Effective Date: 1^st September 2025

This Privacy Policy (“Policy”) is issued by Kumpool Sdn. Bhd. (Registration No. 1493722P / 202201048025) and Kumpool Singapore Pte. Ltd. (UEN No. 202339496Z) (“Company,” “we,” “us,” or “our”) in accordance with the provisions of the Personal Data Protection Act 2010 of Malaysia and Personal Data Protection Act 2012 of Singapore, as amended from time to time (“PDPA”). By accessing or using the website located at www.kummute.com.my (the “Website”) and/or the Kummute mobile application (the “App”) (collectively, the “Platforms”), you acknowledge and consent to the collection, processing, and disclosure of your Personal Data as set forth herein.

Collection of Personal Data

• For purposes of this Policy, “Personal Data” means information in respect of commercial transactions that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in our possession, including but not limited to your name, national registration identity card number, passport number, , address, email address, telephone number, date of birth, bank account details, login information, device identifiers, approximate or precise location data, trip and journey information, and in‑App usage information, and any other information provided to us.

We may also collect and process biometric information, such as fingerprints, facial images, or other unique identifiers, only where it is necessary for security, identification, or verification purposes and permitted by law, and we will obtain your explicit consent before collecting or using such information. We will also apply enhanced safeguards to protect this data against unauthorized access, disclosure, or misuse.

1.2          Personal Data may be collected from you directly, from your use of the Platforms, or from any communications between you and the Company, whether by electronic or other means, including through cookies, web beacons, tracking technologies, software development kits (SDKs), mobile analytics, and similar tools used in the App.

Purposes for Collection and Processing

2.1          The Company may collect, use, process, retain, and disclose your Personal Data for the following purposes:

(a)    To administer and manage your access to and use of the Platforms and the services provided thereon;

(b)            To process transactions, respond to your enquiries, and communicate with you;

(c)    To provide information regarding the Company’s products or services, including marketing and promotional communications, subject always to any requisite consent;

(d)  To comply with any applicable law, regulation, order, or legitimate request by any governmental or regulatory authority;

(e)            For the prevention or detection of crime or fraud;

(f)      Any other purpose for which your consent has been obtained, whether expressly or impliedly.

Disclosure of Personal Data

3.1          The Company may disclose and transfer your Personal Data to:

(a)            Any parent, subsidiary, affiliate, or related entity of the Company;

(b)    Any third-party service providers, agents, auditors, consultants, professional advisors, or contractors engaged to provide services, process data, or perform functions on behalf of the Company, strictly for the purposes stipulated in Section 2 above;

(c)    Any governmental or regulatory authorities, bodies, agencies, or any other party as required or permitted by applicable law, regulation, or order;

(d)    Any party to whom disclosure is required for purposes of legal proceedings or to defend the rights and interests of the Company;

(e)            Any other third parties with your consent.

3.2          The Company will take reasonable steps to ensure that all such third parties observe strict confidentiality and data protection obligations consistent with the PDPA.

Security of Personal Data

4.1          The Company will implement and maintain reasonable security measures, whether physical, administrative, or technical, to safeguard your Personal Data against loss, misuse, modification, unauthorized or accidental access or disclosure, alteration, or destruction.

4.2          Notwithstanding the foregoing, the Company does not guarantee the security of any data transmitted via the Internet or through the Platforms, and you acknowledge and accept the inherent risks of providing information online.

4.3          In the event of a Personal Data breach that is likely to result in harm, we will notify you and the relevant authorities as required by law. We maintain a breach register and may retain records of incidents and remedial actions in compliance with PDPA requirements.

Retention of Personal Data

5.1          The Company will retain your Personal Data only for so long as may be reasonably necessary to fulfil the purposes for which it was collected or as required under applicable law.

5.2          Upon the cessation of such necessity or expiry of such retention period, the Company will take reasonable measures to permanently delete or irreversibly anonymize such Personal Data.

Transfers of Personal Data Outside Malaysia or Singapore

6.1          In the event that the Company transfers or permits the transfer of your Personal Data outside Malaysia or Singapore, such transfer will only be effected where necessary for the operation of the Platforms, provision of services, or for the fulfilment of any of the purposes referred to herein, and subject always to compliance with the PDPA and any applicable data protection laws and regulations.

6.2          The Company will procure that recipients located outside Malaysia or Singapore provide a standard of protection over your Personal Data comparable to that provided by the PDPA.

Access, Correction, and Withdrawal

7.1          You have the right to request access to, or correction of, your Personal Data held by the Company, subject to any limitations or exceptions under applicable law.

