Privacy Policy

1.Introduction

Padu Works ("we", "us", "our") is a business consulting firm registered in Malaysia, operating from Level 8, Menara TH Perdana, Jalan Sultan Ismail, 50250 Kuala Lumpur. This Privacy Policy describes how we collect, use, store, and protect personal data in connection with our website and consulting services.

This policy applies to all personal data collected through our website at paduwad, through our contact form, through email correspondence, and during the delivery of consulting engagements. It is prepared in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia.

By submitting the website contact form or entering into an engagement agreement with us, you acknowledge that you have read and understood this policy.

2.Data Controller

The data controller for all personal data collected by Padu Works is:

3.Personal Data We Collect

3.1 Through the Website Contact Form

• Full name (required)
• Email address (required)
• Phone number (optional, if provided)
• Message content submitted via the form (optional)

3.2 During Consulting Engagements

When you engage Padu Works for a consulting service, we may collect additional data relevant to the service being delivered:

• Business name, registration number, and address
• Financial records provided for analysis (Cash Flow Review)
• Names and roles of team members participating in workshops
• Business correspondence and documents shared with us
• Notes from interviews and facilitation sessions

3.3 Automatically Collected Data

Our website may automatically collect the following technical data:

• IP address and approximate geographic location
• Browser type and version
• Pages visited and time spent on pages (via analytics tools, subject to cookie consent)
• Referring website or source

We do not collect sensitive personal data as defined under the PDPA (such as health information, religious beliefs, or political opinions) and do not request or process such data in the course of our services.

4.Legal Basis for Processing

We process personal data on the following bases under the PDPA and applicable data protection principles:

• Consent: When you submit the website contact form, you provide consent for us to use your data to respond to your enquiry. Cookie-based analytics data is processed only with your consent, as managed through our cookie consent tool.
• Contractual necessity: When you enter into a consulting engagement with us, processing of relevant personal and business data is necessary for the performance of that contract.
• Legitimate interests: We may process limited contact data to manage our business relationship with you, including sending engagement-related correspondence and administrative communications.
• Legal obligation: In some circumstances we may be required to process or retain data to comply with applicable Malaysian laws or respond to a lawful request from a regulatory authority.

5.How We Use Your Personal Data

We use personal data collected through our website and engagements for the following purposes:

• Responding to enquiries submitted via the contact form
• Assessing whether our services are suitable for your situation
• Delivering contracted consulting services (analysis, facilitation, documentation)
• Communicating with you about your engagement, including scheduling, deliverables, and follow-up
• Preparing written reports, frameworks, and other deliverables under the engagement scope
• Meeting our legal and tax obligations as a Malaysian-registered business
• Improving our website and service delivery (using anonymised analytics data)

We do not use your personal data for unsolicited marketing communications. If you have previously engaged with us and we believe a service update is relevant to you, we may contact you once — you may opt out at any time by replying to that correspondence.

6.Sharing of Personal Data

Padu Works does not sell personal data. We share personal data only in the following limited circumstances:

• Service providers: We use a small number of third-party tools to operate our website and communications (email hosting, analytics). These providers process data on our behalf and are selected for their compliance with applicable data protection requirements.
• Legal requirements: We may disclose personal data if required to do so by Malaysian law, court order, or a government or regulatory authority with appropriate jurisdiction.
• Business transfers: In the unlikely event of a merger, acquisition, or sale of Padu Works, personal data held by us may be transferred as part of that transaction. We would notify affected individuals before their data is transferred and becomes subject to a different privacy policy.

Third-party services currently used that may process limited personal data include Google Analytics (website analytics, subject to cookie consent) and email service infrastructure. These parties are not permitted to use your data for their own purposes.

7.Data Retention

We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, or as required by law:

• Contact form submissions: Retained for up to 12 months. If no engagement follows, data is deleted or anonymised after this period.
• Engagement records: Retained for 7 years from the conclusion of the engagement, consistent with Malaysian accounting and commercial record-keeping requirements.
• Financial documents provided by clients: Returned to the client or securely deleted within 30 days of engagement completion, unless retention is required by law or agreed otherwise in writing.
• Website analytics data: Aggregated and anonymised on a rolling 26-month basis.

8.Data Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These measures include:

• Encrypted storage of client documents and correspondence
• Access controls limiting data access to personnel involved in the relevant engagement
• Use of reputable, compliance-oriented third-party service providers
• Regular review of data handling practices

In the event of a personal data breach that poses a risk to your rights and interests, we will notify affected individuals promptly and take steps to limit any harm. Breaches reportable under applicable law will be reported to the relevant authority accordingly.

9.Cookies

Our website uses cookies to provide essential functionality and, with your consent, to collect analytics data. We use the following categories of cookies:

• Essential cookies: Necessary for the website to function. These cannot be disabled.
• Analytics cookies: Used to understand how visitors interact with the website. Active only with your consent.
• Preference cookies: Used to remember your cookie consent choices.

You can manage your cookie preferences at any time through our Cookie Policy page, which includes instructions for adjusting browser settings.

10.Your Rights Under the PDPA

As a data subject under Malaysia's Personal Data Protection Act 2010, you have the following rights regarding your personal data:

• Right of access: You may request confirmation of whether we hold personal data about you and obtain a copy of that data.
• Right of correction: You may request that inaccurate or incomplete personal data we hold about you be corrected.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time. This does not affect the lawfulness of processing carried out before the withdrawal.
• Right to limit processing: In certain circumstances, you may request that we limit how we use your personal data.
• Right to object: You may object to processing based on our legitimate interests.

To exercise any of these rights, please contact us at privacy@paduwad. We will respond within 21 days. If you are not satisfied with our response, you may direct a complaint to the Personal Data Protection Commissioner of Malaysia, who oversees compliance with the PDPA.

11.Third-Party Links

Our website may contain links to external websites. We are not responsible for the privacy practices of those sites. We recommend reviewing the privacy policy of any external site you visit through a link from our website.

12.Children's Privacy

Our services are intended for business owners, directors, and management professionals. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected such data, please contact us at privacy@paduwad and we will delete it promptly.

13.Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The updated version will be posted on this page with a revised "last updated" date. If changes are material, we will make reasonable efforts to notify active clients by email. Continued use of our website or services after the date of the updated policy constitutes acceptance of those changes.

14.Contact Us About This Policy

For questions, access requests, or complaints relating to this Privacy Policy or your personal data, please contact: