CoverBox Privacy Notice

Coverbox Malaysia Sdn Bhd ("CB") (Company No. 198701003840 [162510-W]) and its subsidiaries, associates and affiliate companies (collectively, the "CSE Group" or "we", "us", "our") have adopted this Privacy Notice as laid down below. This Privacy Notice covers visits to our websites and the use of our mobile and web-based applications.

This Privacy Notice describes the types of information we may collect from you and our practices for collecting, using, maintaining, protecting and disclosing that information.

This Privacy Notice applies only to information we collect when you use the Service, and via email, text, and other electronic communications sent through or in connection with the Service.

We undertake to build the Service in a way that respects, maintains and protects your personal data in accordance with the Personal Data Protection Act 2010 ("PDPA"), applicable Malaysian insurance regulations, and industry best practices.

This Privacy Notice is also available in Bahasa Malaysia. Please refer to the Bahasa Malaysia version for the official translation.

Please read this Privacy Notice carefully. By downloading, installing, accessing or using the Service, you agree to this Privacy Notice. If you have any questions, please contact us (see Section 20 below).

Version 2.0  |  Effective Date: 1 June 2026

Section 1

Definitions.

  • "Privacy Notice" means this Privacy Notice including any schedules and any amendments from time to time.
  • "CB" means Coverbox Malaysia Sdn Bhd established under the laws of Malaysia, with its business address at CSE Building, Pat Square, Jalan Pelukis U1/46, Temasya Industrial Park, Glenmarie, 40150 Shah Alam, Selangor Darul Ehsan, Malaysia.
  • "CSE Group" means Coverbox Malaysia Sdn Bhd and its subsidiaries, associates and affiliated companies.
  • "Service" or "Services", used interchangeably, shall refer to our websites, mobile applications and their web-versions that CB operates.
  • "Use of the Service" means the use of applications or their web versions, as well as visiting, navigating or interacting with websites or other applicable uses in relation to the Service.
  • "Account" means an account that provides access to the Service for the User, where authorisation is required.
  • "Profile" means a profile of the User who has the account, and may include additional information about the User beyond their Account information.
  • "Personal Data" means any information relating to an identified or identifiable natural person, including name, identification number, location data, online identifier or factors specific to their identity.
  • "Data Protection Law" means all applicable laws and regulations relating to privacy, data security, consumer protection and the use, collection, retention, storage, security, disclosure, transfer and disposal of Personal Data, in respect of the Personal Data Protection Act 2010 of Malaysia.

Section 2

What and How We Collect Information.

We may collect several types of information, including but not limited to Personal Data, from and about you ("Collected Information").

2.1 Types of Collected Information

  • Information by which you may be personally identified, such as name, email address, postal address, telephone number or any other identifier by which you may be contacted online or offline.
  • Information that is about you but individually does not identify you.
  • Information about your internet connection, the equipment you utilise to use the Service and your usage details.

2.2 Sources of Collected Information

  • Directly from you.
  • Automatically through our platforms.
  • From insurers, takaful operators, brokers, payment providers, or business partners.
  • From regulatory or authorised databases where permitted by law.

2.3 Mandatory and Voluntary Information

Certain information is mandatory for insurance quotations, underwriting, policy issuance, claims processing, fraud prevention, payment processing and regulatory compliance. Failure to provide required information may affect our ability to provide services. We will clearly indicate which data fields are mandatory and which are voluntary at the time of collection.

Section 3

Information You Provide to Us Directly.

This includes information provided at the time of using the Service, purchasing enhanced features or requesting further services.

  • Account Information: When you sign up for an Account, we require certain information such as your name and email address.
  • Additional Profile Information: You may choose to provide additional information as part of your Profile to get more from the Service.
  • Device Data: You may need to configure your devices (e.g. trackers) to transfer data—such as device identifiers, location coordinates and speed of movement—to our servers or those of our sub-processors.
  • Content Data: Information that relates to User Content as defined in the applicable Terms of Use.
  • Other Information: You may provide information when you fill in a form, conduct a search, update your Account, respond to surveys, post to community forums, participate in promotions or use other features of the Service.
  • Correspondence: We retain records and copies of your correspondence, including email addresses and phone numbers, if you contact us or report a problem with the Service.

Section 4

Information We Collect Through Automatic Data Collection Technologies.

