1. Who we are

Horizon Hub Consulting is a Malaysia-based business consulting firm providing company registration, licensing, visa, tax, accounting, and related corporate services. We act as the data controller of your personal data as defined under the PDPA (Amendment) Act 2024.

Address: C10-5 Plaza Mont Kiara, Jalan Kiara, 50480 Kuala Lumpur, Malaysia
Email: info@horizonhubconsulting.com

2. Personal data we collect

We may collect the following categories of personal data from you:

Information you provide directly

• Full name, email address, phone number, and country of residence
• Business details such as company name, industry, intended business activity, and nationality of shareholders/directors
• Identification documents (passport or IC copy) where required for company registration, visa applications, or statutory compliance
• Any other information you submit through our contact forms, consultations, or during engagement of our services

Information collected automatically

• Technical data such as IP address, browser type, device information, operating system, and referring URLs
• Usage data such as pages viewed, time spent on pages, and interaction with our content
• Cookies and similar tracking technologies (see Section 8)

Sensitive personal data

In certain cases (for example, visa or MM2H applications), we may need to collect sensitive personal data such as health information or biometric data. Under the PDPA (Amendment) Act 2024, biometric data is classified as sensitive personal data. We will only collect such data with your explicit consent and only where strictly necessary.

3. How we use your personal data

We process your personal data for the following purposes:

• To provide consulting services including company registration, licensing, visa, tax, accounting, and related corporate services
• To communicate with you regarding your enquiries, engagement, or ongoing service matters
• To comply with our legal and regulatory obligations under Malaysian law (for example, submissions to SSM, LHDN, Immigration Department, and other authorities)
• To improve our website, services, and customer experience
• To send you relevant updates or marketing materials, only where you have consented
• To detect, prevent, or investigate fraud or unlawful activity

4. Legal basis for processing

We rely on one or more of the following legal bases to process your personal data:

• Your consent — given when you submit our contact forms, engage our services, or subscribe to communications
• Contractual necessity — where processing is required to perform the services you have engaged us for
• Legal obligations — where we are required to process data to comply with Malaysian statutory requirements
• Legitimate interests — where processing is necessary for our business operations in a manner that does not override your rights

5. Disclosure of personal data

We do not sell your personal data. We may share your personal data with the following parties, only where necessary and in accordance with applicable law:

• Malaysian government agencies and statutory bodies such as SSM, LHDN, Immigration Department, EPF, SOCSO, Bank Negara, and local councils where required for service delivery
• Professional partners such as licensed legal counsel, auditors, tax agents, and banking institutions where engaged to support your matter
• Service providers who assist us with our operations (for example, cloud hosting, email, CRM, and accounting tools) under appropriate confidentiality and data protection obligations
• Courts, regulators, or law enforcement authorities where required by law

6. Cross-border data transfers

In line with the updated cross-border transfer regime under the PDPA (Amendment) Act 2024, we may transfer your personal data outside Malaysia only where:

• The destination country has data protection laws substantially similar to Malaysia’s PDPA, or provides an equivalent level of protection; or
• You have given consent to such a transfer; or
• Appropriate safeguards such as contractual clauses are in place to protect your personal data

Common reasons for cross-border transfer include use of cloud service providers, communication tools, and engagement of foreign legal or tax advisors for matters involving multiple jurisdictions.

7. Your rights under the PDPA

As a data subject, you have the following rights under the PDPA 2010 (as amended):

• Right to access — request a copy of the personal data we hold about you
• Right to correct — request correction of inaccurate or outdated personal data
• Right to withdraw consent — withdraw your consent to processing at any time (this will not affect the lawfulness of any processing carried out before withdrawal)
• Right to object — object to processing of your personal data for direct marketing or where processing may cause you damage or distress
• Right to data portability — introduced under the 2024 Amendment, you may request transfer of your personal data to another data controller, subject to technical feasibility
• Right to limit processing — request that we limit processing of your personal data in certain circumstances

To exercise any of these rights, please contact us using the details in Section 12. We will respond within the period prescribed under the PDPA.

8. Cookies and tracking technologies

Our website uses cookies and similar technologies to improve user experience and understand how the site is used. These may include:

• Essential cookies required for the website to function
• Analytics cookies such as Google Analytics to understand visitor behaviour and improve our content
• Advertising cookies from platforms such as Google Ads or Meta (Facebook/Instagram) where we run advertising campaigns, used to measure effectiveness and deliver relevant ads

You may control or disable cookies through your browser settings. Please note that disabling certain cookies may affect website functionality.

9. Data retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal, regulatory, tax, or contractual requirements. Typical retention periods include:

• Engagement records — retained for the duration of our services plus a reasonable period thereafter in line with professional and statutory requirements
• Tax and accounting records — retained for at least seven (7) years as required under Malaysian law
• Marketing contacts — retained until you withdraw consent or we determine the data is no longer needed

After the retention period expires, we will securely delete or anonymise your personal data.

10. Data security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include:

• Encrypted storage and secure transmission protocols (HTTPS/SSL)
• Access controls limiting data access to authorised personnel only
• Staff confidentiality obligations and regular training
• Ongoing review of our security practices in line with PDPA standards

In line with the PDPA (Amendment) Act 2024, we will notify the Personal Data Protection Commissioner and, where required, affected individuals in the event of a personal data breach that causes significant harm or affects more than 1,000 individuals.

11. Children’s privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us and we will take steps to delete it.

12. Contact us

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The updated version will be posted on this page with a revised “Last updated” date. We encourage you to review this page periodically.