Privacy Policy

Tellus — ESG data & assurance platform, a product of Joshua Rayan Communications (“JRC”).

Version 2.0 · Effective 20 June 2026

🌐 Bahasa Malaysia: Baca Dasar Privasi dalam Bahasa Malaysia

This Privacy Policy explains how JRC collects, uses, discloses and protects personal data in connection with the Tellus platform (the “Platform”). It is written to align with the Malaysian Personal Data Protection Act 2010 (the “PDPA”, as amended) and, where the Platform is used by people in the European Union or European Economic Area or to monitor their behaviour, with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). By using the Platform you acknowledge the practices described here. Capitalised terms used but not defined here (such as Client, Controller, Processor and Commercial Agreement) have the meanings given in our Terms of Service and Data Processing Agreement. In this Policy, “personal data” includes “personal information” under the PDPA and “personal data” under the GDPR; “data user” (PDPA) and “controller” (GDPR) are used interchangeably, as are “data processor” (PDPA) and “processor” (GDPR).

1. Who we are — controller, processor and contacts

Joshua Rayan Communications (“JRC”) is the provider of the Platform. JRC is established in Malaysia and can be contacted at tom@jr.com.my. For matters within the scope of this Policy, JRC is the controller of account, usage and security data, and acts as processor for the ESG and operational data it handles on behalf of Client organisations (see below).

Data-protection contact / Data Protection Officer: JRC has appointed a data-protection contact who also performs the data-protection officer function for the Platform. You can reach this contact at tom@jr.com.my for any privacy question, to exercise your rights, or to raise a concern.
EU/EEA representative (GDPR Article 27): JRC is established in Malaysia, not in the EU/EEA, and does not offer the Platform to, or monitor the behaviour of, individuals located in the EU/EEA. On that basis we consider that Article 27 GDPR does not require JRC to designate an EU/EEA representative, and none is currently appointed. If a Client’s particular use brings the processing within the scope of the GDPR, please contact us at tom@jr.com.my and we will address the matter, including appointing a representative if and when one is required.

Where JRC acts as a processor for a Client’s ESG data, the Client organisation is the controller and you should direct controller-level requests to that organisation; JRC will support it as set out in the Data Processing Agreement.

2. Controller and processor roles

The Platform serves two kinds of data:

Account & usage data (the details of the people who log in and how they use the Platform): JRC is the data user / controller and is responsible for it under this Policy.
Your organisation’s ESG and operational data, including any personal data contained within it (for example, employee headcounts or health-and-safety figures): the Client organisation is the data user / controller and JRC acts as a data processor on the Client’s behalf, under the Data Processing Agreement.

3. Personal data we collect

Category	Examples	Purpose
Account data	Name, work email address, role, and the Client and entities you are assigned to	Authentication, access control, and maintaining the audit trail
ESG & operational data	Energy, emissions, water, waste, social and governance figures, and the supporting evidence files your organisation uploads	To provide the reporting and assurance service to your organisation
Usage & security data	Sign-in events, the record of who changed what and when, and session activity	Security, the in-app audit log, and prevention of misuse

The Platform is designed to process aggregated ESG figures (including aggregated health-and-safety statistics), not individual-level health data. Client organisations must not upload sensitive personal data (as defined in the PDPA) or special categories of personal data (GDPR Article 9 — such as data concerning health) without first obtaining the explicit consent or other lawful condition that the PDPA and the GDPR require. We do not use your ESG data to train artificial-intelligence models, and we do not sell personal data.

4. How we use personal data

We process personal data to: operate, secure and support the Platform; authenticate users and enforce role-based access; maintain the audit log required for assurance; communicate service and account information (such as invitations, password resets and deadline reminders); and comply with our legal obligations. We process ESG data only to provide the service to the Client organisation and on its documented instructions.

5. Lawful bases for processing

The PDPA is principally a consent-based regime, supplemented by the conditions in section 6(2) of the PDPA. The GDPR requires a lawful basis under Article 6 for each processing activity. The table below maps each purpose to its PDPA basis and its GDPR lawful basis.

Processing purpose	PDPA basis	GDPR lawful basis (Art. 6)
Creating and managing your account; authenticating you; enforcing role-based access; providing the Platform you were invited to use	Consent given on registration; and s.6(2) processing necessary for performance of the agreement between JRC and your organisation	Art. 6(1)(b) — performance of a contract (or steps prior to it); and, for account data of the Client’s personnel, Art. 6(1)(f) legitimate interests in providing a service to the Client that authorised your account
Service and account communications (invitations, password resets, deadline reminders)	Consent; and s.6(2) performance of the agreement	Art. 6(1)(b) — performance of a contract; Art. 6(1)(f) — legitimate interests in administering the service
Security, the append-only audit log, fraud and misuse prevention, and protecting the integrity of the reporting/assurance record	S.6(2) — processing necessary for JRC’s legitimate interests and for compliance with legal obligations; consent to the Platform’s operation	Art. 6(1)(f) — legitimate interests in securing the Platform and preserving an auditable record; Art. 6(1)(c) — compliance with a legal obligation, where applicable
Processing ESG & operational data on behalf of the Client	Client (as data user) is responsible for the lawful basis; JRC processes on instructions under the DPA	The Client controller relies on its own Art. 6 basis (typically Art. 6(1)(c) legal obligation or Art. 6(1)(f) legitimate interests); JRC processes as processor under Art. 28
Complying with legal, regulatory, tax and accounting obligations; establishing, exercising or defending legal claims	S.6(2) — compliance with a legal obligation; legitimate interests	Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests in defending claims

Where we rely on legitimate interests (Art. 6(1)(f)), we have balanced those interests against your rights and freedoms; you may object as described in section 11, and you may ask us for more detail about that balancing. Where we rely on consent, you may withdraw it at any time without affecting processing carried out before withdrawal; withdrawal may mean we can no longer provide the service to you.

6. Disclosure and sub-processors

We do not disclose personal data except to the service providers below (who act as our processors / sub-processors on our instructions and under written contract), to your own organisation in accordance with its access controls, or where required by law or to protect rights and safety. Our sub-processors are:

Provider	Role	Data location
Supabase / Amazon Web Services (AWS)	Database (PostgreSQL), authentication and evidence-file storage	Singapore (AWS ap-southeast-1)
Cloudflare	Application hosting and content delivery	Global edge network
Resend	Transactional email (invitations, password resets, reminders)	Tokyo, Japan

We will update this list and notify Client administrators before adding or changing a sub-processor that materially affects the processing. Each sub-processor is bound by data-protection terms consistent with the PDPA and, where applicable, GDPR Article 28.

7. International data transfers

The Platform’s primary data store is hosted in Singapore (AWS ap-southeast-1). In addition, limited personal data — account email addresses and the content of invitation, password-reset and reminder emails — is processed by our email provider in Japan, and our hosting/CDN provider operates a global network. This means personal data is transferred outside Malaysia and, for data in scope of the GDPR, outside the EU/EEA.

Under the PDPA: where personal data is transferred outside Malaysia, we transfer only where the data will receive protection consistent with the PDPA, relying on appropriate contractual safeguards with our sub-processors and on the conditions and the applicable Cross-Border Transfer Guideline.
Under the GDPR: for transfers of EU/EEA personal data to sub-processors in countries without an EU adequacy decision — our database and hosting (Singapore) and our email provider (whose sending infrastructure is in Japan; engaged as a non-EEA entity) — we rely on the European Commission’s Standard Contractual Clauses (SCCs) incorporated into our data-processing agreement with each sub-processor, together with supplementary technical and organisational measures (including encryption in transit) where appropriate. You may request a copy of the relevant transfer safeguards by contacting us at tom@jr.com.my.

8. Retention

We keep personal data only for as long as necessary for the purposes set out in this Policy:

ESG data and evidence: retained for as long as your organisation’s account is active, and thereafter in accordance with the Data Processing Agreement (return or deletion on termination, typically within 30 days of termination unless a longer period is required by law).
Account data: retained while your account is active and for a reasonable period afterwards to handle queries and disputes, then deleted or anonymised.
Audit-log entries: retained for the life of the account to preserve the integrity of the reporting and assurance record, after which they are deleted or anonymised in line with the DPA.
Email and security logs: retained for a limited period proportionate to security and troubleshooting needs.

Evidence files that are deleted in the Platform are removed from storage on a scheduled basis. Where we are required to keep certain records to meet a legal obligation, we retain them for the period the law requires and no longer.

9. Security

We apply technical and organisational measures appropriate to the data, including: encryption in transit; role-based access that is enforced on the server and scoped to each user’s assigned entities; an append-only audit log of changes; validation of uploaded evidence files (checking the true file type and rejecting files with macros or active content); and the ability to lock a reporting year so that assured figures cannot be changed. No system is perfectly secure, but we work to protect your data and to improve our controls over time.

10. Automated decision-making and profiling

JRC does not use the Platform to make decisions about you based solely on automated processing, including profiling, that produce legal or similarly significant effects within the meaning of Article 22 GDPR. The Platform performs calculations on the figures your organisation enters (for example, greenhouse-gas estimates using published emission factors) as a reporting aid; these are not automated decisions about individuals.

11. Your rights

Subject to the PDPA and, where it applies, the GDPR, you have the following rights in relation to your personal data:

Access — to obtain confirmation of whether we process your personal data and a copy of it;
Rectification / correction — to have inaccurate or incomplete data corrected;
Erasure (“right to be forgotten”) — to have your personal data deleted where one of the GDPR grounds applies (this is a GDPR right and may not be available where retention is required by law or to defend legal claims);
Restriction of processing — to ask us to limit how we process your data in defined circumstances;
Data portability — where technically feasible and your data is held in a structured, commonly used, machine-readable format and is processed by automated means on the basis of consent or contract, to receive it or have it transmitted to another controller / data user;
Objection — to object to processing based on legitimate interests (Art. 6(1)(f)), and to object at any time to processing for direct-marketing purposes;
Withdraw consent — where processing relies on your consent, to withdraw it at any time without affecting the lawfulness of processing before withdrawal;
Lodge a complaint — to complain to a supervisory authority, as described in section 13.

For ESG data we hold on behalf of a Client organisation, please direct your request to that organisation (the controller); JRC will assist it as set out in the Data Processing Agreement. For your account data, contact us using the details in section 14. We will respond within the time required by the applicable law — under the GDPR, normally within one month (extendable by two further months for complex requests, with notice). We do not charge for exercising your rights except where a request is manifestly unfounded or excessive, as the law permits.

12. Data-breach notification

For personal data for which JRC is the data user / controller (such as account and usage data):

Under the PDPA: if a personal-data breach occurs, JRC will notify the Personal Data Protection Commissioner of Malaysia as soon as practicable, and will notify affected individuals without unnecessary delay where the breach is likely to cause significant harm, in accordance with the PDPA and applicable guidelines.
Under the GDPR: JRC will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach that is likely to result in a risk to individuals’ rights and freedoms, and will inform affected individuals without undue delay where the breach is likely to result in a high risk to them.

For ESG data processed on behalf of a Client organisation, JRC will notify the Client controller without undue delay after becoming aware of a breach so that the controller can meet its own notification obligations; JRC’s breach obligations are set out in the Data Processing Agreement.

13. Complaints and supervisory authorities

If you have a concern about how your personal data is handled, please contact us first at tom@jr.com.my so we can try to resolve it. You also have the right to lodge a complaint with a supervisory authority:

Malaysia: the Personal Data Protection Commissioner (Jabatan Perlindungan Data Peribadi / Department of Personal Data Protection, Malaysia).
EU/EEA: the data-protection supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.

14. Cookies and local storage

The Platform uses browser storage that is strictly necessary to keep you signed in and to remember basic preferences (such as light/dark mode). It does not use advertising or third-party tracking cookies, so no separate cookie consent is required for these strictly necessary functions.

15. Children

The Platform is a business tool and is not directed at children. We do not knowingly collect personal data from children.

16. Contact

For privacy and data-protection matters — including to exercise your rights or raise a concern — contact JRC’s data-protection contact at tom@jr.com.my. We will respond within the time required by the applicable law.

17. Changes to this Policy

We may update this Policy from time to time. We will post the updated version here, change the version and effective date above, update the Bahasa Malaysia version, and notify Client administrators of material changes.