Privacy Policy

Last Modified: 10th June 2025

CM HORIZON CONSULTANCY PLT [Registration No.: 202004003156 (LLP0025940-LGN)] (“Company”, “we”, “us”, or “our”) is committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (“PDPA”). This Privacy Policy explains how we collect, use, disclose, store, and safeguard your personal data when you visit our website https://www.neurohr.com.my or engage our consultancy services.

By interacting with us, you are deemed to have read, understood, and agreed to the terms of this Privacy Policy, including any updates posted on our website. Where required, we will obtain your explicit consent separately in accordance with the PDPA.

SECTION 1 – DEFINITIONS

For the purpose of this Privacy Policy, the following definitions apply:

“Act” or “PDPA” refers to the Personal Data Protection Act 2010 (Act 709), including the Personal Data Protection (Amendment) Act 2024, and all subsidiary legislation, regulations, and guidelines issued by the Personal Data Protection Commissioner (PDPC).

“Personal Data” means any information that relates directly or indirectly to a natural person (data subject), who is identified or identifiable from that information, or from that and other information in our possession. This includes but is not limited to names, identification numbers, contact information, employment details, and technical identifiers such as IP addresses or device IDs.

“Sensitive Personal Data” includes any information about an individual’s physical or mental health, political opinions, religious beliefs, the commission or alleged commission of any offence, biometric or genetic data, or any data classified as sensitive under PDPC regulations.

“Data Subject” refers to the individual who is the subject of the personal data.

“Data User” refers to a person or organization that has control over or authorises the processing of any personal data in respect of commercial transactions. For the purposes of this policy, CM Horizon acts as the Data User.

“Data Processor” is any person or entity that processes personal data on behalf of a data user, but does not process the data for its own purposes.

“Processing” encompasses a wide range of operations including the collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure or destruction of personal data.

“Third Party” means any individual or entity other than the data subject, data user, or data processor.

“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or clear affirmative action, signify agreement to the processing of personal data. Passive consent or pre-ticked boxes are not considered valid.

“Anonymisation” is the process of removing personal identifiers from data sets so that individuals cannot be identified, either directly or indirectly.

“Pseudonymisation” means the processing of personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information.

“Breach Notification” refers to the requirement to notify both the PDPC and affected individuals in the event of a data breach that may result in harm, as stipulated under the 2024 amendments.

“Cross-Border Transfer” involves the movement of personal data to jurisdictions outside of Malaysia and is subject to specific controls under Section 129 of the PDPA.

“Direct Marketing” refers to the communication of promotional material to individuals based on their personal data. Under the amended law, such communication requires prior explicit consent.

“Data Portability” provides data subjects with the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit those data to another controller.

SECTION 2 – TYPES OF PERSONAL DATA COLLECTED

In the course of our operations, we may collect a variety of personal data either directly from you or through other legitimate means. This includes your full name, national identification number or passport number, date of birth, gender, and other identity-related information. Contact information such as your residential or business address, email address, and telephone number may also be collected.

We may gather professional or employment-related data, including your job title, company name, professional credentials, and curriculum vitae. Financial and transactional information may also be obtained, especially when billing or invoicing is involved. Sensitive payment data, such as full credit card numbers, is never stored by us; it is processed through secure, compliant gateways.

In the digital realm, we may collect technical data such as IP addresses, browser types, time zone settings, operating system details, and information about your usage of our website. Communications data, such as records of emails, phone conversations, video calls, and meeting summaries, may be kept for service quality assurance and compliance purposes.

SECTION 3 – METHODS OF DATA COLLECTION

Personal data may be collected through several means, including information you provide when filling out our online or offline forms, engaging with our consultants, entering into contracts or service agreements, corresponding with us via email or messaging platforms, or responding to our surveys and feedback forms.

Additionally, data is automatically collected through your interaction with our website, including through cookies, server logs, tracking pixels, and analytics tools, depending on your browser settings. From time to time, we may also obtain data from third-party sources, such as publicly available registries (e.g., SSM), referral partners, or business affiliates, subject to legal and ethical standards.

SECTION 4 – PURPOSE OF PROCESSING PERSONAL DATA

We collect and process your personal data to fulfill specific and lawful purposes. This includes the performance of contractual obligations in providing our consultancy services, responding to inquiries or requests, managing client relationships, and communicating essential information regarding your engagement with us.

We also process your data for billing and tax compliance, including the issuance of payment receipts and tax-compliant invoices under applicable Malaysian laws. With your explicit consent, we may use your contact information for direct marketing, to share updates, newsletters, or insights relevant to your business or industry.

Furthermore, your data may be processed to meet statutory and regulatory obligations under laws such as the Anti-Money Laundering Act 2001 and the Limited Liability Partnerships Act 2012. Internally, we may use data analytics to improve our services, ensure security, and manage operational risks.

SECTION 5 – LEGAL BASIS FOR PROCESSING

The legal grounds for processing your personal data are rooted in the principles established by the PDPA. Where data processing is necessary to enter into or perform a contract with you, it will be conducted on the basis of contractual necessity. In situations where we are required by law to process your data, for tax reporting or anti-money laundering compliance, our basis is legal obligation.

In instances where you voluntarily provide data for non-essential purposes, such as subscribing to newsletters or participating in promotional events, we will seek your clear and affirmative consent. Additionally, some processing activities may be based on our legitimate interests, such as preventing fraud or improving service quality, provided these do not override your fundamental rights and freedoms.

SECTION 6 – DATA SHARING & DISCLOSURE

We may disclose your personal data to third parties where such disclosure is necessary for the purposes outlined above. These may include government agencies and regulators such as the Personal Data Protection Commissioner, the Royal Malaysian Police, the Inland Revenue Board of Malaysia, and Bank Negara Malaysia, where disclosure is mandated by law.

Your information may also be shared with trusted service providers that support our business operations, such as IT service vendors, cloud hosting providers, document storage vendors, auditors, legal advisors, and payment processors. These entities are contractually bound to maintain confidentiality and safeguard your data under terms consistent with this Policy.

In the event of a business restructuring, merger, or acquisition, your data may be transferred to the successor entity, subject to the principles of the PDPA.

SECTION 7 – INTERNATIONAL TRANSFERS

If it becomes necessary to transfer your personal data outside Malaysia, we will ensure such transfers comply with PDPA requirements. We will assess whether the recipient country offers an adequate level of data protection and enter into binding agreements with the recipient that include standard contractual clauses approved by the PDPC.

Transfers will only occur for legitimate business purposes and, where applicable, your explicit consent will be obtained before any such transfer. Data transferred abroad will be subject to the same level of protection as within Malaysia.

SECTION 8 – DATA SECURITY MEASURES

We are committed to protecting your personal data through robust technical and organizational measures. All data stored on our systems is protected with advanced encryption standards such as AES-256, and any data transmitted electronically is secured using transport-layer encryption protocols such as TLS 1.2 or higher.

We employ strict access controls, including role-based permissions and multi-factor authentication for systems containing personal data. Routine security audits, penetration testing, and vulnerability assessments are conducted to identify and mitigate risks. Employees and contractors handling personal data undergo regular training to ensure compliance with data protection standards and are required to sign confidentiality agreements.

In the event of a data breach that may cause harm to you, we will notify both the PDPC and affected individuals without undue delay and within the timeline mandated by the PDPA.

SECTION 9 – DATA RETENTION

Personal data is retained only as long as necessary to fulfill the purposes for which it was collected, or to comply with legal and regulatory requirements. For active clients, we retain data for the duration of the engagement and an additional period of seven years thereafter, in accordance with the Limitation Act 1953 and tax laws.

Marketing-related data will be retained until you withdraw your consent or after three years of inactivity, whichever comes first. Technical logs and digital access records are generally retained for 12 months unless required for security monitoring or compliance investigations. Upon expiry of the retention period, personal data will be securely erased using industry-standard methods.

SECTION 10 – YOUR RIGHTS UNDER PDPA

As a data subject, you are entitled to exercise a range of rights under the PDPA. These include the right to access your personal data held by us, the right to request corrections of inaccurate or outdated information, and the right to withdraw previously granted consent, especially in relation to marketing communications.

You also have the right to object to the processing of your personal data for direct marketing purposes and to request, where applicable, the transfer of your personal data to another service provider in a structured, machine-readable format. All such requests must be submitted in writing to our Data Protection Officer, and we are committed to responding within 21 working days.

SECTION 11 – COOKIES AND TRACKING

Our website uses cookies and other tracking technologies to enhance your user experience. Essential cookies are used to maintain core site functionality, such as session persistence and user authentication. Non-essential cookies, such as those for analytics and advertising, will only be used if you provide consent via our cookie banner.

You may manage or disable cookies at any time through your browser settings. However, please note that disabling certain cookies may affect the functionality of the website.

SECTION 12 – THIRD-PARTY LINKS

This website may contain hyperlinks to third-party websites. These sites operate independently of us and may have their own privacy policies and practices. We are not responsible for the content, accuracy, or privacy practices of external sites, and users are advised to review the respective policies before providing any personal data.

SECTION 13 – MINORS

Our services are not directed toward individuals under the age of 18. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a minor, we will take immediate steps to delete such data upon notification by a parent or guardian.

SECTION 14 – POLICY UPDATES

This Privacy Policy may be amended periodically to reflect changes in legal requirements or our internal practices. Material updates will be posted on our website with a revised effective date. Where feasible, we will also notify active clients via email. Continued use of our website or services following such updates constitutes your acceptance of the revised policy.

SECTION 15 – CONTACT DETAILS & COMPLAINTS

If you have any questions, requests, or complaints regarding your personal data, please contact our Data Protection Officer at dpo@cmglobal.com.my.

If your concerns remain unresolved, you have the right to lodge a complaint with the Personal Data Protection Commissioner Malaysia (PDPC).

By using this website, you agree to our Privacy Policy.