Privacy Policy

Introduction

Cipher Bloom ("we", "our", or "us") is committed to protecting the privacy and personal data of individuals who engage with our services. This Privacy Policy explains how we collect, use, process, and protect personal information in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia and other applicable data protection regulations.

This policy applies to personal data collected through our website, during service delivery, and through any communications with Cipher Bloom. By using our services or providing your personal information, you acknowledge that you have read and understood this Privacy Policy.

What Personal Data We Collect

We collect personal data necessary for delivering our AI integration services and maintaining professional relationships with clients. The types of personal data we may collect include:

• Contact information: name, email address, phone number, job title, organisation name
• Professional information: role, department, technical background, areas of responsibility
• Communication records: correspondence via email, phone, or in-person meetings
• Project-specific information: technical requirements, capability assessments, organisational context
• Website usage data: IP address, browser type, pages visited, time spent on pages (via analytics)
• Payment information: billing details for service delivery (processed through secure payment providers)

We collect personal data directly from you when you contact us, engage our services, or interact with our website. We may also collect information from your organisation when you are designated as a contact person for our services.

How We Use Your Personal Data

We use personal data for the following purposes, based on legitimate business interests and contractual requirements:

• Service delivery: providing AI integration reviews, programmes, and initiatives as contracted
• Communication: responding to inquiries, scheduling consultations, providing project updates
• Client relationship management: maintaining records of engagements and supporting ongoing work
• Documentation: creating reports, assessments, and deliverables as part of our services
• Invoicing and payment processing: managing financial transactions for services rendered
• Website improvement: analysing usage patterns to enhance user experience
• Legal compliance: meeting regulatory requirements and responding to legal requests
• Marketing communications: sharing relevant information about our services (with consent)

We process personal data only when we have a lawful basis to do so, including consent, contractual necessity, legitimate interests, or legal obligation.

Data Sharing and Third Parties

We do not sell personal data to third parties. We may share personal data with the following categories of recipients when necessary for service delivery or legal compliance:

• Service providers: payment processors, email service providers, cloud storage providers (under strict data processing agreements)
• Professional advisors: lawyers, accountants, auditors (bound by professional confidentiality)
• Regulatory authorities: when required by law or to comply with legal processes
• Your organisation: sharing project deliverables and communications with designated stakeholders

All third-party service providers are required to implement appropriate technical and organisational measures to protect personal data and use it only for the purposes we specify.

Data Security Measures

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction:

• Encryption: sensitive data is encrypted in transit and at rest using industry-standard protocols
• Access controls: personal data is accessible only to authorised personnel on a need-to-know basis
• Secure storage: cloud storage providers meeting international security standards
• Regular backups: data backed up securely to prevent loss
• Staff training: team members trained on data protection principles and procedures
• Incident response: procedures in place to detect, respond to, and report data breaches

While we take data security seriously, no method of transmission or storage is completely secure. We cannot absolutely guarantee the security of information transmitted to us.

Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements:

• Client data during engagement: retained for the duration of service delivery and project completion
• Financial records: retained for seven years to comply with Malaysian taxation requirements
• Project documentation: retained for three years after engagement completion for reference and follow-up
• Marketing communications: retained until consent is withdrawn or contact becomes inactive
• Website analytics: aggregated data retained indefinitely; individual data retained for 26 months

After retention periods expire, personal data is securely deleted or anonymised so it can no longer be associated with an individual.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance user experience and analyse website usage. For detailed information about how we use cookies, please refer to our Cookie Policy.

You can manage cookie preferences through your browser settings or our cookie consent interface when you first visit our website.

Your Rights

Under the Personal Data Protection Act 2010 and other applicable laws, you have the following rights regarding your personal data:

• Right to access: request confirmation of whether we process your personal data and obtain a copy
• Right to rectification: request correction of inaccurate or incomplete personal data
• Right to erasure: request deletion of personal data in certain circumstances
• Right to restrict processing: request limitation of how we process your personal data
• Right to data portability: receive your personal data in a structured, commonly used format
• Right to object: object to processing based on legitimate interests or for marketing purposes
• Right to withdraw consent: withdraw consent for processing where consent is the legal basis
• Right to complain: lodge a complaint with the Personal Data Protection Commissioner of Malaysia

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 21 days as required by the PDPA.

Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a person under 18 without parental consent, we will take steps to delete that information promptly.

International Data Transfers

We primarily process personal data within Malaysia. However, some of our service providers may process data outside Malaysia, including in jurisdictions with different data protection standards.

When we transfer personal data internationally, we ensure appropriate safeguards are in place, such as standard contractual clauses, adequacy decisions, or explicit consent where required.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, services, or legal requirements. The "Last Updated" date at the top of this policy indicates when it was most recently revised.

We will notify you of material changes by posting a notice on our website or sending an email to registered contacts. Continued use of our services after policy changes constitutes acceptance of the updated policy.

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle personal data, please contact us: