to the address or email in Paragraph 11 if you:

• Wish to change or limit the manner in which the Group Processes your Personal Data;
• Wish to withdraw your consent entirely;
• Do not wish to receive marketing communications; or
• Wish for the Group to stop Processing your data for direct-marketing purposes.

7.2 Technical Data & Analytics

When you visit the Group's websites or digital applications, certain information is automatically collected (such as your IP address, web-browser software, and referring website). This data is used strictly to enhance the user experience and improve our digital platforms.

7.3 Cookie Policy

You may be assigned a permanent cookie file on your device. You can choose to reject cookies or configure your browser to prompt you before accepting them. Please note that disabling cookies may limit your access to certain tools, features, and services on our websites.

8.1 Accuracy of Data

The Group takes all reasonable steps to ensure your Personal Data is Processed accurately based on the details you update, amend, or correct from time to time.

8.2 Access Requests

You may request to access, correct, or update your Personal Data by contacting us via the details in Paragraph 11.

8.3 Rights of Refusal & Fees

In line with the Act, the Group reserves the right to:

1. Refuse access or correction requests where the expense of doing so is disproportionate to the risk to your privacy, or where it would violate the rights and privacy of others;
2. Refuse access or correction requests where your Personal Data is being Processed to discharge regulatory or compliance functions, and granting access would prejudice those functions;
3. Charge a lawful administrative fee for processing formal data-access requests; and
4. Maintain the validity of this PDPS regardless of any data access or corrections performed.

The Group enforces strict security controls, organisational measures, and technical safeguards to protect Personal Data against unauthorised access, loss, or misuse. These measures apply to data stored within Malaysia and data transferred cross-border, and are subject to regular internal reviews.

10.1 Retention Period

Your Personal Data will be retained by the Group for as long as necessary to fulfil the Purposes outlined herein, or to comply with applicable regulatory, financial, legal, and accounting requirements.

10.2 Processing Time

Where applicable, retention periods for restricted or withdrawn data will begin from the date your formal request is officially received and processed by the Group.

10.3 Secure Destruction

Upon expiry of the applicable retention period, the Group will take secure technical measures to permanently remove, delete, anonymise, or destroy your Personal Data.

To limit Processing, withdraw consent, access or correct your data, or lodge an inquiry or complaint regarding your personal-data privacy, please contact:

Additional Conditions

Revisions. The Group reserves the right to amend this PDPS from time to time to align with legislative updates and changing corporate regulations. Continued engagement with the Group implies acceptance of any revised terms. The latest version can always be requested via our official platforms.

Language Precedence. In the event of any conflict or discrepancy between the English version and any translated version of this statement, the English version shall apply and prevail.

Scope of Email. The designated email address above is exclusively for personal-data-protection inquiries. For standard business and marketing enquiries, please visit www.zenithmarketing.com.my.

Updated and effective from: 15 January 2026