Last Updated: 11.June.2026
Effective Date: 11.June.2026
This Privacy Policy is drafted in compliance with Malaysia’s Personal Data Protection Act, 2010 (PDPA) as amended by the Personal Data Protection (Amendment) Act, 2024 which came into force in three stages on 1st January 2025, 1st April 2025, and 1st June 2025 . This document governs how “ Thrico by PulsePlay Digital Private Limited ” collects, processes, stores, discloses and protects the personal data of users based in Malaysia.
1. INTRODUCTION AND SCOPE
This is a modern, gamified social media community management Software-as-a-Service (SaaS) platform developed and operate by PulsePlay Digital Private Limited (“Thrico”, “we”, “us”, or “our”). Thrico enables organizations of any size to build branded, private social community spaces where members can interact, engage, transact, and earn rewards.
This Privacy Policy applies to all personal data collected from users located in Malaysia (“you” or “your”) who access or use the Thrico platform, mobile applications (IOS and Android) and any associated services (collectively, the Platform).
This Policy is established pursuant to the Personal Data Protection Act, 2010 (Act 709) (PDPA) as amended by the Personal Data Protection (Amendment) Act, 2024 and any subsidiary legislation, regulations, codes of practice, and guidelines issued thereunder.
By registering for, accessing, or using the Platform you acknowledge that you have read, understood, and consented to the collection, processing, and use of your personal data as described in this Policy.
2. IDENTITY OF THE DATA CONTROLLER
(a) For the purposes of the PDPA (as amended), Thrico acts as a Data Controller in respect of personal data collected from Malaysian users directly through the Platform.
Where Thrico provides its Platform to Brand Admins (organization that configure and manage Controllers in respect of their own member data. In such cases, Thrico may act as a Data Processor on their behalf.
| Company Name | PulsePlay Digital Private Limited |
| Platform Name | Thrico (https://thrico.com/) |
| Registered Address | Pune, India (with operational presence in Dubai, Dharamshala, and New Jersey) |
| Data Protection Officer | thrico.dpo@pulseplaydigital.com |
3. PERSONAL DATA WE COLLECT
We collect personal data that is necessary for providing, operating and improving the Platform. “ Personal Data ” has the meaning ascribed to it under the
PDPA, which includes any information that directly or indirectly identifies a living individual.
(a) Data you Provide Directly
(i) Registration and Account Information: full name, email address, mobile number, date of birth, gender, profile photograph, username, and password
(ii) Profile and Community Data: educational background, professional details, employment history, bio, interest, skills, and any other information you voluntarily add to your profile.
(iii) User-Generated Content: posts, comments, photos, videos (moments), stories, replies, poll responses, survey answers, and discussion forum contributions.
(iv) Communications: messages sent via the in-platform chat feature, correspondence with Thrico support, or feedback submitted through the Platform.
(v) Transaction and Shop activity: purchase records, payment information (processes through third-party payment gateways), reward redemptions, and order history.
(vi) Job and Mentorship Applications: CVs, cover letter, references, and related professional information submitted through the Jobs or Mentorship modules.
(vii) Event Registration: attendance records, registrations, and participation details.
(b) Data Collected Automatically
(i) Device and Technical Data: IP Address, device type and model, operating system, browser type and version, unique device identifiers.
(ii) Usage and Log Data: pages visited, features accessed, time and duration of access, search queries, click through data, and session information.
(iii) Location Data: approximate geographic location derived from IP address, precise location is only accessed with your explicit consent
(iv) Cookies and Tracking Technologies:first-party and third-party cookies, web beacons, pixel tags, and similar technologies as described in our Cookies Policy (Section 14).
(v) Gamification and Engagement Data:points earned and redeemed, badges awarded, leaderboard rankings, and engagement metrics.
(c) Senstive Personal Data
(i) The PDPA, as amended in 2024, designates certain categories as “Sensitive Personal Data” requiring express consent before processing. These include:
(a) Physical or mental health or condition
(b) Biometric data (added under the 2024 Amendment Act )
(c) Political opinions
(d) Religious beliefs or similar beliefs
(e) The commission or alleged commission of an offence
(f) Other personal data as may be prescribed
(ii) Thrico does not intentionally collect sensitive personal data unless strictly required for a specific service feature and with your explicit consent. If any such data is voluntarily provided by you (e.g., in a community forum), you consent to its processing for the purposes outlined herein.
4. PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA
We process your personal data only for lawful purposes directly related to our functions and activities as a community management platform operator. The following are the stated purposes as required under
Section 7 of the PDPA.
(a) Primary Purposes
(i) To create, verify and manage your account on the Platform.
(ii) To provide access to all features and modules of the Platform including feeds, communities, chats, events jobs, rewards, gamification, mentorship, listing, and marketplace
(iii) To facilitate communication between users, and between users and organizations, within the Platform
(iv) To administer rewards, points, badges, leaderboards, and gamification elements
(v) To process purchases, transactions, and reward redemption through the Shop module.
(vi) To enable Brand Admin to manage their community, moderate content, and access analytics.
(vii) To send you service-related notifications, alerts, and platform updates.
(b) SECONDARY PURPOSES (Ancillary Activities)
(i) To improve, personalize, and customize your experience on the Platform.
(ii) To conduct research, data analytics, and product development to enhance Platform features.
(iii) To detect, prevent, and respond to fraud, abuse, security incidents, and policy violations.
(iv) To comply with applicable legal obligations, including but not limited to the PDPA communications and Multimedia Act, 1998, and any, order direction or request from a competent authority.
(v) To enforce our Terms of Service, Community Guidelines, and other platform policies.
(vi) To send you promotional and marketing communications where you have consented to receive such communications.
(vii) To facilitate the Campus Ambassador Programme and any other Thrico programmes you voluntarily join.
5. LAWFUL BASIS FOR PROCESSING
(a) Under the PDPA, Thrico processes your personal data on the following lawful bases:
(i) Consent : Where you have given your express informed, and voluntary consent to processing for a specified purpose, including consent for marketing communications and sensitive personal data processing.
(ii) Contract: Where processing is necessary to fulfill a contract with you (e.g., providing the Platform services upon registration) or to take steps at your request prior entering a contract.
(iii) Legal Obligation : Where processing is required to comply with a legal obligation to which Thrico is subject under Malaysian or applicable international law.
(iv) Legitimate Interest : Where processing is necessary for the legitimate interests pursued by Thrico or a third party, provided such interest are not overridden by your data protection rights and interests. Examples include fraud prevention, security monitoring and product improvement.
(v) Vital Interests: In exceptional circumstances, where processing is necessary to protect your vital interests or those of another person.
You may withdraw your consent at any time contacting us at thrico.dpo@pulseplaydigital.com. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal, but may impact your ability to use certain features of the Platform.
6. DISCLOSURE OF PERSONAL DATA
(a) WITHIN THRICO Your personal data may be shared internally within PulsePlay Digital among teams responsible for operating, developing, securing, and improving the Platform on a need-to-now basis.
(b) BRAND ADMINS If you access, the Platform through a community managed by a Brand Admin (an organization using Thrico’s white-label infrastructure) that Brand Admin may access your profile data, engagement data, and community activity within their branded community space. Each Brand Admin is contractually required to handle your data in compliance with the PDPA and Thrico’s data processing agreement.
(c)THIRD-PARTY SERVICE PROVIDERS (DATA PROCESSORS) We engage trusted third-party service providers who processes data on our behalf under data processing agreement. These include:
(i) Cloud hosting and infrastructure providers
(ii) Payment processing gateways
(iii) Analytics and business intelligence platforms
(iv) Email and push notifications service providers
(v) Customer support and help desk platforms
(vi) Cybersecurity and fraud prevention providersAll third-party processors are required to maintain appropriate security standards and process data only in accordance with our instructions.
(d) Legal and Regulatory Disclosures We may disclose your personal data where required by law, court order, or a direction from the Personal Data Protection Commissioner or any other competent authority in Malaysia (including but not limited to the Royal Malaysia Police, the Malaysian Communication and Multimedia Commission, or any court competent jurisdiction)
(e) Business Transfers In the event of a merger, acquisition, restructuring, or sale of all substantially all of our assets, your personal data may be transferred as party of that transaction. You will be notified via a prominent notice on the Platform or by Email prior to such transfer and your rights under this Policy will continue to apply.
(f) No Sale of Personal Data Thrico does not sell, rent or trade your personal data to third parties for their own marketing or commercial purposes.
7. CROSS-BORDER TRANSFER OF PERSONAL DATA
(a) As Thrico is operated by PulsePlay Digital with infrastructure in multiple jurisdictions (including India, the UAE, and USA), your personal data may be transferred to, stored in, or processed in countries outside Malaysia.
Such transfers are conducted in accordance with Section 129 of the PDPA and the cross-border transfer requirements introduced under the 2024 Amendment Act. We ensure that any cross-border transfer is:
(i) Made only to countries or territories approved by the Minister of Digital as providing adequate protection, or
(ii) Subject to data transfer agreements or standard contractual clauses that impose obligations on the recipient equivalent to those under the PDPA , or
(iii) Otherwise complaint with applicable regulations or any Transfer Impact Assessment (TIA) as may be required.
8. RETENTION OF PERSONAL DATA
We retain your personal data only for as long as necessary to fulfill purposes for which it was collected, or as required by law, whichever is longer. Our general retention period are:
| Category of Data | Retention Period |
| Account and Registration Data | Duration of account activity +3 years after account deletion |
| User-Generated Content | Duration of account activity; deleted upon account closure unless retained for legal purposes |
| Transaction Records | 7 years (as required by Malaysian Financial and Tax Regulations) |
| Communications/Support Records | 3 years from last interaction |
| Log and Usage Data | 12 Months (rolling) |
| Marketing Consent Records | Until consent is withdrawn, plus 3 years |
| Gamification and Rewards Data | Duration of account activity +2 years |
At the end of the applicable retention period, we will securely delete or anonymize your personal data so that it can no longer be linked to you.
9. YOUR RIGHTS AS A DATA SUBJECT
Under the PDPA (as amended), you have the following rights in respect of your personal data processed by Thrico. You may exercise any of these rights by contacting us at thrico.dpo@pulseplaydigital.com We will respond to your request within 21 days of receipt.
(a) Right of Access (Section 30, PDPA) You have the right to request access to your personal data held by us and to be informed of the purpose for which it is being processed.
(b) Right of Correction (Section 34, PDPA) You have the right to request that we correct any inaccurate, incomplete, misleading, or outdated personal data we hold about.
(c)Right to withdraw consent (Section 38, PDPA) Where processing is based on your consent, you have the right to withdraw your consent at any time. We will cease processing within a reasonable time of receipt of your withdrawal. Withdrawal does not affect the lawfulness of prior processing.
(d) Right to Limit Processing (Section 43, PDPA) You have the right to request that we limit the processing of your personal data (for example, to storage only) in certain circumstances, such as where you contest the accuracy of the data.
(e) Right to Data Portability (Section 38A, PDPA as amended 2024) You have the right to request that we transmit your personal data to another data controller in a structured, commonly used, and machine-readable format, where technically feasible and where prescribed by regulations issued by the Minister of Digital.
(f) Right to Lodge a Complaint If you are not satisfied with our handling of personal data or our response to any request you have the right to lodge a complaint with the Personal Data Protection Department of Malaysia:
(i) Website: www.pdp.gov.my
(ii) Email: pdpd@kkm.gov.my
(ii) Address: Jabatan Perlidungan Data Peribadi Aras 3, Blok D, Kompleks D, Pusat Pentadbiran Kerajaan Persekutuan, 62546 Putrajaya, Malaysia.
10. SECURITY OF PERSONAL DATA
Thrico is committed to the Security Principle under Section 9 of the PDPA and has implemented appropriate technical, organizational, and administrative safeguards to protect your personal data from:
(a) Unauthorized access, acquisition, use or disclosure
(b) Loss, Destruction or damage
(c) Modification or alteration without authorization Our Security measures include, but are not limited to:
(d) End-to-end encryption of data in transit using TLS/HTTPS protocols.
(e) Encryption of sensitive data at rest.
(f) Role-based Access Controls (RBAC) and Multi-Factor Authentication (MFA) for administrative accounts.
(g) Regular security audits, vulnerability assessments, and penetration testing.
(h) Strict data access policies and employee training on data protection.
(i) Contractual security obligations imposed on all third-party standard certifications.
Notwithstanding the above, no method of transmission over the interment or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
11. DATA BREACH NOTIFICATION
In accordance with mandatory data breach notification requirements introduced by the Personal Data Protection (Amendment) Act, 2024 (Section 6 of the Amendment Act), Thrico will:
(a) Notify the Personal Data Protection Officer (PDPC) as soon as practicable upon becoming aware of a personal data breach that has caused, or is to cause, significant harm to affected data subjects.
(b) Notify affected Malaysian data subjects of a breach where such breach is likely to result in significant harm (including identity theft, financial loss, physical harm, significant humiliation, or significant harm damage to reputation).
(c) Provide notification in a prescribed form and manner as directed by the Commissioner’s guidelines.
(d) Maintain a data breach register and conduct root-cause analysis and remediation following any confirmed breach.
If you believe your personal data has been compromised through Thrico, you should contact us immediately at
thrico.dpo@pulseplaydigital.com
12. DATA PROTECTION OFFICER (DPO)
(a) In compliance with Section 12A of the PDPA (as amended), Thrico has appointed a Data Protection Officer (DPO) who is accountable for ensuring our compliance with PDPA and this Policy. The DPO is registered with the Personal Data Protection Commissioner.
The DPO’s responsibilities include:
(i) Monitoring compliance with PDPA and Thrico’s data protection policies
(ii) Advising on Data Protection Impact Assessments (DPIA’s) for high-risk processing activities.
(iii) Acting as the primary point of contact for data subjects exercising their rights
(iv) Acting as the contact point for the Personal Data Protection Commissioner
(v) Training and awareness programmes for Thrico employees
You may contact our DPO directly at thrico.dpo@pulseplaydigital.com
13. CHILDREN’s PRIVACY
(a) The Thrico Platform, including Thrico social (a freemium community brand on the Platform) is not directed at individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age without parental consent.
(b) The Thrico campus Ambassador Programme is open only to students aged 18 years and above, consistent with the eligibility criteria publicly stated by Thrico.
(c) If you are a parent or guardian and believe your child (under 18) has provided personal data to Thrico without your consent, please contact us at
thrico.dpo@pulseplaydigital.com and we will take prompt steps to delete such data.
14. COOKIES AND TRACKING TECHNOLOGIES
Thrico uses cookies and similar tracking technologies to operate and improve the Platform. A “ cookie ” is a small text file placed on your device when you access the Platform.
(a) Types of Cookies We Use
(i) Strictly Necessary Cookies: Required for the Platform to function properly. These cannot be disabled. Examples include authentication tokens and session identifiers.
(ii) Functional Cookies: Enable personalized features such as remembering your preferences, languages settings, and community preferences.
(iii) Analytics Cookies: Help us understand how users interact with the Platform, allowing us to improve performance an user experience. Data collected is aggregated and anonymized where possible
(iv) Marketing and tracking cookies: Used to deliver relevant advertisements and measure campaign effectiveness. These are only enabled with your explicit consent.
(b) Managing Cookies : You can manage, disable, or delete cookies through your device or browser settings. You may also opt out of marketing cookies via the Platform’s Privacy Settings. Please note that disabling certain cookies may affect the functionality of the Platform.
15. THIRD-PARTY LINKS AND INTERGRATIONS
(a) The Platform may contain links to third-party websites, services, or application. Thrico is not responsible for the privacy policies of such third parties. We encourage you to review the privacy policies of any third-party services you access through Platform.
Where Thrico integrates with third-party services (e.g., social login Via Google or LinkedIn), the information shared with such third parties is governed by their respective privacy policies and your settings with those providers.
16. DIRECT MARKETING AND PROMOTIONAL COMMUNCIATIONS
(a) We will only send you promotional communications (including newsletters, product updates, offers, and event invitations) where you have provided explicit, opt-in consent to receive such communications
You have the right to opt-out of receiving marketing communication at any time by:
(i) Clicking the “ Unsubscribe ” link in any marketing email you receive from us
(ii) Adjusting your notification preferences in the Platform’s account settings
(iii) Contacting us at thrico.dpo@pulseplaydigital.com
Please allow us 25 business days for your opt-out to take effect. Note that even after opting out of marketing communications, you will continue to receive essential service-related communications from us.
17. COMPLIANCE WITH SEVEN PRINCIPLES OF THE PDPA
Thrico is committed to upholding all seven data protection principles as prescribed under the PDPA:
| PRINCIPLE | HOW THRICO APPLIES IT |
| General Principle | Personal Data is processed only for lawful purposes and in a manner consistent with this Policy |
| Notice & Choice Principle | You are informed of the purposes of data processing and given the choice to opt out of non-essential processing |
| Disclosure Principle | Personal Data is not disclosed without consent except as permitted by the PDPA. |
| Security Principle | Technical and organizational measures protect personal data against loss, misuse, and unauthorized access. |
| Retention Principle | Personal data is retained only as long as necessary for the stated purposes or as required by law. |
| Data Integrity Principle | We take reasonable steps to ensure personal is accurate, complete, and up to date |
| Access Principle | You have the right to access and correct your personal data as described in Section 9 of this Policy |
18. CHANGES TO THIS PRIACY POLICY
(a) Thrico reserves the right to update or amen this Policy at any time to reflect changes in law, regulatory guidance, our data processing practices. We will notify you of material changes by:
(i) Posting the revised Policy on our website at https://thrico.com/ with an updated effective date.
(ii) Sending an in-app notification or email to registered users at least 14 days before major changes take effect.
Your continued use of the Platform after the effective date of any amendment constitutes your acceptance of the revised Policy. If you do not agree to the changes, you should discontinue use of the Platform and may request deletion of your account.
19. GOVERNING LAW AND JURISDICTION
This Policy and all matters relating to the Processing of personal data of Malaysian users shall be governed by and construed in accordance with the laws of Malaysia, including but not limited to:
(i) Personal Data Protection Act, 2010 (as amended)
(ii) Personal Data Protection (Amendment) Act, 2024
(iii) Communication and Multimedia Act 1998 (Act 588)
(iv) Computer Crimes Act, 1997 (Act 563)
(v) Electronic Commerce Act, 2006 (Act 658)
(vi) Any subsidiary regulations, guidelines, and codes of practice issued under the PDPA.
Any disputed arising out of or in connection this Policy shall be subject to the exclusive jurisdiction of the courts of Malaysia.
20. HOW TO CONTACT US
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us through any of the following channels:
| Data Protection Officer | thrico.dpo@pulseplaydigital.com |
| Platform Website | https://thrico.com/ |