Privacy Policy

1. Who we are

The data controller is Kemuning, a business consulting practice registered in Malaysia, operating from No. 42, Jalan Sultanah Zainab, 15000 Kota Bharu, Kelantan. For data-related enquiries, contact us at [email protected].

2. What personal data we collect

We collect personal data in the following ways:

• Contact form submissions: name, email address, phone number (if provided), and message content.
• Consulting engagements: business details and other information shared during sessions, captured in session notes.
• Website analytics: anonymised usage data including pages visited and time on site, collected via analytics cookies if you have consented.
• Email correspondence: any personal information you include when communicating with us by email.

We do not collect sensitive personal data (such as financial account details or government identity numbers) through our website. Any sensitive business information shared during consulting sessions is treated as strictly confidential.

3. Legal basis for processing

Under Malaysia's PDPA and internationally recognised data protection principles, we process your personal data on the following bases:

• Consent: when you submit a contact form or accept analytics cookies.
• Contract performance: when processing data is necessary to deliver a consulting engagement you have engaged us for.
• Legitimate interest: for internal record-keeping and improving our services, where this does not override your rights.

4. How we use your personal data

• To respond to enquiries submitted through our contact form
• To deliver consulting sessions and follow-up summaries as part of an engagement
• To maintain internal records of client interactions
• To send service-related communications (not marketing) where you are an active or recent client
• To analyse website usage in aggregate (only with your cookie consent)

We do not send unsolicited marketing emails. We do not sell, rent, or trade your personal data with third parties.

5. Data retention

Contact form submissions are retained for up to 12 months. Client session notes and related documents are retained for up to 3 years from the end of an engagement, after which they are securely deleted. Analytics data is retained according to the terms of our analytics provider and is not linked to identifiable individuals.

6. Third-party services

We may use the following third-party services, each with their own privacy policies:

• Google Analytics (website usage analytics — only if cookies accepted)
• Email hosting provider (for processing contact form messages)

We do not use advertising networks or social media tracking pixels that collect your data for third-party advertising purposes.

7. Data security

We use reasonable technical and organisational measures to protect your personal data from unauthorised access, disclosure, or loss. These include access controls, secure email, and password-protected storage. In the event of a data breach that affects your personal information, we will notify you and the relevant authorities where required by law.

8. Cookies

Our website uses cookies. Essential cookies are required for the site to function. Optional analytics and preference cookies are only set if you give your consent. For full details of the cookies we use, please see our Cookie Policy.

9. Your rights

Under Malaysian data protection law, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data where there is no longer a lawful basis for retaining it
• Withdraw consent at any time where processing is based on consent
• Object to processing based on legitimate interest
• Lodge a complaint with Malaysia's Personal Data Protection Department (JPDP)

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Third-party links

Our website may contain links to external websites. We are not responsible for the privacy practices of those sites and encourage you to review their policies directly.

11. Children

Our services are intended for business owners and adults aged 18 and above. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this policy from time to time. The date at the top of this page shows when it was last revised. Significant changes will be communicated to active clients by email. Continued use of our website after an update constitutes acceptance of the revised policy.