General privacy information
CorpTopLegal is committed to managing client and user information with professional care. This privacy policy describes the categories of data we handle, the purposes for processing, lawful bases where applicable, data sharing practices and the technical and organisational measures we apply to protect information in our legal advisory operations in Malaysia. The policy is designed to be practical and specific to corporate legal advisory work, covering communications, contract documentation, regulatory filings and client onboarding records.
Key definitions
This section defines terms used in the policy to ensure clarity about the types of information we process and the roles we perform when delivering corporate legal services.
- Personal data means any information relating to an identifiable individual, such as name, contact details, identification numbers or any data that can be linked to a natural person. In a corporate context we may process data of company officers, beneficial owners and authorised representatives.
- Processing covers any operation performed on data including collection, recording, organising, structuring, storage, retrieval, use, disclosure, erasure and destruction carried out in the delivery of legal services and related administrative tasks.
- User refers to an individual who interacts with CorpTopLegal through our website, client intake forms or who is a contact or representative of a corporate client receiving our advisory services.
- Service denotes the corporate legal advisory services provided by CorpTopLegal, including governance advice, contract review, compliance support, company secretarial assistance and regulatory liaison.
- Cookies are small text files stored on a user's device by the web browser at the request of the website. They support essential functionality and analytics used to improve service delivery.
How we collect data
We collect information necessary to provide legal advice, to meet regulatory obligations and to manage client relationships. Collection channels include direct client submissions, secure onboarding forms, email communications and website interactions.
Data you provide directly
The information you submit when instructing us or contacting us is used to deliver services and maintain an accurate client record. Typical categories include:
- Company details: registered name, business registration number, registered address and business classification.
- Representative details: full name, job title, contact telephone number and corporate email address of company officers or authorised contacts.
- Identification and verification materials: scanned identity documents or corporate documents provided where required for compliance and anti-money laundering checks.
- Contractual documents and instructions: copies of agreements, board minutes, resolutions and written instructions necessary for performing the advisory engagement.
- Correspondence and case notes: emails, meeting notes and other communications in connection with the matter.
- Billing and payment information: invoicing details, billing contact information and transaction records needed for business administration.
Automatically collected data
When you interact with our website or digital services we collect certain technical data to maintain security, ensure functionality and to analyse usage for service improvement.
- IP address and device characteristics to detect abusive behaviour and for platform security.
- Browser and operating system data to ensure compatibility and troubleshoot issues.
- Usage metrics and page visit data to help us understand how our resources are used and to improve content.
- Referrer and navigation data to monitor service performance and user pathways.
- Cookie identifiers where cookies are accepted to enable site features and analytics.
- Timestamped logs for security auditing and incident response.
Data received from third parties
In certain circumstances we receive data from third parties to fulfil our obligations or to support client onboarding and compliance checks.
- Public registries and corporate data providers supplying company verification and registry extracts.
- Professional advisors or authorised representatives who submit documents on behalf of a client.
- Payment processors or business institutions providing payment transaction confirmations.
Purposes of processing
We process data for clearly defined operational, legal and administrative purposes necessary to provide competent legal services and to meet regulatory requirements.
- To perform the contract for legal advisory and related services you have engaged us to provide.
- To comply with statutory and regulatory obligations, including anti-money laundering and client due diligence requirements under Malaysian law.
- To communicate effectively about case progress, deliverables and administrative matters.
- To maintain accurate billing records, send invoices and process payments.
- To protect the security and integrity of our systems and client information through monitoring and incident response.
- To improve our services through aggregated, anonymised analytics and user feedback.
- To establish, exercise or defend legal claims where retention of information is necessary for legal protection.
- To fulfil legitimate business administration needs such as recordkeeping and compliance reporting.
Lawful basis for processing
For jurisdictions where specific legal bases apply, we rely on appropriate bases such as contract performance, legal compliance and legitimate interests when processing personal data in the context of legal advisory.
- Performance of a contract: processing necessary to provide the legal services you have requested.
- Legal compliance: processing required to meet statutory obligations and regulatory checks under applicable Malaysian law.
- Legitimate interests: where processing is necessary for our business operations or security, balanced against individual rights and reasonable expectations.
- Consent: where specific processing activities require explicit consent, for example certain marketing communications, you will be offered a clear choice.
Applicable data protection principles
Where EU or other regional data protection frameworks are relevant, we adopt principles of fairness, transparency and data minimisation consistent with recognised standards and apply appropriate safeguards for cross-border transfers.
- We limit collection to information necessary for stated purposes and retain data only for the required timeframes.
- Subject access and rectification processes are available to enable individuals to exercise their data rights where applicable.
- Security measures are implemented to protect data against unauthorised access, disclosure or destruction.
- We document processing activities and maintain records relevant to our advisory services and compliance obligations.
- Where transfers outside the originating jurisdiction occur, we implement contractual and technical safeguards to protect data.
- We review vendor relationships to ensure third parties maintain appropriate protection measures consistent with legal standards.
Cookies and similar technologies
Cookies are used to enable core website functionality, enhance performance and provide analytics information that helps us improve our content and user experience.
Types used include strictly necessary cookies for site operation, performance cookies for analytics and functional cookies to remember user choices. We do not use cookies for profiling outside essential service improvement needs.
