# CP4U Platform — Privacy Policy

**Version:** 1.1 (Effective and Published)
**Effective date:** June 2026
**Data controller:** EULA Management Services Sdn Bhd ("CP4U", "we", "us", "our")
**Jurisdictions covered:** Malaysia (PDPA 2010), Singapore (PDPA 2012)
**Last updated:** June 2026

---

## 1. About This Policy

This Privacy Policy explains how CP4U collects, uses, discloses, stores, and protects your Personal Data when you use the CP4U Platform (the "Platform") — including `www.sunriserecruit.com`, the Dollarize-branded Partner sub-domains, the CP4U Academy, Career Fairs, and any CP4U mobile applications.

It applies to all Users in all roles: Guests, Candidates, Employers, Partners, and Admin staff. Where a particular processing activity applies to only one role, we make that clear.

This Policy is part of the **CP4U Terms of Service**. When the two interact, the Terms govern the contractual relationship; this Policy governs the data protection relationship.

We take Personal Data protection seriously. Our handling of Personal Data is one of the foundations of trust on the Platform — for candidates who entrust us with their career data, for employers who entrust us with their hiring data, and for Partners who entrust us with their commercial relationships.

---

## 2. Key Definitions

- **"Personal Data"** — any information relating to an identified or identifiable individual. Includes name, contact details, identity documents, photos, employment history, application history, behavioural data on the Platform, IP address, device identifiers.
- **"Sensitive Personal Data"** — under PDPA Malaysia, includes data about physical or mental health, religious beliefs, political opinions, the commission of any offence, and similar. Under PDPA Singapore, the term is "personal data of a sensitive nature" and is treated with heightened protection. We use the broader interpretation throughout this Policy.
- **"Processing"** — any operation on Personal Data: collection, recording, storage, alteration, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
- **"Consent"** — your indication of agreement to processing, given freely, specifically, and unambiguously. Under PDPA Singapore, certain processing is permitted without express consent ("deemed consent", legitimate interests, public interest) — where we rely on these we say so.
- **"Data Subject"** — you, the individual to whom the Personal Data relates.
- **"Third Party"** — any person or organisation that is not you or CP4U.

---

## 3. Who Is the Data Controller

For the purposes of PDPA Malaysia (where we are a "data user") and PDPA Singapore (where we are an "organisation"):

**EULA Management Services Sdn Bhd**, the operator of the CP4U Platform, is the data controller / data user / responsible organisation for Personal Data processed on the Platform.

**Sunrise Recruit Sdn Bhd**, as a flagship operator on the Platform, is a separate data controller for its own client and candidate relationships that predate or sit outside the CP4U Platform. Where Sunrise Recruit operates within the Platform, EULA Management Services Sdn Bhd is the controller and Sunrise is a data processor on our behalf (under written agreement).

**Employers and Partners** become independent data controllers (data users / organisations) for Personal Data they receive via the Platform, **for their own recruitment purposes**. We tell them this is their responsibility, and the Terms of Service binds them to comply with PDPA in their independent processing.

**Our Data Protection Officer (DPO):** Office of the Managing Director / DPO
**Contact for privacy queries:** `sean@sunriserecruit.com`

---

## 4. What We Collect — By Role

We collect only what we need to operate the Platform. We follow the principle of minimum necessary collection.

### 4.1 Guests (unauthenticated visitors)

| Category | Specifics | How collected |
|---|---|---|
| Technical | IP address, device type, browser, operating system, language preference | Automatically on visit |
| Usage | Pages viewed, search terms used on public marketplace, referrer URL | Automatically on visit |
| Cookies | Session cookie (essential), analytics cookies (with consent), preference cookies (with consent) | See Section 12 |

We do not collect identity information from Guests.

### 4.2 Candidates

When you sign up and use the Platform as a Candidate:

| Category | Specifics |
|---|---|
| **Identity** | Name, email, phone, date of birth, country of residence |
| **Profile** | Photo (if you upload one), nationality, gender (optional), languages spoken |
| **Career** | Resume / CV, work history, education, skills, certifications, expected salary range, availability, preferred locations, target roles |
| **Behavioural** | Jobs viewed, jobs applied to, Career Fairs RSVP'd, courses enrolled in, Tokens earned and spent |
| **Communications** | Messages sent to Employers, Partners, and Admin via the Platform |
| **Ratings and feedback** | Ratings you give to Employers post-interview; ratings Employers give you post-interview |
| **Passport** | The aggregated career credential built from the above, including any employer-verified placements |
| **Technical** | IP, device, browser, login history |

**Strict Compliance Note on National Identifiers:** In accordance with the Singapore PDPC Advisory Guidelines on NRIC Numbers and Malaysia PDPA best practices, CP4U **does not** mandate the collection, processing, or storage of your core national identifiers (such as Singapore NRIC, FIN, or Malaysia MyKad numbers) at the initial registration or profile creation stage. The collection of such identifiers is strictly deferred to, and mandatory only upon: (a) a Candidate being successfully placed and entering the formal onboarding/contractual stage with an Employer, or (b) where identity verification is legally required to prevent systemic recruitment fraud.

Some of the information you voluntarily provide may be **Sensitive Personal Data**, including:
- Any health-related accommodation request you make.
- Information about religion (if relevant to certain roles, e.g., halal certification roles).
- Information about offences (only if specifically required and lawfully requested by an Employer for a regulated role).

### 4.3 Employers

When your business signs up:

| Category | Specifics |
|---|---|
| **Business identity** | Company name, SSM/ACRA registration number, registered address, industry, size, website |
| **Authorised individual** | Name, role, email, phone of the person signing up |
| **Team sub-accounts** | Same identity data as above, for each invited team member |
| **Hiring activity** | Jobs you post, candidates you tag/note/contact, hire decisions, time-to-fill data |
| **Communications** | Messages with candidates and Admin |
| **Verification documents** | Business registration certificate, authorising letter for the signup individual, additional documents we request where the role is regulated |

### 4.4 Partners

When you sign up as a Partner:

| Category | Specifics |
|---|---|
| **Identity (Individual Partners)** | Name, ID document copy (only if manually requested for onboarding), photo, address, tax registration number, bank account for payouts |
| **Identity (Agency Partners)** | SSM/ACRA registration, authorised signatory details, team member roster |
| **Professional** | Specialties, languages, prior experience, Academy progression, tier, ratings from candidates and Employers |
| **Activity** | Jobs you've referred candidates to, referrals you've submitted, clients you've brought in, commissions earned |
| **Public profile (under Dollarize)** | Bio, specialty tags, photo, languages, subdomain (at higher tiers) |
| **Communications** | Messages with candidates, Employers, and Admin |

### 4.5 Admin staff

We also process Personal Data about our own staff who use the Admin role. Their data is governed by our internal employment policies and contracts of employment, which incorporate this Policy for the Platform-related portions.

---

## 5. Why We Collect It — Lawful Bases and Purposes

We process Personal Data for these purposes:

### 5.1 To provide the Platform (contractual necessity / your consent)
- Create and manage your account.
- Match candidates to jobs.
- Display profiles to authorised parties (per your privacy settings).
- Process applications and referrals.
- Send platform notifications (status changes, messages, etc.).
- Generate AI outputs (JD extractions, ad copy, scores) at your request.
- Run Career Fairs & deliver Academy courses.
- Track and pay commissions.
- Provide customer support.

### 5.2 To verify identity and prevent fraud (legitimate interest / legal obligation)
- Detect and prevent fraud, multi-accounting, impersonation, fake job postings, fake candidate profiles.
- Maintain audit logs of privileged actions.
- Comply with anti-money-laundering and counter-terrorism-financing law where it applies.

### 5.3 To improve the Platform (legitimate interest)
- Analyse usage patterns to improve features.
- Test new features and changes.
- Refine matching and AI models on aggregated, de-identified data.

### 5.4 To communicate with you (consent / legitimate interest)
- Transactional emails (account confirmation, system receipts, status changes).
- Service announcements (security incidents, major changes).
- Marketing communications about CP4U features, Career Fairs, and Academy — only with your consent, with easy opt-out.

### 5.5 To comply with law (legal obligation)
- Respond to lawful requests from regulators, police, or courts.
- Maintain records as required by tax, accounting, employment, and recruitment-regulation law.
- Fulfil PDPA reporting obligations.
- Cooperate with audits.

### 5.6 To protect rights and safety (legitimate interest / public interest)
- Investigate violations of our Terms.
- Defend or assert legal claims.
- Protect users, the Platform, and the public from harm.

Where consent is the basis, we ask for it specifically. **Sensitive Personal Data** is processed only with explicit, separate consent, except where law specifically permits otherwise.

---

## 6. AI-Related Data Processing

AI is core to the Platform. We are transparent about how it interacts with your Personal Data.

### 6.1 What our AI does
- Extracts structured data from uploaded job descriptions and resumes.
- Generates ad copy for jobs (based on Employer-provided info, not candidate data).
- Scores candidate applications against job requirements (advisory, not decisive).
- Checks job postings for discriminatory or non-compliant language.

### 6.2 Whose AI
We use third-party AI providers — primarily **Anthropic Claude** and secondarily **Google Gemini** — via our proprietary AI proxy (`sr-proxy`) which sits between the Platform and the providers. Specifically:
- API keys are vaulted server-side. Browsers never receive them.
- Data sent to AI providers is limited to what is necessary for the specific feature.
- We do not use the AI providers' services in ways that would permit them to train their general models on your Personal Data (we configure provider settings to opt out of training where the provider offers this).
- AI provider servers are typically located outside Malaysia and Singapore.

### 6.3 Who decides
**Humans decide.** AI provides scores, suggestions, and pre-screens. Final hiring decisions, rejections, candidate shortlistings, and Partner approvals are made by Employer, Partner, or Admin humans. If you believe an AI-influenced decision has affected you unfairly, you can ask for a human review by writing to `sean@sunriserecruit.com`.

### 6.4 No automated decision with legal effect
We do not subject you to fully automated decision-making that produces legal effects or similarly significantly affects you, within the meaning of PDPA Singapore and analogous PDPA Malaysia guidance. AI is an aid, not an adjudicator.

---

## 7. Who We Share It With

### 7.1 With other users on the Platform
| Your data | Visible to | When |
|---|---|---|
| Candidate profile (full) | Employer where you applied; Partner who referred you | Always, once application/referral is made |
| Candidate profile (limited) | Partners and Employers searching the pool | Only if you set visibility to allow it |
| Candidate name (masked) | Other recruiters working the same role | Always, as a duplicate-submission signal |
| Candidate Passport | Whomever you choose to share with via your public share URL | Only when you share |
| Employer details | Candidates who apply; Partners assigned to the account | Always |
| Partner identity | Candidates they refer; Employers they bring; Admin | Always |
| Job details | Public (per published filters) | Once admin-approved |

### 7.2 With Sunrise Recruit Sdn Bhd
As the flagship operator on the Platform, Sunrise Recruit staff have access to client and candidate data corresponding to their operating role. This is processing on behalf of CP4U, under written agreement.

### 7.3 With service providers
We use vetted service providers to operate the Platform. Each one signs a data processing agreement.

| Provider category | Examples | What they process |
|---|---|---|
| Cloud infrastructure | Zeabur, Firebase (Google) | Hosting, database, file storage |
| AI inference | Anthropic, Google | AI feature processing |
| Email | Resend or Postmark | Transactional and consented marketing emails |
| Analytics | PostHog (self-hosted) | Anonymised behavioural analytics |
| Error monitoring | Sentry | Crash and error reports |

We disclose only the data each provider needs, and only for the purpose they serve.

### 7.4 With Employers and Partners
When you apply or are referred to a job, your data is shared with the Employer for that role and (if applicable) the Partner who referred you. The Employer and Partner become independent data controllers for that data. We impose on them, via the Terms of Service, an obligation to comply with PDPA in their own processing.

