This policy applies to all services provided by Sproutmint PLT, including regulatory gateway services, e-commerce operations, import/export services, and AI software development. It governs personal data collected via our websites, client onboarding, and operational workflows.

Overview

Sproutmint PLT (201804003363) ("Sproutmint", "we", "our", "us") is committed to protecting your personal data in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA) and applicable ASEAN data governance standards. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you engage with our regulatory gateway services, e-commerce platforms, and software solutions.

Data We Collect

Identity & Contact Data
  • Full name, NRIC/passport number, nationality
  • Business registration number (SSM), company name
  • Email address, phone number, mailing address
  • Billing and shipping addresses
Commercial & Transactional Data
  • Purchase history, order details, invoice records
  • Product formulations and PIF documentation (for regulatory clients)
  • Import/export documentation and customs declarations
  • Payment method details (processed via PCI-DSS compliant providers)
Technical & Usage Data
  • IP address, browser type, device identifiers
  • Cookies and session data
  • Website interaction logs, page visits, click patterns
  • API access tokens and integration credentials
Marketing & Communication Data
  • Communication preferences
  • Responses to campaigns and promotions
  • Influencer and KOL partnership data

How We Use Your Data

  • Process and manage NPRA Cosmetic Notification (NOT) submissions and PIF filings
  • Act as Responsible Person (RP) / Cosmetic Notification Holder (CNH) on your behalf
  • Manage import documentation, tariff classification, and customs declarations
  • Process payments, issue invoices, and handle tax remittance (SST) as Merchant of Record
  • Operate and fulfil orders via Lazada, Shopee, TikTok Shop, and bespoke storefronts
  • Provide warehouse management, 3PL logistics, and fulfilment operations
  • Deliver AI automation tools, custom software, and mobile applications
  • Send transactional communications related to your services
  • Send marketing communications where consent is given
  • Comply with legal, regulatory, and audit obligations

Disclosure of Personal Data

We do not sell your personal data. We share data only as follows:

  • NPRA and Malaysian regulatory authorities — as required for product notification and compliance
  • Royal Malaysian Customs Department — for import/export clearance
  • E-commerce platforms (Lazada, Shopee, TikTok) — for marketplace operations
  • Payment processors and financial institutions — for transaction processing
  • 3PL and logistics partners — for warehousing and delivery
  • Cloud infrastructure providers — under data processing agreements
  • Professional advisors — lawyers, accountants, auditors bound by confidentiality
  • Law enforcement or courts — when legally compelled

Cross-Border Data Transfers

Sproutmint may transfer personal data to processors located outside Malaysia in connection with cloud hosting, e-commerce platform operations, and international client engagements. All transfers are conducted under contractual safeguards consistent with PDPA Section 129 and applicable data transfer frameworks. Where you are a foreign brand using our Gateway Model services, your data may be processed in your home jurisdiction in connection with service delivery.

Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, including:

  • Active client data — duration of engagement plus 7 years (statutory limitation period)
  • NPRA regulatory records — minimum 5 years post-notification expiry per NPRA guidelines
  • Financial and tax records — 7 years per Income Tax Act 1967 and GST/SST requirements
  • Marketing data — until consent is withdrawn
  • Website logs — 90 days rolling

Your Rights Under PDPA 2010

As a data subject under Malaysia's PDPA 2010, you have the right to:

  • Access your personal data held by us (Section 30)
  • Correct inaccurate or incomplete personal data (Section 34)
  • Withdraw consent for data processing where consent is the legal basis (Section 38)
  • Prevent processing for direct marketing purposes (Section 43)
  • Request deletion of data we are not legally required to retain
  • Receive the data you provided to us in a machine-readable format (data portability), where technically feasible

Cookies & Tracking

We use cookies and similar tracking technologies on our websites and storefronts. Categories:

  • Strictly necessary — session management, security, checkout (cannot be disabled)
  • Functional — language preferences, saved cart, personalisation
  • Analytics — aggregate usage statistics via privacy-respecting tools
  • Marketing — retargeting and campaign attribution (requires consent)

Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include TLS encryption in transit, AES-256 encryption at rest, role-based access controls, regular penetration testing, and staff data protection training. No transmission over the internet is entirely secure. We will notify affected individuals and relevant authorities promptly in the event of a data breach that poses a risk of harm, in accordance with PDPA and applicable guidelines.

Children's Privacy

Our services are not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that personal data of a minor has been submitted without appropriate consent, we will delete it promptly.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in law, technology, or our operations. We will post the revised policy on this page with an updated effective date. For material changes affecting how we process your data, we will notify you via email or prominent notice on our website at least 14 days before the change takes effect.

Contact & Complaints

For any questions, access requests, or complaints regarding this Privacy Policy or our handling of your personal data, contact our Data Protection Officer:

Sproutmint PLT (201804003363)
148 Lorong Aminuddin Baki 3, TTDI, 60000 Kuala Lumpur, Malaysia
Response within 21 days (PDPA requirement)