Privacy Policy

Altream Sdn Bhd ("Altream", "we", "us", "our") operates NeurometriX, a neuroscience-based talent assessment platform accessible at neurometrix.io. Altream Sdn Bhd (formerly known as Streamz Holding Sdn Bhd) is a company incorporated in Malaysia, registered with the Companies Commission of Malaysia (SSM Registration No: 202501005010 (1606424-P)).

For the purposes of the Malaysian Personal Data Protection Act 2010 (as amended in 2024) ("PDPA"), the EU General Data Protection Regulation ("GDPR"), and the California Consumer Privacy Act ("CCPA"), Altream Sdn Bhd is the data controller responsible for your personal data processed through the NeurometriX platform.

This Privacy Policy describes how we collect, use, store, share, and protect your personal data when you interact with our platform, website, and related services (collectively, the "Services"). By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not access or use our Services.

2.1 Employers & Hiring Managers

• Account Information: Full name, work email address, company name, job title, phone number, and profile avatar.
• Billing Data: Payment details are collected and processed securely by our payment processor, Stripe. We do not store full credit card numbers on our servers. We retain only the last four digits, card brand, and expiration date for reference purposes.
• Usage Data: IP address, browser type and version, operating system, pages visited, features used, access timestamps, referral URLs, and session duration.

2.2 Candidates

• Identity Information: Full name and email address as provided by the employer or entered during assessment onboarding.
• Assessment Behavioral Data: Interaction data captured during neuroscience-based cognitive games, including response times (millisecond precision), click patterns, accuracy metrics, error rates, task-switching behaviour, and decision sequences.
• Derived Trait Scores: Cognitive and behavioural trait scores computed by our proprietary scoring engine, including but not limited to working memory, cognitive flexibility, emotional regulation, attention control, risk tolerance, and processing speed.
• Device Information: Device type, screen resolution, browser fingerprint (hashed), operating system, and language settings. This information helps us ensure assessment integrity and optimise the experience.

We share personal data only with trusted third parties who assist us in operating our platform, and only to the extent necessary. All third-party processors are bound by data processing agreements (DPAs) that require them to protect your data.

Service Providers

• Anthropic:We use Anthropic's AI models to generate natural-language assessment reports and candidate insights. Anonymised trait scores and job context are sent for report generation. No raw behavioural data or candidate names are shared with Anthropic.
• Resend: We use Resend for transactional email delivery, including assessment invitations, result notifications, and account communications. Recipient email addresses and message content are processed by Resend.
• Stripe: We use Stripe for payment processing. Billing details are collected directly by Stripe and are subject to Stripe's Privacy Policy.
• Amazon Web Services (AWS): Our infrastructure is hosted on AWS. All data is stored and processed within AWS data centres with enterprise-grade physical and network security.

What We Do NOT Do

NeurometriX operates infrastructure across multiple AWS regions to serve our global user base:

• US-East (us-east-1): North American customers.
• EU-West (eu-west-1): European Economic Area customers.
• APAC (ap-southeast-1): Asia-Pacific customers, including Malaysia and Southeast Asia.

Data originating from Malaysian users is stored in the APAC region (ap-southeast-1, Singapore) by default, ensuring proximity and compliance with PDPA requirements regarding cross-border data transfers.

Where personal data is transferred outside the originating region (for example, when utilising global service providers), we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (SCCs) and executed Data Processing Agreements (DPAs) with all sub-processors. For transfers from Malaysia, we comply with Section 129 of the PDPA 2010 regarding cross-border data transfers and ensure the receiving jurisdiction provides an adequate level of data protection.

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy or as required by law. Our specific retention periods are:

Upon expiration of the applicable retention period, personal data is securely deleted or anonymised. Anonymised data that can no longer be linked to an individual may be retained indefinitely for research, statistical analysis, and platform improvement purposes.

You may request early deletion of your data at any time by contacting us at privacy@neurometrix.io, subject to any legal obligations that require us to retain certain records.

Depending on your jurisdiction, you may have the following rights regarding your personal data. We honour these rights under the PDPA 2010 (as amended 2024), GDPR, and CCPA:

• Right of Access: You may request a copy of the personal data we hold about you and information about how it is processed.
• Right to Correction: You may request that we correct inaccurate or incomplete personal data.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
• Right to Erasure (NEW under PDPA 2024): You may request the deletion of your personal data where it is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent. This right is now recognised under the PDPA 2024 amendments in addition to the GDPR.
• Right to Data Portability (NEW under PDPA 2024): You may request to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and have it transmitted to another data controller where technically feasible.
• Right to Object: You may object to the processing of your personal data where processing is based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or have objected to processing pending verification.

We use cookies and similar tracking technologies to operate our platform, remember your preferences, and understand how our Services are used. For complete details on the cookies we use, their purposes, and how to manage your preferences, please refer to our Cookie Policy.

In summary:

• Essential Cookies: Always active. Required for core platform functionality including authentication, session management, security, and load balancing. These cannot be disabled.
• Analytics Cookies: Optional. Used to understand usage patterns and improve the platform. You may opt out via the cookie consent banner or your browser settings.
• Marketing Cookies: Optional. Used only on our marketing website (not within the assessment platform) to measure campaign effectiveness. You may opt out at any time.

We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

• Encryption at Rest: All personal data is encrypted using AES-256 encryption at rest across all storage systems, including databases, backups, and file storage.
• Encryption in Transit: All data transmitted between your browser and our servers is protected using TLS 1.3 encryption. We enforce HTTPS across all endpoints with HSTS headers.
• SOC 2-Aligned Controls: Our security programme is aligned with SOC 2 Type II standards covering security, availability, and confidentiality. We conduct regular penetration testing and vulnerability assessments.
• Access Controls: Role-based access control (RBAC), multi-factor authentication for administrative access, and the principle of least privilege across all internal systems.

Our Services are designed for professional hiring and talent assessment purposes and are not intended for individuals under the age of 18. We do not knowingly collect, solicit, or process personal data from minors.

If you are a parent or guardian and believe that your child has provided personal data to NeurometriX, please contact us immediately at privacy@neurometrix.io. We will promptly investigate and delete any such data from our systems.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Notify registered users via email and/or a prominent notice within the platform at least 14 days before the changes take effect.
• Where required by law, obtain your renewed consent before applying the updated terms to your data.

Your continued use of the Services after the updated Privacy Policy becomes effective constitutes your acceptance of the changes. If you do not agree with the updated terms, you should discontinue use of the Services and contact us to exercise your rights regarding your personal data.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us using the details below: