← Back to home

Privacy Notice

Last updated: July 2026

This Privacy Notice explains how Clavis ("we", "us", "our") handles personal data in connection with Stasis. It is written to reflect the Personal Data Protection Act 2010 of Malaysia (as amended), including its seven Personal Data Protection Principles.

1. Who we are & how to contact us

Clavis operates Stasis. For any privacy question, or to exercise your rights, contact our data-protection contact at [email protected].

2. The two roles we play

Stasis handles personal data in two distinct roles:

  • As a data controller — for the account and contact data of the people who sign up, subscribe and administer a workspace (for example an owner's name, email and billing details). We decide how this data is used.
  • As a data processor — for the personal data our customers put into their workspace about their own staff (names, work emails, roles, schedules, leave, task notes and related work data). The customer is the controller of that data; we process it on the customer's behalf and on their instructions. Our commitments as processor are set out in our Data Processing Addendum.

3. What we collect

  • Account & contact data — name, email, company name, role, and login credentials (passwords are stored only as salted hashes by our authentication provider).
  • Billing data — subscription plan and seat counts; card details are handled by our payment processor and are not stored on our servers.
  • Customer workspace data — the staff and work data a customer enters (see the processor role above).
  • Usage & technical data — logs, device and browser information, and security events needed to run and protect the service.

4. Why we use it (purposes)

  • to provide, operate, secure and support the service;
  • to authenticate users and manage accounts and subscriptions;
  • to send transactional messages such as notifications, digests and service emails;
  • to bill for the service and comply with financial and legal obligations;
  • to detect, prevent and respond to fraud, abuse and security incidents;
  • to improve reliability and develop the service, using aggregated or de-identified data where possible.

5. Consent & the seven PDPA principles

We process personal data in line with the seven principles of the PDPA:

  • General Principle — we process personal data only with consent or as otherwise permitted by law, and only for lawful purposes connected to our activities.
  • Notice & Choice Principle — this Notice tells you what we collect, why, and your choices; where we rely on consent you may withdraw it.
  • Disclosure Principle — we disclose personal data only for the purposes described here, or with consent, or as required by law.
  • Security Principle — we take practical steps to protect personal data against loss, misuse, unauthorised access, alteration or destruction (see Security below).
  • Retention Principle — we keep personal data only for as long as needed for the purposes above, then delete or anonymise it.
  • Data Integrity Principle — we take reasonable steps to keep personal data accurate, complete and up to date; you can help by keeping your details current.
  • Access Principle — you may request access to, and correction of, your personal data (see Your rights below).

6. Disclosure & sub-processors

We do not sell personal data. We share it only with service providers ("sub-processors") who help us run the service, under contracts that require them to protect it and use it only on our instructions, and with authorities where required by law. Our current sub-processors are:

Sub-processorPurposeLocation
SupabaseDatabase & authenticationSingapore
CloudflareHosting, CDN & file storageGlobal (incl. Singapore)
ResendTransactional emailUnited States
StripePayment processingGlobal

7. Cross-border transfer

Stasis is hosted primarily in Singapore, and some sub-processors operate globally, so personal data may be processed outside Malaysia. Where personal data is transferred abroad we rely on contractual safeguards with our sub-processors that are equivalent to recognised standards such as the EU Standard Contractual Clauses and the ASEAN Model Contractual Clauses, so that the data continues to be protected to a comparable standard.

8. Retention

We keep account and workspace data for as long as your account is active. After an account is closed we retain data for a reasonable wind-down and back-up period and then delete or anonymise it, except where a longer period is required by law (for example tax and accounting records). Customers can export or request deletion of their workspace data as described in our DPA.

9. Security

We apply organisational and technical measures appropriate to the risk, including encryption of data in transit, tenant isolation enforced at the database row level, access controls and least-privilege access, encrypted end-to-end push notifications, and logging of security-relevant events. No system is perfectly secure, but we work to reduce risk and to respond quickly to incidents.

10. Your rights

Subject to the PDPA, you may:

  • access the personal data we hold about you;
  • correct data that is inaccurate, incomplete or out of date;
  • withdraw consent to processing where we rely on consent (this may limit our ability to provide the service);
  • obtain a portable copy of your data in a commonly-used machine-readable format (data portability).

To exercise any of these, email [email protected]. If your personal data sits inside a customer's workspace (where we are the processor), we will refer your request to that customer as the controller and assist them in responding.

11. Data-breach handling

We maintain procedures to detect, assess and respond to personal-data breaches. Where a breach is likely to cause significant harm, we will notify the relevant authority and affected individuals or, where we act as processor, the affected customer, without undue delay and in line with our obligations under the PDPA.

12. How to complain

Please contact us first at [email protected] so we can try to resolve your concern. You also have the right to complain to the Personal Data Protection Commissioner of Malaysia (Jabatan Perlindungan Data Peribadi) at pdp.gov.my.

13. Updates

We may update this Notice from time to time. Material changes will be reflected in the "Last updated" date above and, where appropriate, notified in the app or by email.

Questions about this document? Contact us at [email protected].