Issued under the Personal Data Protection Act 2010 (as amended 2024)
Contact: hello@jassyhrfirewall.com
Legal & Compliance

Privacy Notice

This Notice explains how Jassy HR Firewall Venture collects, uses, discloses, retains and protects personal data, in accordance with the Personal Data Protection Act 2010 of Malaysia (as amended by the Personal Data Protection (Amendment) Act 2024).

Effective date: 1 May 2026
Last reviewed: May 2026
Statute: PDPA 2010 (am. 2024)
Version: 2026.05.01

Section 01: Who we are

Jassy HR Firewall Venture (“we”, “us”, “the Firm”) is the data user responsible for personal data collected through this website, our membership platform, our training programmes, and our advisory engagements with clients in Malaysia.

We act as a data user for personal data collected directly from individuals (members, course participants, advisory client contacts, prospects). In advisory engagements where we process personal data on behalf of a client organisation about its employees, the client remains the data user and we act as a data processor in accordance with the engagement contract and the PDPA.

This Notice applies to all personal data we collect, regardless of the channel (website, email, social media, training registration, payment forms or in-person events).

Section 02: The personal data we collect

The categories of personal data we typically collect:

Identification and contact data

  • Full name, NRIC or passport number (training certification only), professional title, employer name
  • Business email address, business and personal phone number
  • Correspondence address

Membership and engagement data

  • Account credentials (email and a hashed password)
  • Subscription tier and renewal status
  • Training programmes attended and certificates issued
  • Records of advisory engagements, scopes, deliverables and invoices

Payment data

Payment is processed by accredited third-party payment processors. We do not store full card numbers, CVV codes or full bank account details on our servers. We retain transaction references, billing names and amounts for accounting and tax purposes.

Website behavioural data

  • IP address, browser type, referring page
  • Pages visited, time on page, downloads requested
  • Authentication session data for logged-in members

Sensitive personal data

We do not solicit sensitive personal data (as defined in s.4 of the PDPA — relating to health, political opinions, religious beliefs, criminal record, or similar). Where such data is incidentally shared in an advisory engagement (for example, in a medical certificate disclosed by the client for HR record purposes), we handle it under heightened safeguards and only as instructed by the client data user.

Section 03: Why we collect it

We collect and process personal data for the following purposes:

  • Service delivery — to operate the membership platform, deliver training, issue certificates, and provide advisory work
  • Account administration — to authenticate members, process subscription renewals, manage entitlements
  • Billing and accounting — to issue invoices, process payments and maintain statutory accounting records
  • Communications — to respond to enquiries, send service notifications, issue training reminders, and (with your consent) send our compliance newsletter and event invitations
  • Statutory and regulatory — to comply with applicable Malaysian law (including PDPA, the Income Tax Act 1967, anti-money-laundering legislation, and the HRD Corp scheme rules where training is HRD Corp claimable)
  • Quality and improvement — to understand how our content is used, improve our platform, and design future training

Section 04: Lawful basis

We rely on the following lawful bases under the PDPA:

  1. Consent — where you actively agree, such as opting in to our newsletter or accepting cookies beyond strictly necessary categories
  2. Performance of contract — where processing is necessary to deliver a service you have purchased (membership, training, advisory)
  3. Compliance with legal obligation — where processing is required by Malaysian law
  4. Legitimate interests — for purposes such as fraud prevention, network security, and direct communications to existing clients about substantially similar services, provided these do not override your rights and freedoms

Where you have given consent, you may withdraw it at any time by writing to us at the contact address below. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Section 05: Disclosure to third parties

We disclose personal data only where necessary, and to the following categories of recipient:

  • Service providers — payment processors, website hosting, email delivery, video conferencing, customer-relationship management and accounting platforms. Each is engaged under a written data processor agreement that binds them to PDPA-equivalent safeguards.
  • Professional advisers — our legal, audit, tax and insurance advisers, on a need-to-know basis.
  • HRD Corp — for HRD Corp claimable training, the names and NRIC of participants are submitted as required by the scheme.
  • Regulators and authorities — where disclosure is required by law, court order, or by a competent regulator (including the Personal Data Protection Commissioner, the Inland Revenue Board (LHDN), or the Royal Malaysian Police in the context of a formal investigation).

We do not sell personal data. We do not share personal data with advertising networks or data brokers.

Section 06: Cross-border transfers

Personal data may be transferred to and processed in jurisdictions outside Malaysia where our service providers operate. Following the PDPA (Amendment) Act 2024, cross-border transfers are permitted where the receiving jurisdiction has comparable data protection law, or where appropriate safeguards (such as standard contractual clauses with the processor) are in place, or where one of the statutory exceptions applies.

Where personal data is transferred outside Malaysia, we maintain a register of the destination, the processor, the purpose and the safeguards in place. The register is available to data subjects on written request.

Section 07: How long we keep your data

We retain personal data only for as long as necessary for the purpose for which it was collected, subject to any longer retention period imposed by law.

Indicative retention periods:
  • Membership account data — for the duration of the subscription plus 24 months
  • Training records and certificates — 7 years (Income Tax Act statutory minimum)
  • Advisory engagement files — 7 years from engagement close
  • Marketing list subscribers — until consent is withdrawn
  • Website analytics — aggregated and anonymised after 14 months
  • Email enquiries that do not result in engagement — 24 months

At the end of the applicable retention period, personal data is either securely destroyed or anonymised so that the individual is no longer identifiable.

Section 08: Your rights as a data subject

Under the PDPA, you have the following rights in respect of your personal data:

  • Right of access — to receive a copy of the personal data we hold about you
  • Right of correction — to require us to correct any inaccurate or incomplete personal data
  • Right to withdraw consent — for any processing based on consent
  • Right to limit processing — for purposes of direct marketing
  • Right to data portability — introduced under the 2024 amendments, where the processing is automated and based on consent or contract, you may request a structured, commonly-used and machine-readable copy of your data, and ask us to transmit it to another data user where technically feasible
  • Right to lodge a complaint — with the Personal Data Protection Commissioner (Jabatan Perlindungan Data Peribadi, JPDP)

To exercise any of these rights, please write to hello@jassyhrfirewall.com with the subject line “PDPA Data Subject Request”. We will respond within 21 days. We may require you to verify your identity before fulfilling the request.

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commissioner at www.pdp.gov.my.

Section 09: Security and breach notification

We maintain technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These include encrypted transmission (HTTPS/TLS), encryption at rest for sensitive fields, role-based access controls, formal access reviews, multi-factor authentication for administrative accounts, and documented incident-response procedures.

Under the PDPA (Amendment) Act 2024, where a personal data breach is likely to result in significant harm to data subjects, we will notify the Personal Data Protection Commissioner without undue delay and, where the threshold applies, notify affected data subjects directly. Our breach-response runbook governs the assessment, containment, notification and remediation steps.

Section 10: Cookies and tracking

Our website uses cookies and similar technologies in three categories:

  • Strictly necessary — for authentication, session management, and security. These cannot be disabled without breaking site functionality.
  • Analytical — anonymised analytics on how the site is used, retained for no longer than 14 months. You may opt out via our cookie preferences panel.
  • Functional — to remember your preferences such as language or display settings.

We do not use third-party advertising cookies. Where cookies require consent, you may set or withdraw your preferences at any time using the cookie preferences link in the website footer.

Section 11: Children

Our services are directed to professional adult users in HR, finance, legal and management roles. We do not knowingly collect personal data from children under 18 through our website or membership platform. Where we become aware that personal data of a minor has been collected without verifiable parental consent, we will delete it without undue delay.

Section 12: Changes to this Notice

We may amend this Notice from time to time to reflect changes in our processing activities, in technology, or in applicable law. The “Effective date” at the top of this Notice indicates the latest version. Where changes are material, we will give you advance notice by email (for members) or by a prominent banner on the website.

This Notice is published in English. A Bahasa Malaysia translation is available on request. In the event of conflict between language versions, the English text prevails.

Section 13: Contact and Data Protection Officer

For any privacy enquiry, including data subject requests, complaints, breach reports or consent withdrawal, please contact:

Jassy HR Firewall Venture

Email: hello@jassyhrfirewall.com
Subject line: PDPA Data Subject Request
Response window: 21 days from verified request
Postal address: Issued on written request via email

This Notice is issued in accordance with the Personal Data Protection Act 2010 (Act 709) as amended by the Personal Data Protection (Amendment) Act 2024.