Privacy Policy

1. Who We Are

The data controller for this website is Cahaya Systems, an AI integration consultancy based at 27 Jalan Wong Ah Fook, 80000 Johor Bahru, Johor, Malaysia. We can be reached at [email protected] or by telephone at +60 7-3314 8265 during normal business hours.

This policy applies to personal data collected through our website at cahayasystems.world and through any related correspondence, service engagements, or training programmes we provide.

2. Personal Data We Collect

We collect only the information that is genuinely necessary for the purpose at hand.

Information you provide directly

• Full name and job title (when you submit an enquiry form or register for a training programme)
• Email address (for correspondence and service delivery)
• Phone number (when voluntarily provided)
• Organisation name and industry sector (where relevant to a service engagement)
• Content of messages you send to us through the contact form

Information collected automatically

• IP address and general geographic location (country or city)
• Browser type and operating system
• Pages visited, time spent on pages, and referring URLs
• Cookie preferences and session identifiers

We do not collect sensitive categories of personal data such as health information, financial account details, or identity document numbers.

3. How We Use Your Data

We use your personal data only for purposes that are reasonable and proportionate:

• Responding to your enquiries and providing the services or training you have requested
• Managing programme enrolments, scheduling, and post-engagement follow-up
• Sending service-related communications such as booking confirmations or invoice documents
• Improving the quality and content of our website and service offerings
• Complying with legal obligations applicable in Malaysia
• Sending occasional updates about relevant programmes or resources — only where you have agreed to receive such communications

We do not use your data for fully automated decision-making that has legal or similarly significant effects on you.

4. Legal Basis for Processing

Our processing of your personal data is governed by the Personal Data Protection Act 2010 (PDPA) of Malaysia. We process data on the following bases:

• Consent — when you submit a contact form or opt in to receive updates, you provide us with consent to process the data provided
• Contractual necessity — when data processing is required to deliver a service you have engaged us for
• Legitimate interests — for website analytics and security, where these interests do not override your rights
• Legal obligation — where Malaysian law requires us to retain or process certain records

5. Data Retention

We keep personal data only for as long as it serves the purpose for which it was collected:

• Enquiry and contact form data: up to 24 months from last contact
• Training programme records: up to 5 years from programme completion, for audit and certificate purposes
• Financial and invoice records: 7 years, in accordance with Malaysian tax and accounting requirements
• Website analytics data: up to 26 months (rolling)
• Cookie consent records: 12 months

After the applicable retention period, data is securely deleted or anonymised.

6. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We may share it only in the following limited circumstances:

• Service providers — such as email delivery platforms or analytics tools, who process data strictly on our instructions and under confidentiality obligations
• Training venue partners — where a programme is delivered at a third-party facility, minimal participant data may be shared for access and logistics
• Legal requirements — if disclosure is required by a Malaysian court, regulatory body, or law enforcement agency
• Business transfers — if Cahaya Systems undergoes a merger or acquisition, data may be transferred as part of that transaction, with prior notice to affected individuals where practicable

Third-party services we currently use may include Google Analytics (traffic measurement), Facebook Pixel (advertising performance), and standard email infrastructure. Each operates under its own privacy framework.

7. Data Security

We maintain appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure:

• HTTPS encryption across all website pages
• Access to personal data restricted to authorised staff only
• Regular internal reviews of data handling practices
• Secure disposal of data no longer required

In the event of a data breach that poses a risk to individuals, we will notify affected parties and relevant authorities in accordance with applicable Malaysian regulations.

8. Cookies

This website uses cookies to support basic functionality, measure traffic, and remember your preferences. You can manage your cookie choices at any time through our Cookie Policy page, or by adjusting your browser settings. Essential cookies cannot be disabled as they are required for the site to function.

9. Your Rights Under the PDPA

Under the Personal Data Protection Act 2010, you have the following rights in relation to your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to correction — request that inaccurate or incomplete data be corrected
• Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting processing done prior to withdrawal
• Right to object — object to processing carried out for direct marketing purposes
• Right to limit processing — request that we restrict how we use your data while a query is being resolved

To exercise any of these rights, please contact us at [email protected]. We will respond within 21 days. We may need to verify your identity before acting on a request.

If you believe your data rights have not been respected, you may direct a complaint to the Department of Personal Data Protection (JPDP), the Malaysian supervisory authority for personal data matters.

10. International Data Transfers

In most cases, your data is processed within Malaysia. Where a third-party service provider is based outside Malaysia, we take steps to ensure that adequate data protection measures are in place, consistent with the requirements of the PDPA and relevant guidelines from JPDP.

11. Children

Our website and services are directed at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted data to us, please contact us and we will arrange for its prompt removal.

12. Third-Party Links

Our website may contain links to external sites or resources. Once you leave our website, this Privacy Policy no longer applies and we are not responsible for how those third-party sites handle your data. We encourage you to review the privacy policies of any external sites you visit.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or in applicable law. When we do, we will revise the "Last Updated" date at the top of this page. We encourage you to review this page periodically to stay informed. Continued use of our website after a policy update constitutes acceptance of the revised terms.

14. Contact Us About This Policy

If you have any questions, concerns, or requests related to this Privacy Policy or the way we handle personal data, you are welcome to reach us: