Privacy policy
SOTHYS Malaysia Privacy Notice (PDPA 2010)
Last updated: 18 November 2025
This Privacy Notice explains how SOTHYS Group of Companies in Malaysia (“SOTHYS Malaysia”, “we”, “us”) collects, uses, discloses, and protects your Personal Data in accordance with the Personal Data Protection Act 2010 (PDPA).
1. What is Personal Data?
“Personal Data” means any information about you that identifies you directly or indirectly, including sensitive information. Examples include (but are not limited to):
- Identity & contact: name, NRIC/passport, date of birth, gender, email, phone number, address.
- Health & service info: skin condition, medical history, medication (only where relevant to treatments).
- Transactional: orders, payment details, delivery records, appointment bookings.
- Technical: IP address, cookies, browsing history, device information.
- Recruitment (if applicable): CV, work history, qualifications, references.
If you provide us with another person’s Personal Data (e.g. gift recipient, referee), you confirm that you have informed them and obtained consent where required.
2. Why we collect your data (Purposes)
We process your Personal Data for purposes including:
- To fulfil orders, bookings and services you request.
- To create and manage your account and loyalty membership.
- To personalise skincare recommendations and monitor treatment results.
- To communicate with you regarding promotions, events, product launches, or newsletters (only if you have given consent; you may withdraw at any time).
- To improve our services through surveys, feedback, and analytics.
- To comply with legal or regulatory requirements, including fraud detection, audits, and tax obligations.
- For recruitment and HR purposes (if you apply for employment).
If you do not provide sufficient Personal Data, we may not be able to provide the requested services.
3. Disclosure of Personal Data
We may share your Personal Data only where necessary, with:
- Companies within the SOTHYS Group (including affiliates outside Malaysia).
- Service providers under contract, such as couriers, payment processors, IT/website hosts, marketing platforms, and salon booking systems.
- Professional advisers, auditors, and regulators as required by law.
- Law enforcement or government authorities where legally required.
All third parties are bound by confidentiality and must process your data only for the agreed purposes.
4. Cross-Border Transfers
Your Personal Data may be transferred or stored outside Malaysia (e.g. cloud servers, Shopify hosting, loyalty systems). Where this occurs, we ensure adequate safeguards are in place or obtain your consent, consistent with PDPA requirements.
5. Security of Your Data
We implement strict security measures, including:
- SSL/HTTPS encryption on our website.
- Restricted staff access on a need-to-know basis.
- Multi-factor authentication for admin systems.
- Secure storage and disposal procedures.
- Regular monitoring and staff training.
6. Retention of Data
We keep Personal Data only as long as necessary for the purposes stated, or to meet legal/tax obligations.
- Customer records: up to 7 years after last transaction.
- Recruitment records: retained only as long as necessary.
After retention, we securely delete or anonymise data.
7. Your Rights
Under the PDPA, you have the right to:
- Request access to your Personal Data.
- Request correction of inaccurate or outdated data.
- Withdraw consent for marketing or specific processing activities.
- Request deletion or restriction of your data, subject to legal limitations.
We aim to respond to all valid requests within 21 days.
8. Cookies & Digital Tracking
We use cookies and similar technologies to:
- Ensure website functionality.
- Analyse browsing behaviour to improve user experience.
- Deliver personalised marketing (with your consent).
You can manage cookie preferences via your browser settings or our cookie banner.
9. Children’s Privacy
Our services are intended for individuals 18 years and above. If we discover that we have collected data from a minor without parental consent, we will promptly delete it.
10. Contact Us
If you have any questions, wish to exercise your rights, or withdraw consent, please contact our Data Protection Officer (DPO):
Email: pdpa.flagship@sothys.com.my
Post: Operations Department,
SOCIETE FRANCAISE DE COSMETIQUES SDN BHD
D4-06-10, Solaris Dutamas,
No. 1, Jalan Dutamas 1,
50480 Kuala Lumpur, Malaysia
11. Updates
We may update this Privacy Notice from time to time. The latest version will always be published on our website with the updated “Last updated” date.
SOTHYS Malaysia Privacy Notice (PDPA 2010), Bahasa Malaysia version
Last updated: 18 November 2025
This Privacy Notice explains how the SOTHYS Group of Companies in Malaysia (“SOTHYS Malaysia”, “we”) collects, uses, discloses and protects your Personal Data in accordance with the Personal Data Protection Act 2010 (PDPA).
1. What is Personal Data?
“Personal Data” means any information about you that identifies you directly or indirectly, including sensitive information. Examples include (but are not limited to):
- Identity & contact: name, NRIC/passport, date of birth, gender, email address, telephone number, home address.
- Health & services: skin condition, medical history, medication (only where relevant to treatments).
- Transactional: orders, payment information, delivery records, appointment bookings.
- Technical: IP address, cookies, browsing history, device information.
- Recruitment (if applicable): CV, work records, qualifications, references.
If you provide another individual’s Personal Data (e.g. gift recipient, referee), you confirm that you have informed that individual and obtained their consent.
2. Purposes of Data Collection
We process your Personal Data for the following purposes:
- To provide the products/services requested (orders, bookings, treatments).
- To open and manage your account and loyalty membership.
- To provide personalised skincare recommendations and monitor treatment results.
- To communicate with you about promotions, events, product launches, or newsletters (only if you have given consent; you may withdraw at any time).
- To improve our services through surveys, feedback, and analytics.
- To meet legal/regulatory requirements, including fraud detection, audits, and tax.
- For recruitment and Human Resources purposes (if you apply for employment).
If you do not provide sufficient Personal Data, we may not be able to provide the requested services.
3. Disclosure of Personal Data
We share your Personal Data only where necessary, with:
- Companies within the SOTHYS Group (including affiliates outside Malaysia).
- Service providers under contract, such as couriers, payment processors, IT/hosting providers, marketing platforms, and salon booking systems.
- Professional advisers, auditors, and regulators as required by law.
- Government/law enforcement authorities where required.
All third parties are bound by confidentiality and may only process data for the agreed purposes.
4. Cross-Border Transfers
Your Personal Data may be transferred or stored outside Malaysia (e.g. cloud servers, Shopify, loyalty systems). Where this occurs, we will ensure adequate protection or obtain your consent in accordance with the PDPA.
5. Data Security
We implement strict security measures, including:
- SSL/HTTPS encryption on the website.
- Restricted staff access (based on job requirements).
- Multi-factor authentication for administrator systems.
- Secure storage & disposal.
- Continuous monitoring & staff training.
6. Data Retention Period
We keep Personal Data only as long as necessary for the purposes above or for legal/tax requirements.
- Customer records: up to 7 years after the last transaction.
- Recruitment records: only as long as necessary.
After the retention period ends, data will be securely deleted or anonymised.
7. Your Rights
Under the PDPA, you have the right to:
- Request access to your Personal Data.
- Request correction of inaccurate or outdated data.
- Withdraw consent for marketing or specific processing.
- Request deletion or restriction of your data, subject to legal limitations.
We will respond within 21 working days.
8. Cookies & Digital Tracking
We use cookies/similar technologies to:
- Support website functionality.
- Analyse browsing behaviour.
- Deliver personalised marketing (with your consent).
You can manage cookie preferences via your browser settings or our cookie banner.
9. Children’s Data
Our services are intended for individuals aged 18 and above. If we find that we have collected a child’s data without parental/guardian consent, that data will be deleted.
10. Contact Us
For enquiries, access or correction requests, or withdrawal of consent, please contact the Data Protection Officer (DPO):
Email: pdpa.flagship@sothys.com.my
Post: Operations Department
SOCIETE FRANCAISE DE COSMETIQUES SDN BHD
D4-06-10, Solaris Dutamas,
No. 1, Jalan Dutamas 1,
50480 Kuala Lumpur, Malaysia
11. Updates
We may update this Privacy Notice from time to time. The latest version will be published on our website with the “Last updated” date.