Privacy Policy

1. Introduction

Heirlight ("we", "us", "our") is committed to protecting the personal information of the people who use our website and enquire about or engage our services. This Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have in relation to it.

This Policy applies to personal data collected through our website at heirligh.pro, through our contact form, and in the course of providing our heritage documentation and archival services.

Our services are offered in Malaysia. We operate under Malaysian law, including the Personal Data Protection Act 2010 (PDPA). If you are located outside Malaysia, different data protection laws may apply in your jurisdiction. We apply reasonable care in any case.

2. What Personal Data We Collect

We collect personal data only where it is necessary for the purposes set out below. The types of data we may collect include:

• Contact information: name, email address, telephone number — collected when you submit an enquiry through our website contact form or contact us directly.
• Service-related information: details you share with us about the nature of the materials you hold or the service you are seeking — collected in the course of correspondence and appointments.
• Website usage data: anonymised analytics data about how visitors use our website, collected via cookies and analytics tools (see Section 5).

Legal basis for processing

• Processing enquiry and appointment information: consent (you submit the form) and legitimate interest (responding to your enquiry).
• Service delivery: contract performance (where you have engaged our services).
• Website analytics: consent (where you accept cookies).

Retention periods

Enquiry correspondence is retained for up to 12 months. Service engagement records are retained for up to 3 years for administrative purposes. Analytics data is held in anonymised form for up to 26 months. We do not retain any copies of the physical or digital materials you bring to our studio after a project is completed.

3. How We Use Your Data

• To respond to your enquiry — we use your contact details to reply to your message.
• To arrange and conduct appointments — we use your contact details to confirm, reschedule, or follow up on studio appointments.
• To deliver services — where you have engaged a Heirlight programme, we use the information you have provided to carry out that work.
• To improve our website — anonymised analytics data helps us understand which parts of the website are useful and where improvements may be needed.
• To comply with legal obligations — we may retain or disclose data where required by Malaysian law.

We do not sell, rent, or otherwise share your personal data with third parties for marketing purposes. We do not send marketing communications without your explicit consent.

4. How We Protect Your Data

• Our website is served over HTTPS. Data submitted through the contact form is encrypted in transit.
• Electronic correspondence and records are stored on password-protected systems with access limited to Heirlight staff who need them.
• Physical records are held in locked storage at our studio and are not accessible to third parties.
• In the event of a personal data breach that is likely to result in a risk to your rights, we will notify affected individuals as soon as practicable.

5. Cookies

Our website uses cookies to support basic functionality and, where you consent, to collect anonymised analytics data about website usage. Cookies do not identify you personally.

For full details of how we use cookies and how to manage your preferences, see our Cookie Policy.

6. Your Rights

Under the Malaysian Personal Data Protection Act 2010 and applicable data protection principles, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — request that we correct inaccurate or incomplete data.
• Withdrawal of consent — withdraw consent to data processing at any time, where consent is the basis for processing. This will not affect processing carried out before withdrawal.
• Erasure — request deletion of your personal data, subject to any legal obligations that require us to retain it.
• Objection — object to processing carried out on the basis of legitimate interest.

To exercise any of these rights, contact us at [email protected]. We will respond within 21 days.

7. Third-Party Links

Our website may contain links to other websites. We are not responsible for the privacy practices of those sites. We encourage you to read the privacy policies of any external sites you visit.

8. Children's Privacy

Our services are directed at adults aged 18 and over. We do not knowingly collect personal data from individuals under 18. If we become aware that we have collected data from a minor without appropriate consent, we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a revised "Last updated" date. We encourage you to review this Policy periodically. Continued use of our website after an update constitutes acceptance of the revised Policy.

10. Contact Us

For any questions about this Policy, or to exercise your data rights, please contact: