Privacy Policy

01

Who We Are

Cahaya Firm is a law firm registered and practising in Malaysia, operating from Unit 5-02, Menara KEN TTDI, No. 37 Jalan Burhanuddin Helmi, 60000 Kuala Lumpur. For the purposes of the PDPA, Cahaya Firm is the data user in respect of personal data collected through our website, contact forms, and client engagements. You may contact our team regarding data matters at [email protected].

02

What Personal Data We Collect

We collect personal data in the following circumstances:

• Contact form submissions: name, email address, phone number, and the contents of your message.
• Client engagements: identification documents, contact details, employment records, correspondence, and information relevant to the legal matter we are instructed on.
• Website usage: technical data collected via cookies, including IP address, browser type, pages visited, and session duration. See our Cookie Policy for details.

We collect only what is necessary for the stated purpose and do not request sensitive personal data unless it is directly relevant to a legal matter you have instructed us to handle.

03

How We Use Your Personal Data

We use personal data for the following purposes:

• To respond to enquiries submitted through our website contact form.
• To carry out the legal services you have instructed us to perform.
• To manage our client relationship and maintain accurate records of instructions and correspondence.
• To comply with legal and regulatory obligations, including professional obligations under the Legal Profession Act 1976.
• To analyse website usage in aggregate form for the purpose of improving our online presence (analytics cookies, where consent is given).

We do not use your personal data for direct marketing without your explicit consent, and we do not sell personal data to third parties under any circumstances.

04

Legal Basis for Processing

Under the PDPA, we process personal data on the following grounds:

• Consent: where you have submitted a contact form or agreed to optional cookies, processing is based on your consent, which you may withdraw at any time.
• Contractual necessity: where you have engaged our services, processing is necessary to fulfil our obligations under the engagement.
• Legal obligation: where we are required to retain records for regulatory or professional compliance purposes.
• Legitimate interests: for general website analytics and internal administration, where those interests are not overridden by your rights.

05

Data Retention

Client matter files are retained for a minimum of seven years following the conclusion of an engagement, in accordance with standard legal professional practice in Malaysia. Contact form enquiries that do not proceed to a formal engagement are retained for up to twelve months. Website analytics data is retained in accordance with the cookie periods specified in our Cookie Policy. After the applicable retention period, data is securely deleted or anonymised.

06

Data Sharing

We share personal data only where necessary:

• Courts and tribunals: where required by the legal proceedings we are instructed to conduct on your behalf.
• Opposing parties or their representatives: as required by the conduct of your matter.
• Service providers: including cloud storage and case management systems, under contractual data protection obligations.
• Regulatory bodies: the Malaysian Bar and other regulatory authorities, where required by professional obligations.

We do not transfer personal data outside Malaysia except where strictly necessary for the conduct of a specific legal matter, and only with appropriate safeguards in place.

07

Data Protection Measures

Personal data is stored on secured systems with access restricted to relevant practitioners and administrative staff. Electronic files are protected by password controls and encrypted where transmission is required. Physical documents are held in secured storage. We review our data security practices regularly and take reasonable steps to protect against unauthorised access, disclosure, or loss. In the event of a data breach that is likely to result in a high risk to your rights, we will notify you as required under applicable law.

08

Cookies

Our website uses cookies. Essential cookies are necessary for the website to function and are always active. Optional cookies — including analytics and preference cookies — are only placed with your consent. For full details, including how to manage your cookie preferences, see our Cookie Policy.

09

Your Rights

Under the PDPA and applicable data protection principles, you have the following rights in respect of your personal data:

• Access: to request a copy of the personal data we hold about you.
• Correction: to request correction of inaccurate or incomplete data.
• Withdrawal of consent: to withdraw consent for processing where processing is based on consent.
• Erasure: to request deletion of your personal data, subject to our retention obligations.
• Restriction: to request that we limit processing in certain circumstances.
• Objection: to object to processing based on legitimate interests.

To exercise any of these rights, contact us at [email protected]. We will respond within 21 days. Where a request cannot be fulfilled, we will explain the reason. You also have the right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia.

10

Third-Party Links

Our website may contain links to external websites. We are not responsible for the privacy practices of those sites and recommend that you review their privacy policies independently.

11

Children

Our website and services are not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has submitted personal data to us, please contact us at [email protected] and we will take appropriate steps.

12

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The date of the most recent revision appears at the top of this page. Continued use of our website following a material update constitutes acceptance of the revised policy. Where changes are significant, we will take reasonable steps to bring them to your attention.

13

Contact

For any questions or requests relating to this Privacy Policy or how Cahaya Firm handles personal data, please contact: