Privacy Policy
Last Updated: 14 February 2026 | Effective: 14 February 2026
Aman Retreats is committed to protecting the personal data of everyone who contacts us, enquires about our properties, or uses our website. This policy explains what data we collect, how we use it, and what rights you have as a data subject under Malaysian law — specifically the Personal Data Protection Act 2010 (PDPA).
1. Who We Are
The data controller for this website and all associated communications is Aman Retreats, a company registered in Malaysia, with offices at 3 Jalan Tun Fuad Stephens, 88000 Kota Kinabalu, Sabah, Malaysia. For any privacy-related enquiry, you may contact us at [email protected].
2. What Personal Data We Collect
We collect personal data in the following ways:
- Contact enquiries: Name, email address, phone number, and any message content submitted through our contact form.
- Rental arrangements: Name, identification documents, payment information, and correspondence relating to the rental agreement.
- Website analytics: IP address, browser type, pages visited, and session duration — collected through analytics cookies where consent has been given.
- Communications: Any correspondence by email or phone that you initiate with us.
3. Legal Basis for Processing
We process personal data under the following legal bases:
- Consent: For marketing communications and analytics cookies — you may withdraw consent at any time.
- Contract performance: To process rental enquiries, prepare agreements, and manage the rental relationship.
- Legitimate interests: To respond to enquiries, improve our service, and maintain appropriate records.
- Legal obligation: Where required by Malaysian law, including tax and regulatory compliance.
4. How We Use Your Data
- To respond to your enquiry and provide information about our properties
- To prepare and manage rental agreements
- To coordinate property access, staff arrangements, and logistics for your stay
- To send relevant communications about your booking or enquiry
- To improve our website and understand how visitors interact with it (where consent is given)
- To comply with applicable legal requirements
5. Data Retention
We retain personal data for the following periods:
- Enquiry data (no booking made): 12 months from the date of enquiry, then deleted.
- Rental agreement records: 7 years from the end of the rental period, as required for financial record-keeping under Malaysian law.
- Marketing communications: Until consent is withdrawn.
- Analytics data: Anonymised or deleted after 26 months.
6. Data Sharing
We do not sell personal data. We may share personal data in the following limited circumstances:
- Property staff: Relevant logistical information (arrival time, group size, special requirements) shared with on-site staff for the purpose of your stay.
- Service providers: Analytics and email service providers operating under data processing agreements.
- Legal requirements: Where required by Malaysian law or a lawful order from a competent authority.
7. Cookies
Our website uses cookies as described in our Cookie Policy. You may manage cookie preferences at any time through that page or your browser settings.
8. Data Security
We take reasonable and appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, or loss. These include password-protected systems, limited staff access, and secure email communications. In the event of a data breach that poses a risk to your rights, we will notify affected individuals and relevant authorities as required by the PDPA.
9. Your Rights Under the PDPA (Malaysia)
Under the Personal Data Protection Act 2010, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Withdraw consent for data processing where consent is the legal basis
- Request that we stop processing your data for direct marketing purposes
- Lodge a complaint with the Department of Personal Data Protection (JPDP) Malaysia
To exercise any of these rights, please contact us at [email protected]. We will respond within 21 days.
10. International Guests
For guests based in the European Union, Aman Retreats processes personal data in a manner consistent with the principles of the General Data Protection Regulation (GDPR), including maintaining a clear legal basis for processing, honouring data subject rights, and limiting data transfers. Our primary legal basis for EU guest data is contract performance and, where applicable, your explicit consent.
11. Third-Party Links
Our website may contain links to third-party services or resources. We are not responsible for the privacy practices of those third parties and encourage you to review their policies independently.
12. Children's Privacy
Our website and rental services are intended for use by individuals aged 18 and over. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a person under 18, please contact us immediately.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via a notice on this page. Continued use of our website or services after a change constitutes acceptance of the updated policy.
14. Contact
For any privacy-related question, request, or concern:
- Email: [email protected]
- Post: Aman Retreats, 3 Jalan Tun Fuad Stephens, 88000 Kota Kinabalu, Sabah, Malaysia
- Phone: +60 88-316 742 (office hours)