Privacy Policy

Kemuncak Advisory is a technology vendor selection consultancy registered and operating in Malaysia. Our registered business address is Plaza Mont Kiara, 2 Jalan Kiara, 50480 Kuala Lumpur. We act as the data controller for personal information we collect in connection with our services and website.

Any queries regarding this policy or your personal information may be directed to us at [email protected] or by post to our Kuala Lumpur address above.

We use the information we collect for the following purposes:

• —To respond to enquiries you submit through our website or by other means.
• —To deliver advisory services under a confirmed engagement, including preparing written deliverables, conducting evaluation sessions, and corresponding during the project.
• —To fulfil our invoicing and record-keeping obligations.
• —To improve the content and usability of our website, using aggregated and anonymised data only.
• —To send occasional practice updates where you have given consent and where you may withdraw that consent at any time.
• —To comply with legal obligations applicable to our practice in Malaysia.

We do not use personal information for automated profiling or decision-making that produces legal or similarly significant effects.

We process personal information on the following legal bases under Malaysia's Personal Data Protection Act 2010 (PDPA) and applicable data protection principles:

• —Consent — where you have expressly agreed to our collection and use of your information, including by submitting our contact form.
• —Contractual necessity — where processing is required to fulfil an advisory engagement you have engaged us to perform.
• —Legitimate interests — where we have a genuine business interest in processing the information and that interest is not outweighed by your rights, such as maintaining our records and improving our website.
• —Legal obligation — where we are required by law to retain or disclose certain records.

We treat the information shared with us as confidential. We do not sell, rent, or trade personal information with third parties.

We may share information with third parties only in the following limited circumstances:

• —Service providers — including our website host, email service, and accounting software, who process data on our behalf under appropriate agreements.
• —Legal requirements — where we are required to disclose information by law, court order, or regulatory authority.
• —With your consent — in any other case where you have given express permission.

We do not share client information with candidate vendors during an evaluation engagement without the client's explicit instruction.

We retain personal information only for as long as is necessary for the purposes set out in this policy, or as required by law.

• —Enquiry records are held for twelve months from the date of the enquiry, unless the enquiry leads to an engagement.
• —Engagement records, including correspondence and deliverables, are retained for seven years following the close of the engagement, in line with Malaysian business record-keeping requirements.
• —Website analytics data is held in aggregated and anonymised form, and is not tied to individual identities after ninety days.

Under the Personal Data Protection Act 2010 and applicable privacy principles, you have the following rights in relation to your personal information:

• —Access — to request a copy of the personal information we hold about you.
• —Correction — to request that inaccurate or incomplete information be corrected.
• —Withdrawal of consent — to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing prior to withdrawal.
• —Limitation — to request that we restrict processing of your information in certain circumstances.
• —Objection — to object to processing based on legitimate interests, in circumstances where your particular situation warrants it.

To exercise any of these rights, please write to us at [email protected]. We will respond within thirty days. We may need to verify your identity before processing your request.

We take reasonable technical and organisational measures to protect personal information against unauthorised access, loss, or disclosure. These include encrypted transmission for online communications, access controls limiting who within our practice may access personal data, and secure storage arrangements.

No transmission over the internet can be warranted as entirely secure. If you have concerns about a specific transmission, you may contact us by telephone instead.

We may update this policy from time to time to reflect changes in our practice, applicable law, or the services we provide. The revised date at the top of this page will reflect any material changes.

We encourage you to review this policy periodically. Continued use of our website or services after an update constitutes acceptance of the revised policy.