Rhymin & Partners’ Data Protection Policy

Rhymin & Partners Sdn Bhd ("Company", "we", "us", or "our") is committed to protecting the personal data of individuals who interact with our services, platforms, and operations. This Data Protection Policy ("Policy") explains how we collect, use, disclose, protect, and otherwise process personal data in accordance with the Personal Data Protection Order 2025 ("PDPO").

This Policy applies to all personal data processed by Rhymin & Partners in connection with our services, including our software platforms (Queup, QSports, Trainers-BN), training programmes, and related digital and operational services.

Personal Data: Data, whether true or not, about an individual who can be identified either from the data itself or from the data in combination with other information that we have or are likely to have access to.

Processing: Any operation performed on personal data, including collection, use, disclosure, storage, transfer, and deletion.

Data Subject: An individual whose personal data is collected and processed by Rhymin & Partners.

Data Protection Officer (DPO): The designated individual responsible for overseeing data protection compliance within Rhymin & Partners.

Depending on your interaction with our services, we may collect the following categories of personal data, limited to what is necessary for the purposes described in this Policy:

Identity Data: Full name, identification number (such as national identity card), and professional title (where required).

Contact Data: Telephone number and email address.

Technical Data: IP address, operating system, browser type, and cookies or similar tracking data generated through your use of our platforms.

Profile Data: Training participation records, attendance, feedback, survey responses, and professional background.

We do not ordinarily collect sensitive personal data (such as health, religious, or biometric data). Where such data is incidentally collected in connection with specific service deployments (e.g., healthcare-related queue management), it will be handled with heightened safeguards and only to the extent strictly necessary.

We collect personal data through the following channels:

Online Platforms (Queup, QSports, Trainers-BN)

• Account creation or registration on our platforms

• Interaction with our websites, applications, or training platforms

• Submission of enquiries or customer support requests

• Participation in online features, events, or promotions

Training and Related Services

• Registration for training courses or services

• Completion of enrolment, feedback, or survey forms

• Participation in online or offline training sessions

Third-Party and Public Sources

• Organisations that enrol their employees in our programmes

• Affiliated partners such as training platform providers and service partners

We process your personal data on one or more of the following lawful bases under the PDPO:

Consent: You have given your explicit consent to the processing of your personal data for one or more specific purposes. You may withdraw consent at any time (see Section 9).

Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract (e.g., account registration, service delivery).

Legal Obligation: Processing is necessary for compliance with a legal obligation to which we are subject under Brunei law.

Legitimate Interests: Processing is necessary for our legitimate interests or those of a third party (such as fraud prevention, service improvement, and platform security), provided such interests are not overridden by your fundamental rights and freedoms.

We collect, use, and disclose your personal data for the following purposes:

• To provide our services, including facilitating registrations, bookings, enrolments, and transactions across our training programmes and digital platforms

• To deliver and administer training programmes, including providing course materials, managing participation, conducting assessments, and administering surveys

• To operate, manage, and improve our online platforms and services, including enabling user access, monitoring platform usage, and enhancing functionality and user experience

• To manage your account and our relationship with you, including maintaining records, processing payments, and communicating with you regarding your account, services, updates, or enquiries

• To respond to your requests, enquiries, feedback, or complaints, and to provide customer support

• To conduct administrative, operational, and business activities, including internal reporting, data analysis, service planning, and service improvement

• To support organisations, trainers, and service providers in managing operations, participant management, service coordination, and performance monitoring

• To verify your identity where necessary for service provision, certification, or compliance purposes

• To disclose personal data to third-party service providers, agents, or relevant authorities, whether within or outside Brunei Darussalam, for the purposes described in this Policy and in accordance with the PDPO

• For any other purposes reasonably related to the above or for which you have provided your consent

We will only collect, use, and disclose personal data to the extent necessary for the above purposes and in accordance with the PDPO.

Our websites and platforms (including Queup, QSports, and Trainers-BN) may use cookies and similar tracking technologies to collect Technical Data such as your IP address, browser type, operating system, and usage patterns.

Cookies are small data files stored on your device. We use them for the following purposes:

• Essential cookies: To enable core platform functionality, such as login sessions and security features

• Analytics cookies: To understand how users interact with our platforms and to improve their performance and usability

• Preference cookies: To remember your settings and personalise your experience

You may configure your browser to refuse cookies or to alert you when cookies are being sent. However, disabling cookies may affect the functionality of certain platform features. Where required under applicable law, we will obtain your consent prior to placing non-essential cookies on your device.

We may disclose your personal data to the following categories of third parties:

• Technology and infrastructure service providers (e.g., cloud hosting, database management, email delivery services)

• Professional and administrative service providers (e.g., legal, accounting, or auditing firms)

• Platform and training partners involved in delivering our services

• Regulatory authorities or government bodies where required by law or legal process

All third-party service providers who process personal data on our behalf are required to handle such data in accordance with the PDPO and are bound by contractual obligations to maintain appropriate data protection safeguards. Disclosure is made on a need-to-know basis only.

Where we rely on your consent as the legal basis for processing, you have the right to withdraw your consent at any time by contacting us in writing using the details in Section 14.

Withdrawal of consent does not affect the lawfulness of any processing carried out prior to the withdrawal. Please note that withdrawing consent may affect our ability to provide certain services to you, and we may contact you to discuss the consequences before processing your request.

Under the PDPO, you have the following rights in relation to your personal data:

Right to be Informed: You have the right to be informed about how your personal data is collected and used, as set out in this Policy.

Right to Access: You may request access to the personal data we hold about you, including information on the purposes for which it is being used.

Right to Correction: If you believe that any personal data we hold about you is inaccurate, incomplete, or outdated, you may request that we correct it.

Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time (see Section 9).

Right to Data Portability: Where applicable, you may request that your personal data be provided to you in a structured and commonly used format.

To exercise any of the above rights, please contact our Data Protection Officer using the details in Section 14. We will verify your identity before processing any request and will respond within a reasonable timeframe in accordance with the PDPO.

We make reasonable efforts to ensure that the personal data we use is accurate and complete, particularly where that data is likely to be used to make a decision that affects you or to be disclosed to another organisation. You are encouraged to promptly inform us of any changes to your personal data to help us maintain accuracy.

We implement reasonable technical and organisational security measures to protect personal data in our possession or under our control against loss, unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. These measures include, but are not limited to, access controls, encryption, and regular security assessments.

Where we engage third-party data processors, we require them to implement equivalent security safeguards.

In the event of a data breach that is notifiable under the PDPO and is likely to result in significant harm to you, we will notify the relevant regulatory authority and, where required, the affected individuals within the timeframes prescribed under the PDPO.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, in accordance with our data retention schedule and applicable laws and regulations. Personal data will be securely deleted or anonymised when it is no longer required for these purposes or for any legal or regulatory obligations.

The criteria used to determine our retention periods include: the duration of our relationship with you, our legal obligations, potential disputes or claims, and applicable regulatory guidance.

We generally do not transfer your personal data to countries outside of Brunei Darussalam. However, if such a transfer becomes necessary (for example, in connection with cloud infrastructure or international service providers), we will:

• Obtain your consent for the transfer where required; and

• Ensure that appropriate safeguards are in place so that your personal data continues to receive a standard of protection at least comparable to that under the PDPO, such as through binding contractual obligations or equivalent protective measures.

Some of our platforms may use automated processes to support service delivery (for example, automated queue prioritisation or booking confirmation systems). These automated processes do not produce legally significant decisions about individuals without human oversight.

Where we deploy any form of automated decision-making that may have a meaningful impact on you, we will inform you and provide you with an opportunity to request human review, express your point of view, or contest the decision.

For any queries, requests, notices, or complaints relating to this Policy or your personal data, please contact our Data Protection Officer:

Data Protection Officer

Rhymin & Partners Sdn Bhd

2nd Floor, Block C, Madang Cove, Unit No. 10, Lot 58178

Kg Madang, Bandar Seri Begawan, BC 3715, Brunei Darussalam

Email: enquiries@rhyminpartners.com

Website: www.rhyminpartners.com

We will verify your identity before processing any request and aim to respond within a reasonable timeframe as prescribed by the PDPO.

We may amend or update this Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. The most current version of this Policy will always be available on our website at www.rhyminpartners.com. We encourage you to review this Policy periodically. Material changes will be communicated to you through our platforms or other appropriate channels.