Privacy Policy

1. Introduction

Cahaya Solutions ("we", "us", "our") is committed to handling personal data carefully and transparently. This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have in relation to it.

This policy applies to personal data collected through our website at https://cahayaso.sbs, through enquiry forms, and in the course of providing our AI integration services to small businesses in Malaysia. If you have questions, contact us at [email protected].

2. Data we collect

We collect the following categories of personal data:

• Contact information — name, email address, and phone number provided through our enquiry form or direct communication.
• Business information — details about your business shared during the service engagement, such as operating hours, common customer enquiries, and sales records, only to the extent needed to complete the agreed service.
• Usage data — basic website analytics, including pages visited and time spent, collected via cookies where you have given consent.

We do not collect sensitive personal data such as identity card numbers, financial account details, health information, or biometric data.

3. Legal basis for processing

Under Malaysia's Personal Data Protection Act 2010 (PDPA), we process personal data on the following bases:

• Consent — for marketing communications and non-essential cookies, where you have given explicit consent.
• Contract performance — for data necessary to deliver the service you have engaged us to provide.
• Legitimate interest — for basic website analytics used to improve our services, provided this does not override your rights and interests.

4. How we use your data

• Responding to your enquiries and communications
• Delivering the AI integration services you have requested
• Sending updates about ongoing projects where relevant
• Improving our website and services using anonymised analytics
• Complying with legal obligations under Malaysian law

We do not sell personal data. We do not use personal data for automated decision-making that produces significant legal effects.

5. Data sharing

We share personal data only in the following limited circumstances:

• Service providers — third-party tools used to deliver our services (such as communication platforms), each selected with data privacy in mind. We ensure these providers have appropriate data handling commitments.
• Legal requirements — where we are required to disclose data by Malaysian law or a lawful authority order.

Business data shared during service delivery — such as sales records or enquiry logs — is used solely for that engagement and is not retained beyond what is needed to complete the project.

6. Data retention

Contact data from enquiries is retained for up to 24 months unless you request earlier deletion. Service engagement data is held for the duration of the project and for up to 12 months following project completion. Website analytics data is retained in anonymised form for up to 26 months.

7. Data protection measures

• Data in transit is protected using TLS encryption
• Access to personal data is limited to team members who need it to perform their role
• Third-party tools are reviewed for data security practices before use
• In the event of a data breach affecting your personal data, we will notify you without undue delay as required by applicable law

8. Cookies

We use cookies to keep our website functioning and, where you consent, to understand how it is used. Essential cookies cannot be disabled. Analytics and preference cookies are optional. For full details, see our Cookie Policy.

9. Your rights

Under Malaysia's PDPA and in line with international good practice, you have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate or incomplete data
• Erasure — request deletion of your personal data where we have no continuing lawful basis to hold it
• Withdrawal of consent — withdraw consent for processing at any time, without affecting the lawfulness of prior processing
• Objection — object to processing carried out on the basis of legitimate interest

To exercise any of these rights, contact us at [email protected]. We aim to respond within 21 days.

10. Third-party links

Our website may contain links to other websites. We are not responsible for the privacy practices of those sites and encourage you to review their policies separately.

11. Children's privacy

Our services are directed at business owners and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors.

12. Changes to this policy

We may update this policy from time to time. Material changes will be noted with a revised "last updated" date at the top of the page. Continued use of our website or services after any change constitutes acceptance of the updated policy.

13. Contact

For any privacy-related queries, contact our data handler at: