Effective date:
This Privacy Policy sets out how Citadel Group Sdn. Bhd. (collectively, “Citadel”, “we”, “us”, or “our”) collects, uses, discloses, stores and protects personal data strictly in accordance with the Personal Data Protection Act 2010 of Malaysia (“PDPA”), its subsidiary legislation, binding codes of practice, guidelines and directives issued by the Personal Data Protection Commissioner (“PDPC”) and all other applicable data protection and regulatory requirements.
By accessing or using our websites, submitting information to us, registering for events or otherwise engaging with Citadel, you acknowledge that you have read, understood and agreed to this Policy. Where required under law, your continued engagement constitutes deemed consent for the processing of personal data in accordance with this Policy, subject always to your statutory rights under the PDPA.
1) Scope
This Privacy Policy applies to:
- Visitors to Citadel websites and landing pages
- Individuals who contact us via forms, email, phone, WhatsApp or social media
- Individuals who subscribe to marketing updates or register for events/webinars
- Business contacts and representatives of partners, vendors and corporate clients
This Policy does not apply to employees, former employees or job applicants, whose personal data are governed by separate internal employment and human resources policies. Nothing in this Policy limits any statutory powers of the PDPC or obligations imposed on Citadel under the PDPA.
2) Personal Data We Collect
We may collect personal data (information that identifies you directly or indirectly), including:
- Identity & contact details: name, email, phone number, company, job title, address (if provided)
- Enquiry/relationship data: messages, feedback, support requests, meeting notes, correspondence
- Marketing preferences: subscriptions, consent records, communication preferences, opt-in/opt-out status
- Technical & usage data: IP address, device identifiers, browser type, operating system, pages visited, referral source, session duration, clickstream data
- Cookie/analytics data: cookie identifiers and tracking data
- Event data: attendance, dietary requirements (if provided), recordings/photos where applicable
*Sensitive personal data: We do not intentionally collect sensitive personal data unless you voluntarily provide it and it is necessary for a legitimate purpose. Where required, we will obtain explicit consent.
3) How We Collect Your Data
We collect data when you:
- Fill in forms (contact, enquiry, partnership, careers, newsletter)
- Subscribe to communications
- Register for or attend events/webinars
- Correspond with us via email, phone, messaging platforms or social media
- Browse our website (automatically via cookies and similar technologies)
- Engage with our ads or campaigns
4) Purposes of Processing
We use your personal data to:
- Respond to enquiries and provide requested information
- Provide services, manage relationships and maintain business communications
- Administer registrations, events, invitations and attendance
- Improve website performance, user experience, content and security
- Conduct analytics, traffic measurement and platform optimisation
- Send relevant updates, announcements, newsletters, invitations or marketing (subject to consent and applicable law)
- Conduct internal reporting and business planning (aggregated where possible)
- Comply with legal, regulatory, audit, governance and risk management obligations
- Prevent fraud, misuse and unauthorised access
5) Legal Basis and Consent (PDPA)
Under the PDPA, we process personal data on the basis of:
- Your consent (e.g., marketing subscriptions, certain cookies/trackers, event media where applicable)
- Performance of a contract or steps you request prior to entering a contract
- Legitimate interests (e.g., responding to B2B enquiries, improving services, securing systems), where not overridden by your rights
- Legal obligations (e.g., compliance, record-keeping)
*Where consent is required, you may withdraw it at any time.
Where processing is based on consent, you may withdraw such consent at any time by written notice to us. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal and may result in our inability to continue providing certain services or engagements where such processing is necessary.
6) Marketing and Communications
If you opt in (or where otherwise permitted by law), we may send you:
- Company updates, newsletters, event invitations, product/service announcements and relevant communications
You may opt out of marketing communications at any time using the unsubscribe mechanism or by contacting us directly. Operational or service‑related communications may still be sent where necessary.
7) Disclosure to Third Parties
We may disclose personal data to:
- Group entities within the Citadel corporate group (as relevant to the purpose)
- Service providers acting on our instructions
- Professional advisers *subject to confidentiality
- Authorities/regulators where required by law or to protect rights and safety
All third parties and data processors are contractually required to implement appropriate technical and organisational security measures, to process personal data strictly in accordance with our written instructions and to refrain from any unauthorised or unlawful processing. Citadel remains committed to ensuring accountability in line with PDPC guidance.
8) Cookies and Similar Technologies
We use cookies and similar technologies to:
- Enable core website functionality
- Analyse traffic and usage patterns
- Improve performance and content relevance
- Remember preferences (where applicable)
- Support marketing/retargeting (where enabled and permitted)
You can manage cookies by:
- Adjusting your browser settings to refuse or delete cookies and/or
- Using any cookie banner/preferences tool on our site (if implemented)
*Disabling cookies may affect site functionality.
9) Events, Webinars and Media
For events/webinars, we may:
- Collect registration details and attendance records
- Take photos/videos or record sessions for documentation, training, marketing or compliance purposes (where applicable)
Where required, we will obtain consent or provide notice at the event. You may object to being photographed/recorded by informing the organiser in advance or on-site.
10) Cross-Border Data Transfers
Your personal data may be transferred to, stored in or processed in locations outside Malaysia. Where cross-border transfers occur, we take reasonable steps to ensure:
- Comparable levels of protection to PDPA standards
- Appropriate contractual safeguards and security controls are in place
11) Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy, including:
- Ongoing business relationship management
- Legal, regulatory and audit requirements
- Dispute resolution and enforcement of rights
We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy or as required by law, regulation or legitimate business needs. Thereafter, data will be securely deleted, anonymised or archived.
12) Your Rights (PDPA)
Subject to applicable laws, you may have the right to:
- Request access to your personal data
- Request correction of inaccurate or incomplete data
- Withdraw consent (where processing is based on consent)
- Object to or request limitation of certain processing (including marketing)
We reserve the right to verify identity, request additional information reasonably required to process a request and to refuse or limit requests where permitted under the PDPA, including where compliance would be unreasonable, disproportionate, technically impracticable or contrary to legal or regulatory obligations.
13) Security
We implement reasonable administrative, technical and physical safeguards to protect personal data against loss, misuse, unauthorised access, disclosure, alteration or destruction. However, no method of transmission over the internet is completely secure and we cannot guarantee absolute security. To the fullest extent permitted by law, Citadel disclaims liability for unauthorised access, loss or disclosure arising from factors beyond our reasonable control including cyberattacks, system failures or third‑party misconduct.
14) Third-Party Links
Our website may contain links to third-party sites. We are not responsible for the privacy practices or content of those sites. Please review the relevant third-party privacy policies.
15) Children
Our websites are not intended for children and we do not knowingly collect personal data from individuals under 18. If you believe a child has provided us personal data, please contact us so we can take appropriate action.
16) Changes to this Privacy Policy
We may amend this Policy from time to time. Updates will be published on our websites with a revised effective date. Continued use of our websites or engagement with Citadel after publication of updates constitutes acceptance of the revised Policy. In the event of any inconsistency between this Policy and applicable law, the PDPA and directives issued by the PDPC shall prevail.
17) Contact Us (Data Protection)
For questions, requests or complaints relating to this Policy or your personal data, contact:
Group Legal and Compliance
Citadel Group Sdn. Bhd.