Privacy Policy

Last Updated: 21 May 2026

Effective Date: 21 May 2026

Nelvyx Sdn. Bhd. ("Nelvyx", "we", "us", or "our") operates the Deltern platform, a cloud-based enterprise resource planning (ERP) solution designed for Fast-Moving Consumer Goods (FMCG) distribution businesses in Southeast Asia. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your personal data when you use our mobile applications (Deltern Field, Deltern Go, Deltern Command), web portals (Deltern Hub), and all associated backend services (collectively, the "Services").

This policy is issued in compliance with the Personal Data Protection Act 2010 (PDPA) of Malaysia, including the 2024 amendments concerning biometric and sensitive data. This notice is provided in both English and Bahasa Malaysia as required under the PDPA.

Important: If you are an employee user, your employer (the "Tenant") has engaged Deltern as a workforce management tool. Certain data collection — including location tracking and attendance verification — is a condition of your employment as determined by your employer.

---

The data controller responsible for your personal data is:

Nelvyx Sdn. Bhd.

Email: dpo@nelvyx.io

Website: https://deltern.com

Kuala Lumpur, Malaysia

Your employer (the Tenant) acts as a joint data controller for work-related data processed through the platform.

---

We collect different categories of personal data depending on which Deltern application you use and your role within the platform.

2.1 Personal Data

• Identity information — Full name, employee ID, role/job title, profile photo or avatar
• Contact information — Email address (AES-256 encrypted), phone number (AES-256 encrypted)
• Authentication credentials — Password (Argon2id hashed; never stored in plain text), optional biometric enrolment status
• Employment information — Company affiliation, department, assigned routes or territories

2.2 Location Data

Applicable to: Deltern Field and Deltern Go only

• GPS coordinates — Latitude, longitude, and accuracy radius, collected continuously during work hours (approximately every 3–5 seconds)
• Speed and heading data — Used for route compliance and anti-fraud verification
• Geofence detection — Automatic detection of shop proximity within a 200-metre radius
• Real-time streaming — Location data is streamed via WebSocket to your employer's management dashboard during active work sessions

Disclosure: GPS tracking is mandatory during work hours. The application will require location permission to function. Tracking begins at clock-in and stops at clock-out. Anti-fraud measures include: velocity exceeding 200 km/h is flagged for review, and GPS accuracy readings greater than 50 metres are rejected as unreliable.

2.3 Biometric and Visual Data

Under the PDPA 2024 amendments, biometric data is classified as sensitive personal data and receives enhanced protection.

• Attendance selfies — Front-camera photograph taken at clock-in (mandatory for Deltern Field)
• Liveness detection — Blink detection (2 blinks required) to prevent spoofing with static photographs
• Device-local biometric authentication — Fingerprint or facial recognition used for app unlock. This data is processed and stored exclusively on your device using Android EncryptedSharedPreferences and is never transmitted to our servers
• Proof-of-delivery photographs — Photos captured during delivery completion (Deltern Go)
• Digital signatures — Storekeeper and driver signatures captured on-screen for delivery confirmation
• Expense receipt photographs — Images of receipts attached to expense claims
• Product photographs — Images uploaded for catalogue management (Deltern Command)

2.4 Business Data

• Shop/customer details — Shop name, phone number (encrypted), email (encrypted), physical address, GPS coordinates, SSM registration number (encrypted), tax identification number (encrypted)
• Orders — Order numbers, line items, quantities, unit prices, total amounts
• Deliveries — Route data, stop locations, proof-of-delivery photos, signatures, timestamps
• Collections — Cheque numbers, bank reference numbers, payment amounts, payment method
• Payroll information — Basic salary, EPF contributions, SOCSO contributions, tax deductions, net salary amounts, payslip PDFs (accessible only to the employee and authorized HR personnel)
• Expense claims — Claim amounts, categories, receipt photographs
• Leave records — Leave type, date range, reason, medical certificate attachments

2.5 Device and Technical Data

• Device identifiers — Device ID, device model, manufacturer, OS version
• Application data — App version, build number, FCM push notification token
• Connectivity status — Online/offline state, network connection type
• Device health — Battery level, charging state, GPS accuracy, sync queue backlog count
• Heartbeat data — Device health signals transmitted every 30 seconds via WebSocket during active sessions

---

We collect your personal data through three primary channels:

• Directly from you — When you register an account, complete your profile, upload photographs, submit forms, or interact with the application
• Automatically from your device — GPS coordinates, device information, network status, and application usage data are collected automatically when you use the Services
• From your employer (Tenant) — Your employer provides your name, role, contact details, and employment information when creating your user account

---

We process your personal data for the following specific purposes:

1. Service delivery — Operating core ERP features including order management, delivery tracking, invoicing, attendance recording, inventory management, and payroll processing
2. Authentication and security — Verifying your identity through password, PIN, or biometric authentication; managing trusted devices; detecting and preventing unauthorized access
3. Location verification and workforce management — Confirming attendance clock-in/out locations, tracking delivery routes, enforcing geofence compliance, and providing real-time location visibility to your employer's management dashboard
4. Attendance fraud prevention — Using selfie capture with liveness detection to verify physical presence; detecting GPS spoofing, mock location apps, and time manipulation
5. Communication — Sending push notifications for work assignments, delivery updates, and system alerts; sending WhatsApp messages for invoice delivery to shop owners; sending transactional emails for password resets and account alerts
6. Employee performance monitoring — Providing your employer with sales performance data, route compliance metrics, visit frequency reports, and leaderboard rankings
7. Financial processing — Processing SaaS subscription billing, generating invoices, managing collection records, and producing payroll calculations
8. Analytics and service improvement — Aggregated and anonymized analytics to improve features, forecast demand, optimize delivery routes, and monitor platform performance
9. Legal compliance — Fulfilling obligations under Malaysian law including tax reporting, employment regulations, and responding to lawful requests from regulatory authorities
10. Error monitoring and platform stability — Collecting crash reports and performance metrics to identify, diagnose, and resolve technical issues

---

Under the PDPA 2010, we process your personal data based on the following legal grounds:

• Consent — You provide consent when you agree to this Privacy Policy, enable location services, or opt into optional features such as biometric app unlock
• Contractual necessity — Processing required to deliver the Services under the subscription agreement between Nelvyx and your employer (Tenant)
• Legitimate interest — Security monitoring, fraud prevention, service improvement, and error diagnostics, where such interests are not overridden by your fundamental rights
• Legal obligation — Compliance with the Companies Act 2016, Employment Act 1955, Income Tax Act 1967, and other applicable Malaysian legislation
• Employer direction — For employee users, certain processing (including continuous GPS tracking and attendance selfies) is carried out at the direction of your employer as part of their legitimate workforce management. Your employer is responsible for obtaining any necessary consents under employment law

Note on sensitive data: Attendance selfie photographs and liveness detection data are classified as sensitive personal data under the PDPA 2024 amendments. We process this data based on your explicit consent and/or at the direction of your employer for the purpose of attendance verification.

---

This section provides specific disclosure about continuous location tracking, as required for transparency.

What is tracked

• GPS coordinates (latitude, longitude) with accuracy radius
• Speed, heading, and altitude where available
• Shop proximity (automatic geofence triggers within 200m)

When tracking is active

• Tracking begins when you clock in and stops when you clock out
• Tracking operates continuously during work hours at intervals of approximately 3–5 seconds
• Location data is streamed in real time to your employer's management dashboard via WebSocket

Anti-fraud measures

• Velocity check: Movement exceeding 200 km/h is automatically flagged for manual review
• Accuracy threshold: GPS readings with accuracy greater than 50 metres are rejected
• Mock location detection: The application detects and blocks mock location or GPS spoofing tools
• NTP time synchronization: Device time is verified against network time to prevent clock manipulation

Who sees your location

• Your employer's administrators and managers via the Deltern Command or Hub dashboards
• Location data is not shared with any third party except Google Maps Platform for geocoding and routing purposes (see Section 9)

Opting out

• GPS tracking is mandatory for Deltern Field and Deltern Go during work hours as a condition set by your employer
• You may disable location permissions outside of work hours via your device settings
• If you wish to permanently opt out of location tracking, please discuss with your employer, as this may affect your ability to use the application

---

Attendance selfies and liveness detection

• A front-camera photograph is captured each time you clock in via Deltern Field
• Liveness detection requires you to blink twice to confirm you are a live person (not a photograph)
• These images are transmitted to and stored on our servers in Singapore (see Section 10)
• Images are associated with your attendance record and accessible to your employer's HR and management personnel

Device-local biometric authentication

• If you enable fingerprint or facial recognition for app unlock, this biometric processing occurs entirely on your device
• Biometric templates are managed by Android's BiometricPrompt API and stored in your device's secure hardware enclave
• Nelvyx does not receive, transmit, or store any biometric template data
• This feature is optional — you may use PIN or password authentication instead

---

Mobile applications (Field, Go, Command)

• SQLite database — Business data is stored locally for offline functionality. This database is not encrypted at rest but is cleared upon logout
• FlutterSecureStorage — Authentication tokens are stored using Android EncryptedSharedPreferences with hardware-backed encryption
• SharedPreferences — Non-sensitive settings (language preference, theme) are stored locally

Web portal (Hub)

• Session cookies — Essential cookies to maintain your authenticated session
• JWT tokens — Stored in secure, HTTP-only cookies
• We do not use advertising cookies or third-party tracking cookies

---

We share limited data with the following third-party service providers to operate the Services. We do not sell your personal data to any third party.

Service	Provider	Data Shared	Purpose	Data Location
Firebase Cloud Messaging	Google LLC	FCM device token, device type	Push notifications delivery	USA (Google Cloud)
Cloudflare R2	Cloudflare Inc.	Photographs, PDFs, receipt images	File storage for uploaded media	Singapore
Stripe	Stripe Inc.	Tenant billing information (card data handled solely by Stripe)	SaaS subscription payment processing	PCI-DSS compliant environment
Brevo	Brevo (Sendinblue)	Email address, full name	Transactional emails (password reset, account alerts)	EU
WhatsApp Cloud API	Meta Platforms Inc.	Shop owner phone numbers	Invoice and delivery notifications to shop owners	USA (Meta servers)
Google Maps Platform	Google LLC	GPS coordinates, destination addresses	Geocoding, directions, distance matrix calculations	USA (Google Cloud)
Sentry	Functional Software Inc.	Stack traces, request context (may contain user IDs)	Application error monitoring and crash reporting	USA
OpenTelemetry	Self-hosted collector	Request paths, timing data, performance metrics	Application performance monitoring	Singapore

Note: Redis is used for internal session caching and real-time pub/sub messaging. It operates within our own infrastructure and no data is shared externally through Redis.

Each third-party provider is bound by their respective data processing agreements and privacy policies. We only share the minimum data necessary for each service to function.

---

Your personal data is transferred from Malaysia to Singapore, where our primary servers and cloud infrastructure are located.

This cross-border transfer is carried out in compliance with Section 129 of the PDPA 2010, which permits transfer of personal data outside Malaysia provided that the receiving jurisdiction offers an adequate level of data protection or appropriate safeguards are in place.

Safeguards we maintain:

• Data processing agreements with all infrastructure providers
• TLS 1.3 encryption for all data in transit between Malaysia and Singapore
• AES-256-GCM field-level encryption for sensitive personal data
• Schema-per-tenant database isolation ensuring no cross-tenant data exposure
• Access controls limiting data access to authorized personnel only

Some third-party services may process data in the United States or European Union (see Section 9). Where applicable, these transfers are subject to the provider's standard contractual clauses or equivalent safeguards.

---

We implement comprehensive technical and organizational measures to protect your personal data:

Encryption

• In transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
• At rest: Server-side storage uses AES-256 encryption
• Field-level encryption: Sensitive personal data fields (email, phone, SSM number, tax number) are individually encrypted using AES-256-GCM with a dedicated FIELD_ENCRYPTION_KEY managed separately from other system secrets
• Blind indexes: HMAC-SHA256 blind indexes enable searching on encrypted fields without decrypting the underlying data

Authentication security

• Password hashing: Argon2id algorithm with timeCost=3, 64 MB memory, parallelism=4
• Account lockout: Accounts are locked after 5 consecutive failed login attempts
• JWT token security: Access tokens with short expiry, refresh tokens with 30-day TTL, family-based token revocation to detect token theft
• Key separation: Encryption keys and JWT signing secrets are stored and rotated independently

Infrastructure security

• Multi-tenant isolation: Each tenant's data is stored in a separate PostgreSQL schema, ensuring complete logical separation
• Role-based access control (RBAC): Users can only access data relevant to their assigned role
• Tenant-scoped file storage: Uploaded files in Cloudflare R2 are scoped per tenant
• Device data wipe: All locally stored data is wiped from the device upon logout

---

Data Type	Retention Period	Justification
Active account data	Duration of employment/subscription	Service delivery
Refresh tokens	30 days (daily cleanup)	Authentication
Password reset tokens	1 hour	Security
Attendance records and GPS logs	Retained per tenant policy (no automatic purge)	Employment compliance
Selfie and delivery photographs	Retained per tenant policy (no automatic purge)	Audit trail
Geocoding cache	7 days	Performance optimization
Route calculation cache	1 hour	Performance optimization
Business records (orders, invoices, deliveries)	Minimum 7 years from creation	Companies Act 2016 compliance
Payroll and financial records	Minimum 7 years from creation	Income Tax Act 1967 compliance
Soft-deleted records	Retained indefinitely until tenant requests hard deletion	Data recovery and compliance
Deleted account personal data	Purged within 30 days of deletion request	Account deletion policy

Your employer (Tenant) may configure additional retention policies through the Deltern administration panel.

---

As a data subject under the Personal Data Protection Act 2010, you have the following rights:

1. Right of access — You may request a copy of the personal data we hold about you. We will respond within 21 days of receiving your request. A nominal fee may apply as permitted under the PDPA.
2. Right of correction — You may request correction of any personal data that is inaccurate, incomplete, misleading, or not up to date. We will process correction requests within 14 days.
3. Right to withdraw consent — You may withdraw your consent for processing at any time by contacting us. However, please note:

• Withdrawing consent for core features (e.g., GPS tracking during work hours) may affect your ability to use the Services as required by your employer
• Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal

1. Right to prevent processing likely to cause damage or distress — You may request that we cease processing your data in circumstances where it causes or is likely to cause substantial damage or distress
2. Right to complain — You may lodge a complaint with the Personal Data Protection Commissioner of Malaysia if you believe your data has been mishandled

How to exercise your rights

• Email: dpo@nelvyx.io
• In-app: Deltern Hub > Settings > Privacy > Data Request
• Support: support@nelvyx.io

We will verify your identity before processing any data subject request. If your request relates to data controlled by your employer, we may refer you to your employer's data protection contact.

---

Deltern is a business-to-business (B2B) enterprise platform designed exclusively for use by adults in a professional employment context. The Services are not intended for use by individuals under 18 years of age.

We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a person under 18, we will take immediate steps to delete that data from our systems.

---

Deltern includes workforce monitoring features that your employer may enable. We are committed to transparency about these capabilities:

• Continuous GPS tracking — Real-time location monitoring during work hours (every 3–5 seconds)
• Device health heartbeat — Battery level, GPS accuracy, and connectivity status every 30 seconds
• Mandatory attendance selfie — Front-camera photograph with liveness detection at clock-in
• Shop visit tracking — Automatic check-in/out logging with GPS verification
• Real-time location dashboard — Live map view of field employees available to management
• Route compliance monitoring — Comparison of actual routes against planned routes
• Performance analytics — Sales performance leaderboards, visit frequency metrics, and achievement badges

These features are configured and controlled by your employer. If you have concerns about the scope of monitoring, please contact your employer's HR department or data protection officer.

---

Nelvyx is committed to complying with all seven (7) principles of the Personal Data Protection Act 2010:

1. General Principle — We process personal data only with the data subject's consent or as otherwise permitted by law
2. Notice and Choice Principle — This Privacy Policy serves as our written notice, provided in both English and Bahasa Malaysia
3. Disclosure Principle — Personal data is disclosed only for the purposes stated in this policy or as consented to by the data subject
4. Security Principle — We implement robust technical and organizational measures to protect personal data (see Section 11)
5. Retention Principle — Personal data is retained only for as long as necessary for its purpose (see Section 12)
6. Data Integrity Principle — We take reasonable steps to ensure personal data is accurate, complete, and up to date
7. Access Principle — Data subjects may request access to and correction of their personal data (see Section 13)

Penalties: Non-compliance with the PDPA 2010 may result in a fine of up to RM 1,000,000.00 and/or imprisonment for a term not exceeding 3 years.

---

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be communicated via:

• In-app notification to all active users
• Email notification to Tenant administrators
• Banner notice on the Deltern Hub web portal
• Updated "Last Updated" date at the top of this document

Where material changes affect the processing of sensitive personal data, we will seek fresh consent where required by law.

---

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:

Nelvyx Sdn. Bhd.

• Data Protection Officer: dpo@nelvyx.io
• General Support: support@nelvyx.io
• Website: https://deltern.com
• Address: Kuala Lumpur, Malaysia

For complaints that cannot be resolved directly with us, you may contact the Jabatan Perlindungan Data Peribadi (Department of Personal Data Protection) Malaysia at https://www.pdp.gov.my.