This Privacy Statement aims to clarify what personal data we process, why we process it, who receives your data and how you can exercise your legal rights. Accordingly, in this Privacy Statement, “personal data” means any information which directly identifies you as a person (like the combination of your full name and address), or can be used to identify you as a person (like a user ID connected to your identity). Similarly, “processing” refers to any operation performed on your personal data, for example the collection, storage, use, disclosure, or destruction of your personal data.

Who are we?

We are DELIVERY HERO MALAYSIA SDN BHD (“DHMY”) and we are located at 36-01, Level 36, Tower B, The Vertical Corporate Office Towers, Avenue 10, Bangsar South, No 8 Jalan Kerinchi, 59200 Kuala Lumpur.

As regards your privacy, it’s us who decide how and for what purposes your personal data is processed. In data protection language that makes us a so-called “Data Controller” (the party responsible for how your personal data is processed.

If you have any questions related to your personal data, you can reach DHMY’s data protection officer for any privacy- related questions or feedback by mailing to support@foodpanda.my or dataprotection@foodpanda.my.

What categories of personal data do we process?

Data Categories & Explanation

• Company Information CCM business profile (such as Full Name, Business Registration Number, Date of Incorporation, and Address), Tax ID, Geolocation Data, Order Data, Trading License, Contact Data, Order History.

• Proprietor Information Name, Surname, Address, NRIC ID Data and number, Contact Information.

• Technical Information Device Data, Language Settings, Usage Data.

• Order Information Order IDs, Product Names and Quantities, Order History, Delivery-related Data.

• Financial Information Bank Account, Tax ID, Payment Recipient Data.

• Customer Support Information Content of Support Chat.

What do we do with your personal data?

In order to provide services on our vendor portal, we use various tools and systems that are necessary for the operation of the app. Accordingly, we collect, process and store the following categories of personal data when you use the app:

We process the above categories of personal data for the following purposes:

Purpose: Account Creation and Maintenance Description and Legal Basis: The information we request during the account creation process is necessary to take the first step in establishing a business relationship with you so that we can provide you with our services. We only ask for data that is necessary for this purpose. Categories of personal data:

• Company Information
• Proprietor Information
• Technical Information The legal basis for this processing is ‘entering into or performance of a contract’ under Art. 6(1)(b) GDPR.

Purpose: Order Processing & Delivery Description and Legal Basis: The following information is necessary for us to conclude your order and ensure successful delivery. Categories of personal data:

• Order Information
• Company Information
• Customer Support Information The legal basis for this processing is ‘entering into or performance of a contract’ under Art. 6(1)(b) GDPR.

Purpose: Payment Description and Legal Basis: On a regular basis, your information will be shared with payment providers to facilitate the payment process. Categories of personal data:

• Company Information
• Financial Information The legal basis for this processing is ‘entering into or performance of a contract’ under Art. 6(1)(b) GDPR.

Purpose: Product Analytics Description and Legal Basis: We analyse the usage of the Vendor Portal in order to ensure its security, optimization, and effectiveness. Accordingly, the Vendor Portal generates and uses anonymous information about the device you use to access it. Categories of personal data:

• Technical Information The legal basis for this processing is ‘legitimate interest’ under Art. 6(1)(f) GDPR.

Purpose: Communication Description and Legal Basis: Different tools are used for communication between you and the partnering entity via email, pushes, SMS or messaging platforms such as WhatsApp, etc. The purpose of the processing is the communication of necessary information between the parties involved to ensure we can adequately process your order. Categories of personal data:

• Company Information
• Proprietor Information
• Order Information The legal basis for this processing is ‘entering into or performance of a contract’ under Art. 6(1)(b) GDPR.

Purpose: Direct Marketing/ Online Marketing Description and Legal Basis: We may send you newsletters and promotions via email, pushes, SMS or messaging platforms such as WhatsApp, etc. informing you about new offers, deals or campaigns that are available for you on our platform. We may use the contact details you provided to us when registering as a partner to send you such communications. Opt-Out: You can opt out at any time, free of charge and with future effect, by updating your message preferences, and using the unsubscribe possibility offered in connection with any direct marketing messages or by contacting us via the email address provided at section 1. Categories of personal data:

• Company Information
• Proprietor Information
• Proprietor Information such as email and phone number The legal basis for processing of your data for the purpose of direct marketing as described above is ‘legitimate interest’ under Art. 6(1)(f) GDPR and ‘consent’ under Art. 6(1)(a) GDPR, if required by applicable laws.

Our legal basis for processing your personal data are the legal provisions in your jurisdiction permitting the data processing or the purpose of performance of a contract or in order to take steps at your request prior to entering such a contract.

Who will receive your data and under what circumstances?

You can trust that, within our company, only those staff members will receive access to your personal data who need them in order to fulfill their professional duties, such as providing you with a great online experience, or looking into your support request. In certain scenarios, we also need to share your personal data with recipients outside of our company. Please be assured that your data is shared with these recipients only to the extent necessary for the specified purposes and only as we are legally permitted to do so.

Delivery Hero group companies

We are part of an international group of companies with legal entities in many parts of the world, including our group’s headquarters located with Delivery Hero SE in Berlin, Germany. In order to utilize our resources efficiently and ensure that our business processes function properly, we utilize our group-wide shared technological support services that sometimes necessitate sharing personal data with our parent company, Delivery Hero SE, or with the locations of our global tech hubs. In certain situations, we might also share limited data with other group companies, for example, to assist with payment collection or to implement platform security measures.

Delivery Hero group companies are bound by strict intra-group data transfer agreements ascertaining compliance with data protection requirements whenever sharing personal data with group companies.

Data processors

We use various third-party service providers to perform our operations. Many of these providers process your personal data as so-called “data processors”. This means they are only allowed to process your personal data under our instructions and have no claims whatsoever to process your personal data for their own, independent purposes. Our processors are strictly monitored and we only engage processors who meet our high data protection standards.

Our user platforms and databases run on cloud resources provided by the EU subsidiaries of Google Cloud Platform and Amazon Web Services. We use marketing and communications tools by companies such as SalesForce or Braze. Our finance and accounting platforms are provided by SAP.

Other third parties and service providers

In addition to data processors, we also work with third parties, to whom we share your personal data, but who are not bound by our instructions and instead will process your data independently. These may be our consultants, lawyers or accountants who receive your data from us under a contract and process your personal data for legal reasons, or to protect our own interests. Under no circumstances will we sell or rent your personal information to third parties without your explicit, informed consent.

Mergers & acquisitions, change of ownership

In the event of a merger with, or acquisition by, another company or group of undertakings, we may need to disclose limited information to that company and their advisors who are under professional obligations to maintain the confidentiality of your personal data. This may occur in circumstances such as mutual due diligence assessments and regulatory disclosures.

In any event, we will ensure that we only disclose the minimum amount of information necessary to conduct the transaction, while also carefully considering the feasibility of removing or anonymising any data that could identify individuals.

Prosecuting authorities, courts and other public authorities

From time to time we may be requested to disclose personal data to public authorities. In some circumstances, we may disclose personal data with public bodies in order to bring or defend legal claims, to protect our rights and interests, or to address security concerns.

Examples of such situations include cooperating in the detection and prevention of crime, responding to legal processes such as court orders or subpoenas, or sharing data with tax authorities for tax-related purposes. The public authorities involved in these scenarios may include law enforcement agencies, courts, tax authorities, or other government officials.

How do we transfer your personal data to other countries?

We and the parties we share your personal data with may transfer personal data to countries other than the country in which you use our services. Where such transfers take place, we take appropriate measures to ensure that your data is always afforded an adequate level of protection in the countries to which it is transferred.

For example, if we transfer your personal data from a country within the European Economic Area (EEA) to a country outside of the EEA, we take appropriate safeguards to ensure that these transfers provide a level of protection that complies with data protection requirements. If there are specific further requirements of the law of the country in which you use our services, we will abide by them as well.

Specifically, as far as transfers from the EEA to countries outside the EEA are concerned, we rely on a number of appropriate safeguards:

• Adequacy decisions by the EU Commission (e.g. for Argentina or the United States, to the extent recipients have certified under the EU-US Privacy Framework, or other applicable mutual agreement between the EU and the US);
• Standard contractual clauses mutually agreed in our contract with the data recipient (including any supplementary measures, if required).
• Further appropriate safeguards in accordance with Art. 46 GDPR (for example Binding Corporate Rules).

What are your legal rights?

Under the data protection laws, you are entitled to the following rights:

Right to Access You have the right to access your personal data and obtain additional information on how we process it. You may also request a copy of your personal data.

Right to Rectification If you notice that your personal data is incorrect, you can request that we correct it.

Right to Withdraw Consent You can withdraw your consent to our collection, use, and disclosure of your personal data at any time. Upon receiving your withdrawal request, we may require a reasonable amount of time (depending on the complexity of the request and its impact on our relationship with you) to process it and to notify you of the consequences of acceding to your request, including any legal consequences, if applicable, which may affect your rights and liabilities to us. Please note that depending on the nature and scope of your request, we may not be able to continue the application process, in which case we will notify you before completing the processing of your request.

How long do we keep your data?

We retain your personal data for as long as it is necessary to achieve the purposes we described above. The duration for which we retain your personal data is determined by factors such as the scope, nature and purposes of the personal data processing, and whether we have legitimate interests or legal obligations that require us to retain your personal data.

How do we use Artificial Intelligence (AI)?

We may use artificial intelligence (AI) to improve our services and vendor experience. Artificial Intelligence may be used, for example, to provide personalized content, recommend products, AI Agent chatbot or support customer service. These technologies may collect and process personal data provided by you.

Our intention is not to collect sensitive personal data through the usage of AI. We therefore ask that you avoid providing any type of sensitive personal data.

In some cases, we may use third-party AI services to power certain features. When we do, we ensure that these partners comply with applicable laws and the highest data privacy standards. We may share your data with these third parties only to the extent necessary for them to perform their services, and we require them to protect your data in a manner consistent with this privacy statement.

We will let you know when you are interacting with AI. If you have any inquiries regarding this process, you have the right to contact support agents and request human intervention. Furthermore, you have the right to opt out of AI related data processing at any time.

Changes to this Privacy Statement

We may update this Privacy Statement to reflect our new processes, new technologies, and legal obligations. We are committed to keeping you informed of any changes to our privacy practices, so we encourage you to review this privacy statement to keep updated.

Last modified: 6 March 2026