GDPR & Privacy Policy

At Hallmark Furniture, we are committed to protecting your personal data and respecting your privacy. This policy explains how we collect, use, store, and protect your information when you visit or make a purchase on our website in accordance with the General Data Protection Regulation (GDPR) and applicable Malaysian data protection laws.

What laws govern this policy?

This Privacy Policy is governed by and compliant with the following legislation:

  • General Data Protection Regulation (GDPR) — EU Regulation 2016/679, applicable to customers in the European Economic Area (EEA)
  • Personal Data Protection Act 2010 (PDPA) — Malaysian federal law governing the processing of personal data in commercial transactions
  • UK GDPR — applicable to customers in the United Kingdom post-Brexit
  • Privacy and Electronic Communications Regulations (PECR) — governing electronic marketing and cookies

Where applicable law provides greater protection than GDPR, we apply that standard to the relevant users.

What personal data do we collect from you?

When you use our website, browse products, or place an order, we may collect the following categories of personal data:

Identity & Contact Data:

  • Full name
  • Email address
  • Phone number
  • Company name (for business orders)
  • Billing and shipping address

Transaction & Order Data:

  • Products purchased, quantities, and order value
  • Payment method (we do not store full card details — see Payment section)
  • Order history and invoice records
  • Delivery and shipment tracking information

Technical & Usage Data:

  • IP address and browser type
  • Device type and operating system
  • Pages visited, time spent, and referral source
  • Cookie identifiers (see our Cookie Policy section)

Communication Data:

  • Messages submitted via our contact form
  • Email correspondence with our sales or support team
  • Product enquiry and quotation request details

Do we collect data from children?

Our website and services are not intended for children under the age of 16. We do not knowingly collect personal data from anyone under 16 years of age. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete that information without delay.

Do we collect sensitive personal data?

We do not intentionally collect any special category data (also known as sensitive personal data) such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric information through our website. Please do not submit such information through our contact forms or order processes.

How is your personal data collected?

We collect your personal data through the following methods:

  • Direct interactions — when you create an account, place an order, fill in our contact form, request a catalogue, or communicate with us by email or phone
  • Automated technologies — as you browse our website, we automatically collect technical data via cookies, server logs, and similar tracking technologies
  • Third-party sources — we may receive data from payment processors (such as Stripe or PayPal), shipping partners, analytics providers (such as Google Analytics), and social media platforms if you interact with us through those channels
  • Order fulfilment partners — our logistics and freight partners may share delivery-related information with us to update your order status

What are cookies and how do we use them?

Cookies are small text files placed on your device when you visit our website. We use the following types of cookies:

  • Strictly Necessary Cookies — essential for the website to function, including maintaining your shopping cart and login session. These cannot be disabled.
  • Analytics Cookies — used to understand how visitors use our site (e.g. Google Analytics). These help us improve our website performance. You may opt out.
  • Functional Cookies — used to remember your preferences such as language or region settings.
  • Marketing Cookies — used to show you relevant advertisements. These are only active with your consent.

You can manage or withdraw your cookie consent at any time through your browser settings or our cookie consent banner. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.

For what purposes do we process your personal data?

We process your personal data only for specified, explicit, and legitimate purposes. Here is how we use the data we collect:

  • To process and fulfil your orders — including payment processing, production scheduling, packaging, and delivery arrangement
  • To manage your account — creating and maintaining your customer account on our website
  • To communicate with you — responding to enquiries, sending order confirmations, shipping updates, and after-sales support
  • To send marketing communications — only where you have given explicit consent, we may send promotional emails about new products, offers, or catalogues
  • To improve our website and services — using analytics data to understand usage patterns and optimise the customer experience
  • To comply with legal obligations — including tax record-keeping, anti-fraud checks, and regulatory reporting requirements
  • To protect our business interests — detecting and preventing fraudulent transactions, chargebacks, or abuse of our services

What is the legal basis for processing your data?

Under GDPR, we are required to have a valid legal basis for processing your personal data. We rely on the following bases:

  • Contractual necessity — processing required to fulfil your order or respond to your pre-purchase enquiry
  • Legal obligation — processing required to comply with applicable laws, such as tax legislation and consumer protection regulations
  • Legitimate interests — processing for fraud prevention, website improvement, and business analytics, where your rights do not override our interests
  • Consent — for marketing emails and non-essential cookies, we rely on your freely given, specific, and informed consent. You may withdraw consent at any time.

Do we use your data for automated decision-making or profiling?

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects. Any decisions that affect your orders, accounts, or access to our services are made with human review and oversight.

Do we share your personal data with third parties?

We do not sell, rent, or trade your personal data. We only share your data with trusted third parties where necessary to operate our business and deliver our services:

  • Payment processors — such as Stripe, PayPal, or local banking partners, to securely process your payment transactions
  • Logistics and shipping partners — freight forwarders and courier companies who deliver your order
  • IT and hosting providers — cloud hosting, website maintenance, and security service providers
  • Email service providers — platforms used to send transactional and marketing emails
  • Analytics providers — such as Google Analytics, to understand website usage (data is anonymised or pseudonymised where possible)
  • Legal and regulatory authorities — where required by law, court order, or regulatory obligation

All third-party processors are required to handle your data securely and in accordance with applicable data protection law. We enter into Data Processing Agreements (DPAs) with all relevant processors.

Do we transfer your data outside of your country?

As an international furniture exporter based in Malaysia, we may transfer your personal data to third-party service providers located outside of Malaysia or the EEA. Where such transfers occur, we ensure appropriate safeguards are in place including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Transfers only to countries with an EU adequacy decision
  • Binding Corporate Rules where applicable

If you are an EEA-based customer and have concerns about international data transfers, please contact us for further information.

How long do we keep your personal data?

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including legal, accounting, and regulatory requirements:

  • Order and transaction records — retained for 7 years in compliance with Malaysian tax and accounting regulations
  • Customer account data — retained for the duration of your account, plus 3 years after account closure
  • Marketing consent records — retained for the duration of your subscription, plus 3 years after unsubscription as evidence of consent
  • Contact form enquiries — retained for 2 years from the date of your enquiry
  • Website analytics data — retained for 26 months in anonymised or aggregated form
  • Cookie data — retained according to the individual cookie’s expiry period (typically 30 days to 2 years)

When data is no longer required, it is securely deleted or anonymised in accordance with our internal data retention policy.

How do we securely delete or destroy data?

When your personal data reaches the end of its retention period, we securely delete or destroy it using appropriate methods:

  • Digital data is permanently deleted from all active systems and backups
  • Physical documents containing personal data are shredded using cross-cut shredders
  • Data on decommissioned hardware is wiped using certified data erasure software

We conduct periodic data audits to ensure our retention schedules are adhered to and that unnecessary data is not held beyond its required period.

What rights do you have over your personal data?

Under GDPR and applicable data protection law, you have the following rights regarding your personal data:

  • Right to Access — you have the right to request a copy of the personal data we hold about you (also known as a Subject Access Request or SAR)
  • Right to Rectification — you may request that we correct any inaccurate or incomplete personal data we hold about you
  • Right to Erasure — also known as the “right to be forgotten”, you may request that we delete your personal data where there is no legitimate reason for us to continue processing it
  • Right to Restriction of Processing — you may request that we suspend processing of your data in certain circumstances
  • Right to Data Portability — you have the right to receive your personal data in a structured, machine-readable format and to transfer it to another controller
  • Right to Object — you may object to processing of your data based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Right to Lodge a Complaint — you have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national data protection authority in the EU)

How do you exercise your data rights?

To exercise any of your rights listed above, please submit a written request to us via:

  • Contact Form: Visit our Contact page and select “Data Privacy Request” as your subject
  • Email: Send your request to our designated email address (available on our Contact page)
  • Post: Write to Hallmark Furniture Sdn. Bhd., Lot 12170, Batu 2, Jalan Bangi, Semenyih, Selangor 43500, Malaysia

We will respond to your request within 30 days of receipt. We may ask you to verify your identity before processing your request. In complex cases, we may extend this period by a further 2 months and will notify you of any such extension.

There is no charge for exercising your rights unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

What happens if you withdraw your consent to marketing?

You may withdraw your consent to receive marketing communications at any time by:

  • Clicking the unsubscribe link in any marketing email we send
  • Contacting us directly via our Contact page
  • Updating your communication preferences in your account settings

Withdrawal of marketing consent will not affect the processing of your data for order fulfilment or legal compliance purposes. You will continue to receive transactional emails related to active orders.

How do we protect your personal data?

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure:

  • SSL/TLS Encryption — all data transmitted between your browser and our website is encrypted using 256-bit SSL technology
  • Access controls — personal data is accessible only to authorised personnel who require it to perform their duties
  • Secure hosting — our website and data are hosted on secure, reputable servers with regular backups and security patches
  • Password security — account passwords are stored using industry-standard one-way hashing and are never stored in plain text
  • Regular security audits — we conduct periodic reviews of our data security practices and systems

While we take every reasonable precaution, no method of internet transmission or electronic storage is 100% secure. We encourage you to use strong passwords and to notify us immediately if you suspect any unauthorised access to your account.

How is your payment data handled?

We take payment security extremely seriously. When you make a purchase on our website:

  • Payment transactions are processed by PCI DSS-compliant third-party payment processors
  • We do not store your full credit or debit card number, CVV code, or card expiry date on our servers
  • Payment pages are served over encrypted HTTPS connections
  • We retain only the last four digits of your card number and payment reference for order records

For full details on how your payment data is handled, please refer to the privacy policy of the respective payment processor used at checkout.

What happens in the event of a data breach?

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Document all breaches in our internal breach register, including breaches that do not require notification
  • Take immediate steps to contain, investigate, and remediate the breach

We have an internal Data Breach Response Plan in place and train our staff to identify and escalate potential breaches promptly.

What data is collected when I place an order?

When you place an order on our website, we collect and process the following data specifically for order fulfilment:

  • Full name and contact details (email, phone)
  • Billing address and shipping address
  • Order contents, quantities, and total value
  • Payment confirmation details (reference number and partial card info)
  • Delivery preferences and special instructions
  • IP address and device information at time of purchase (for fraud prevention)

This data is retained for 7 years to comply with our financial and legal record-keeping obligations.

Do you use my data for remarketing or targeted advertising?

We may use anonymised and aggregated data from your website visits to display relevant advertisements on third-party platforms such as Google Ads or Meta (Facebook/Instagram). This is only done where you have consented to marketing cookies.

You can opt out of personalised advertising at any time by:

  • Updating your cookie preferences on our website
  • Visiting www.youronlinechoices.com to manage ad preferences
  • Using your browser’s privacy settings to block third-party cookies

We do not share your personal order data with advertising networks.

Are there links to third-party websites on your site?

Our website may contain links to third-party websites, social media platforms, or partner pages. This Privacy Policy applies only to the Hallmark Furniture website. We are not responsible for the privacy practices of any external sites. We encourage you to read the privacy policy of any third-party website you visit via links on our platform.

How do you handle account registration data?

When you create an account on our website, we collect your name, email address, and a password (stored as a one-way hash, never in plain text, as described in the section on how we protect your personal data). Your account data is used to:

  • Allow you to view order history and track shipments
  • Save your delivery addresses for faster checkout
  • Manage your marketing preferences
  • Provide personalised customer support

You may request deletion of your account at any time. Please note that order records may be retained for legal and accounting purposes even after account deletion.

How will we notify you of changes to this policy?

We review and update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or business operations. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this page
  • Display a prominent notice on our website homepage or banner
  • Send an email notification to registered customers where the changes significantly affect how we process their data

We encourage you to review this policy periodically. Your continued use of our website after any changes constitutes your acknowledgement of the updated policy.

How can you contact us about data privacy matters?

For any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact us:

Hallmark Furniture Sdn. Bhd.

We aim to respond to all data privacy enquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection supervisory authority.