Privacy Policy

1. Introduction

Onyrra Group ("we", "us", "our") is committed to handling the personal data of those who engage with our website and services with care and in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA). This policy describes what personal data we collect, why we collect it, how we use it, and what rights you have in relation to it.

This policy applies to all personal data collected through our website at onyrragrea.world and through our consulting engagements. If you have questions about how we handle your data, write to us at [email protected].

2. Data we collect and why

We collect the following categories of personal data:

• Contact information — name, email address, telephone number. Collected when you submit the enquiry form on our website or contact us directly. Used to respond to your enquiry and, where an engagement begins, to administer that engagement.
• Engagement-related information — details you share with us in the course of a consulting engagement, including commercially sensitive information about your firm, your counterparts, and the nature of the relationship we are working on. This information is treated as strictly confidential and is not used for any purpose other than delivering the engagement.
• Website usage data — anonymised browsing data collected via analytics cookies (where consent has been given). Used to understand how the website is used and to improve it.
• Correspondence — emails and messages exchanged with us. Retained as part of our client records for the duration of our engagement and for a reasonable period after.

The legal bases for processing under Malaysia's PDPA are: (a) your consent, given when you submit our contact form or accept analytics cookies; (b) the performance of a contract, where an engagement agreement exists between us; and (c) our legitimate interest in maintaining appropriate business records.

3. How we use personal data

We use the personal data we collect for the following purposes:

• To respond to enquiries submitted through our website
• To conduct consulting engagements you have commissioned
• To send engagement-related correspondence and deliverables
• To send occasional communications about our practice, where you have given consent — you may withdraw this consent at any time by writing to us
• To maintain our internal business records and accounts
• To understand how our website is used, in order to improve it (analytics cookies only, where consent has been given)

We do not sell personal data to third parties. We do not use personal data for automated decision-making or profiling.

4. Sharing personal data

We share personal data only in the following circumstances:

• Service providers — we may share data with trusted third parties who assist in operating our website or delivering our services (for example, website hosting providers). These parties are bound by appropriate data handling obligations.
• Legal requirements — we may disclose data if required to do so by law or by a competent authority in Malaysia.
• Counterpart consultation — in Counterpart Relationship Review engagements, we may with your explicit consent share limited information about the engagement with the ASEAN counterpart, in order to conduct the counterpart consultation that is part of that service. This will always be agreed with you in advance.

Beyond the above, we do not share personal data with third parties.

5. Data retention

We retain contact information submitted through our website for as long as it is relevant to an active enquiry or engagement, and for up to two years thereafter for our internal records. Engagement-related data is retained for five years after the close of an engagement, consistent with normal business record-keeping practice in Malaysia. You may request deletion of your data at any time, subject to any legal or contractual obligations that require us to retain it.

6. Data protection measures

We take reasonable technical and organisational measures to protect the personal data we hold against unauthorised access, disclosure, or loss. These include access controls limiting who within our practice can view client data, secure email practices, and regular review of the data we hold. In the event of a data breach that is likely to affect your rights or interests, we will notify you in accordance with our obligations under the PDPA.

7. Cookies

Our website uses cookies to support its basic functioning and, where consent is given, to collect anonymous analytics data. We do not use advertising or tracking cookies. Details of the cookies we use and how to manage your preferences are set out in our Cookie Policy.

8. Your rights

Under Malaysia's PDPA, you have the following rights in relation to your personal data:

• Right of access — to request a copy of the personal data we hold about you
• Right of correction — to request that inaccurate or incomplete data be corrected
• Right to withdraw consent — to withdraw consent to processing at any time, where processing is based on consent
• Right to cease processing — to request that we stop processing your data for direct marketing purposes
• Right to complain — to lodge a complaint with the Personal Data Protection Commissioner of Malaysia if you believe your data has been mishandled

To exercise any of these rights, write to us at [email protected]. We will respond within 21 days.

9. Third-party links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and recommend that you read their privacy policies before sharing any personal data with them.

10. Children's privacy

Our services are directed at business professionals and are not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has submitted personal data to us, please contact us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. Where changes are material, we will make reasonable efforts to notify those who have engaged with us. The date at the top of this page reflects when the policy was last amended. Continued use of our website following a change constitutes acceptance of the updated policy.