Privacy Policy
Kinder Hub — operated by Nusra Solutions
Last updated: 13 July 2026
1. Scope of this Policy
This Policy explains how Nusra Solutions collects, uses, discloses, and protects personal data in connection with Kinder Hub, a childcare centre management platform used by childcare centres (“Centres”, “Customers”) and their staff.
Kinder Hub is a business-to-business product. Centres enter and manage personal data belonging to their own staff, guardians, and children within the Service. This Policy covers two relationships:
- Nusra Solutions as data user (controller) — for account, billing, and usage data relating to the Centre and its Authorised Users directly.
- Nusra Solutions as data processor— for personal data about staff, children, and guardians that a Centre inputs into the Service (“Centre Data”). For Centre Data, the Centre is the data user (controller) under the PDPA, and Nusra Solutions processes it only on the Centre’s instructions, to provide the Service.
If you are a parent, guardian, or staff member of a childcare centre using Kinder Hub, please also refer to your Centre’s own privacy notice — see also our Children & Guardian Data Notice, which Centres may adapt and issue to families.
2. Personal Data We Collect
2.1 Centre account data (we are the data user)
- Centre/company name, address, and licensing details;
- Authorised User names, roles, email addresses, and phone numbers;
- Login credentials and authentication data;
- Billing and payment details (processed via our payment provider — we do not store full card numbers);
- Usage data: log-in timestamps, device/browser information, IP address, and in-app activity needed for security and support.
2.2 Centre Data (the Centre is the data user; we process on its behalf)
Depending on how a Centre configures and uses the Service, this may include:
Staff records
- Full name, NRIC/passport number, date of birth, address, contact details;
- Employment details: role, salary, bank account number, EPF number, SOCSO/EIS number, tax reference number;
- Payroll history, payslips, attendance, leave, and overtime records;
- Certifications relevant to childcare licensing (e.g. first aid, training records), and staff medical/health records where a Centre chooses to record them.
Child records
- Full name, date of birth, guardian contact details, emergency contacts;
- Attendance, daily activity, and progress reports;
- Health information: allergies, medical conditions, immunisation records, medication logs, incident/injury records;
- Photographs or other media, where a Centre uploads them for daily reports.
Guardian/parent records
- Name, contact details, relationship to child;
- Billing and invoice history for childcare fees.
Health data relating to staff and children is sensitive personal data under the PDPA and is treated with additional care, as described in Section 7.
3. How We Use Personal Data
We (and, for Centre Data, the Centre acting through the Service) use personal data to:
- Provide, operate, and maintain the Service, including payroll calculation, attendance tracking, billing, and compliance document generation;
- Authenticate Authorised Users and secure accounts;
- Communicate with Centres about their account, billing, and material changes to the Service;
- Provide customer support;
- Improve and troubleshoot the Service;
- Comply with legal obligations, including responding to lawful requests from EPF, SOCSO (PERKESO), LHDN, or JKM where a Centre uses the Service to generate submissions to those bodies;
- Detect, investigate, and prevent fraud, abuse, or security incidents.
We do not sell personal data, and we do not use Centre Data (staff, guardian, or child records) for advertising or marketing purposes.
4. Legal Basis and Consent
Under the PDPA’s General Principle, personal data may only be processed with consent (except in limited circumstances permitted by law, such as performance of a contract or compliance with a legal obligation).
- For Centre account data, processing is necessary to perform our contract with the Centre (these Terms and this Policy) and to comply with legal obligations (e.g. tax and accounting records).
- For Centre Data, the Centre is responsible for obtaining consent from staff, guardians, and (where applicable) children’s guardians before entering their personal data into the Service, and for giving the notices required by the PDPA’s Notice and Choice Principle. We support this by providing the Children & Guardian Data Notice template and by processing Centre Data only as instructed.
5. Disclosure of Personal Data
We disclose personal data only as follows:
- To the Centre’s own Authorised Users, according to the access levels the Centre configures;
- To statutory bodies (EPF, SOCSO/PERKESO, LHDN, JKM), where a Centre uses the Service to generate or submit statutory filings, contributions, or compliance documents — disclosure to these bodies is made by or at the direction of the Centre;
- To sub-processors who host or support the Service on our behalf, under contractual confidentiality and security obligations, currently including cloud infrastructure and database hosting providers (see Section 6);
- To professional advisors (auditors, lawyers) bound by confidentiality, where necessary;
- Where required by law, such as a valid court order or regulatory request;
- In a business transfer (merger, acquisition, or sale of assets), with notice to affected Centres where required by law.
We do not disclose Centre Data to third parties for their own independent marketing purposes.
6. Where Data Is Stored and Cross-Border Transfers
The Service is built on third-party cloud infrastructure, which may store or process data outside Malaysia (for example, on Supabase and Cloudflare infrastructure). The PDPA restricts transfer of personal data outside Malaysia unless certain conditions are met (for example, the recipient jurisdiction has comparable data protection standards, or consent has been obtained).
[TO CONFIRM: hosting regions for Supabase/Cloudflare project, and whether a data-residency-in-Malaysia or equivalent-protection basis applies.] Until confirmed, Centres should treat cross-border transfer as occurring and factor this into their own consent notices to staff and guardians.
7. Sensitive and Health-Related Data
Health, medical, and immunisation data (for staff and children) is sensitive personal data. We apply additional safeguards, including:
- Restricting access within the Service to the access levels a Centre configures for its own staff;
- Encrypting data in transit and at rest where supported by our infrastructure providers;
- Not using health data for any purpose other than providing the Service (record-keeping, compliance, and safety) as directed by the Centre.
Centres remain responsible for obtaining explicit consent for processing sensitive personal data, as required by the PDPA, before entering it into the Service.
8. Data Retention
We retain personal data for as long as the Centre’s account is active, plus a reasonable period afterward to allow data export, resolve disputes, and meet legal/regulatory retention requirements (for example, statutory payroll and employment records, and JKM record-keeping requirements, which may require retention for several years). On request, and subject to legal retention obligations, we will delete or anonymise Centre Data within a reasonable period after account termination — see Terms of Service §13.
9. Data Security
We use reasonable technical and organisational measures to protect personal data, including access controls, encryption in transit, authenticated access, and reliance on infrastructure providers with their own security certifications. No system is completely secure; we will notify affected Centres without undue delay if we become aware of a data breach affecting their Centre Data, as required by law.
10. Your Rights
Under the PDPA, individuals whose data is processed have the right to:
- Access their personal data held about them;
- Correct inaccurate personal data;
- Withdraw consent to processing (which may limit or prevent use of the Service for that individual);
- Limit processing for purposes not disclosed at collection.
Staff, guardians, and (via their guardians) children should direct these requests to their Centre in the first instance, since the Centre controls the data. Centres may contact us at support@kinderhub.thenusra.com for assistance fulfilling these requests within the Service. Centre administrators may contact us directly regarding their own account/billing data.
11. Cookies
The Service uses cookies necessary for authentication and security. See our Cookie Policy for details.
12. Children’s Data
Kinder Hub is not directed at children as end users — it is used by adult Centre staff to record information about children in their care, on behalf of and at the direction of the Centre and the children’s guardians. See our Children & Guardian Data Notice for details specific to child records.
13. Changes to this Policy
We may update this Policy from time to time. We will notify Centres of material changes (for example, by email or in-app notice) before they take effect.
14. Contact Us
For privacy questions or requests:
Nusra Solutions
support@kinderhub.thenusra.com
If you believe your personal data has been mishandled, you may also lodge a complaint with Malaysia’s Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi, JPDP).