Privacy Policy

How we handle your data.

Last updated: 7 May 2026

1. Who we are

Opstara Tech is a clinic operating system for dental, aesthetic, and dermatology practices in Malaysia, Singapore, and Hong Kong. This policy describes how we collect, use, and protect personal data when you visit opstaratech.com or use the Opstara Tech platform.

Opstara Tech is operated by Opstara Tech Sdn Bhd. For data-protection enquiries, contact privacy@opstaratech.com.

2. Statutes we comply with

Opstara Tech processes personal data in three jurisdictions and complies with each applicable statute:

  • Malaysia — Personal Data Protection Act 2010 (PDPA), enforced by the Department of Personal Data Protection (JPDP).
  • Singapore — Personal Data Protection Act 2012 (PDPA), enforced by the Personal Data Protection Commission (PDPC).
  • Hong Kong — Personal Data (Privacy) Ordinance, Cap. 486 (PDPO), enforced by the Office of the Privacy Commissioner for Personal Data (PCPD).

Where these regimes differ, we apply the standard most favourable to the data subject.

3. Controller and processor framing

For visitors to our marketing pages and prospective merchants, Opstara Tech is the data controller of personal data we collect (your name, email, IP, browsing telemetry). The statutes use different labels for this role ("data user" under the MY PDPA and HK PDPO, "organisation" under the SG PDPA); we use "controller" and "processor" throughout this policy for readability.

For data inside the Opstara Tech platform — patients, treatment plans, dental odontograms, clinical photos, appointment records — the merchant clinic is the data controller and Opstara Tech acts as the data processor on the clinic's behalf. The clinic is responsible for obtaining patient consent for collection, processing, and any onward sharing. Opstara Tech processes only on the clinic's documented instructions.

4. What we collect

Marketing site (opstaratech.com)

  • Email address (if you submit a form or sign up)
  • IP address and the country-level location derived from it (Vercel edge geolocation, used to display the right currency)
  • Browser, device, and referrer information
  • Cookies for session and preference state

Opstara Tech platform (post-signup)

  • Merchant identity: business name, address, phone, registration number, billing currency
  • Staff user accounts: name, email, role, login timestamps
  • Patient records (entered by clinic staff): name, contact details, date of birth, identifiers (e.g. NRIC / FIN / HKID — at the clinic's discretion), clinical notes, treatment plans, dental odontograms, clinical photos, billing records
  • Booking activity, appointment history, no-show events, payment events
  • Subscription billing data: payment method on file (tokenised via Stripe — we never see raw card numbers)

Stripe (separately)

Payments are processed by Stripe in two distinct flows: (a) Stripe Connect — patients paying clinics, where the clinic is the merchant of record; and (b) Stripe Billing — Opstara Tech charging the clinic for the subscription. Stripe is the controller for cardholder data and operates under its own privacy notices at stripe.com/privacy.

5. How we use your data

  • To provide the Opstara Tech platform and process clinic operations on the clinic's behalf
  • To bill the clinic for the subscription (via Stripe Billing)
  • To send service-related notifications (booking confirmations, billing receipts, security alerts)
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations (tax, audit, data-protection authorities)
  • To improve the platform — aggregated, anonymised analytics only

We do not sell personal data, share it with advertisers, or use clinical data to train third-party AI models.

6. Sharing and sub-processors

We share data only with the following sub-processors, each under contract:

  • Stripe — payments (Connect + Billing)
  • Twilio / WhatsApp Business API — SMS and WhatsApp message delivery
  • SendGrid — transactional email delivery
  • Vercel — application hosting and edge delivery
  • Neon — managed Postgres database
  • Google Cloud Vertex AI — analytics digest generation (clinic-aggregate KPIs and operational metadata for performance attribution; the merchant name is hashed before sending; no patient identifiers leave the platform; prompts are excluded from model training under the Google Cloud DPA)

We may disclose data when required by law, court order, or a valid request from a competent data-protection authority (JPDP, PDPC, PCPD).

7. Cross-border data transfer

Personal data may be processed in countries other than the data subject's home jurisdiction (for example, Vercel edge nodes are global). Where transfers occur outside Malaysia / Singapore / Hong Kong, we apply contractual safeguards equivalent to the standard required by the originating jurisdiction.

8. Retention

We retain personal data for the duration of the merchant's subscription plus the periods required by applicable law:

  • Clinical records (patient charts, treatment plans, odontograms): seven (7) years after last clinical activity, aligned with MMC, SDC, MDC, MCHK and equivalent professional-board guidance for medical record retention
  • Billing and tax records: seven (7) years
  • Marketing-site logs: twelve (12) months
  • Account data after subscription cancellation: thirty (30) days grace period for export, then deletion (subject to longer retention where law requires)

9. Your rights

Under MY PDPA, SG PDPA, and HK PDPO you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Withdraw consent (where consent is the lawful basis)
  • Request deletion (subject to legal retention obligations)
  • Object to direct marketing
  • Lodge a complaint with the relevant authority (JPDP, PDPC, or PCPD)

Clinical data is controlled by the clinic, not by Opstara Tech, so access and correction requests for patient records should be addressed to the clinic. Opstara Tech will assist clinics in fulfilling such requests within the statutory timelines: 40 days under the HK PDPO, 21 days under the MY PDPA, and, under the SG PDPA, as soon as reasonably possible, with the requester to be told when the data will be provided if that is not within 30 days.

10. Security

We protect personal data through encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, role-based access control, audit logging of administrative actions, and tokenised handling of payment data via Stripe (we never see raw card numbers). We do not currently hold ISO 27001 certification and will not claim it until we have been audited.

11. Cookies

We use a small set of first-party cookies for session state and pricing-region detection. We do not run third-party advertising or cross-site tracking cookies on the marketing site.

12. Changes to this policy

We will update this policy as our processing changes. Material changes are notified to active merchants by email at least thirty (30) days before they take effect. The version shown above (Last updated date) is the current binding version.

13. Contact

Questions or data-rights requests: privacy@opstaratech.com.

Statutory complaint authorities: JPDP (Malaysia), PDPC (Singapore), PCPD (Hong Kong).