‌Cube Arts & Media Sdn. Bhd. — Privacy Policy

Effective date: 9 October 2025

Company: Cube Arts & Media Sdn. Bhd. (Company No.: 1226841P)

Registered address: 13A-2, Wangsa 118, Jalan Wangsa Delima, Wangsa Maju, 53300 Kuala Lumpur, Malaysia

Contact (Data Protection Officer): dpo@cubearts.my / +60196054408

1. ‌Introduction

   Cube Arts & Media Sdn. Bhd. respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, transfer, retain, secure and otherwise process personal data in connection with our services, websites, digital products, events and business operations in Malaysia and elsewhere. We process personal data in accordance with the Personal Data Protection Act 2010 (PDPA) and its subsequent amendments and guidelines. PDP+1

   
   

2. ‌Scope / Applicability

   This Policy applies to:

   
   

   • All personal data we collect from individuals (customers, clients, contractors, job applicants, visitors to our website, event attendees and other contacts) in the course of commercial activities; and

   • All personal data processed on behalf of Cube Arts & Media by our service providers.

     
     

     It does not apply to personal data processed for strictly domestic or personal activities or to data processed by government authorities under specific legislation.

     
     

3. ‌Definitions

   • Personal Data / Personal Information: Any information relating to an identified or identifiable natural person (name, NRIC / passport no., email, phone, payment details, photos, etc.).

   • Processing: Any operation performed on personal data (collection, recording, use, storage, disclosure, etc.).

   • Data Controller / Data User: The entity that determines the purposes and means of processing personal data — Cube Arts & Media in relation to its business operations. (These terms follow PDPA usage and the Amendment 2024 terminology.) PDP

     
     

4. ‌Personal data we collect

   Depending on the context, we may collect:

   
   

   • Identity data: name, date of birth, nationality, ID/passport number (if required for verification), photograph.

   • Contact data: postal address, email address, telephone/mobile numbers, emergency contact.

   • Transaction data: booking details, invoices, payment details (note: full card data is processed by our payment provider; we may store masked/last-4 digits and transaction receipts).

   • Professional data: company name, job title, business contact details for B2B interactions.

   • Technical data: IP address, device identifiers, browser type and settings, cookies and analytics data from visits to our websites.

   • Sensitive data: health-related information or special needs only when necessary (e.g., for event accessibility, medical requirements)—we will collect such data only when strictly necessary and with explicit consent.

     We collect data directly from you and, in limited cases, from third parties (payment processors, publicly available sources, our business partners) or from your authorised representatives.

     
     

5. ‌Purposes for processing & lawful bases

   We process personal data for the following purposes and on these legal bases:

   
   

   1. To perform contracts / provide services — deliver products and services you requested (bookings, design services, deliverables). (Performance of contract)

   2. To communicate — confirmations, invoices, customer support, schedule changes. (Performance of contract / legitimate interest)

   3. Marketing and newsletters — to send promotional updates, offers and event invites, where we have your consent (opt-in) or where allowed under legitimate interest and local law; you may opt-out anytime. (Consent / legitimate interest)

   4. Compliance & legal obligations — to meet legal, tax, audit or regulatory obligations in Malaysia. (Legal obligation)

   5. Security & fraud prevention — to detect and prevent fraud, abuse, cyber incidents and to protect our rights and property. (Legitimate interest)

   6. Recruitment & HR — processing job applications and employee records. (Performance of related contract / legal obligations / consent where required)

   7. Analytics & product improvement — aggregated, anonymised data to improve services. (Legitimate interest)

   We will only process personal data for purposes compatible with those described above and as permitted under Malaysian law (PDPA). Kiteworks+1

   
   

6. ‌Consent and withdrawal of consent

   Where we rely on consent (e.g., for marketing, or processing sensitive personal data), we will obtain explicit consent where required. You may withdraw consent at any time by

   contacting our DPO (contact details above) or by using the unsubscribe options provided in communications. Withdrawing consent will not affect the lawfulness of processing carried out prior to withdrawal.

   
   

7. ‌Sharing personal data / third parties

   We may disclose personal data to:

   
   

   • Service providers / processors who perform services for us (payment processors, hosting providers, email and marketing platforms, accountants, legal advisors, courier companies). These processors will only process data on our instructions and are contractually required to protect the data.

   • Group companies and affiliates for business administration.

   • Professional advisers, auditors and regulators where required by law or necessary to enforce our rights.

   • Buyers or prospective buyers in the event of a sale, merger, reorganisation or asset transfer (subject to confidentiality and lawful transfer safeguards).

     We require contractual and technical safeguards from all third parties to ensure personal data is protected to standards at least equivalent to ours and in compliance with PDPA.

     
     

8. ‌Cross-border transfers

   If we transfer personal data outside Malaysia, we will ensure such transfers are made only where adequate safeguards are in place (e.g., contractual clauses, binding corporate rules, or where the receiving country provides adequate protection) or as permitted under PDPA guidance and applicable cross-border transfer rules. We will take reasonable steps to ensure overseas recipients provide adequate protections. (See PDPA guidance on cross-border transfers.) PDP

   
   

9. ‌Data retention

   We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal or tax obligations, to resolve disputes, and for legitimate business purposes. Retention periods vary by data type (e.g., transaction records: typically 7 years for tax purposes; marketing consents: until withdrawn; recruitment records: a defined period after hiring decision). When no longer required, personal data will be securely deleted or anonymised.

   
   

10. ‌Your rights (Data subject rights)

    Under PDPA and our internal policies you have rights in relation to your personal data, including:

    • Access — request confirmation whether we process your personal data and request a copy of that data.

    • Correction — request correction of inaccurate or incomplete personal data.

    • Erasure or restriction — where a legal basis permits, request deletion or restriction of processing.

    • Object — object to direct marketing or processing based on legitimate interest.

    • Data portability — to the extent provided by law or applicable guidance (the 2024 PDPA amendments strengthen data subject rights — we will comply to the extent required).

      To exercise your rights, contact our DPO at dpo@cubearts.my. We may need to verify your identity before responding. We will respond within the timeframes required by applicable law; if we refuse a request we will explain the reasons and how to complain to the regulator.

      
      

11. ‌Complaints to regulator

    If you are not satisfied with our handling of your personal data, you may contact our DPO first. You also have the right to lodge a complaint with the Personal Data Protection Commissioner / Department of Personal Data Protection (JPDP) in Malaysia. The JPDP’s website provides guidance on complaints, enforcement and remedies under PDPA. PDP

    
    

12. ‌Data security

    We use industry-standard technical, physical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. Measures include access controls, encryption where appropriate, network security, staff training and contractual controls with processors. However, no security system is impenetrable — if a personal data breach occurs, we will follow the PDPA breach notification guidelines and notify the regulator and affected individuals where required. Privacy Matters+1

    
    

13. ‌Data breach notification

    In accordance with PDPA amendments and guidance, we will assess and, where required, notify the Personal Data Protection Commissioner and affected data subjects of any personal data breach without undue delay when the breach is likely to cause significant harm. Our breach response plan documents roles, containment, investigation, remediation and required notifications. Sidley Austin+1

    
    

14. ‌Cookies and tracking technologies

    Our websites use cookies and similar technologies for essential site functions, analytics, personalization, and marketing. You can manage cookie preferences via your browser settings and any cookie preference tools we provide on our websites. Detailed cookie information (types, purpose, retention) is available in our Cookie Notice [link to Cookie Notice].

15. ‌Children’s data

    We do not knowingly collect personal data from children under 16 without parental or guardian consent. If you believe we have collected such data, contact us and we will take steps to remove it.

    
    

16. ‌Direct marketing

    Where we send marketing communications, we will do so in accordance with your consent and applicable law. You may opt-out of marketing communications at any time via unsubscribe links or by contacting our DPO.

    
    

17. ‌Automated decision-making and profiling

    We generally do not carry out automated decision-making that has legal or similarly significant effects on individuals. If we do so in future, we will notify data subjects and provide meaningful information about the logic involved and rights to contest decisions as required by law.

    
    

18. ‌Changes to this Policy

    We may update this Policy from time to time to reflect legal or business changes. Where required by law we will notify data subjects of material changes. The “Effective date” at the top is the date of the latest revision.

    
    

19. ‌Contact & DPO

If you have questions, requests, or complaints about this Policy or our data practices, please contact:

Data Protection Officer

Cube Arts & Media Sdn. Bhd.

Email: dpo@cubearts.my

Phone: +60196054408

Address: 13A-2, Wangsa 118, Jalan Wangsa Delima, Wangsa Maju, 53300 Kuala Lumpur, Malaysia

If you are not satisfied with our response, you have the right to file a complaint with the Personal Data Protection Commissioner (JPDP).

‌