GDPR Compliance

Your rights under the EU General Data Protection Regulation and UK GDPR.

Last updated: 19 March 2026

This page applies to users based in the European Economic Area (EEA), United Kingdom, or any other jurisdiction where GDPR or equivalent legislation applies. All other users are covered by our Privacy Policy.

1. Data controller

The data controller for personal data processed through PINQ is:

HealthOS Sdn Bhd
Kuala Lumpur, Malaysia
Contact: contact form

As PINQ is a Malaysian company, international data transfers to users in the EEA are conducted under appropriate safeguards including Standard Contractual Clauses (SCCs) where required.

2. Legal basis for processing

We rely on the following legal bases under GDPR Article 6 and Article 9:

Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)) — for processing special category health data. You provide consent when you create your account and each time you authorise a clinic or family member to access your record.

Contract (Art. 6(1)(b)) — for account management and delivering the core service you signed up for.

Legitimate interests (Art. 6(1)(f)) — for anonymised analytics and product improvement, where such interests do not override your fundamental rights.

Vital interests (Art. 6(1)(d) and Art. 9(2)(c)) — in emergency scenarios where processing is necessary to protect life.

3. Special category data

Health data is classified as special category data under GDPR Article 9 and attracts the highest level of protection. We only process your health data with your explicit consent, which you can withdraw at any time.

Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal, and will not affect your access to the basic app features that do not require health data processing.

4. Your GDPR rights

Under GDPR, you have the following rights. To exercise any of them, contact us through our contact form. We will respond within 30 days.

Right of access (Art. 15)
Request a copy of all personal data we hold about you.
Right to rectification (Art. 16)
Ask us to correct or complete inaccurate or incomplete data.
Right to erasure (Art. 17)
Request deletion of your data where there is no compelling reason for continued processing.
Right to restriction (Art. 18)
Ask us to restrict processing of your data in certain circumstances.
Right to portability (Art. 20)
Receive your data in a structured, machine-readable format and transfer it to another controller.
Right to object (Art. 21)
Object to processing based on legitimate interests or for direct marketing.
Rights related to automated decisions (Art. 22)
Not be subject to decisions based solely on automated processing that significantly affect you.

5. International data transfers

PINQ is based in Malaysia. If you are located in the EEA or UK, your data may be transferred to and processed in Malaysia. We ensure appropriate safeguards are in place through Standard Contractual Clauses (SCCs) as approved by the European Commission.

Our cloud infrastructure uses servers located in Malaysia and Singapore, both of which maintain high data protection standards. A copy of the applicable SCCs is available upon request.

6. Data retention

We retain your personal data for as long as your account remains active. Upon account deletion, personal data is erased within 30 days. Anonymised aggregate data may be retained indefinitely for research purposes.

7. Right to lodge a complaint

If you believe your GDPR rights have been violated, you have the right to lodge a complaint with your local supervisory authority. For EEA users, this is the data protection authority in your country of residence. For UK users, this is the Information Commissioner's Office (ICO).

We encourage you to contact us first through our contact form so we can try to resolve any concerns directly.

© 2026 PINQ · HealthOS