Legal
Privacy Policy
Last Updated: 28 April 2025 · Effective Date: 28 April 2025
This Privacy Policy explains how Lumenroot Sdn Bhd ("Lumenroot", "we", "us") collects, uses, and protects personal data in connection with our advisory services and website. It applies to all individuals who contact us, engage our services, or visit our website at lumenroot.site.
1. Data Controller
The data controller responsible for personal data collected through this website and in the course of our advisory engagements is:
Lumenroot Sdn Bhd
Level 18, Menara Citibank, 165 Jalan Ampang, 50450 Kuala Lumpur, Malaysia
Email: [email protected]
Phone: +60 3-2174 8639
2. Legal Framework
We handle personal data in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA 2010) and its associated regulations. This policy describes our practices in compliance with the seven data protection principles set out under the PDPA 2010: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access.
3. What Personal Data We Collect
3.1 Data collected through our website contact form
- Full name (required)
- Email address (required)
- Phone number (optional)
- Message content (optional)
3.2 Data collected during advisory engagements
- Business name and company registration details
- Names and contact information of founder and key staff
- Business operational and strategic information shared during sessions
- Written notes, documents, and planning materials produced during the engagement
3.3 Data collected automatically
- Browser type and version
- IP address (anonymised where possible)
- Pages visited and time spent on the website
- Referring URL
4. How We Collect Personal Data
Personal data is collected through the following channels:
- Website contact form submissions
- Email correspondence
- Telephone conversations
- In-person or video-based advisory sessions
- Website cookies and analytics tools (see Section 8)
Legal basis for processing
- Consent — where you have submitted a contact form or agreed to our cookie policy
- Contract — where processing is necessary to deliver an advisory engagement you have commissioned
- Legitimate interest — for website analytics, improving service quality, and record-keeping
- Legal obligation — where required to comply with Malaysian law
5. How We Use Personal Data
We use personal data for the following purposes:
- To respond to enquiries submitted through our contact form
- To schedule, conduct, and follow up on advisory sessions
- To produce written deliverables as part of contracted engagements
- To issue invoices and maintain business records
- To improve our website and services based on usage patterns
- To comply with legal and regulatory requirements under Malaysian law
We do not use personal data for automated decision-making or profiling. We do not send marketing communications without explicit consent. You may withdraw consent for marketing communications at any time by contacting us at [email protected].
6. Data Sharing and Third Parties
We do not sell, rent, or trade personal data with third parties for commercial purposes. Personal data may be shared in the following limited circumstances:
- Service providers — third-party services used for website hosting, email, and analytics, operating under data processing agreements
- Legal requirements — if required by Malaysian law, court order, or regulatory authority
- Business continuity — in the event of a merger, acquisition, or sale of business assets, with appropriate confidentiality protections
Business information shared during advisory engagements is kept strictly confidential and is not shared with any third party without explicit client consent.
7. Data Retention
- Contact form enquiries that do not lead to an engagement: up to 12 months
- Client engagement records and documents: up to 7 years from engagement close, in line with standard business record-keeping requirements
- Website analytics data: up to 26 months in anonymised form
- Invoice and financial records: up to 7 years as required under Malaysian tax law
Where retention is no longer necessary, data is securely deleted or anonymised.
8. Cookies
Our website uses cookies to function properly and to understand how visitors use the site. Cookie categories include:
- Essential cookies — required for basic site functionality
- Analytics cookies — used to understand page visits and usage patterns (optional)
- Preference cookies — used to remember user settings (optional)
You can manage cookie preferences through the banner on our homepage or by visiting our Cookie Policy page.
9. Data Security
We take reasonable and appropriate steps to protect personal data against loss, misuse, and unauthorised access, including:
- SSL/TLS encryption for data transmitted through our website
- Password-protected access to systems holding personal data
- Access limited to staff members with a legitimate need
- Regular review of data handling practices
In the event of a data breach that may affect your rights or interests, we will notify affected individuals and the relevant authority in accordance with PDPA 2010 requirements.
10. Your Rights Under PDPA 2010
As a data subject under Malaysian law, you have the following rights:
- Access — request a copy of personal data we hold about you
- Correction — request that inaccurate or incomplete data be corrected
- Withdrawal of consent — withdraw consent for processing based on consent at any time
- Objection to processing — object to processing for direct marketing purposes
- Complaint — lodge a complaint with the Department of Personal Data Protection (JPDP) Malaysia if you believe your data has been handled unlawfully
To exercise any of these rights, contact us at [email protected]. We will respond within 21 days in accordance with PDPA 2010 requirements.
The supervisory authority in Malaysia is the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi), Ministry of Digital.
11. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies independently. This policy applies only to Lumenroot's website and services.
12. Children's Privacy
Our services are intended for business owners and professionals aged 18 and above. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
13. Policy Updates
This Privacy Policy may be updated from time to time to reflect changes in our practices or in applicable law. The "Last Updated" date at the top of this page indicates when the current version was published. Continued use of our website or services following an update constitutes acceptance of the revised policy. Where changes are material, we will notify existing clients by email.
14. Contact for Data Matters
For any questions, requests, or complaints relating to personal data, please contact:
Lumenroot Sdn Bhd — Data Protection
Level 18, Menara Citibank, 165 Jalan Ampang, 50450 Kuala Lumpur
Email: [email protected]
Phone: +60 3-2174 8639