Cookies are categorised as: 1) Essential — required for site operation; 2) Performance — aggregated analytics; 3) Functional — user preferences. We do not deploy advertising cookies.
Users can manage cookie preferences via their browser settings or through the cookie banner on the website. Disabling non-essential cookies may affect certain features and analytics accuracy.
Disclosure and sharing of data
We share personal data only where necessary to provide services, to meet legal obligations or with trusted service providers acting on our instructions under confidentiality obligations.
- Service providers: secure vendors performing hosting, document management and payment processing functions governed by data processing agreements.
- Professional advisors and external counsel engaged on a specific matter, with confidentiality safeguards in place.
- Regulators and law enforcement: where disclosure is required by law or to respond to lawful requests.
- Acquirers or advisors in the event of a business reorganisation, sale or transfer, subject to confidentiality and due diligence limitations.
- Auditors and professional services firms for compliance and oversight purposes under confidentiality terms.
- Aggregated and anonymised information may be shared for reporting and research without identifying individuals.
International transfers
Where transfers of data outside Malaysia are necessary we implement contractual safeguards and technical controls to ensure an adequate level of protection consistent with applicable law and the sensible handling of confidential legal information.
Safeguards may include standard contractual clauses, tailored data processing agreements and restricted access protocols with third-party providers to ensure confidentiality and security when data is transferred internationally.
Retention and deletion
We retain personal data only as long as necessary for the purpose for which it was collected, to meet legal and regulatory obligations or to resolve outstanding matters related to the provision of legal services.
Client account records and corporate files are retained in accordance with professional retention guidance and regulatory requirements relevant to legal practice in Malaysia.
Communications and case correspondence are retained for the period required to manage the matter and to address potential future enquiries or disputes, subject to statutory limitation periods.
System logs and security records are kept for a defined period necessary for incident response and compliance monitoring, then securely disposed of.
When retention periods expire or upon verified request where lawful, we securely delete or anonymise personal data in a manner appropriate to its sensitivity and regulatory obligations.
Security of information
CorpTopLegal applies a combination of organisational policies, access controls and technical safeguards to protect client and user data. Security measures are reviewed periodically to respond to evolving threats and to maintain confidentiality appropriate to legal practice.
- Role-based access controls and secure credentials for staff handling client information.
- Encrypted transmission and storage of sensitive files and secure document repositories for client matter data.
- Regular backups, monitoring and incident response procedures to detect and address security events promptly.
Your rights
Individuals have rights regarding their personal data where applicable under relevant laws. We provide clear channels to exercise these rights while ensuring requests are handled with appropriate verification and within lawful constraints.
- Access and rectification: request access to personal data we hold and ask for correction of inaccuracies.
- Restriction, objection and erasure: where lawful grounds exist, individuals may request restriction of processing, object to certain processing activities or request deletion consistent with legal obligations.
- Data portability and withdrawal of consent: where applicable, request portability of data or withdraw consent for specific processing activities and marketing communications.
- Right to restrict processing of personal data in specific circumstances, such as where accuracy is contested or processing is unlawful but retention is requested for legal claims.
- Right to data portability: where processing is based on consent or contract and carried out by automated means, you may request a copy of your personal data in a commonly used, machine-readable format.
- Right to withdraw consent at any time for processing activities that rely on consent, without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to object to processing that is based on legitimate interests or for direct marketing purposes; objections will be assessed in light of legal requirements and business obligations.
- Right to lodge a complaint with a supervisory authority in Malaysia if you consider that processing of your personal data infringes applicable law.
How to exercise your data rights
To exercise any of the data subject rights described, submit a written request to our Data Protection Officer at the contact details below. Please include sufficient information to verify your identity and to locate the requested records (for example, account reference, email used for correspondence). Requests will be handled in accordance with applicable law and proportionate verification procedures to protect personal data and prevent fraud.
We will acknowledge receipt of your request within 10 business days and provide a substantive response within 30 calendar days where feasible. Complex requests or requests that require further verification may take longer; you will be informed of any reasonable extension and the reasons for it.
Marketing communications
We may send marketing communications about legal products, seminars, or updates relevant to corporate governance and compliance where you have opted in or where permitted by law. Marketing messages will clearly identify CorpTopLegal and include information on the type of communications you can expect and lawful bases for processing your contact details.
You can opt out of marketing communications at any time by using the unsubscribe link in any marketing email, or by contacting our Data Protection Officer. Opting out will not affect processing necessary for the performance of a contract or other legal obligations.
Children and personal data
Our services are intended for corporate clients and professionals. We do not knowingly collect personal data from children under the age of 18 in the course of providing corporate legal advisory services. If you believe we have collected personal data about a minor in error, please contact us so we can take steps to delete such data where appropriate.
Third-party links
Our website may include links to third-party sites and resources. CorpTopLegal does not control third-party sites and is not responsible for their privacy practices, content, or security. We recommend reviewing the privacy policies and terms of any external site before submitting personal data.
Changes to this privacy policy
We review and may update this privacy policy from time to time to reflect legal, regulatory, or operational developments. Material changes will be published on our website with an updated effective date. We encourage clients and visitors to review this policy periodically for the latest information on our privacy practices.