1. Introduction

Infoleum, developed and operated by Jidoka Integratech Services, is a SaaS platform that integrates with productivity ecosystems, including Google Workspace (and may expand to other providers in the future). When a client purchases the service, they register using their Google account email. This same account is used to authorize Infoleum via OAuth 2.0 and grant the permissions (“scopes”) listed in Section 2. Upon authorization, Infoleum creates the necessary resources (e.g., forms, spreadsheets, Folder and automation scripts) within a designated folder in the client’s Google Drive, which is shared with Infoleum.
- The client retains full editing rights to all resources in the shared folder. However, editing resources outside the guidance of the user manual may break the automation. If so, recovery is not supported, and a new subscription purchase may be required to re-provision resources.
- The client decides who may enter data and with whom form links are shared.
- The client is the Data Controller and is solely responsible for determining what personal data (if any) is collected, ensuring lawful consent from data subjects, and providing required privacy notices.
- Infoleum acts only as a Data Processor, processing data strictly on client instructions.

Infoleum processes such data through its infrastructure, which may be hosted outside Malaysia. Identifiable raw data is periodically purged; anonymized or de-identified data may be retained indefinitely for service improvement, analytics, or derivative works. Such derivative works remain the property of Jidoka Integratech Services and are outside the scope of PDPA once anonymization is complete. All raw client data remains in the client’s Google Drive under their control. Metadata generated by the service is stored on Infoleum’s SaaS servers and cleared after six (6) months. Certain aggregated metadata may be shared back to clients through reporting dashboards such as Looker Studio, accessible only to the client via their authenticated Google account.

2. Data Access & Scopes

To deliver its services, Infoleum requests the following Google OAuth 2.0 scopes:

- drive.file – To create, read and edit resources (forms, spreadsheets, folder, scripts) within the client’s designated shared Drive folder.
- userinfo.email – To identify the Google user registering the service and granting OAuth access.
- forms.body – To create and edit the structure of Google Forms (not to read responses).
- script.projects – To create and deploy Apps Script projects in the client’s shared folder, automating communication between the client’s resources and Infoleum SaaS.

During setup, clients are required to authenticate the Google Apps Script that accompanies a Sheet. This ensures that form submissions can trigger the intended automation. The script executes entirely under the client’s Google Account.

Clients may revoke Infoleum’s access at any time via their Google Account Permissions. Once revoked, all OAuth-based access ceases immediately.

All resources generated by the Infoleum SaaS platform (including Google Forms, Sheets, and associated scripts) are automatically shared with the primary service account (xxxxxx-compute@developer.gserviceaccount.com) to enable operational automation.

This service account requires read and write access to ensure seamless synchronization and automation of data. Clients retain full ownership and control of all Google Drive assets and may adjust sharing permissions at any time; however, removing the service account’s access will interrupt automation workflows.

3. Data Use

- Data is processed exclusively to deliver services (form creation, spreadsheet linkage, record-keeping enforcement, and automation).
- Data is never sold, rented, or shared with third parties.
- Temporary backend processing may occur within Infoleum’s infrastructure for automation, troubleshooting, and service improvement.

4. Data Storage & Retention

- Raw Data: Stored solely in the client’s Google Drive.
- Temporary Processing: Form submissions may be routed through Infoleum’s infrastructure.
- Anonymized Data: Identifiable data is stripped and purged; anonymized data is retained indefinitely for analytics and service improvement and falls outside PDPA scope.
- Metadata: Logs and metadata on Infoleum servers are automatically deleted after six (6) months.

5. Data Sharing & Disclosure

- Only clients and the users they authorize can access data stored in their Drive.
- Infoleum does not access client files beyond what is explicitly authorized.
- Infoleum complies with Google’s API Services User Data Policy, including the Limited Use requirements.
- Data may be shared only with identified subprocessors (Google Cloud Platform, Looker Studio, Stripe is used for billing).

6. Security

- All authentication is handled through OAuth 2.0.
- Data transfers are encrypted via HTTPS.
- Data and metadata are encrypted at rest and in transit as per Google Cloud Platform standards.
- Internal security controls, including staff confidentiality and access controls, apply.
- Clients remain responsible for managing Drive sharing and access rights.

7. User Rights

- Clients may revoke OAuth permissions at any time.
- Clients may delete resources created by Infoleum in their Google Drive at any time in accordance with the user manual. Deleting resources outside these guidelines may disrupt or permanently break the automation. Clients may also request deletion of metadata or logs from Infoleum servers.

8. Cloud & Infrastructure

Infoleum operates using secure cloud computing infrastructure and on-premise systems.
Currently, cloud services are provided through Google Cloud Platform (e.g., Google Cloud Storage, BigQuery).
Cross-border transfers are carried out using internationally certified environments (ISO 27001, SOC2, etc.) with contractual safeguards, ensuring compliance with PDPA transfer restrictions.
Infoleum may expand to other certified cloud providers in the future.

9. Contact Information

For privacy concerns, data deletion requests, or inquiries:

Jidoka Integratech Services
Email: InfoleumSupport@jidoka-integratech-services.com
Website: jidoka-integratech-services.com

Unresolved matters may be escalated to the Personal Data Protection Commissioner of Malaysia (PDPC).