Privacy Policy

Introduction

Sentosa Legal ("we", "us", "the firm") is committed to handling personal data responsibly and in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA). This policy explains what data we collect, how we use it, and the rights you hold under Malaysian law.

This policy applies to all individuals who contact us, submit enquiries through our website at sentosal.pro, or engage us for legal services. For data-related enquiries, contact us at [email protected].

Data we collect

We collect personal data only where necessary for the purposes described in this policy. Categories of data collected include:

• Contact information: Name, email address, and phone number provided through our website contact form or direct communication.
• Matter information: Descriptions of legal situations submitted in enquiry forms or discussed during consultations, including details about debts, company affairs, or court proceedings.
• Usage data: Technical information about how visitors interact with our website, collected through cookies and analytics tools (where consent is given).
• Engagement records: Correspondence, notes from consultations, documents provided as part of an engagement, and billing records where applicable.

Legal basis for processing

We process personal data on the following bases under the PDPA:

• Consent — where you have provided it (e.g., analytics cookies)
• Contractual necessity — where processing is needed to fulfil an engagement
• Legal obligation — where required by Malaysian law, court order, or regulatory requirement
• Legitimate interests — for internal administrative purposes, security, and communications directly related to services requested

Retention periods

Client matter files are retained for seven years following the conclusion of an engagement, in line with standard Malaysian legal practice requirements. Website enquiry data that does not proceed to a formal engagement is retained for twelve months. Analytics data is retained for no longer than twenty-six months.

How we use personal data

• Responding to enquiries and arranging consultations
• Providing legal advisory services and related correspondence
• Maintaining records required by the Malaysian Bar Council and under the Legal Profession Act 1976
• Processing payments where applicable
• Improving our website and service delivery (with consent, via analytics)
• Complying with court orders, legal obligations, or requests from regulatory authorities

We do not use personal data for marketing communications without explicit consent. We do not sell, rent, or transfer personal data to third parties for their own marketing purposes.

How we protect personal data

• Secure, encrypted storage for all electronic client files
• Access to matter files restricted to the engagement team and firm principals
• Physical file storage in locked cabinets within secure premises
• Regular review of access rights and security practices
• Data breach notification procedure in place; affected individuals notified promptly in accordance with PDPA requirements

Cookies

Our website uses cookies to improve user experience and, where consent is given, to collect anonymous analytics data. Essential cookies are required for the site to function and cannot be disabled. Optional cookies are only set if you have provided consent through our cookie preference panel. Full details are available in our Cookie Policy.

Third-party services and data sharing

We may share personal data with the following categories of third parties, where necessary:

• Licensed insolvency practitioners, where coordinated referral forms part of your engagement
• Courts and judicial authorities, where required for proceedings
• The Department of Insolvency Malaysia (MdI), where required by statute or process
• Cloud service and IT providers engaged to support firm operations, under appropriate data processing agreements

We do not transfer personal data outside Malaysia except where required by specific legal proceedings or with explicit consent.

Your rights under Malaysian law

Under the Personal Data Protection Act 2010, you have the following rights:

• Right of access: You may request a copy of personal data we hold about you.
• Right of correction: You may request correction of inaccurate or incomplete data.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
• Right to prevent processing for direct marketing: You may notify us at any time that you do not wish to receive marketing communications.
• Right to make a complaint: Complaints about our data handling may be directed to the Personal Data Protection Department (PDPD) of Malaysia.

To exercise any of these rights, contact us at [email protected]. We will respond within 21 days.

Minors

Our services are directed at individuals aged 18 and over. We do not knowingly collect personal data from persons under 18. If you believe we have received data from a minor, please contact us at [email protected] and we will delete it promptly.

Changes to this policy

We may update this policy from time to time. Material changes will be posted on this page with an updated "Last updated" date. Continued use of our website following a change constitutes acceptance of the revised policy.

Contact

For all data-related enquiries: