Legal · Malaysia
Privacy Policy
Effective date: 29 April 2026 · Last updated: 29 April 2026 · Jurisdiction: Malaysia · Framework: Personal Data Protection Act 2010 (“PDPA”) and subsidiary regulations as amended
CloneMastery (“we”, “us”, “our”) respects your privacy. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you visit our websites, purchase or access online courses, participate in communities, receive marketing, or otherwise interact with our digital services (collectively, the “Services”). It should be read together with our Terms and Conditions, Cancellation and Refund Policy, and Shipping Policy.
1. Data controller
The data user responsible for personal data processed in connection with the Services is the CloneMastery operating entity invoicing you (including its affiliates involved in delivery). Where third-party platforms (for example learning management systems, webinar tools, community software, payment processors) act on our instructions, they are our processors; where they determine purposes independently, their policies also apply and we identify them at collection where practicable.
2. Categories of personal data we may collect
- Identity and contact: full name, email address, phone number, address (billing / corporate), job title, agency or brokerage affiliation (if voluntarily provided for industry-specific programmes).
- Account and access: username, password hash, session tokens, IP address, device type, browser version, approximate location derived from IP, login timestamps, security challenge responses.
- Transactional: order identifiers, payment status (not full card numbers—handled by PCI-DSS compliant processors), invoices, SST or tax identifiers you supply, grant or scholarship references.
- Learning activity: lesson progress, quiz scores, assignment uploads you choose to submit, forum posts, chat logs with support, attendance at live sessions, certification metadata.
- Communications: emails, form submissions, survey answers, recorded calls only if you are notified and consent as required.
- Marketing: subscription preferences, campaign engagement metrics, referral or affiliate identifiers.
- Technical: cookies, pixels, local storage keys, crash diagnostics, abuse-prevention signals.
3. Purposes and lawful bases (PDPA)
We process personal data for purposes that are necessary and proportionate, including:
- performing the contract: account creation, delivering courses, issuing credentials, support, billing;
- compliance with law: tax, audit, anti-fraud, responding to lawful government requests subject to review;
- legitimate interests (balanced against your rights): securing systems, analytics to improve learning experience, measuring marketing effectiveness, enforcing terms, protecting users;
- where required, consent: non-essential cookies, certain marketing channels, optional surveys, certain sensitive categories if ever collected with explicit consent.
You may withdraw marketing consent without affecting core Service delivery you lawfully paid for.
4. Disclosure of personal data
We may disclose personal data to:
- payment processors, banks, e-wallet operators, fraud-screening services;
- cloud hosting, email delivery, customer-support ticketing, analytics, error monitoring, video hosting, live session platforms under data processing terms;
- professional advisers (lawyers, auditors, insurers) under confidentiality;
- competent regulators, courts, law enforcement when lawfully required;
- corporate restructuring counterparties under confidentiality assurances;
- affiliates within the CloneMastery group for internal administration consistent with this Policy.
We do not sell personal data for money. Some analytics or ad partners may receive device identifiers under their terms if you accept optional marketing cookies—see Section 8.
5. Cross-border transfers
Our infrastructure or subprocessors may be located outside Malaysia. Where personal data is transferred abroad, we take steps required by the PDPA and applicable guidelines (including appropriate contractual clauses and risk assessments) to ensure comparable protection, subject to lawful exceptions for performance of contract or consent where relevant.
6. Retention
- Account and course progress: retained for the life of the licence and a reasonable period thereafter for dispute resolution, unless longer retention is required by law or legitimate backup rotation cycles.
- Tax and finance records: as prescribed by Malaysian tax law (commonly up to seven years unless directed otherwise by authority guidance).
- Marketing logs: until you withdraw consent or we refresh consent under policy, whichever is shorter, subject to suppression lists needing indefinite retention of minimal identifiers to honour opt-outs.
- Security logs: rolling windows, typically 30–180 days, unless an investigation requires longer retention.
7. Security
We implement administrative, technical, and organisational measures appropriate to risk—such as encryption in transit, access controls, least-privilege internal access, incident response planning, and vendor reviews. No method of transmission or storage is perfectly secure; you should protect credentials and devices.
8. Cookies and similar technologies
We use essential cookies for login sessions, CSRF protection, load balancing, and preference storage where necessary. With your consent where required, we may use analytics or marketing cookies. You can adjust browser controls; blocking essential cookies may degrade functionality.
9. Your PDPA rights
Subject to PDPA conditions and our verification of identity, you may request:
- access to personal data we hold about you;
- correction of inaccurate, incomplete, or outdated data;
- withdrawal of consent for processing based on consent (without affecting prior lawful processing);
- information on sources, purposes, third-party recipients (where applicable);
- limitation of processing in line with PDPA provisions as implemented by us from time to time.
We may charge a reasonable fee for excessive or repetitive access requests not prohibited by law. We respond within timelines consistent with PDPA expectations (often within thirty (30) days for straightforward requests in Malaysia, with extensions for complex cases with notice).
10. Minors
Services are directed to adults. If you believe a child under thirteen (13) provided data without guardian consent, contact us and we will delete information not required for legal compliance after verification.
11. Automated decision-making
We do not make solely automated decisions with legal or similarly significant effects on you without human review, except for routine fraud-screening flags, which may trigger manual review.
12. Third-party links
Our lessons may reference external tools. Their privacy practices govern data you give them directly. Read their policies before submitting personal data.
13. Changes to this Policy
We may update this Policy to reflect legal, technical, or business changes. Material changes will be announced by email or prominent notice on the Services with an updated effective date. Continued use after notice constitutes acceptance where permitted; where consent is required, we seek it.
14. Contact and complaints
Privacy enquiries and requests: support@clonemastery.com (Malaysia Standard Time business hours for first-line triage). If you are unsatisfied with our response, you may escalate to the Personal Data Protection Commissioner of Malaysia in accordance with current PDPA procedures.