Privacy Policy

Version 1.0 · Last updated: 29 April 2026

This Privacy Policy explains how Noderight Dental (“Noderight”, “we”, “our” or “us”) collects, uses, discloses and protects personal data when you visit our website, register an account, or use the Noderight Dental platform and related services (the “Service”). It is issued in accordance with the Personal Data Protection Act 2010 of Malaysia (the “PDPA”).

Two roles to keep in mind. When you (a clinic owner, dentist or staff member) register an account with us, we are the data user of your personal data. When your clinic uploads patient information into the Service, your clinic is the data user and Noderight is a data processor acting on your clinic’s instructions. The two roles are treated separately throughout this Policy.

Contents

  1. Who we are
  2. Personal data we collect
  3. How we use your data
  4. Lawful basis for processing
  5. Disclosure to third parties
  6. Cross-border transfers
  7. Patient data & clinic records
  8. MyKAD data
  9. Cookies & tracking
  10. Data retention
  11. Your rights under the PDPA
  12. Security
  13. Children’s data
  14. Changes to this Policy
  15. Contact

1. Who we are

Noderight Dental is a Malaysia-based provider of cloud software for dental clinics. For the purposes of the PDPA, the data user / data controller for direct user data is:

Noderight Dental
Email: [email protected]
Address: No 77-2 (2nd Floor), Jalan USJ 21/10, USJ 21, 47620 Subang Jaya, Selangor, Malaysia

If you have any questions about how we handle personal data, please use the contact details above to reach our data protection contact.

2. Personal data we collect

We collect the following categories of personal data:

2.1 Account & profile data

  • Full name, email address, phone number;
  • NRIC / IC number (collected for identity verification at registration);
  • Password (stored in hashed form — we cannot read it);
  • Profile photo, role and clinic association (where you provide it).

2.2 Subscription & payment data

  • Plan, billing cycle, invoices and transaction history;
  • Payment instrument details (collected and stored by our payment processors, Stripe and Billplz, not by us);
  • Wallet / credit balances and top-up records held in our central database.

2.3 Usage & technical data

  • IP address, browser type, device identifiers, operating system;
  • Pages visited, features used, timestamps, referring URLs;
  • Diagnostic logs, error reports, performance metrics;
  • Authentication events (login, password reset, two-factor activity).

2.4 Communications

  • Support tickets, emails, chat messages, feedback forms;
  • Notification preferences and delivery records.

2.5 Patient Data (processed on behalf of clinics)

When clinics use the Service, they enter information about patients (including identification, dental charts, treatment notes, billings and uploaded files). This data is held in the clinic’s isolated tenant database and is processed by us only on the instructions of the clinic. See section 7.

3. How we use your data

We use personal data for the following purposes:

Purpose | Examples
Provide the Service | Create and authenticate your account, provision your tenant, run features you request
Billing | Issue invoices, collect payment via Stripe / Billplz, manage subscriptions and wallet credit
Communications | Send service notices, security alerts, password resets, and updates to these legal documents
Support | Respond to enquiries, investigate technical issues
Security & abuse prevention | Detect fraud, abuse and attacks; rate-limit suspicious activity; maintain audit logs
Service improvement | Analyse aggregated, de-identified usage to improve features and performance
Legal compliance | Meet tax, accounting, statutory and regulatory obligations

We do not sell personal data, and we do not use personal data for third-party advertising.

4. Lawful basis for processing

Under the PDPA, we rely on the following bases:

  • Consent — you provide consent at registration and at specific touchpoints (such as marketing opt-ins);
  • Performance of a contract — processing necessary to deliver the Service to you;
  • Legal obligation — processing required by Malaysian law (tax, anti-money-laundering, court orders);
  • Legitimate interests — protecting our systems, preventing abuse, and improving the Service in ways that do not override your rights.

5. Disclosure to third parties

We disclose personal data only to the following classes of recipient:

  • Sub-processors / cloud infrastructure — for hosting, storage, backup, email delivery and similar infrastructure (currently DigitalOcean and equivalent providers);
  • Payment processors — Stripe and Billplz, to process subscription payments;
  • Communications providers — Pusher (real-time messaging), Zoom (video consultations) and email providers;
  • Search and indexing — Typesense for in-app search;
  • Professional advisers — lawyers, accountants and auditors bound by confidentiality;
  • Authorities — where required by law, court order or in response to a legitimate request from a regulator (including the PDP Commissioner, IRBM, JPN, PDRM);
  • Successors — in the event of a merger, acquisition or sale of assets, subject to appropriate confidentiality undertakings.

A current list of material sub-processors is available on request. We bind our sub-processors to confidentiality and data-protection obligations consistent with this Policy and the PDPA.

6. Cross-border transfers

The Service is hosted on cloud infrastructure with primary servers located in the ASEAN region (currently Singapore) and backup storage in equivalent jurisdictions. Personal data may therefore be transferred to and processed in jurisdictions outside Malaysia.

We rely on section 129 of the PDPA to make such transfers, on the basis of your consent (provided by your acceptance of this Policy at registration) and the necessity of the transfer for the performance of our contract with you. We will only transfer to jurisdictions that we reasonably consider to provide an adequate level of protection, or where additional safeguards are in place.

7. Patient data & clinic records

When a clinic enters patient information into the Service:

  • the clinic is the data user in respect of that information;
  • Noderight is the data processor, processing the data only on the clinic’s instructions;
  • patients should direct any access, correction or withdrawal requests to the clinic, not to us;
  • we apply technical isolation between tenants so that one clinic cannot see another clinic’s patient data.

If you are a patient and you have a question about how a particular clinic uses your data, please contact that clinic. If you cannot reach the clinic, you may write to us and we will, where reasonable, forward your request.

8. MyKAD data

The Service can read MyKAD via a smart-card reader at the clinic. MyKAD data is collected only with the cardholder’s consent, only for legitimate identification, clinical or billing purposes, and is stored within the clinic’s tenant. We do not aggregate, share or commercialise MyKAD data, and we comply with the National Registration Act 1959 and PDPA in handling such data.

9. Cookies & tracking

We use a small number of cookies and similar technologies, including:

  • Strictly necessary cookies — for session authentication, CSRF protection and load balancing;
  • Functional cookies — remember preferences such as theme or language;
  • Analytics — aggregated, privacy-respecting analytics about usage of the Service;
  • Security — Cloudflare Turnstile for bot detection at registration / login.

You can control cookies through your browser settings; disabling strictly necessary cookies may prevent you from using the Service.

10. Data retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, including:

  • Active accounts — for the duration of your subscription;
  • Closed accounts — up to 30 days after termination, after which tenant data is purged from primary systems;
  • Backups — up to 90 days from the date of the backup;
  • Billing & tax records — at least seven (7) years to meet Malaysian statutory requirements;
  • Audit / security logs — up to 12 months unless a longer period is required for investigation;
  • Patient Data — retained on the clinic’s instructions, subject to the clinic’s own retention obligations under healthcare law (typically a minimum of 7 years).

11. Your rights under the PDPA

Subject to the PDPA, you have the right to:

  • Access — request a copy of personal data we hold about you (PDPA s.30);
  • Correction — request correction of inaccurate or incomplete data (PDPA s.34);
  • Withdraw consent — withdraw consent to processing where consent is the basis (PDPA s.38);
  • Limit processing — request that we stop processing for direct marketing or for purposes likely to cause damage or distress;
  • Lodge a complaint — with the Personal Data Protection Commissioner.

To exercise these rights, email [email protected] from the address registered with your Account. We may need to verify your identity before responding and will reply within the timeframe required by the PDPA. A reasonable fee may apply for repeated or excessive requests, as permitted by law.

12. Security

We apply technical and organisational measures appropriate to the risk, including:

  • encryption in transit (TLS) for all connections to the Service;
  • password hashing and protection against brute-force attacks;
  • role-based access control and the principle of least privilege internally;
  • tenant database isolation to prevent cross-tenant data leakage;
  • regular backups, monitoring and incident-response procedures.

No system can be guaranteed 100% secure. You play an important role by keeping your credentials confidential and reporting any suspected compromise immediately.

13. Children’s data

The Service is not intended for use directly by children. Where a clinic enters records about a paediatric patient, those records are managed by the clinic under its own consent and parental-authority arrangements. We do not knowingly collect personal data directly from a child for our own purposes.

14. Changes to this Policy

We may update this Policy from time to time. The version number and effective date at the top will change. Material changes will be notified by email or in-app notice at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact

For questions, requests, or complaints about this Policy or your personal data:

Noderight Dental — Data Protection Contact
Email: [email protected]
Address: No 77-2 (2nd Floor), Jalan USJ 21/10, USJ 21, 47620 Subang Jaya, Selangor, Malaysia

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commissioner of Malaysia at www.pdp.gov.my.

By accepting this Policy at registration or by continuing to use the Service, you acknowledge that you have read and understood it.