Personal Data Protection
PDPA Notice
Last updated: 3 July 2026
Issued by: IOT SOLUTIONS
Legal Note: This notice is provided for transparency and should be reviewed by a qualified legal adviser before commercial launch. This does not constitute formal legal compliance advice.
This PDPA Notice is prepared in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia. As the data controller / operator of Course Architect Workflow, IOT SOLUTIONS is committed to handling your personal data responsibly and transparently.
1. Data User
The data user is IOT SOLUTIONS, the developer and operator of Course Architect Workflow, an AI-powered learning design productivity tool.
2. Personal Data We Collect
- Full name
- Email address
- Mobile / WhatsApp number
- Role and job title
- Company or training provider name
- Country
- Main training area
- IP address (for consent logs and security)
- Browser / device metadata
- Usage data and generation history
- Feedback and support messages
- Images you upload to assessments (and an upload log: uploader, organisation, timestamp, IP)
3. Purposes of Collection
- To create and manage your user account
- To provide the Course Architect Workflow service
- To generate and save AI-assisted course materials on your behalf
- To manage usage limits and plan entitlements
- To improve the platform based on usage patterns
- To provide customer support
- To send transactional account messages (required for service delivery)
- To send marketing and promotional communications — only when explicit consent has been given
- To comply with applicable laws and regulations
4. Third-Party Service Providers and Subprocessors
To deliver our services, we use third-party service providers and subprocessors who may process personal data only where necessary for service delivery, security, hosting, authentication, database storage, AI generation, email delivery, analytics, support, billing or compliance. Current providers may include:
- Supabase — database and authentication infrastructure
- Vercel — application hosting and deployment
- AI service providers, including Google AI / Gemini API and other AI model providers that may be introduced for paid or premium features
- Email service providers — transactional and marketing communications, where applicable
- Payment providers — payment processing, where applicable in future paid plans
These providers are bound by their own privacy policies and data processing agreements. We only share data necessary for service delivery, and we may update this list from time to time when new providers are added or replaced.
4A. AI Processing and Model Providers
Course Architect Workflow uses AI service providers to generate course outlines, training proposals, assessments, lab exercises, trainer scripts, evaluation forms and other learning design materials based on the information provided by users.
When you use our AI generation features, the following information may be sent to our AI service providers for processing:
- course titles
- course descriptions
- training requirements
- target audience information
- user prompts and instructions
- generated draft outputs
- related usage metadata required for service delivery and troubleshooting
Currently, we use Google AI Studio / Gemini API for AI-assisted content generation. We may introduce additional AI model providers in the future for paid or premium features. Where this happens, we will update this notice or our list of third-party service providers accordingly.
Users should not enter unnecessary personal data, sensitive personal data, confidential client information, student records, financial data, medical data, identity documents, passwords, or proprietary information into the AI generation forms unless they have the proper authority and consent to do so.
AI-generated outputs are draft materials only. Users are responsible for reviewing, editing and verifying all generated content before using it for training, client submission, certification, grant, compliance or commercial purposes.
5. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the service. Consent logs are retained for compliance purposes. Images you upload are retained only while the related assessment exists and are deleted when that assessment is deleted (and may be purged after closure or a maximum period). Where uploaded images contain personal data of identifiable individuals, you are responsible for obtaining any required consent. You may request deletion of your data by contacting us.
6. Your Rights Under PDPA
Under the Personal Data Protection Act 2010, you have the right to:
- Access your personal data held by us
- Request correction of inaccurate personal data
- Request deletion of your personal data (subject to legal requirements)
- Withdraw consent for marketing communications at any time
- Lodge a complaint with the Department of Personal Data Protection (JPDP)
7. Marketing Communications
We only send marketing or promotional emails when you have given explicit consent during signup or account settings. You can withdraw marketing consent at any time by:
- Clicking the unsubscribe link in any marketing email
- Visiting /unsubscribe and entering your email
- Updating your preferences in Account Settings
- Contacting us directly
Withdrawing marketing consent will not affect your ability to use the service or receive transactional service emails.
8. Transactional vs Marketing Communications
We track these two types of communication separately:
Transactional: account access, usage limits, security notices, support responses, system updates. These are sent as part of service delivery.
Marketing: promotional offers, plan announcements, educational content campaigns. Only sent with your explicit consent.
9. Data Security
We use industry-standard security measures including encrypted data storage (Supabase), HTTPS, server-side API key management, and access controls. While we take reasonable precautions, no internet transmission is 100% secure.
10. Contact for Data Requests
To exercise your rights, request data access, correction, or deletion, or withdraw consent, please contact:
IOT SOLUTIONS Email: enquiry@iotsolutions.my
We will respond to data requests within 21 days as required under the PDPA.
Also see: Privacy Notice • Terms of Use