### 7.5 With law enforcement, authorities and successors
We may disclose Personal Data to authorities where required by law or necessary to investigate fraud, security threats, or safety. If we are acquired, merged, or restructured, Personal Data may transfer to the successor entity.

### 7.6 What we do not do
We do not sell your Personal Data. We do not allow advertisers to target you on the Platform. We do not share your data with other recruitment platforms as customer-acquisition leads.

---

## 8. How Long We Keep It

We retain Personal Data only as long as we need it.

| Data | Retention period |
|---|---|
| Active account data | While your account is active, plus 90 days after closure |
| Application history | 5 years from application date (audit, dispute resolution) |
| Placement records | 7 years from placement date (tax, legal, employer warranty) |
| Audit logs | 7 years from event date |
| Manual verification docs | 5 years from verification (or as required by AML law) |
| Commission records | 7 years (tax law in MY and SG requires at least this) |
| Marketing consent | Until you withdraw, plus 6 months |

After the retention period, we delete the data or render it irreversibly anonymous.

---

## 9. Where We Keep It — Cross-Border Transfers

The Platform's primary data residency is **Malaysia**. Firestore data is stored in the asia-southeast1 (Singapore) region; backups replicate within the same Google-defined Asia region.

Some processors (like AI and Email providers) are located outside MY/SG. PDPA Malaysia (Section 129) and PDPA Singapore (Section 26) restrict cross-border transfers. We comply by:
1. Transferring only where the recipient is in a jurisdiction with comparable protection, OR has signed standard contractual clauses with us, OR you have given your explicit consent.
2. Making it clear in the relevant consent flow where we rely on consent.

---

## 10. Your Rights and How to Exercise Them

As a Data Subject under Malaysia PDPA 2010 and Singapore PDPA 2012, you possess distinct statutory rights. CP4U is committed to honouring these rights via explicit requests to our Data Protection Officer at `sean@sunriserecruit.com`:

- **Right to Access & Correction:** You have the right to request a copy of your Personal Data held by the Platform and to rectify any inaccuracies.
- **Right to Withdrawal of Consent:** You may withdraw your consent for any specific processing activity (e.g., opting out of marketing communications) at any time.
- **Right to Data Deletion (Account Closure):** Upon requesting account closure, your Active Account Data will be queued for deletion within ninety (90) days across all active databases, subject to the legal retention schedules specified in Section 8.
- **Right to Data Portability (Malaysia Only):** Subject to the technical capabilities of the Platform and prevailing regulatory updates, you may request the transfer of your structured profile data.

**Statutory Response Timelines:** We will acknowledge and respond to all verifiable data subject requests within **twenty-one (21) days** for requests under Malaysian jurisdiction, and within **thirty (30) days** for requests under Singaporean jurisdiction.

---

## 11. Security and Mandatory Data Breach Notification

We implement robust administrative, technical, and physical safeguards (including encryption at rest and in transit) to secure your data against unauthorised access or alteration.

In the highly unlikely event of a data security incident:
1. **To Regulators:** If a data breach is assessed to pose a risk of significant harm to individuals or involves large-scale personal data, CP4U will notify the Personal Data Protection Commission (PDPC) of Singapore and/or the Personal Data Protection Department (PDPD) of Malaysia within **72 hours** of confirming the breach.
2. **To Affected Users:** Where required under applicable laws, we will notify affected Data Subjects directly via their registered email addresses without undue delay, providing actionable steps to mitigate potential harm.

---

## 12. Cookies and Tracking Technologies

When you visit the Platform, we use only the minimum necessary tracking technologies:
- **Essential Cookies:** Necessary for the Platform to function (e.g., keeping you logged in securely). Cannot be switched off.
- **Analytics (e.g., PostHog):** We self-host analytics to understand aggregated user flows. This data is anonymised and we do not use third-party advertising trackers (like Meta Pixel or Google Ads) to monitor your activity.
- **Your Choices:** You can instruct your browser to refuse all non-essential cookies. However, restricting essential cookies may limit your ability to use certain features of the Platform.

---
*End of Policy*
