Privacy Policy

1. Introduction

Penjuru Advisory ("we", "us", or "our") is a customer journey consulting practice registered in Penang, Malaysia. Our principal address is 47 Lebuh Acheh, 10200 George Town, Penang.

We are a data user as defined under Malaysia's Personal Data Protection Act 2010 (PDPA 2010). This policy sets out our practices in relation to personal data collected via this website and through the ordinary conduct of our advisory work. It governs all interactions with Penjuru Advisory, whether you are an existing client, a prospective client, or a visitor to this site.

We do not process personal data for marketing purposes without first obtaining consent, and we do not sell or share personal data with third parties for commercial benefit.

2. Data We Collect

We collect personal data through the contact form on this website and, where an engagement proceeds, through the ordinary course of client work. The categories of data we may hold are:

• Contact information — name, email address, telephone number, and the organisation you represent
• Enquiry content — the message or context you choose to share when making contact
• Engagement records — correspondence, meeting notes, and documents shared during a consulting engagement
• Website usage data — anonymised information collected via analytics cookies, including pages visited, session duration, and referring source
• Technical data — browser type, device type, and IP address, retained briefly for security purposes

We collect personal data only when you provide it willingly through the website form or in the course of correspondence. We do not collect sensitive personal data (as defined under PDPA 2010) and have no requirement to do so.

Retention periods: Contact enquiries are held for up to 24 months from the date of last contact. Client engagement records are retained for up to 7 years to satisfy professional and legal obligations. Analytics data is held in aggregated, anonymised form and subject to the retention policies of the analytics provider.

Legal basis for processing: We process personal data on the bases of consent (where you submit a contact form), contractual necessity (where an engagement proceeds), and legitimate interest (for security, fraud prevention, and the improvement of our services).

3. How We Use Personal Data

Personal data collected through this website and our engagements is used for the following purposes:

• Responding to enquiries and scheduling initial conversations
• Delivering the advisory services you have engaged us to provide
• Sending information relevant to an active or forthcoming engagement
• Issuing fee proposals, invoices, and engagement correspondence
• Understanding how this website is used so that we may improve it
• Complying with legal and regulatory obligations applicable in Malaysia

We do not use personal data to profile individuals for marketing purposes. We do not share personal data with advertising networks. Where we engage third-party service providers (such as email hosting or analytics platforms), we do so under data processing arrangements that limit the use of your data to the service in question.

Specifically, the third-party services we use include:

• Google Analytics — website usage measurement; data is anonymised before transmission
• Email hosting provider — for the safe transmission and storage of correspondence

4. Data Protection Measures

We take the security of personal data seriously, and have implemented measures appropriate to the scale and nature of our practice:

• Encrypted transmission — this website uses HTTPS throughout; all form submissions are transmitted over encrypted connections
• Access controls — personal data is accessible only to members of the Penjuru Advisory team directly involved in the relevant engagement
• Secure storage — digital records are held in password-protected systems with two-factor authentication where the service supports it
• Physical security — paper records, where retained, are held in a locked office environment
• Minimal retention — we do not retain personal data beyond the periods described in Section 2

In the event of a personal data breach that is likely to result in significant harm to affected individuals, we will notify the relevant parties as required under applicable Malaysian law and in accordance with responsible practice. We will inform you promptly if your personal data is involved in such an incident.

5. Cookies

This website uses cookies to support essential functionality and, where you have consented, to collect anonymised usage data. The cookie categories in use are:

• Essential cookies — necessary for the website to function; cannot be disabled
• Analytics cookies — help us understand how visitors use the site; used only with your consent
• Preference cookies — remember choices you have made, such as cookie consent status

You may review and adjust your cookie preferences at any time through our Cookie Policy page. Your preferences are saved locally in your browser and are not transmitted to us.

6. Your Rights

Under the Personal Data Protection Act 2010 (Malaysia), you have the following rights in relation to personal data we hold about you:

• Right of access — you may request a copy of the personal data we hold about you
• Right of correction — you may ask us to correct inaccurate or incomplete personal data
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time; this does not affect the lawfulness of processing carried out before withdrawal
• Right to prevent processing for direct marketing — you may instruct us not to use your personal data for any direct marketing purpose
• Right to limit processing — in certain circumstances, you may request that we restrict how we use your personal data

To exercise any of these rights, please write to us at [email protected]. We will acknowledge your request within five working days and respond fully within 21 days, as provided for under PDPA 2010. There is no fee for a first request within any 12-month period.

Should you have a concern about our handling of your personal data that we are unable to resolve to your satisfaction, you may refer the matter to the Department of Personal Data Protection (JPDP), the supervisory authority for PDPA 2010 in Malaysia.

7. Third-Party Links

This website may contain references or links to external resources — for example, professional bodies, publications, or client organisations. We are not responsible for the privacy practices of those websites, and this policy does not extend to them. We encourage you to read the privacy policy of any website you visit via a link from this site.

8. Children's Privacy

Our services are directed at organisations and their staff, and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently received personal data from a person under 18, please contact us at [email protected] and we will delete it promptly.

9. Policy Updates

We review this privacy policy periodically and may update it to reflect changes in our practices or applicable law. Where material changes are made, we will update the "Last updated" date at the head of this page. Continued use of this website following a policy update constitutes acceptance of the revised terms. We recommend checking this page occasionally if data privacy matters are important to you.

10. Contact the Data Controller

For any questions, access requests, or concerns about this policy, please contact us: