Legal
Last Updated: 16th April 2026
This Agreement is made on 16th April 2026 between Vamitch Creative Enterprise and Website Users & Visitors.
Parties
(1) Vamitch Creative Enterprise: a creative services business operating in Malaysia, providing brand strategy, creative direction, photography, video/film production, visual storytelling, copywriting, website design, and brand identity design services ("Business", "we", "us", "our");
(2) Website Users & Visitors: any individual who visits, accesses, or uses the website, submits contact forms, subscribes to newsletters or waitlists, or otherwise interacts with our online platform ("Users", "you", "your").
Background
(A) The Business operates a website built using Google Sites to promote and deliver creative services including brand strategy, creative direction, photography, video/film production, visual storytelling, copywriting, website design, and brand identity design to clients in Malaysia and internationally.
(B) In the course of providing these services and operating the website, the Business collects, processes, and stores personal data from Users who visit the website, submit inquiries through contact forms, subscribe to newsletters or waitlists, or engage our services.
(C) The Business is committed to protecting the privacy and personal data of all Users in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA) and, where applicable, respecting the principles of the General Data Protection Regulation (GDPR) for international visitors.
(D) The website utilises third-party services including Google Analytics for website traffic analysis, Tally for contact and sign-up forms, Brevo for newsletter management, and Pixieset for contracts and galleries where applicable.
(E) Personal data is collected through various means including contact forms, newsletter subscriptions, waitlist registrations, and formal project contracts, with different categories of information collected depending on the User's interaction with our services.
(F) The Business processes personal data for legitimate purposes including responding to inquiries, delivering contracted services, processing payments for confirmed projects, and conducting marketing communications where appropriate consent has been obtained.
(G) This Privacy Policy sets out the Business's commitment to data protection, explains how personal data is collected, used, stored, and protected, and informs Users of their rights regarding their personal data under applicable Malaysian law.
1. Definitions
1.1. Business means Vamitch Creative Enterprise, a creative services business operating in Malaysia providing brand strategy, creative direction, photography, videography, visual storytelling, website design, and brand identity design services.
1.2. Consent means any freely given, specific, informed and unambiguous indication of a data subject's wishes by which he signifies his agreement to the processing of personal data relating to him, including through a statement or clear affirmative action.
1.3. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.4. Data Controller means the Business as the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data.
1.5. Data Processor means a natural or legal person who processes personal data on behalf of the data controller, including third-party service providers such as Google Analytics, Tally, Brevo, and Pixieset.
1.6. Data Protection Officer means the person designated by the Business to monitor compliance with data protection laws and serve as point of contact for data protection matters, if applicable under PDPA requirements.
1.7. Data Subject means an identified or identifiable natural person who is the subject of personal data, including website visitors, users, clients, and newsletter subscribers.
1.8. GDPR means the General Data Protection Regulation (EU) 2016/679, the principles of which are respected for international visitors to the website.
1.9. Google Analytics means the web analytics service provided by Google LLC used to analyse website traffic and user behaviour.
1.10. Google Sites means the website building platform provided by Google LLC on which the Business's website is built and hosted.
1.11. International Data Transfer means the transmission of personal data from Malaysia to a country outside Malaysia or to an international organisation.
1.12. Marketing Communications means promotional materials, newsletters, service updates, and other commercial communications sent to Users who have provided appropriate consent.
1.13. PDPA means the Personal Data Protection Act 2010 (Act 709) of Malaysia and any regulations made thereunder, as amended from time to time.
1.14. PDPD means the Personal Data Protection Department established under the PDPA to oversee compliance and enforcement of data protection laws in Malaysia.
1.15. Personal Data means any information in respect of commercial transactions which relates directly or indirectly to a data subject who is identified or identifiable from that information or from that and other information in the possession of a data user, including name, email address, phone number, service preferences, budget information, message content, referral sources, and any other identifying information.
1.16. Pixieset means the third-party platform used by the Business for managing contracts, galleries, and client project deliverables where applicable.
1.17. Processing means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
1.18. Brevo means the third-party email marketing platform used by the Business for managing newsletter subscriptions, marketing communications, and email campaign delivery.
1.19. Sensitive Personal Data means personal data consisting of information relating to physical or mental health, political opinions, religious beliefs, criminal records, or other categories specified under the PDPA requiring enhanced protection.
1.20. Tally means the third-party service used by the Business for managing contact forms and waitlist registrations.
1.21. Third-Party Services means external platforms, tools, and service providers used by the Business including but not limited to Google Analytics, Tally, Brevo, and Pixieset.
1.22. Users means any individual who visits, accesses, or uses the website, submits forms, subscribes to communications, or otherwise interacts with the Business's online platform.
1.23. Website means the Business's online platform built using Google Sites and any associated domains, subdomains, or web properties operated by the Business.
2. Legal Basis and Compliance
2.1. This Privacy Policy is designed to comply with Malaysia's Personal Data Protection Act 2010 (PDPA) and any regulations made thereunder.
2.2. The Business acts as a Data Controller under the PDPA in respect of all Personal Data collected through the Website and in the course of providing services.
2.3. For international Users, particularly those from the European Union, this Privacy Policy has been structured to respect the principles of the General Data Protection Regulation (GDPR) where applicable, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability.
2.4. The Business is registered with the Personal Data Protection Department (PDPD) as required under Malaysian law for entities processing Personal Data for commercial purposes.
2.5. All Processing of Personal Data by the Business is conducted in accordance with the data protection principles set out in the PDPA, including:
(a) Processing Personal Data lawfully and fairly;
(b) Processing Personal Data only for purposes that are lawful and directly related to the Business's functions or activities;
(c) Collecting Personal Data that is adequate but not excessive in relation to the purposes for which it is collected;
(d) Ensuring Personal Data is accurate and kept up to date;
(e) Retaining Personal Data only for as long as necessary for the fulfilment of the purposes for which it was collected; and
(f) Taking practical steps to protect Personal Data from loss, misuse, modification, unauthorised access, disclosure, alteration or destruction.
2.6. Where this Privacy Policy refers to rights or procedures that may differ between Malaysian and international Users, the Business will apply the standard that provides the highest level of protection to the Data Subject.
3. Data Controller Information
3.1. The Data Controller for this Website is Vamitch Creative Enterprise, a sole proprietorship registered in Malaysia.
3.2. For all data protection inquiries, Users may contact the Business through email at hello@vamitch.com.
3.3. The Business does not meet the thresholds requiring formal Data Protection Officer appointment under the PDPA. All data protection inquiries and requests may be directed to the Business through the contact details provided in Section 20 of this Privacy Policy.
4. Types of Personal Data Collected
4.1. The Business collects personal data from Users through various channels and interactions with the Website and our services.
4.2. Contact Form Data: When Users submit inquiries through contact forms powered by Tally, we collect the following personal data:
(a) Name (first and last name)
(b) Email address
(c) Phone number (optional field)
(d) Services requested
(e) Budget range information
(f) Message content and inquiry details
(g) Referral source information
(h) Newsletter subscription consent status
4.3. Newsletter and Waitlist Data: When Users subscribe to newsletters or join waitlists through Tally forms and Brevo, we collect:
(a) First name
(b) Last name
(c) Email address
(d) Topic of interest selections
(e) Marketing communication consent preferences
4.4. Email Marketing Platform Data: Through Brevo email marketing services, we may collect email engagement metrics, delivery statistics, and subscriber interaction data.
4.5. Contractual and Billing Data: Following project confirmation and contract execution, we collect:
(a) Full billing and invoicing details
(b) Payment information and transaction records
(c) Project specifications and requirements
(d) Contract execution data through PDF agreements or Pixieset platform
4.6. Website Analytics Data: Through Google Analytics and Website operations, we automatically collect:
(a) IP addresses and location data
(b) Browser type and device information
(c) Website usage patterns and page views
(d) Session duration and interaction data
(e) Referral sources and traffic patterns
4.7. Third-Party Platform Data: When using Pixieset for contracts and galleries, additional data may be collected as specified in that platform's terms of service.
4.8. The Business does not intentionally collect Sensitive Personal Data as defined under the PDPA unless specifically required for service delivery and with explicit User consent.
5. Sources of Personal Data Collection
5.1. The Business collects Personal Data from Users through multiple sources and platforms as detailed in this section.
5.2. Website Platform Collection
(a) Personal Data is collected directly through the Website, which is built and hosted using Google Sites.
(b) Google Sites may automatically collect certain technical information including IP addresses, browser types, device information, and website usage patterns in accordance with Google's privacy policies.
5.3. Contact Forms and Newsletter Subscriptions
(a) Personal Data is collected through contact forms and newsletter waiting list forms powered by Tally, including:
(i) Name and contact information provided by Users;
(ii) Service inquiries and related information;
(iii) Marketing consent preferences; and
(iv) Any additional information voluntarily provided by Users in form submissions.
5.4. Website Analytics
(a) The Website uses Google Analytics to collect anonymous and aggregated data about website traffic, user behaviour, and website performance.
(b) Google Analytics may collect information including page views, session duration, geographic location data, referral sources, and device information through cookies and similar tracking technologies.
5.5. Project Management and Client Services
(a) For confirmed projects, additional Personal Data may be collected through Pixieset for contract management, gallery access, and project delivery purposes.
(b) Pixieset collection includes client contact information, project preferences, and any data necessary for service delivery and client communication.
5.6. Direct Communication
(a) Personal Data may be collected through direct email communications, phone calls, or other direct contact initiated by Users or required for service delivery.
5.7. Third-Party Service Integration
(a) All Third-Party Services used by the Business operate under their respective privacy policies and data protection measures.
(b) The Business ensures that Third-Party Services maintain appropriate data protection standards consistent with PDPA requirements.
6. Purposes of Data Processing
6.1. The Business processes Personal Data for the following lawful purposes under the PDPA:
(a) Service Inquiry and Response: To respond to inquiries submitted through contact forms, assess service requirements, and provide information about our creative services.
(b) Service Delivery: To deliver contracted services including brand strategy, creative direction, photography, videography, visual storytelling, website design, and brand identity design.
(c) Contract Management: To process and manage formal project contracts, including terms negotiation, project specifications, and service delivery coordination.
(d) Payment Processing: To process payments for confirmed projects, manage billing details, handle invoicing, and maintain financial records for completed transactions.
(e) Marketing Communications: To send newsletters, service updates, promotional materials, and other marketing communications to Users who have provided explicit Consent.
(f) Website Analytics: To analyse website traffic, user behaviour, and site performance through Google Analytics to improve our services and website functionality.
(g) Legal Compliance: To comply with applicable laws, regulations, and legal obligations under Malaysian law and international requirements where applicable.
(h) Business Operations: To maintain business records, conduct internal administration, and fulfil legitimate business interests in operating our creative services business.
6.2. All Personal Data processing activities are conducted with appropriate legal basis under the PDPA, including Consent where required, contractual necessity, legal obligation, or legitimate business interests.
6.3. The Business does not process Personal Data for purposes beyond those specified in this section without obtaining additional Consent from Data Subjects where required by law.
6.4. Marketing Communications are only sent to Users who have explicitly consented to receive such communications through newsletter subscription or contact form consent checkboxes.
7. Legal Basis for Processing
7.1. The Business processes personal data under the following lawful bases as provided under the Personal Data Protection Act 2010:
7.2. Consent: Where Users have provided explicit consent for specific processing activities, including:
(a) Subscribing to newsletters or marketing communications;
(b) Providing optional contact information such as phone numbers;
(c) Consenting to receive information about specific topics of interest.
7.3. Contractual necessity: Where processing is necessary for the performance of a contract or to take steps at the User's request prior to entering into a contract, including:
(a) Responding to service inquiries submitted through contact forms;
(b) Delivering contracted creative services;
(c) Processing payments for confirmed projects;
(d) Managing project timelines and deliverables.
7.4. Legal obligation: Where processing is required to comply with legal obligations under Malaysian law, including:
(a) Retaining business records for taxation purposes;
(b) Maintaining financial records as required by law;
(c) Complying with court orders or regulatory requests.
7.5. Legitimate interests: Where processing is necessary for legitimate business interests that do not override the User's fundamental rights and freedoms, including:
(a) Website analytics and performance monitoring through Google Analytics;
(b) Protecting the Business's intellectual property rights;
(c) Preventing fraud and ensuring website security;
(d) Improving service delivery and User experience.
7.6. The Business will clearly identify the legal basis for processing at the time of data collection and will not process personal data for purposes incompatible with the original collection purpose without obtaining appropriate consent or establishing a new lawful basis.
8. Data Sharing and Third-Party Services
8.1. The Business may share Users' Personal Data with Third-Party Services and data processors as necessary to provide our services and operate the Website effectively.
8.2. Google Sites Integration: Personal Data may be processed through Google Sites as the Website hosting platform, subject to Google's privacy policies and data processing agreements.
8.3. Google Analytics: The Business uses Google Analytics to analyse Website traffic and user behaviour, which may involve sharing anonymised and aggregated data with Google in accordance with Google's privacy policy.
8.4. Tally Forms Processing: Contact form submissions and newsletter subscriptions are processed through Tally, which acts as a Data Processor for collecting and managing User inquiries and communications.
8.5. Brevo Email Marketing: Newsletter subscriber data and marketing communication preferences are processed through Brevo, which acts as a Data Processor for managing email campaigns, subscriber lists, and marketing analytics.
8.6. Pixieset Services: For contracted projects, Personal Data may be shared with Pixieset for contract management, gallery hosting, and client collaboration purposes.
8.7. All Third-Party Services used by the Business are required to:
(a) Process Personal Data only for the specific purposes outlined in this Privacy Policy.
(b) Implement appropriate technical and organisational security measures to protect Personal Data.
(c) Comply with applicable data protection laws including PDPA requirements.
(d) Not use Personal Data for their own marketing or commercial purposes without explicit User Consent.
8.8. The Business does not sell, rent, or trade Users' Personal Data to any third parties for marketing purposes.
8.9. Personal Data may be disclosed to professional advisors, legal counsel, or regulatory authorities where required by law or to protect the Business's legitimate interests.
8.10. In the event of a business transfer, merger, or acquisition, Personal Data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this Privacy Policy.
9. International Data Transfers
9.1. The Business may transfer Personal Data outside Malaysia to Third-Party Services and data processors located in other jurisdictions for the purposes outlined in this Privacy Policy.
9.2. International Data Transfers occur primarily through the following Third-Party Services:
(a) Google Analytics and Google Sites, which may transfer data to servers located in the United States and other countries where Google operates;
(b) Tally, which processes form submissions and may store data on servers outside Malaysia;
(c) Brevo, which manages newsletter subscriptions and email marketing communications and may store data on servers in the European Union or other countries where Brevo operates;
(d) Pixieset, which hosts contracts and galleries and may transfer data internationally.
9.3. Before transferring Personal Data internationally, the Business ensures that:
(a) the receiving country or organisation provides adequate protection for Personal Data as recognised under the PDPA;
(b) appropriate contractual safeguards are in place with Third-Party Services to protect transferred Personal Data;
(c) Data Subjects have been informed of the international transfer and its purposes.
9.4. Where International Data Transfers are made to countries not recognised as providing adequate protection under Malaysian law, the Business implements additional safeguards including:
(a) standard contractual clauses approved by data protection authorities;
(b) verification that Third-Party Services maintain appropriate technical and organisational security measures;
(c) regular review of transfer arrangements to ensure ongoing compliance.
9.5. Data Subjects have the right to:
(a) be informed about International Data Transfers involving their Personal Data;
(b) object to transfers where they have legitimate grounds;
(c) request information about the safeguards implemented for their transferred data.
9.6. The Business will not transfer Personal Data internationally without implementing appropriate safeguards or obtaining necessary approvals as required under the PDPA.
10. Data Retention Policy
10.1. The Business retains Personal Data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce contractual agreements.
10.2. Contact Form Data submitted through Tally forms, including names, email addresses, phone numbers, service requests, budget ranges, message content, and referral sources, shall be retained for a period of three (3) years from the date of initial submission or last contact, whichever is later.
10.3. Newsletter and Waitlist Data collected through Tally forms and Brevo, including first names, last names, email addresses, and topics of interest, shall be retained until the Data Subject withdraws consent or unsubscribes from marketing communications, plus an additional period of twelve (12) months to maintain unsubscribe records and prevent accidental re-enrolment.
10.4. Brevo Email Marketing Analytics: Email engagement metrics, delivery statistics, and subscriber interaction data collected through Brevo shall be retained for a period of twenty-four (24) months from the date of collection to enable marketing performance analysis and campaign optimisation, after which such data shall be automatically deleted or anonymised.
10.5. Active Client Data for confirmed projects, including billing details, contractual information, and project deliverables, shall be retained for a period of seven (7) years following project completion to comply with Malaysian tax and business record requirements.
10.6. Google Analytics Data collected through website tracking shall be automatically deleted after twenty-six (26) months in accordance with Google's data retention settings configured by the Business.
10.7. Pixieset Data for contracts and galleries shall be retained for the duration specified in individual project contracts, typically three (3) years following project delivery, unless extended retention is agreed upon in writing.
10.8. Where Personal Data is processed for multiple purposes with different retention periods, the longest applicable retention period shall apply until all purposes have been fulfilled.
10.9. Upon expiration of the applicable retention periods, Personal Data shall be securely deleted or anonymised unless retention is required by law, ongoing legal proceedings, or unresolved disputes.
10.10. The Business shall conduct annual reviews of stored Personal Data to ensure compliance with this retention policy and shall delete or anonymise data that has exceeded its retention period.
10.11. Data Subjects may request early deletion of their Personal Data in accordance with their rights under the PDPA, subject to any overriding legal or contractual obligations requiring continued retention.
11. Data Subject Rights
11.1. Under the PDPA, Data Subjects have the following rights regarding their Personal Data:
(a) Right of Access - to request confirmation of whether Personal Data concerning them is being processed and to obtain a copy of such Personal Data;
(b) Right of Correction - to request correction of inaccurate Personal Data or completion of incomplete Personal Data;
(c) Right of Withdrawal of Consent - to withdraw consent for Processing at any time where Processing is based on consent;
(d) Right to Limit Processing - to request limitation of Processing in certain circumstances;
(e) Right to Complain - to lodge a complaint with the PDPD regarding the Processing of their Personal Data.
11.2. To exercise any of these rights, Data Subjects may contact the Business using the contact details provided in Section 20 of this Privacy Policy.
11.3. The Business will respond to requests to exercise Data Subject rights within thirty (30) days of receiving a valid request, or such other timeframe as may be prescribed under the PDPA.
11.4. The Business may require reasonable identification and verification before processing any request to exercise Data Subject rights.
11.5. Where a request is manifestly unfounded, excessive, or repetitive, the Business may charge a reasonable administrative fee or refuse to act on the request, in accordance with the PDPA.
11.6. Data Subjects have the right to withdraw consent for Marketing Communications at any time by using the unsubscribe link provided in marketing emails or by contacting the Business directly.
11.7. Withdrawal of consent will not affect the lawfulness of Processing based on consent before its withdrawal.
12. Cookies and Tracking Technologies
12.1. Cookies Defined: Cookies are small text files that are placed on Users' devices when they visit the Website to help analyse web traffic and improve user experience.
12.2. Types of Cookies Used: The Website uses both session cookies (which expire when the browser is closed) and persistent cookies (which remain on the device for a set period or until manually deleted).
12.3. Google Analytics: The Website uses Google Analytics, a web analytics service provided by Google LLC, which uses cookies to collect and analyse information about Website usage including:
(a) Pages visited and time spent on each page
(b) Geographic location of visitors (country and city level)
(c) Device and browser information
(d) Traffic sources and referral websites
(e) User behaviour patterns and interactions with Website content
12.4. Brevo Email Tracking: The Business uses Brevo for email marketing communications, which employs tracking technologies including:
(a) Tracking pixels embedded in marketing emails to monitor email opens and delivery status;
(b) Link tracking to measure click-through rates and subscriber engagement with email content;
(c) Cookies placed when subscribers click through from marketing emails to the Website to track campaign effectiveness and attribute website visits to specific email campaigns.
12.5. Purpose of Tracking: Cookies and tracking technologies are used solely for:
(a) Understanding Website traffic patterns and user preferences
(b) Improving Website functionality and user experience
(c) Analysing the effectiveness of marketing efforts
(d) Generating anonymous statistical reports about Website usage
12.6. Data Anonymisation: Google Analytics data is anonymised and aggregated, meaning individual Users cannot be personally identified from the analytics data collected.
12.7. Cookie Consent: By continuing to use the Website, Users consent to the use of cookies as described in this Policy.
12.8. Managing Cookies: Users can control cookie settings through their browser preferences and may:
(a) Block all cookies from being set
(b) Delete existing cookies from their device
(c) Set their browser to notify them when cookies are being used
12.9. Impact of Disabling Cookies: Disabling cookies may affect the functionality of the Website and prevent the Business from analysing Website performance, but will not prevent Users from accessing Website content.
12.10. Third-Party Cookies: The Website may contain links to external websites that use their own cookies, which are governed by those websites' respective privacy policies and are not covered by this Policy.
13. Data Security Measures
13.1. The Business implements appropriate technical and organisational security measures to protect Personal Data against unauthorised access, disclosure, alteration, destruction, or loss.
13.2. Technical security measures include:
(a) Secure data transmission using encryption protocols where technically feasible;
(b) Regular security updates and patches for website platforms and third-party services;
(c) Access controls limiting data access to authorised personnel only;
(d) Regular backup procedures for critical data systems.
13.3. Organisational security measures include:
(a) Staff training on data protection requirements and security protocols;
(b) Clear data handling procedures and access authorisation protocols;
(c) Regular review and assessment of security measures and procedures;
(d) Incident response procedures for potential Data Breaches.
13.4. The Business relies on the security measures implemented by Third-Party Services including Google Sites, Google Analytics, Tally, Brevo, and Pixieset, and regularly reviews their security certifications and compliance standards.
13.5. Brevo Security Measures: The Business relies on Brevo's security infrastructure for email marketing data, which includes:
(a) Encryption of subscriber data both in transit and at rest;
(b) Secure authentication protocols for account access;
(c) GDPR-compliant data processing and storage practices;
(d) Regular security audits and compliance certifications maintained by Brevo as a data processor.
13.6. While the Business implements reasonable security measures, Users acknowledge that no method of electronic transmission or storage is completely secure, and the Business cannot guarantee absolute security of Personal Data.
13.7. The Business will notify the PDPD and affected Data Subjects of any Data Breach in accordance with PDPA requirements and the procedures set out in Section 16 of this Privacy Policy.
14. Marketing Communications
14.1. The Business may send Marketing Communications to Users who have provided explicit consent through newsletter subscription forms, contact forms, or other designated opt-in mechanisms on the Website.
14.2. Marketing Communications may include information about new services, promotional offers, industry insights, creative resources, and other content related to the Business's services.
14.3. Consent Collection: Users provide consent for Marketing Communications by:
(a) Checking the designated consent checkbox on contact forms or newsletter subscription forms;
(b) Selecting their areas of interest when subscribing to newsletters or waitlists; or
(c) Explicitly requesting to receive marketing updates during service inquiries.
14.4. The Business maintains records of when and how consent was obtained for Marketing Communications, including the date, method, and scope of consent provided by each User.
14.5. Opt-Out Rights: Users may withdraw consent and unsubscribe from Marketing Communications at any time by:
(a) Clicking the unsubscribe link included in all marketing emails;
(b) Contacting the Business directly using the contact information provided in Section 20;
(c) Updating their preferences through any preference centre or account management system made available; or
(d) Submitting a written request for removal from all marketing lists.
14.6. Upon receiving an opt-out request, the Business will process the unsubscribe within seven (7) business days and confirm the removal to the User.
14.7. Users who opt out of Marketing Communications will continue to receive essential service-related communications necessary for any ongoing contractual relationships with the Business.
14.8. The Business will not share User email addresses or marketing preferences with third parties for their own marketing purposes without obtaining separate explicit consent.
15. Third-Party Links
15.1. The Website may contain links to external websites, social media platforms, and third-party services that are not owned, operated, or controlled by the Business.
15.2. This Privacy Policy applies solely to the Website and does not extend to any external websites or third-party platforms accessible through links on the Website.
15.3. The Business is not responsible for the privacy practices, data collection methods, or content of any external websites or third-party services.
15.4. Users are advised to review the privacy policies and terms of use of any external websites before providing personal data to such sites.
15.5. The Business does not endorse, guarantee, or assume responsibility for the accuracy, completeness, or reliability of information available on external websites.
15.6. Any personal data shared with external websites through links from the Website is subject to the privacy policies and terms of the respective external sites.
15.7. Users access and use external websites at their own risk and discretion.
16. Data Breach Notification
16.1. The Business will implement appropriate procedures to detect, investigate, and respond to any Data Breach that may compromise the security, confidentiality, or integrity of Personal Data.
16.2. Upon becoming aware of a Data Breach, the Business will conduct an immediate assessment to determine the nature, scope, and potential impact of the incident.
16.3. Where the Data Breach is likely to result in a risk to the rights and freedoms of Data Subjects, the Business will notify the PDPD within seventy-two (72) hours of becoming aware of the breach, unless such notification is not reasonably feasible.
16.4. The notification to the PDPD will include:
(a) A description of the nature of the Data Breach and the categories and approximate number of Data Subjects and Personal Data records affected;
(b) The contact details of the Data Protection Officer or other designated contact point for further information;
(c) A description of the likely consequences of the Data Breach and the measures taken or proposed to address the breach and mitigate its adverse effects.
16.5. Where the Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, the Business will notify affected individuals without undue delay unless:
(a) Appropriate technical and organisational protection measures have been implemented that render the Personal Data unintelligible to unauthorised persons;
(b) Subsequent measures have been taken to ensure the high risk is no longer likely to materialise; or
(c) Notification would involve disproportionate effort, in which case public communication will be made instead.
16.6. Notification to affected Data Subjects will be communicated in clear and plain language and include the information specified in clause 16.4 and advice on steps individuals may take to protect themselves.
16.7. The Business will maintain records of all Data Breaches, including the facts surrounding the breach, its effects, and remedial action taken, for review by the PDPD upon request.
16.8. For international Users whose data may be subject to GDPR, the Business will comply with applicable European data breach notification requirements where necessary.
17. Children's Privacy
17.1. The Business does not knowingly collect personal data from children under the age of 18 years without appropriate parental or guardian consent.
17.2. If the Business becomes aware that personal data has been collected from a child under 18 years without verified parental consent, we will take immediate steps to delete such information from our records.
17.3. Parents or guardians may contact the Business to:
(a) Request access to their child's personal data held by us;
(b) Request correction or deletion of their child's personal data;
(c) Withdraw consent for the processing of their child's personal data.
17.4. Where the Business provides services that may be of interest to minors, additional safeguards will be implemented including:
(a) Clear and age-appropriate privacy notices;
(b) Enhanced data security measures;
(c) Limited data collection practices focused only on essential information.
17.5. The Business will not use children's personal data for marketing communications or share such data with third parties for marketing purposes.
17.6. If you are under 18 years of age, you must obtain permission from your parent or guardian before submitting any personal data through our Website or engaging our services.
18. Policy Updates
18.1. The Business reserves the right to update, modify, or amend this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or business operations.
18.2. All updates to this Privacy Policy will include a revised "Last Updated" date at the beginning of the policy document.
18.3. For material changes that significantly affect how personal data is collected, processed, or shared, the Business will provide notice to Users through one or more of the following methods:
(a) Prominent notice on the Website homepage for a period of at least thirty (30) days;
(b) Email notification to Users who have subscribed to our newsletter or provided contact information, where technically feasible;
(c) Pop-up notification or banner on the Website upon the User's next visit.
