Privacy Policy

Last updated: May 2026

1. Who We Are

This website is operated by CWH Advisory Sdn. Bhd. (Company No. 1656399-M), trading as Collective Wisdom (“CW”, “we”, “us”). Our registered address is in Malaysia. You can reach us at connect@collectivewisdom.asia.

2. What Data We Collect

When you use this website, we may collect the following:

Information you provide directly

  • Full name
  • Company or organisation name
  • Email address
  • Phone number
  • Message content submitted via our contact form
  • Email address submitted via our newsletter signup
  • Messages, prompts, and any information you choose to type into our AI chat assistant

Information collected automatically

  • Browser type and version
  • Pages visited and time spent on each page
  • Device type and operating system
  • IP address (anonymised where possible)
  • Cookie data (see Section 6)

3. Why We Collect This Data

  • To respond to your enquiries submitted through the contact form
  • To operate the AI chat assistant and respond to questions you submit through it
  • To send you newsletters or updates you have opted into
  • To understand how visitors use our website so we can improve it
  • To comply with applicable legal and regulatory obligations

We do not sell, rent, or trade your personal data to third parties.

4. Legal Basis for Processing

We process your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia. We rely on your explicit consent as the legal basis for collecting and using your data. Consent is obtained through a clear opt-in mechanism (such as a checkbox) at the point of collection, including when you submit the contact form or sign up for our newsletter. For the AI chat assistant, consent is given by your act of opening the chat window and submitting a message after viewing the in-chat notice summarising how your messages will be processed.

You may withdraw your consent at any time by contacting us at connect@collectivewisdom.asia. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

5. Data Security

We take reasonable technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, or alteration, in accordance with the Security Principle under the PDPA. These measures include:

  • Encrypted connections (SSL/TLS) across this website
  • Access controls limiting who within our organisation can view personal data
  • Use of reputable, security-certified hosting and service providers

While no method of transmission over the Internet is 100% secure, we are committed to safeguarding your information and regularly review our security practices.

We also take reasonable steps to ensure that the personal data we hold is accurate, complete, and up to date.

6. Cookies

We use cookies to support website analytics (such as Google Analytics). Cookies are small text files stored on your device. They help us understand traffic patterns and improve your experience.

Types of cookies we use

  • Essential cookies. Required for the basic functioning of this website. These cannot be disabled.
  • Analytics cookies. Used to understand how visitors interact with our website (e.g., pages visited, time spent). These are non-essential and are only set with your consent.

When you first visit this website, a cookie consent banner will ask you to accept or reject non-essential cookies. You may change your cookie preferences at any time through the banner or through your browser settings. Please note that disabling cookies may affect some features of the website.

7. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes stated in this policy, or as required by law, in accordance with the Retention Principle under the PDPA.

  • Contact form submissions are retained for up to 24 months.
  • Newsletter subscribers’ data is retained until you unsubscribe.
  • AI chat assistant conversations are retained for up to 12 months on our chat workflow infrastructure for service-quality, follow-up, and audit purposes, after which they are deleted or anonymised.
  • Automatically collected data (such as analytics and cookie data) is retained in accordance with the default retention settings of the relevant third-party tools. For example, Google Analytics data is retained for 14 months. We periodically review retention periods to ensure they remain appropriate.

8. Your Rights Under the PDPA

You have the right to:

  • Access the personal data we hold about you
  • Correct any inaccurate or incomplete data
  • Withdraw your consent to our use of your data
  • Request that we stop processing your data for direct marketing purposes
  • Lodge a complaint with the Personal Data Protection Commissioner if you believe your personal data has been mishandled. More information is available at www.pdp.gov.my

To exercise any of these rights, contact us at connect@collectivewisdom.asia.

9. Third-Party Services and Cross-Border Data Transfers

Our website uses third-party service providers who may process your personal data outside Malaysia. These include:

  • Netlify (web hosting) — servers located in the United States and global edge network
  • Supabase (database infrastructure) — primary database located in Japan (Tokyo, ap-northeast-1)
  • Google Analytics (website analytics) — servers located in the United States
  • Google (Gemini API) — generates responses to messages sent to our AI chat assistant; servers located in the United States
  • Exabytes (VPS hosting for our chat workflow engine, n8n) — servers located in Malaysia. This infrastructure is operated by CW; Exabytes acts solely as the underlying hosting provider
  • jsDelivr (content delivery network) — delivers chat widget assets to your browser via a global edge network

We rely on Standard Contractual Clauses (SCCs) incorporated in our Data Processing Agreements with Netlify and Supabase as the lawful mechanism for these cross-border transfers, in accordance with Section 129 of the Personal Data Protection Act 2010. For Google Analytics and the Google Gemini API (which we access via Google AI Studio), data is transferred under Google’s published data processing terms applicable to those services, which incorporate Standard Contractual Clauses for cross-border transfers. Under Google’s current terms applicable to our paid Gemini API tier, inputs are not used to train Google’s foundation models. For details on Google’s data protection commitments, please refer to Google’s privacy policy.

These service providers have their own privacy policies and security certifications. We are not responsible for their independent data practices beyond what is covered under our respective Data Processing Agreements.

10. Data Breach Notification

In the event of a personal data breach that is likely to affect your rights or interests, we will notify you and the Personal Data Protection Commissioner without undue delay, as required under Malaysian law. We maintain internal procedures to detect, report, and investigate personal data breaches.

11. Changes to This Policy

We may update this Privacy Policy from time to time. The latest version will always be available on this page.

For material changes that affect how we collect or use your personal data, we will notify you by email or by a prominent notice on this website before the changes take effect, and will seek your consent where required under the PDPA. Continued use of the website after non-material changes are posted constitutes your acceptance of the updated policy.

12. Contact Us

CWH Advisory Sdn. Bhd.

Email: connect@collectivewisdom.asia

Website: collectivewisdom.asia

See also our Terms of Use.