
Privacy Policy

How Mosswick collects, uses, stores, and protects your personal data — prepared in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia.

Last updated: 1 January 2025

1. Data Controller

Mosswick ("we", "our", "us") is the data controller responsible for your personal data. We are a business advisory practice registered and operating in Malaysia.

Registered address: 22 Jalan Bukit Bintang, 55100 Kuala Lumpur, Malaysia
Phone: +60 3-2117 4862
Email: [email protected]

2. Data We Collect

Depending on how you engage with us, we may collect the following categories of personal data:

  • Identity data: full name, job title, and the name of your organisation.
  • Contact data: email address, telephone number, and mailing or business address.
  • Communication data: the content of messages, enquiries, or correspondence you send to us.
  • Engagement data: notes from discovery calls or meetings, where relevant to scoping an engagement.
  • Technical data: IP address, browser type and version, time zone, operating system, and pages visited, collected via our website and analytics tools.
  • Usage data: information about how you interact with our website, including the pages you view and the time spent on them.
  • Cookie data: preferences and session identifiers stored via cookies and similar technologies — see Section 9.

We do not intentionally collect sensitive personal data (such as health, financial, or biometric data) through our website or general enquiry channels.

3. How We Collect Data

We collect personal data through the following means:

  • Direct interactions: when you submit an enquiry form, send us an email, or call our office.
  • Automated technologies: our website collects technical and usage data automatically using cookies, analytics scripts, and server logs.
  • Third parties: on occasion, we may receive data from referral sources, event organisers, or professional networks in the course of business development.

4. Purposes of Processing

We process your personal data only for defined purposes, which include:

  • Responding to enquiries and managing pre-engagement communications.
  • Delivering contracted advisory services and fulfilling our obligations under a client agreement.
  • Sending relevant practice updates, event invitations, or thought leadership pieces — where you have given consent or where we have a legitimate interest.
  • Improving our website and service offering through aggregated usage analysis.
  • Complying with applicable laws, regulations, or professional obligations.
  • Administering our internal records and business operations.

Under the PDPA 2010, we process your personal data on the following bases:

  • Consent: where you have clearly agreed to a specific use, such as receiving our newsletter or accepting non-essential cookies.
  • Contractual necessity: where processing is necessary to perform or prepare for a consulting engagement with you or your organisation.
  • Legal obligation: where we are required by Malaysian law or regulation to retain or disclose certain records.
  • Legitimate interests: where we have a genuine business reason that does not override your rights — for example, improving our website or maintaining professional relationships.

6. Retention

We retain personal data only for as long as necessary to fulfil the purposes set out in this policy, or as required by applicable law. Our general retention periods are as follows:

  • Website enquiries (no engagement initiated): 12 months from the date of last contact.
  • Client engagement records: 7 years from engagement completion, in line with standard commercial record-keeping practice in Malaysia.
  • Marketing consent records: for as long as the consent remains active, or 3 years after the last engagement, whichever is shorter.
  • Technical and server logs: 90 days on a rolling basis.

When data is no longer required, we securely delete or anonymise it.

7. Sharing and Disclosure

We do not sell, rent, or trade your personal data. We share data only where necessary and with appropriate safeguards in place:

  • Service providers: technology vendors who assist us with website hosting, email delivery, analytics, and CRM tools, who are bound by confidentiality and data processing agreements.
  • Professional advisors: legal counsel, auditors, or accountants engaged to support our business, under duties of confidentiality.
  • Legal authorities: where required by law, court order, or regulatory direction.

We do not share client engagement data with any third party without your explicit written authorisation, except where disclosure is legally compelled.

8. Cross-Border Data Transfers

Where we use service providers located outside Malaysia, your data may be transferred to and processed in other countries. In such cases, we ensure that appropriate safeguards are in place — such as standard contractual clauses or equivalent protections — consistent with the requirements of the PDPA 2010 and guidance issued by the Personal Data Protection Commissioner.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to function correctly and to help us understand how visitors use the site. Categories of cookies we may use include:

  • Essential cookies: required for the website to operate — these cannot be disabled.
  • Analytics cookies: help us understand visitor behaviour in aggregate, without identifying individuals.
  • Marketing cookies: used to measure the effectiveness of outreach — only placed with your consent.
  • Preference cookies: remember your choices and settings across visits.

You can manage your cookie preferences at any time using the consent tool on our website. For more detail, please see our Cookie Policy.

10. Your Rights

Under the PDPA 2010, you have the following rights in relation to your personal data:

  • Right of access: to request a copy of the personal data we hold about you.
  • Right of correction: to request that inaccurate or incomplete data is corrected.
  • Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to limit processing: to request that we restrict how we use your data in certain circumstances.
  • Right to object: to object to processing based on our legitimate interests, including direct marketing.

To exercise any of these rights, please contact us at [email protected]. We will respond within a reasonable timeframe and no later than 21 days. In some cases, we may need to verify your identity before acting on a request.

11. Security

We take reasonable and appropriate steps to protect your personal data from unauthorised access, disclosure, alteration, or loss. These measures include access controls, encrypted data transmission (HTTPS), and limited internal access on a need-to-know basis.

While we take security seriously, no method of transmission over the internet or electronic storage is entirely without risk. We encourage you not to transmit sensitive data through unencrypted channels.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The revised version will be published on this page with an updated effective date. Where changes are material, we will make reasonable efforts to notify relevant individuals.

We encourage you to review this policy periodically.

13. Contact Us

If you have questions about this policy, wish to exercise your data rights, or have a concern about how we have handled your personal data, please reach out:

  • Email: [email protected]
  • Phone: +60 3-2117 4862
  • Post: 22 Jalan Bukit Bintang, 55100 Kuala Lumpur, Malaysia

If you are not satisfied with our response, you have the right to refer a complaint to the Department of Personal Data Protection Malaysia (JPDP): www.pdp.gov.my.
