Introduction
This Privacy Policy explains how Gajee.co, operated by RiverLens Sdn Bhd (Company No. 202401046847 / 1592693-W), a company registered in Malaysia ("Gajee.co", "we", "us", or "our"), collects, uses, discloses, and protects your personal data when you visit our website, sign up for an account, or use our HR SaaS platform (the "Service").
We are committed to protecting your privacy in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia and other applicable data-protection laws. By using the Service, you agree to the collection and use of information in accordance with this Policy.
Two roles to be aware of. When you use Gajee.co as an employer to manage your team's HR data, you are the data controller and we are the data processor acting on your instructions. When you visit our marketing website or contact our sales team, we are the data controller for that interaction.
Information we collect
We collect information in three ways: information you provide, information collected automatically, and information from third parties.
Information you provide
- Account information: full name, work email, phone number, company name, role, and password when you create an account or book a demo.
- Employee records (controlled by your employer): names, identification numbers, salary details, attendance records, leave balances, claims, and bank account information uploaded by HR admins.
- Payment information: billing address and payment-method details processed through our PCI-DSS compliant payment partners. We do not store full card numbers ourselves.
- Communications: any messages you send us through support channels, contact forms, or surveys.
Information collected automatically
- Usage data: pages visited, features used, time spent, click events, and similar product-analytics signals.
- Device & log data: IP address, browser type, operating system, device identifiers, and timestamps of access.
- Cookies and similar technologies: small data files stored on your device — see "Cookies and tracking" below.
Information from third parties
- Integration partners: when you connect Gajee.co to services like Telegram or email providers, we receive the data needed to make those integrations work.
- Identity verification: publicly available business registration details (e.g. SSM data) for KYB checks on Business and Enterprise plans.
How we use your information
We use the information we collect for the following legitimate purposes:
- Provide and operate the Service — process payroll runs, track attendance, manage leave and claims, send broadcasts, and answer AI Assist queries on your data.
- Account management — authenticate users, manage subscriptions, send transactional emails (receipts, password resets, security alerts).
- Customer support — respond to questions, troubleshoot issues, and provide onboarding assistance.
- Product improvement — analyse aggregated usage data to identify which features need improvement. We never look at individual employee salary data for product analytics.
- Security and fraud prevention — detect, investigate, and prevent fraudulent or unauthorised activity.
- Legal compliance — comply with Malaysian law, including statutory record-keeping obligations and lawful requests from authorities.
- Marketing communications — send product updates, newsletters, and offers (only with your consent, easily unsubscribed at any time).
Legal basis for processing
Under the PDPA and equivalent regulations, we rely on the following legal bases to process your personal data:
- Contractual necessity — to deliver the Service you signed up for.
- Consent — for marketing communications and optional features like product analytics cookies.
- Legitimate interests — to improve our product, prevent fraud, and run our business, provided your rights don't override these interests.
- Legal obligation — to comply with Malaysian tax, employment, and statutory record-keeping requirements.
How we share your information
We do not sell your personal data. We share information only in these specific situations:
Service providers (subprocessors)
Trusted vendors who help us run the Service. All providers are contractually bound to use your data only for the services they perform for us. Our current subprocessors include:
- DigitalOcean — cloud hosting and infrastructure
- Cloudflare — CDN, DDoS protection, and bot detection (Turnstile)
- Telegram — broadcast delivery (only if you enable this integration)
Within your organisation
HR admins and authorised users in your company can access employee records based on the permissions configured in your account. Gajee.co does not control these internal access decisions.
Legal & regulatory
We may disclose information when required by law, court order, or to protect the rights, property, or safety of Gajee.co, our customers, or the public.
Business transfers
If Gajee.co is involved in a merger, acquisition, or sale of assets, your information may be transferred — but only under terms that preserve the protections in this Policy. We will notify you before any such transfer.
What we never do. We never sell or rent personal data to third parties. We don't share salary information with advertisers, lenders, or insurers. Your HR data is yours.
How we protect your data
We take security seriously because payroll and HR data are sensitive. Our safeguards include:
- Encryption in transit and at rest using industry-standard TLS 1.3 and AES-256.
- Role-based access control so users only see what they need to see.
- Salary masking for sensitive payroll values, even within authorised dashboards.
- Strong password requirements with bcrypt hashing and common-password rejection at signup.
- Cloudflare Turnstile protection on signup and contact forms.
- CSRF protection on all authenticated requests.
- Tenant isolation — each customer's data lives in its own database. There is no cross-tenant query path.
No system is 100% secure, but we follow the practices that materially reduce risk and respond quickly to anything that does occur. In the unlikely event of a data incident affecting your information, we will notify affected users within 72 hours of becoming aware of the incident.
Cookies and tracking
We use cookies and similar technologies to operate our website and improve the Service. The categories we use:
- Essential cookies — required for login, CSRF protection, and basic site function. Cannot be disabled.
- Analytics & advertising cookies — on our public marketing and sign-up pages (not inside the logged-in app) we use the Meta (Facebook) Pixel and Google Analytics to understand how visitors find and use our website and to measure and improve our advertising. These set cookies and send your interaction with those pages (such as page views) to Meta Platforms, Inc. and Google LLC. They are not used inside the Service and never receive your HR, payroll, or employee data.
- Preference cookies — remember your language, region, and UI choices.
You can manage or block these cookies anytime through your browser settings, control ad personalisation in your Facebook ad preferences, and opt out of Google Analytics with the Google Analytics opt-out add-on. Disabling essential cookies will prevent you from logging in.
Data retention
We keep your information only for as long as we need it to provide the Service, comply with our legal obligations, resolve disputes, and enforce agreements.
- Account data: retained while your account is active and for 90 days after deletion to allow recovery.
- Payroll records: retained for at least 7 years to comply with Malaysian statutory record-keeping requirements (Income Tax Act 1967, Employees Provident Fund Act 1991).
- Marketing data: retained until you unsubscribe or request deletion.
- Support communications: retained for 3 years for quality assurance.
- Contact form submissions: retained indefinitely for record-keeping; you can request deletion at any time.
When data is no longer needed, we delete it securely or anonymise it for statistical purposes.
Your rights
Under the PDPA and applicable laws, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete information.
- Right to erasure — request deletion of your data (subject to legal retention obligations).
- Right to restrict processing — limit how we use your data in certain circumstances.
- Right to data portability — receive your data in a structured, machine-readable format (we provide CSV/XLSX exports from your dashboard).
- Right to object — opt out of marketing communications or certain types of processing.
- Right to withdraw consent — at any time, where processing is based on consent.
To exercise any of these rights, email hello@gajee.co. We will respond within 21 days as required by the PDPA.
International transfers
Your data is primarily stored on servers in Southeast Asia. Some of our subprocessors (e.g. Cloudflare, AI service providers) may process data outside Malaysia in line with their own privacy policies and applicable data-transfer mechanisms. We only use providers with appropriate safeguards.
Children's privacy
Gajee.co is intended for use by businesses and is not directed to children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can remove it.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes to our practices or for legal reasons. We will notify you of significant changes by email (for registered users) or through a notice on our website. The "Last updated" date at the top of this Policy indicates when it was last revised.
Contact us
If you have questions about this Privacy Policy or how we handle your data, contact us at:
- General contact: hello@gajee.co or our contact form
You also have the right to lodge a complaint with the Personal Data Protection Department of Malaysia (www.pdp.gov.my) if you believe your rights have been violated.