Privacy Policy

Last updated: 5 May 2026

ClaimHub Services ("we", "us", "our") operates the ClaimHub reconciliation service. This Privacy Policy explains how we collect, use, and protect your information in compliance with the Malaysian Personal Data Protection Act 2010 (PDPA 2010).

Two deployment modes — different data flows. ClaimHub is offered as (a) a Windows installer that processes data entirely on your clinic PC ("LocalInstall"), and (b) an optional web upload path ("Web SaaS"). The retention periods below apply only when data physically reaches our servers. Under LocalInstall, patient and AR data never leave your clinic premises — only license validation and credit accounting touch the cloud.

1. Information We Collect

Data Type	Purpose	Retention
Clinic name, address, Borang B ID	Account registration and verification	Duration of account
Admin name, email, phone	Account management and communication	Duration of account
Uploaded billing/TPA files (Web SaaS only)	Reconciliation processing	90 days after processing, then permanently deleted
Patient names, visit dates, bill amounts (Web SaaS only)	Reconciliation matching	90 days after processing, then permanently deleted
Patient/AR data under LocalInstall	Reconciliation matching on your PC	Never transmitted to ClaimHub — your local retention applies
Payment transaction records	Credit purchase and billing	7 years (tax compliance)
IP address, browser info	Security and audit logging	30 days

2. How We Use Your Data

To provide the reconciliation service you requested
To process credit purchases and payments
To send service-related communications (account verification, license keys)
To maintain security and audit logs
To improve the Service based on usage patterns (aggregated, non-personal)

3. Data Controller and Data Processor

Under PDPA 2010, the clinic is the Data User (Controller) for patient information processed through ClaimHub. ClaimHub Services is the Data Processor, acting only on documented instructions from the clinic. We do not determine the purposes or means of processing patient data — the clinic does.

As Data Processor, we commit that patient data is:

Used only for matching clinic records against TPA payment records
Never shared with third parties (other than sub-processors named in §6)
Never used for marketing, profiling, or model training
Transmitted over encrypted HTTPS connections (TLS 1.2+)
Stored in tenant-isolated database partitions (your data is invisible to other clinics)
Deleted permanently 90 days after processing (Web SaaS) or never transmitted (LocalInstall)

4. Data Storage and Security

Website (SaaS): Data is stored on secured servers in Malaysia with firewall protection, encrypted connections (TLS/HTTPS), and role-based access control.
LocalInstall (Desktop): Data is stored locally on your Windows PC. License keys are encrypted using Windows DPAPI. No data leaves your machine unless you use the online features.
We implement audit logging for all data access and administrative actions.
Database access is restricted to the application layer only (no direct external access).

5. Multi-Tenancy Isolation

Each clinic operates in an isolated tenant environment. Database queries are automatically scoped to your tenant. No clinic can access another clinic's data, records, or reconciliation results.

6. Sub-Processors and Third-Party Services

We use a small number of vetted sub-processors to deliver the Service. We share only the minimum information required for each one to perform its function. Patient and AR data are not shared with any sub-processor.

Stripe Payments Malaysia Sdn Bhd: Payment processing for credit purchases (cards, FPX online banking, e-wallets). We share email, name, and transaction amount. Stripe's privacy policy applies to payment data they process. Stripe is PCI DSS Level 1 certified.
OneWaySMS: SMS OTP delivery for account verification. We share only the phone number being verified.
Cloudflare, Inc.: DNS, TLS termination, and DDoS protection for claimhub.cc. Cloudflare may briefly process IP addresses in transit.
Hostinger International Ltd.: VPS infrastructure hosting our cloud database (license keys, credit ledger, account records).
Email service provider: For account verification and license delivery. We share only your email address and the message content.

We do not sell, rent, or share your data with any other third parties.

6.1 Cross-Border Data Transfer

Most processing occurs in Malaysia (Hostinger Singapore-region VPS) or on the clinic's own PC (LocalInstall). Limited transactional data may be transferred to Stripe (US, Singapore) and Cloudflare (global edge network) as part of payment and web-traffic delivery. We rely on these processors' contractual safeguards (PCI DSS, SOC 2, EU Standard Contractual Clauses where applicable) to maintain protection equivalent to PDPA 2010 standards. By using ClaimHub, you consent to these limited cross-border transfers.

7. Your Rights (PDPA 2010)

Under the Malaysian PDPA 2010, you have the right to:

Access: Request a copy of your personal data we hold
Correction: Request correction of inaccurate data
Withdrawal: Withdraw consent for data processing (this may affect your ability to use the Service)
Data export: Request export of your data in a standard format

To exercise these rights, email contact@claimhub.cc.

8. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by PDPA 2010, within a reasonable timeframe.

9. Cookies

ClaimHub uses essential cookies for authentication and session management only. We do not use tracking cookies, analytics cookies, or advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.

11. Contact and Data Protection Officer

For privacy-related inquiries, to exercise your PDPA 2010 rights, or to report a suspected data incident, contact our designated point of contact:

ClaimHub Services
Email: contact@claimhub.cc
Address: Shah Alam, Selangor, Malaysia
Response time: within 5 business days for routine requests; within 24 hours for suspected breaches.