7.2          Any request for access, correction, or withdrawal of consent may be made in writing to the Privacy Officer at the contact details set out below. The Company reserves the right to impose a fee for access as permitted under the PDPA.

7.3          The Company may decline to comply with any such request if the request is manifestly unfounded, vexatious, or otherwise unreasonable, or if the Company is otherwise entitled or required to do so under applicable law.

Cookies and Similar Technologies

8.1          The Platforms may use cookies or similar technologies to collect or store data for the purposes of optimizing your browsing experience and for analytical, advertising, or security purposes. You may configure your browser to disable cookies; however, certain functionality of the Platforms may be impaired as a result. For the App, you may manage certain permissions (e.g., location, notifications, camera, photos/media, motion/activity) in your device settings; disabling permissions may affect App functionality. The App may also use third‑party SDKs and mobile analytics as described in this Policy.

Third Party Sites

9.1          The Platforms may contain links to websites or content operated by third parties. The Company does not control and will not be held responsible or liable for the content, privacy practices, or security of such third party websites or services.

Amendments

10.1       The Company reserves the right, at its sole discretion, to modify or amend the terms of this Policy from time to time. Any such amendments will be notified to you by posting the revised Policy on the Platforms, together with an updated effective date. Your continued use of the Platforms after such posting constitutes acceptance of those changes.

Additional App‑Specific Terms

11. Location Data. If you enable location services in the App, we may collect and process precise or approximate location data (including GPS, Wi‑Fi and mobile network data) to provide location‑based features such as nearby services, matching with drivers, routing, and safety or anti‑fraud checks. You may disable location permissions in your device settings at any time; however, certain App functionalities may be limited as a result.

11.1       Push Notifications and In‑App Communications. With your consent (which may be obtained via your device settings or the App), we may send push notifications, in‑App messages, or alerts for service updates, transactional communications, and marketing (subject to Section 2.1(c)). You may withdraw consent by adjusting your device or App notification settings or by using the unsubscribe options provided.

11.2       Device Information and Identifiers. When you use the App, we may collect device and technical data, such as device model, operating system and version, App version, mobile network information, device settings, crash logs, performance diagnostics, and device identifiers (including advertising identifiers). We use this information for security, analytics, troubleshooting, and service improvement.

11.3       SDKs and Mobile Analytics. The App may include third‑party SDKs, analytics tools, and ad‑tech partners that process Personal Data for analytics, performance monitoring, attribution, and (where applicable) personalized marketing. These third parties are engaged as described in Section 3.1(b) and are subject to confidentiality and data protection obligations consistent with the PDPA. Where required, we will seek your consent (including via in‑App consent prompts) before enabling processing for marketing or advertising purposes.

11.4       In‑App Payments. If you make payments in the App, payment processing is provided by third‑party processors. We do not store full payment card details on our systems. We receive limited transaction metadata for reconciliation, fraud prevention, and customer support. Your payment data will be processed in accordance with Section 3 (Disclosure) and the payment processor’s privacy terms.

11.5       Account Registration and Management. To use certain App features, you may need to create an account or authenticate using third‑party sign‑in. You are responsible for maintaining the confidentiality of your credentials. You may update or delete certain account information via the App. Upon account deletion, we will retain Personal Data only as permitted by Section 5 (Retention) and applicable law.

11.6       Permissions. Certain App features require permissions (e.g., location, camera, photos/media, contacts, Bluetooth, motion/activity). You may grant or revoke permissions in your device settings at any time. Disabling permissions may affect feature availability or performance.

11.7       Children’s Data. The App is not intended for children under the age of 18. We do not knowingly collect Personal Data from children under this age without verifiable parental consent. If you believe a child has provided Personal Data to us, please contact us as set out in Section 11 and we will take appropriate steps to delete such data.

11.8       Security for Mobile. In addition to Section 4 (Security), we implement measures appropriate for mobile environments, including encryption in transit, secure session management, least‑privilege access, and mobile‑specific fraud monitoring. No mobile application can be fully secure; please keep your device’s operating system and the App updated.

11.9       Consent and Withdrawal via App. Where we rely on consent (including for marketing, location, analytics, or device permissions), you may withdraw consent at any time via in‑App controls, device settings, or by contacting us per Section 11. Withdrawal will not affect the lawfulness of processing before withdrawal, but may limit certain App functionalities.

Ride Booking–Specific Terms

• Trip and Journey Data. When you request or take a ride, we collect and process trip‑related data, including pickup and drop‑off locations, route and GPS traces, distance, duration, fare, payment method, driver and vehicle identifiers, and timestamps. We use this data to provide services, calculate fares, optimize routing, enable customer support, resolve disputes, and for safety, security, analytics, and service improvement.
• Matching and Availability. To match you with nearby drivers, we process your approximate or precise location, search radius, trip preferences, and real‑time driver availability. Location processing is subject to your device/App permissions as described in “Additional App‑Specific Terms.”
• Driver–Rider Communications. To facilitate a ride, the App may enable in‑App calls or messaging between you and the driver (using phone number masking where available). Communications may be logged or recorded in metadata form (time, duration, participants) for safety, fraud prevention, and support. Content of communications is not routinely monitored but may be accessed where permitted by law to investigate safety incidents or complaints.
• Safety Features and Incident Reporting. The App may include safety features (for example, live trip sharing, SOS or emergency assistance, driver/rider verification, selfie checks, and safety prompts). If you report an incident, we will process the information you provide (including photos, descriptions, location, and contact details), and may share relevant details with emergency services, insurers, legal counsel, or regulators as permitted by law and necessary to respond.
• Telematics and Device Signals. With your consent where required, we may collect telematics and device signals (for example, accelerometer, gyroscope, motion/activity, speed, and driving behavior indicators) to support safety reviews, fraud detection, trip verification, and service quality. You may disable certain signals by revoking permissions in your device settings, noting this may affect App functionality.
• Ratings, Reviews, and Feedback. You may rate rides and provide feedback. We process ratings and reviews to maintain service quality, detect abuse, and improve the platform. Aggregated ratings may be shown to users. We may take action (including temporary suspension or permanent deactivation) based on safety or policy violations supported by feedback and investigations.
• Identity and Verification. For safety and compliance, we may request identity verification (for example, NRIC/passport details, selfies, or verification via a trusted third party). Where applicable, we will use liveness and anti‑spoofing checks. Verification data will be used only for verification, safety, fraud prevention, and compliance purposes and retained in line with Section 5 (Retention).
• Fraud and Platform Integrity. We use automated and manual methods to detect and prevent fraud, abuse, and suspicious activity (including duplicate accounts, payment fraud, GPS spoofing, or incentive abuse). Where we make a decision with legal or similarly significant effects based solely on automated processing, you may contact us to request human review, subject to applicable law.
• Insurance, Claims, and Regulatory Disclosures. In the event of an accident, claim, or investigation, we may share relevant Personal Data (for example, trip data, contact details, statements, and photos) with insurers, adjusters, legal advisors, law enforcement, and regulators as required or permitted by law and to handle the claim or investigation.
• Third‑Party Maps and Navigation. The App uses third‑party maps, geocoding, and navigation services (for example, Google Maps, Apple Maps, or other providers). These providers may process device location, IP address, and usage data pursuant to their own terms and privacy policies.
• Contact Sharing for Pickup and Safety. If you choose to share trip status with trusted contacts, we will process the contacts you select and send them trip information and live updates. You can stop sharing at any time within the App. We do not use your address book for any purpose other than the sharing action you initiate.
• Promotions and Incentives. If you participate in promotions, referral programs, or incentive schemes, we will process your participation data, referral codes, and performance metrics to administer these programs, prevent abuse, and fulfil rewards. Program‑specific terms may apply.
• Vehicle and Driver Information Visibility. For each confirmed ride, we may display to you certain driver and vehicle information (for example, first name, profile photo, rating, vehicle make/model/color, and license plate) for identification and safety purposes. Drivers may see your first name, pickup/drop‑off points, and any optional notes you provide to facilitate the trip.
• Data Minimization for Pickups and Drop‑Offs. To protect privacy, we may generalize or obfuscate precise pickup or drop‑off points in historical receipts and trip history, where feasible, without affecting billing accuracy or regulatory compliance.
• Service Communications and Receipts. We will send you essential service communications (for example, ride confirmations, driver arrival updates, receipts, and safety notices). These are transactional and not subject to marketing opt‑out.

Contact and Complaints

13.1       Should you have any queries, complaints, or requests in relation to your Personal Data or this Policy, please contact:

Attn.: Data Protection Officer

Kumpool Sdn. Bhd. / Kumpool Singapore Pte. Ltd.

Email: cs@kummute.com.my

By accessing or using the Platforms, you confirm that you have read, understood, and agreed to the terms of this Privacy Policy as may be amended from time to time.