Last Updated: November 20, 2025
1. Introduction
StoryArc Media ("we", "us", "our", or "the Company") is committed to protecting your privacy and personal information. This Privacy and Personal Data Protection Policy ("the Policy") outlines how we collect, use, disclose, store, and protect your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia and other applicable data protection laws.
By using our website, engaging our services, or providing us with your personal data, you acknowledge that you have read, understood, and agreed to the practices described in this Policy.
Important Notice: The Company reserves the right to amend this Policy at any time. Any amendments will be reflected on this webpage with an updated "Last Updated" date. We encourage you to review this Policy periodically. Material changes will be communicated to existing clients via email where practicable.
2. Personal Data We Collect
2.1 Definition of Personal Data
Personal Data means any information that relates directly or indirectly to you as an identifiable individual, whether collected online or offline.
2.2 Types of Personal Data We Collect
We may collect the following categories of personal data:
Contact Information:
- Full name
- Email address
- Phone number
- Mailing address
- Company name and position/job title
Business and Project Information:
- Company information and registration details
- Project briefs and requirements
- Brand assets and marketing materials
- Campaign information and objectives
- Social media account access credentials (when authorized)
- Website analytics and performance data
Financial Information:
- Billing address
- Bank account details (for payments)
- Payment card information (processed securely through third-party payment processors)
- Transaction history and invoices
Technical and Usage Data:
- IP address
- Browser type and version
- Device information
- Pages visited and time spent on our website
- Referring website addresses
- Cookie identifiers and similar tracking data
Communications:
- Email correspondence
- Chat messages
- Phone call records (for quality and training purposes, when disclosed)
- Feedback and survey responses
Studio Rental Information:
- Equipment usage records
- Booking history
- Emergency contact information
Other Information:
- Any other information you voluntarily provide to us through forms, inquiries, or during the course of our business relationship
3. How We Collect Personal Data
3.1 Direct Collection
We collect personal data directly from you when you:
- Fill out contact forms or inquiry forms on our website
- Request a quote or proposal
- Book our services or rent our studio
- Sign service agreements or contracts
- Subscribe to our newsletter or marketing communications
- Communicate with us via email, phone, or in person
- Participate in surveys or provide feedback
- Attend our events or workshops
3.2 Indirect Collection
We may collect personal data indirectly from:
- Your employers, agents, or legal representatives (when you engage us on behalf of an organization)
- Our vendors and service providers
- Publicly available sources (e.g., business directories, social media profiles)
- Website tracking technologies (cookies, pixels, analytics tools)
- Third-party platforms (e.g., social media advertising platforms)
3.3 From Customers and Potential Customers
We collect personal data from individuals or organizations who:
- Inquire about our services
- Request quotations or consultations
- Engage us for projects
- Visit our website or social media pages
3.4 From Vendors and Partners
We collect personal data from:
- Freelancers and contractors who work with us
- Suppliers and service providers
- Business partners and collaborators
3.5 Data Submission Requirements
- All personal data requested in any form or agreement is mandatory unless explicitly marked as optional
- All personal data submitted to StoryArc Media is deemed to be true and accurate
- If you fail to provide required personal data, we may not be able to provide you with our services or fulfill our contractual obligations
- You are responsible for ensuring that any personal data you provide about third parties (e.g., employees, models) is provided with their knowledge and consent
4. Purpose of Collection and Use
4.1 Processing of Personal Data
"Processing" means any operation performed on personal data, including collecting, recording, holding, storing, organizing, adapting, altering, retrieving, using, disclosing, transmitting, combining, blocking, erasing, or destroying data.
4.2 Purposes
We process your personal data for the following purposes:
Service Delivery:
- To provide, maintain, and improve our creative and marketing services
- To communicate with you about your projects and bookings
- To deliver final work products and project files
- To manage studio rentals and equipment usage
- To process payments and issue invoices
Contract Performance:
- To develop, comply with, and fulfill purchase orders, service agreements, and contracts
- To manage project timelines, deliverables, and revisions
- To handle customer support and service requests
Communication:
- To contact you via email, telephone, SMS, WhatsApp, or other communication channels regarding your projects
- To respond to your inquiries and requests
- To send administrative information, updates, and service notifications
- To provide customer support and technical assistance
Marketing and Promotional Activities:
- To send you newsletters, promotional offers, and marketing communications about our services, events, and special offers (only with your consent or where permitted by law)
- To inform you about services similar to those you have purchased or inquired about
- To conduct market research and surveys
Business Operations:
- To manage and administer our business operations
- To maintain accurate business records
- To conduct internal audits and quality control
- To train our staff and improve service quality
- To evaluate and improve our services, products, and user experience
Analytics and Optimization:
- To analyze website usage patterns and trends
- To measure the effectiveness of our marketing campaigns
- To optimize our website performance and user experience
- To understand customer preferences and behavior
Legal and Compliance:
- To comply with legal obligations, regulations, and government requests
- To enforce our Terms of Service and other agreements
- To protect our rights, property, and safety, and that of our users and the public
- To prevent fraud, security breaches, and other illegal activities
Business Transactions:
- To evaluate or conduct mergers, acquisitions, divestitures, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets
Other Purposes:
- For any other purposes with your explicit consent
- For purposes that are reasonably related to the above
5. Legal Basis for Processing
We process your personal data based on one or more of the following legal grounds:
- Consent: You have given clear consent for us to process your personal data for specific purposes
- Contract: Processing is necessary for the performance of a contract with you
- Legal Obligation: Processing is necessary to comply with legal or regulatory obligations
- Legitimate Interests: Processing is necessary for our legitimate business interests, provided these do not override your fundamental rights and freedoms
6. Disclosure and Sharing of Personal Data
6.1 When We Share Personal Data
Your personal data will be kept confidential. However, you hereby consent to and authorise StoryArc Media to disclose your personal data to the following parties:
Government and Regulatory Bodies:
- Government agencies, statutory authorities, regulatory bodies, and law enforcement agencies where we are legally required to disclose personal data pursuant to any law, regulation, court order, or government request
Service Providers and Business Partners:
We may share your personal data with carefully selected third-party service providers who assist us in operating our business, including:
- Cloud Storage Providers: Google Workspace, Dropbox, Microsoft OneDrive (for file storage and collaboration)
- Payment Processors: Banks, payment gateways, and financial institutions (to process transactions)
- Email and Communication Services: Mailchimp, SendGrid, or similar platforms (for email marketing and communications)
- Website and Analytics Providers: Google Analytics, Facebook Pixel, Meta Business Suite (for website analytics and advertising)
- Advertising Platforms: Meta Ads Manager, Google Ads, TikTok Ads (for marketing campaigns)
- Project Management Tools: Asana, Trello, Monday.com (for project coordination)
- Freelancers and Contractors: Videographers, photographers, editors, designers, copywriters (who work on your projects)
- Studio Equipment Suppliers: For maintenance and technical support
- Professional Advisors: Lawyers, accountants, auditors, insurers (for professional services)
- Stock Media Platforms: Getty Images, Shutterstock, Epidemic Sound (for licensing content)
Business Transfers:
- In the event of a merger, acquisition, sale of assets, or business restructuring, your personal data may be transferred to the acquiring entity
With Your Consent:
- Any other parties with your explicit consent or as directed by you
6.2 Safeguards for Third-Party Disclosure
When we share your personal data with third parties, we ensure that:
- Only the necessary personal data required for the specific purpose is disclosed
- Third parties are contractually obligated to protect your personal data and use it only for authorized purposes
- Access to and disclosure of personal data is restricted to authorized personnel who need it to perform their duties
- Third parties comply with applicable data protection laws and maintain appropriate security measures
6.3 We Do Not Sell Personal Data
We do not sell, rent, or trade your personal data to third parties for their marketing purposes without your explicit consent.
7. Your Rights
Under the Personal Data Protection Act 2010 and applicable laws, you have the following rights regarding your personal data:
7.1 Right of Access
You have the right to request access to your personal data held by us. This includes:
- Confirmation of whether we are processing your personal data
- Access to your personal data in our records
- Information about how your personal data is being used
- Information about third parties to whom your data has been disclosed
7.2 Right to Correction
You have the right to request correction of your personal data. You may:
- Request that we correct any inaccurate, incomplete, or misleading personal data
- Request that we update personal data that has become out-of-date
- Provide updated information for our records
7.3 Right to Withdraw Consent
You have the right to withdraw your consent to the processing of your personal data at any time. This includes:
- Withdrawing consent for marketing communications
- Withdrawing consent for specific types of data processing
- Opting out of non-essential services
Please note that withdrawing consent may affect our ability to provide certain services to you.
7.4 Right to Limit Processing
You have the right to request that we limit or restrict the processing of your personal data in certain circumstances, such as:
- When you contest the accuracy of your personal data
- When processing is unlawful but you prefer restriction over deletion
- When we no longer need the data but you need it for legal claims
7.5 Right to Data Portability
You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format for your own purposes or to transfer to another service provider (where technically feasible).
7.6 Right to Erasure (Right to be Forgotten)
You have the right to request deletion of your personal data in certain circumstances, including:
- When the personal data is no longer necessary for the purposes for which it was collected
- When you withdraw consent and there is no other legal basis for processing
- When you object to processing and there are no overriding legitimate grounds
- When personal data has been unlawfully processed
Please note that we may need to retain certain data for legal, regulatory, or contractual obligations.
7.7 Right to Object
You have the right to object to:
- Processing of your personal data for direct marketing purposes (we will stop immediately upon request)
- Processing based on legitimate interests (we will stop unless we can demonstrate compelling legitimate grounds)
7.8 Right to Raise Concerns or Complaints
You have the right to:
- Raise concerns or complaints about how we handle your personal data
- Lodge a complaint with the Personal Data Protection Commissioner of Malaysia if you believe we have violated your data protection rights
7.9 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
Email: [email protected]
Subject Line: "Data Subject Rights Request"
Please include:
- Your full name and contact information
- Description of your request
- Proof of identity (for security purposes)
We will respond to your request within 21 days as required by the PDPA, or inform you if additional time is needed.
7.10 Verification and Fees
- We may need to verify your identity before processing your request to ensure the security of your personal data
- We do not charge a fee for most requests, but may charge a reasonable administrative fee for excessive, repetitive, or manifestly unfounded requests
- We may refuse requests that are manifestly unfounded, excessive, or could adversely affect the privacy rights of others
8. Data Retention
8.1 Retention Period
StoryArc Media will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.
Specific Retention Periods:
- Active Clients: Personal data is retained for the duration of our business relationship and for 7 years after the last transaction or project completion (for accounting, tax, and legal compliance purposes)
- Prospective Clients: Personal data from inquiries is retained for 2 years from the last contact, after which it will be deleted unless you request otherwise
- Marketing Communications: Contact information for marketing purposes is retained until you unsubscribe or request deletion
- Financial Records: Invoices, payment records, and tax-related information are retained for 7 years as required by Malaysian tax laws
- Studio Rental Records: Booking and equipment usage records are retained for 3 years
- Website Analytics: Aggregated and anonymized usage data may be retained indefinitely for statistical and analytical purposes
- Legal Holds: Personal data subject to legal proceedings or investigations will be retained until the matter is resolved
8.2 Secure Deletion
When personal data is no longer required, we will securely delete, destroy, or anonymise it in accordance with our data retention and disposal procedures to prevent unauthorised access or use.
8.3 Archival and Backup
Some personal data may remain in our backup systems for a limited period after deletion for disaster recovery purposes. This data is not actively used and will be permanently deleted according to our backup retention schedule.
9. Cookies and Tracking Technologies
9.1 What Are Cookies?
Cookies are small text files placed on your device when you visit our website. They help us recognise your device, remember your preferences, and improve your browsing experience.
9.2 Types of Cookies We Use
Essential Cookies:
- Required for the website to function properly
- Enable basic features like page navigation and access to secure areas
- Cannot be disabled without affecting website functionality
Performance and Analytics Cookies:
- Google Analytics (to analyze website traffic and user behavior)
- Help us understand how visitors interact with our website
- Allow us to improve website performance and user experience
Functionality Cookies:
- Remember your preferences and settings
- Provide enhanced features and personalization
Marketing and Advertising Cookies:
- Facebook Pixel (to measure ad performance and deliver targeted ads)
- Google Ads (for remarketing and conversion tracking)
- Used to deliver relevant advertisements and measure campaign effectiveness
- May track your activity across different websites
9.3 Third-Party Cookies
Some cookies are placed by third-party services that appear on our pages, including:
- Social media platforms (Facebook, Instagram, LinkedIn)
- Video embedding services (YouTube, Vimeo)
- Analytics providers
These third parties may collect information about your online activities over time and across different websites.
9.4 Managing Cookies
You can control and manage cookies through your browser settings:
Browser Settings:
- Most browsers allow you to refuse or accept cookies
- You can delete cookies that have already been set
- You can set your browser to notify you when cookies are being sent
Opt-Out Tools:
- Facebook Pixel Opt-out: Through your Facebook Ad Preferences
- Your browser's "Do Not Track" setting
Important Note: Disabling certain cookies may affect your experience on our website and limit functionality.
9.5 Other Tracking Technologies
We may also use:
- Web beacons/pixels: Small transparent images embedded in emails or web pages to track opens and clicks
- Local storage: HTML5 local storage for storing preferences and settings
- Session recording: Tools that record user interactions to improve website usability (personally identifiable information is masked)
10. Data Security and Safeguards
10.1 Our Commitment to Security
StoryArc Media takes the security of your personal data seriously. We implement appropriate technical, physical, and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, loss, misuse, or destruction.
10.2 Security Measures We Implement
Technical Safeguards:
- Encryption of data in transit (SSL/TLS certificates)
- Encryption of sensitive data at rest
- Secure authentication protocols and password policies
- Regular security updates and patches
- Firewall protection and intrusion detection systems
- Regular data backups with secure storage
Physical Safeguards:
- Restricted access to physical offices and studio
- Secure storage of physical documents containing personal data
- Proper disposal of physical documents through shredding
Organizational Safeguards:
- Access controls limiting data access to authorized personnel only
- Employee training on data protection and security practices
- Confidentiality agreements with employees and contractors
- Regular security audits and assessments
- Incident response procedures
- Data protection policies and procedures
10.3 Third-Party Security
We require all third-party service providers and partners who have access to your personal data to:
- Implement appropriate security measures
- Comply with applicable data protection laws
- Use personal data only for authorized purposes
- Maintain confidentiality
10.4 Limitations
While we strive to protect your personal data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security practices and respond promptly to any security incidents.
10.5 Your Responsibility
You also play a role in protecting your personal data:
- Keep your passwords confidential
- Do not share login credentials with others
- Use secure networks when accessing our services
- Report any suspected security breaches to us immediately
- Keep your contact information up to date
11. International Data Transfers
11.1 Cross-Border Transfers
In the course of our business operations, we may transfer your personal data to third-party service providers located outside of Malaysia. This may include transfers to:
- United States: Google (Google Workspace, Google Analytics), Meta/Facebook (advertising platforms), cloud storage providers
- Singapore: Regional cloud data centers
- European Union: Some SaaS platforms and service providers
- Other jurisdictions: As required for specific services
11.2 Safeguards for International Transfers
When we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Standard contractual clauses or data processing agreements
- Verification that the recipient country has adequate data protection laws
- Additional security measures as required by PDPA
- Ensuring third parties comply with privacy standards equivalent to or better than those required by Malaysian law
11.3 Your Consent
By using our services and providing your personal data, you consent to the transfer of your personal data outside Malaysia under the safeguards described above.
12. Children's Privacy
12.1 Age Restrictions
Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors without parental or guardian consent.
12.2 Parental Consent
If we need to collect personal data from a minor (e.g., for a project featuring young models or participants), we will:
- Obtain verifiable parental or guardian consent
- Collect only the minimum necessary information
- Provide parents/guardians with the ability to review, update, or delete their child's information
12.3 If You Are a Parent or Guardian
If you believe we have inadvertently collected personal data from a minor without proper consent, please contact us immediately at [email protected], and we will take steps to delete such information.
13. Data Breach Notification
13.1 Our Commitment
We are committed to protecting your personal data and have implemented security measures and incident response procedures to prevent data breaches.
13.2 In the Event of a Breach
If we become aware of a data breach that poses a risk to your rights and freedoms, we will:
- Investigate the breach immediately
- Take steps to contain and mitigate the breach
- Notify the Personal Data Protection Commissioner of Malaysia within 72 hours (where required by law)
- Notify affected individuals without undue delay if the breach poses a high risk to your rights
- Provide information about the nature of the breach, the likely consequences, the measures taken to address it, and steps you can take to protect yourself
13.3 Your Actions
If you suspect a security breach or unauthorized access to your data, please notify us immediately at [email protected] with the subject line "Security Incident Report."
14. Changes to This Policy
14.1 Updates
We may update this Privacy Policy from time to time to reflect changes in our practices or services, changes in applicable laws and regulations, technological developments, or feedback from users and regulators.
14.2 Notification of Changes
When we make changes to this Policy:
- We will update the "Last Updated" date at the top of this page
- Material changes will be highlighted or communicated via email to existing clients
- Continued use of our services after changes constitutes acceptance of the updated Policy
14.3 Review
We encourage you to review this Policy periodically to stay informed about how we protect your personal data.
15. Contact Us
15.1 Data Protection Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact:
StoryArc Media
Data Protection Officer / Privacy Contact
Email: [email protected]
Phone: +60 11-1530 5942
Website: storyarc-media.com
15.2 Response Time
We aim to respond to all privacy-related inquiries within 21 days as required by the Personal Data Protection Act 2010. If your request is complex, we may require additional time and will inform you of the extension.
16. Language
16.1 Bilingual Policy
In accordance with Section 7(3) of the Personal Data Protection Act 2010 (PDPA), this Privacy Policy is issued in both Bahasa Malaysia and English.
16.2 Conflict Resolution
In the event of any conflict, inconsistency, or ambiguity between the English language version and the Bahasa Malaysia language version of this Policy, the terms in the English language version shall prevail and shall be used to interpret and govern the rights and obligations of all parties.
Acknowledgment
By using our services, website, or providing your personal data to StoryArc Media, you acknowledge that you have read, understood, and agreed to this Privacy and Personal Data Protection Policy.