Privacy Policy
Last updated: 1 January 2025 · Effective date: 1 January 2025
This Privacy Policy explains how Cahaya Group ("we", "us", or "our") collects, uses, stores, and protects personal data that you provide to us or that we collect in the course of providing our services or operating this website.
This policy is issued in accordance with the Personal Data Protection Act 2010 (PDPA 2010) of Malaysia and applies to all personal data processed by Cahaya Group.
By using this website or engaging our services, you acknowledge that you have read and understood this Privacy Policy.
1. Who we are
Cahaya Group is a corporate restructuring and organisational advisory consultancy registered and operating in Malaysia. Our registered business address is:
Cahaya Group
Tower B, Level 9, Jalan Kerinchi
Bangsar South, 59200 Kuala Lumpur
Malaysia
Telephone: +60 3 2284 7163
Email: [email protected]
For the purposes of the PDPA 2010, Cahaya Group is the data user in respect of personal data processed through this website and in the course of our consulting engagements.
2. Personal data we collect
We collect personal data only where it is necessary for a legitimate purpose. The categories of personal data we may collect include:
- Contact information: name, business email address, telephone number, company name, and job title — provided when you submit an enquiry form or communicate with us directly.
- Correspondence data: the content of emails, messages, or other communications you send to us.
- Engagement data: information you share with us during the course of a consulting engagement, which may include business, financial, or operational information about your organisation and, where relevant, information about your employees and personnel.
- Website usage data: IP address, browser type, device type, pages visited, referring URLs, and session duration — collected automatically via cookies and analytics tools when you visit our website.
We do not collect sensitive personal data (as defined under the PDPA 2010) through this website. Where sensitive personal data is necessarily involved in a consulting engagement, this is governed by a separate engagement agreement with appropriate data handling provisions.
3. How we use your data
We use personal data that we collect for the following purposes:
- To respond to enquiries submitted through this website or by other means.
- To assess whether our services are appropriate to your situation, and to propose and provide consulting services.
- To fulfil our obligations under consulting engagement agreements.
- To send you communications directly related to an active or prospective engagement.
- To comply with legal and regulatory obligations applicable to our business.
- To analyse website usage and improve the performance and content of our website.
We do not use your personal data for unsolicited marketing communications. If we wish to send you materials of a promotional nature, we will seek your consent before doing so.
4. Legal basis for processing
Under the PDPA 2010, we are required to process personal data based on one or more of the following:
- Consent: Where you have provided your consent, including by submitting an enquiry form on this website.
- Contract: Where processing is necessary for the performance of a contract to which you are a party, or to take pre-contractual steps at your request.
- Legal obligation: Where processing is necessary to comply with a legal obligation applicable to us as a data user.
- Legitimate interests: Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights and interests.
5. Sharing of personal data
We do not sell, rent, or trade personal data to third parties. We may share personal data in the following limited circumstances:
- Service providers: Third-party providers who assist us in operating our website or delivering our services (such as cloud hosting, analytics, or email delivery providers), under contractual confidentiality obligations.
- Legal requirements: Where disclosure is required by applicable law, regulation, court order, or at the request of a regulatory authority.
- Professional advisers: Lawyers, auditors, or insurers, under duties of professional confidentiality, where necessary in connection with their services.
- Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate confidentiality protections.
Where personal data is transferred outside of Malaysia, we take steps to ensure that the receiving jurisdiction provides a level of protection substantially similar to that required under the PDPA 2010, or we put in place appropriate contractual safeguards.
6. Data retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law:
- Enquiry records not resulting in an engagement: up to 12 months from the date of enquiry, unless you have asked us to retain your contact information for future reference.
- Engagement-related records: for the duration of the engagement and for a period of seven (7) years thereafter, consistent with standard record-keeping obligations under Malaysian law.
- Website analytics data: retained in aggregated or anonymised form; identifiable session data is retained for up to 14 months.
At the end of the applicable retention period, personal data will be securely deleted or anonymised.
7. Your rights
Under the PDPA 2010, you have the following rights in respect of your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right of correction: You may request that inaccurate or incomplete personal data be corrected.
- Right to withdraw consent: Where we are processing your data on the basis of your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
- Right to limit processing: In certain circumstances, you may request that we limit the processing of your personal data.
To exercise any of these rights, please contact us at [email protected]. We will respond to all requests within the timeframes required by applicable law (generally within 21 days of a verified request).
We may need to verify your identity before processing a request. Where a request is manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or decline to act on it, as permitted by the PDPA 2010.
8. Cookies and tracking technologies
This website uses cookies and similar tracking technologies. For detailed information about the cookies we use, the purposes for which we use them, and how to manage your preferences, please see our Cookie Policy.
9. Data security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure. These measures include encrypted data transmission (HTTPS), access controls, and regular review of our security practices.
While we take reasonable steps to protect your personal data, no method of transmission over the internet is entirely secure, and we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and interests, we will notify you and, where required, the relevant authorities, in accordance with applicable law.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable legal requirements. When we do so, we will revise the "Last updated" date at the top of this page. We encourage you to review this page periodically.
Where changes are material, we will take reasonable steps to bring them to your attention.
11. Contact us
If you have any questions, concerns, or complaints about this Privacy Policy or our handling of your personal data, please contact us:
Cahaya Group — Data Privacy Enquiries
Tower B, Level 9, Jalan Kerinchi
Bangsar South, 59200 Kuala Lumpur
Email: [email protected]
Telephone: +60 3 2284 7163
If you are not satisfied with our response, you may lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) at www.pdp.gov.my.