Privacy Policy
This Privacy Policy explains how Herblumi (“we”, “us”, “our”) collects, uses, discloses, and protects personal data in connection with our website and online services. It is written with reference to the Malaysian Personal Data Protection Act 2010 (PDPA).
This Policy applies to personal data collected online from visitors and customers located in Malaysia. It does not cover information collected offline unless stated otherwise.
Consent
By using our website, submitting forms, creating an account, or contacting us, you consent to the collection and processing of your personal data in accordance with this Policy and the PDPA.
Information We Collect
We may collect and process the following categories of personal data:
- Identity & contact details (e.g., name, email address, phone number, billing / shipping address).
- Account information (e.g., username, order history, saved preferences).
- Communications (e.g., enquiries, support messages, attachments you send us).
- Technical data (e.g., IP address, browser type, device information, pages visited, timestamps, referrer URLs).
- Marketing preferences and consent records.
- Any other information you voluntarily provide to us.
When you create an account or place an order, we may request additional information necessary to fulfil your purchase and provide after-sales support.
How We Use Your Information
We use personal data for purposes including:
- Providing, operating, and maintaining our website and services.
- Processing orders and payments, and delivering products or services.
- Responding to enquiries and providing customer support.
- Improving and personalising the website, including analytics and performance monitoring.
- Sending service messages (e.g., order updates, security notices) and, where consented, marketing communications.
- Detecting, preventing, and addressing fraud, abuse, and security incidents.
- Complying with legal obligations and PDPA requirements.
Legal Basis & PDPA Principles
We process personal data in line with PDPA principles (Notice & Choice, Disclosure, Security, Retention, Data Integrity, Access). Where required, we will provide a Personal Data Protection Notice at or before the time of collection and seek your consent for optional uses (e.g., marketing).
Log Files
Like many websites, we use log files for analytics. The information collected may include IP address, browser type, Internet Service Provider, date/time stamps, referring/exit pages, and click counts. These are used to analyse trends, administer the site, track aggregate usage, and gather demographic information. Log data is not used to directly identify individuals.
Cookies & Similar Technologies
We use cookies and similar technologies to remember preferences, improve performance, and measure campaign effectiveness. You can manage cookies through your browser settings. Disabling cookies may affect certain website features.
For general information about cookies, refer to your browser’s help pages.
Advertising & Analytics Partners
We may work with selected third-party tools (e.g., analytics, advertising networks). These parties may use cookies, pixels, or scripts to measure performance and personalise content. They may automatically receive your IP address or device information when content is served. We do not control third-party cookies once set; please review each provider’s privacy policy for details and opt-out options where available.
Third-Party Links & Websites
Our website may contain links to third-party sites. Their privacy practices are not covered by this Policy. We encourage you to review the privacy policies of any site you visit.
Disclosure of Personal Data
We may disclose personal data to: (i) our service providers (e.g., hosting, payment, logistics, email delivery) under confidentiality obligations; (ii) professional advisors; (iii) authorities where required by law; or (iv) other parties with your consent. We do not sell personal data.
International Transfers
Some service providers may be located outside Malaysia. Where personal data is transferred internationally, we take reasonable steps to ensure a level of protection comparable to PDPA requirements (e.g., contractual safeguards). By using our services, you consent to such transfers where applicable.
Security
We implement reasonable technical and organisational measures to protect personal data against loss, misuse, and unauthorised access. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
Retention
We retain personal data only as long as necessary for the purposes stated in this Policy, to comply with legal, tax, or accounting requirements, or to resolve disputes. When no longer needed, data will be securely deleted or anonymised.
Your Rights (Malaysia PDPA)
Subject to the PDPA and applicable exceptions, you may:
- Access your personal data we hold.
- Request correction of inaccurate or incomplete data.
- Withdraw consent for optional processing (e.g., marketing), which will not affect prior processing.
- Object to processing that is likely to cause damage or distress, where applicable.
To exercise these rights, please contact us using the details below. We may require information to verify your identity. A reasonable administrative fee may apply for access requests as permitted by the PDPA.
Children’s Information
Our website is not intended for children under 13. We do not knowingly collect personally identifiable information from children. If you believe a child has provided personal data, please contact us and we will promptly remove it.
Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated “Last updated” date. Your continued use of the website after changes constitutes acceptance of the revised Policy.
Contact Us
For questions about this Policy or to exercise your PDPA rights, please contact:
Herblumi
Email: hello@herblumi.com
Phone: +6013-2906 968
Last updated: 06 Oct 2025