  • Usage details: Details of your use of the Service, including traffic data, location data, logs and other communication data and resources you use through the Service.
  • Device information: Information about your device including IP address, platform/OS and version, device model, and device ID or browser ID.

We may use automatically collected information in combination with Personal Data we collect in other ways or receive from third parties, to improve the Service rendered to you. If information is aggregated or de-identified so it is no longer reasonably associated with an identifiable person, we may use it for any business purpose.

Technologies we use for automatic data collection may include third-party analytics, cookies, similar technologies, log file information and device identifiers.

Section 5

Information We Collect From Third Parties.

When you use our Service that requires authorisation, we may collect certain data from third parties.

  • Third-party sources may include insurers, takaful operators, brokers, payment providers, business partners, regulators, or authorised databases where permitted by law.
  • The types of data we may receive include insurance policy information, claims history, payment status, and other data relevant to your use of our Service.
  • We use third-party data to verify eligibility, provide quotations, process claims, prevent fraud, and for other insurance-related purposes. We may also send you promotional communications where permitted by law or with your consent.

Section 6

How We Use Collected Information.

We use Collected Information in a variety of ways to operate, provide, improve and personalise the Service. This includes using your information to:

  • Communicate with you and process transactions.
  • Provide customer support.
  • Conduct research and development.
  • Detect and prevent fraud.
  • Comply with legal obligations.
  • Fulfil other purposes described in this Privacy Notice.

Section 7

Insurance and Sensitive Personal Data.

As an insurance technology platform, we may process sensitive personal data including:

  • Health-related information.
  • Accident records.
  • Telematics and location data.
  • Financial information.
  • Vehicle usage information.

Such data will only be processed where necessary for insurance-related purposes and protected with reasonable security safeguards. We process sensitive personal data only when necessary for insurance underwriting, claims processing, fraud prevention or as otherwise permitted by law. Where your explicit consent is required, we will obtain it before processing such sensitive data.

Section 8

AI and Automated Recommendations.

We may use artificial intelligence ("AI"), analytics and automated technologies to:

  • Recommend insurance products.
  • Generate quotations.
  • Improve fraud detection.
  • Personalise user experiences.
  • Improve our services.

We do not base insurance eligibility, underwriting or premium decisions solely on automated processing without meaningful human oversight. You may request that any decision based solely on automated processing be reviewed by a human and obtain an explanation of the decision.

You may contact us for more information regarding automated processing or to request correction of inaccurate information.

Section 9

Cookies and Tracking Technologies.

We use cookies and similar technologies to:

  • Operate and improve our services.
  • Remember preferences.
  • Analyse website traffic.
  • Improve security.
  • Personalise user experiences.

You may manage cookie settings through your browser settings.

Section 10

Marketing Communications.

  • We may send service updates, renewal reminders, product information or promotional communications.
  • You may opt out of marketing communications at any time.
  • If you object to or withdraw your consent to our use of your personal data for direct marketing, we will cease processing your data for such purposes.

Section 11

Sharing of Collected Information.

  • We may disclose, without restriction, aggregated information about our users that does not identify any individual.
  • We will not rent or sell your Personal Data to third parties outside CB without your consent, except as described in this Privacy Notice.
  • We may share your Personal Data with businesses that are legally part of the same group of companies, including our subsidiaries.
  • If we sell or transfer part or all of CB or our assets to another organisation, your Personal Data may be among the items transferred. The buyer or transferee will be required to honour the same commitments made in this Privacy Notice.
  • We may access, preserve and share your information in response to legal, government or regulatory requests, or when necessary to detect fraud, protect users or prevent harm.

We may share your personal data with the following categories of recipients:

  • Insurers and takaful operators.
  • Insurance intermediaries.
  • Regulators and authorities.
  • Payment processors.
  • Our affiliates within the CSE Group.
  • Service providers who perform services on our behalf.

Section 12

Sub-Processors.

CB may engage its associates, affiliates or third parties to process Personal Data in order to assist CB to deliver the Service on your behalf ("Sub-processors"). The current sub-processors for the Service are as follows:

Sub-Processor  |  Purpose
2C2P  |  Payment gateway, recurring payment callbacks
iPay88  |  Payment gateway
Stripe  |  Payment gateway
OpenAI  |  Chatbot / AI assistant / moderation-related features
BigDataCloud  |  IP geolocation fallback / provider
ipbase  |  IP geolocation fallback / provider
ipapi  |  IP geolocation fallback / provider
Maxis  |  SMS gateway
Mocean  |  SMS gateway
Yandex Metrica  |  Analytics and usage monitoring
Amazon Web Services (AWS)  |  Cloud hosting, storage, infrastructure, email services
Trix SOAP  |  Billing and customer management integration
AfterShip  |  Shipment tracking and delivery status updates

Section 13

How We Store, Process and Transfer Collected Information.

  • General: CB is based in Malaysia and the information we collect is governed by Malaysian laws.
  • Data security: We use reasonable and appropriate information security safeguards to help keep the Collected Information secure and to protect it from accidental loss and from unauthorised access, use, alteration and disclosure. Unfortunately, transmission of information via the internet is not completely secure, so any transmission is at your own risk.
  • User responsibility: The safety and security of your information also depends on you. You are responsible for controlling access to your contact details, shared data and account access provided to third parties.
  • Third-party security: Any third party receiving personal data is expected to implement reasonable security and confidentiality measures.

Section 14

International Data Transfers.

  • Your personal data may be transferred outside Malaysia where our service providers, insurers or business partners operate. We take reasonable steps to ensure appropriate safeguards are in place to protect your personal data.
  • When transferring personal data outside Malaysia, we will ensure that the destination country provides a level of protection equivalent to the PDPA or that contractual safeguards (such as standard contractual clauses) are in place to protect your data.

Section 15

Retention Period for Collected Information.

  • We retain personal data only for as long as necessary for insurance servicing, legal and regulatory compliance, fraud prevention, dispute resolution and audit and recordkeeping purposes.
  • Insurance and transaction records may be retained for up to seven (7) years or longer where required by law.
  • We apply specific retention periods tailored to the type of data we collect. Telematics data is retained for the duration of the policy plus any additional period required for legal or regulatory purposes.
  • Once personal data is no longer required, we will anonymise or securely destroy it.

Section 16

Your Rights Under PDPA.

Subject to applicable laws, you may:

  • Request access to your personal data.
  • Request correction of inaccurate data.
  • Withdraw consent where applicable.
  • Opt out of marketing communications.
  • Request deletion of personal data where legally permissible.

In addition, you also have the right to:

  • Object to processing that may cause damage or distress.
  • Request data portability.
  • Prevent processing for direct marketing.
  • Lodge a complaint with the Personal Data Protection Commissioner.

Requests may be submitted to our Personal Data Protection Officer via the contact information in Section 20.

Section 17

Data Security.

  • We implement reasonable technical, organisational and administrative safeguards to protect your personal data.
  • In the event of a personal data breach, we will take reasonable steps to investigate, mitigate and notify affected parties and authorities where required by law. We will notify the Personal Data Protection Commissioner and affected individuals as soon as practicable in accordance with the PDPA.

Section 18

Children's Privacy.

  • The Service is not intended for or directed at children under 18, and we do not knowingly collect or solicit any information from anyone under the age of 18 or knowingly allow such persons to use the Service.
  • If we learn that we have collected or received any Personal Data from a child under 18 without verification of parental consent, we will delete that information as quickly as possible.
  • If we discover that we have inadvertently collected personal data from a child under 18, we will delete such data promptly unless we obtain verifiable consent from a parent or guardian.

Section 19

Other Websites and Services.

  • We are not responsible for the practices employed by any websites or services linked to or from the Service, including the information or content contained within them, excluding websites or services controlled by CB.
  • We encourage you to read the privacy notice of any linked site or service before providing information through it.

Section 20

How to Contact Us.

If you have any questions about this Privacy Notice or the Service, please contact us:

PDP Officer
c/o Coverbox Malaysia Sdn Bhd
CSE Building, Pat Square,
Jalan Pelukis U1/46,
Temasya Industrial Park,
Glenmarie, 40150 Shah Alam,
Selangor, Malaysia.

Email: pdpofficer@cse.com.my

Section 21

Changes to Our Privacy Notice.

  • CB may modify or update this Privacy Notice from time to time, so please review it periodically. Your continued use of the Service after we make changes is deemed to be acceptance of those changes.
  • Latest Version: Version 2.0  |  Effective Date: 1 June 2026.
  • We will communicate any material changes to this Privacy Notice via email or through our Service at least fourteen (14) days before the changes take effect, giving you an opportunity to review and object if necessary.