18.4. For non-material changes such as clarifications, formatting updates, or contact information changes, the Business may update this Privacy Policy without prior notice to Users.
18.5. Users are encouraged to review this Privacy Policy periodically to stay informed about how their personal data is being protected and processed.
18.6. Continued use of the Website after any updates to this Privacy Policy constitutes acceptance of the revised terms, except where additional consent is specifically required under the PDPA.
18.7. Where changes require new or additional consent under Malaysian data protection law, the Business will obtain such consent before implementing the changes that affect the relevant Users.
18.8. Previous versions of this Privacy Policy will be archived and made available upon request for a period of three (3) years from the date of supersession.
19. Complaints and Enforcement
19.1. Right to File Complaints: Data subjects have the right to file complaints regarding the Business's data protection practices with the Personal Data Protection Department (PDPD) of Malaysia.
19.2. Internal Complaint Process: Before filing a complaint with the PDPD, Users are encouraged to first contact the Business directly using the contact information provided in Section 20 to allow for resolution of data protection concerns.
19.3. PDPD Contact Information: Complaints may be filed with the Personal Data Protection Department through the following channels:
(a) Online complaint portal at the official PDPD website;
(b) Written complaint submitted to the PDPD office address;
(c) Telephone complaint through the PDPD hotline.
19.4. Required Information for Complaints: When filing a complaint, Users should provide:
(a) Clear description of the alleged data protection violation;
(b) Evidence supporting the complaint where available;
(c) Details of any attempts to resolve the matter directly with the Business;
(d) Contact information for follow-up by the PDPD.
19.5. Business Cooperation: The Business will fully cooperate with any investigation conducted by the PDPD and will implement any corrective measures required by the regulatory authority.
19.6. International Users: Users located outside Malaysia may also contact their local data protection authority in addition to or instead of the PDPD, particularly EU residents who may file complaints with their national supervisory authority under GDPR.
19.7. No Retaliation: The Business will not retaliate against any User who files a legitimate complaint regarding data protection practices.
20. Contact Information
20.1. For all inquiries, requests, or complaints relating to this Privacy Policy or the processing of your Personal Data, you may contact the Business using the following details:
(a) Email: hello@vamitch.com
(b) Business Hours: Monday–Friday, 10:00 AM – 5:00 PM (UTC+8, Malaysian Time)
20.2. The Business will acknowledge receipt of your inquiry or request within seven (7) working days and provide a substantive response within twenty-one (21) days of receipt, or such other timeframe as may be required under the PDPA.
20.3. If you have appointed a representative to act on your behalf regarding Personal Data matters, such representative must provide written authorisation and proof of identity before the Business will process any requests.
20.4. For complaints that cannot be resolved directly with the Business, you may lodge a complaint with the Personal Data Protection Department of Malaysia at:
(a) Website: www.pdp.gov.my
(b) Email: aduan@pdp.gov.my
(c) Call Centre (JPDP): +603-7456 388
(d) MyGCC: +603-8000 8000
(e) Address: 8th Floor, Galeria PjH, Jalan P4W, Persiaran Perdana, Presint 4, 62100 W.P. Putrajaya.
20.5. When contacting the Business regarding Personal Data matters, please provide sufficient information to enable us to identify you and process your request, including your full name, contact details, and a clear description of your inquiry or request.
This Privacy Policy is effective as of 1 March 2026 and has been authorised by Vamitch Creative Enterprise, a sole proprietorship registered in Malaysia with registration number 202003197106 (CT0075175-P).
By using this Website, submitting personal data through contact forms, subscribing to newsletters, or engaging our services, Users acknowledge that they have read, understood, and agree to be bound by the terms of this Privacy Policy.
This Privacy Policy may be updated from time to time in accordance with Section 18 (Policy Updates). Users are encouraged to review this Privacy Policy periodically to stay informed of any changes.
For any questions regarding this Privacy Policy or data protection matters, Users may contact the Business at hello@vamitch.com.
Authorised by: Sharon G. M. M.
Title: Founder & Owner of Vamitch Creative Enterprise
Date: 16th April 2026