Personal Data Protection Notice
Last Updated: June 6, 2026
1.0 Introduction & Binding Effect
1.1 This Personal Data Protection Notice ("Notice") is issued by Heritage Bites (collectively referred to as "we", "us", "our", or "the Company") to all our customers, visitors, members, and users of our online ordering systems, applications, and physical outlets. This Notice describes how we collect, process, manage, store, transfer, and secure your Personal Data in compliance with the Malaysian Personal Data Protection Act 2010 (Act 709) ("PDPA").
1.2 By accessing our website, utilizing our online ordering platforms, registering for our loyalty programs, entering our physical premises, or purchasing our products and services, you hereby consent to the processing of your Personal Data by the Company and all authorized third parties in accordance with this Notice.
2.0 Collection of Personal Data
2.1 "Personal Data" refers to any information in respect of commercial transactions, which relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of the Company. We may collect the following categories of Personal Data:
- Identity Particulars: Name, contact numbers (mobile, home, office), email address, delivery address, billing address, gender, date of birth, nationality, and NRIC or passport number (where explicitly required for verification).
- Financial & Transactional Data: Credit card, debit card, or e-wallet tokens, transactional history, purchase records, order details, Bite Points loyalty account activity, and invoice details.
- Technical & Telemetry Data: IP address, device identifiers, browser cookies, device type, location coordinates, network connectivity information, and website/application navigation logs.
- Surveillance & Visual Data: Video, image, and audio recordings captured by Closed-Circuit Television (CCTV) cameras installed at our outlets, as well as photographs or video recordings taken during promotional events or inside our premises.
3.0 Sources of Personal Data
3.1 We collect your Personal Data from various lawful sources, including but not limited to:
- Direct Submission: Information provided voluntarily by you when creating an account, registering for loyalty programs, placing orders online, submitting physical feedback cards, entering contests, or corresponding with us.
- Point of Sale (POS) & Premises: Information captured during transactions at our physical outlets, guest Wi-Fi logins, and table QR code ordering systems.
- Automated Technologies: Data captured automatically when you visit our website, including browser metadata, cookies, and location services.
- Security Systems: CCTV cameras operating on-site at our kitchen and restaurant outlets.
4.0 Purposes of Processing Personal Data
4.1 The Company processes your Personal Data for purposes including, but not limited to:
- Fulfillment of Orders: Preparing, processing, billing, and executing food orders, coordinating table service, and managing transaction receipts.
- Delivery Services: Sharing your contact details and delivery address coordinates with delivery partners to facilitate food drop-offs.
- Customer Management & Loyalty: Administering the Bite Points loyalty program, managing member profiles, tracking rewards, and addressing support queries.
- Safety & Security (CCTV): Maintaining CCTV surveillance on-site to ensure the safety and security of our premises, staff, and customers, preventing fraudulent activities, resolving cashier register discrepancies, and assisting in crime prevention.
- Corporate Compliance & Marketing: Fulfilling tax, audit, and legal obligations, conducting internal market research, and sending promotional materials or personalized offers (subject to your right to opt out).
5.0 Disclosure of Personal Data
5.1 We maintain strict confidentiality protocols. However, in order to perform our services, we may disclose your Personal Data to the following categories of third parties (who may be located inside or outside Malaysia):
- Logistics & Courier Partners: Third-party delivery providers (such as Lalamove) to fulfill order routing.
- Financial Institutions: Payment gateway providers and merchant acquirers (such as Curlec/Razorpay) to secure transactions.
- IT & System Administrators: Software vendors managing our POS systems, cloud server hosting, database storage, and email dispatch networks.
- Professional Advisors: Auditing firms, tax consultants, insurance companies, and legal advisors.
- Regulatory & Law Enforcement: Governmental bodies, local councils, court systems, or law enforcement agencies (such as the Royal Malaysia Police - PDRM) in compliance with statutory or legal requirements.
6.0 Data Protection, Security & Cross-Border Transfer
6.1 The Company implements strict technical, physical, and administrative measures to secure your Personal Data against unauthorized access, loss, alteration, or disclosure. All online transmission of transactional data is protected using SSL/TLS encryption.
6.2 In order to maintain cloud-based hosting and POS infrastructure, your Personal Data may be transferred to, stored at, or processed in server locations outside of Malaysia. By using our platforms, you explicitly consent to such cross-border data transfers.
7.0 Data Retention Policies
7.1 Personal Data will not be kept longer than is necessary for the fulfillment of the purposes for which it was collected, unless a longer retention period is required or permitted by law.
7.2 General Data: Customer account details, transaction records, and tax-related information are retained for a period of up to seven (7) years in compliance with the Malaysian Income Tax Act 1967 and accounting standards.
7.3 CCTV Surveillance: Video recordings captured by our on-site CCTV cameras are securely stored on physical or cloud recording devices and are automatically overwritten or deleted after thirty (30) days, except where the recordings are required for active security investigations or legal proceedings.
8.0 Rights of Data Subjects
8.1 In accordance with the PDPA, you possess the following rights in respect of your Personal Data:
- Right of Access: You may request a copy of the Personal Data we hold about you.
- Right of Correction: You may request us to correct or update any of your Personal Data that is inaccurate, incomplete, or outdated.
- Right to Limit Processing: You may request to restrict or limit the manner in which we process your Personal Data (e.g., opting out of marketing communications).
- Right to Withdraw Consent: You may withdraw your consent for us to collect and process your Personal Data at any time. However, withdrawing consent may prevent us from fulfilling your orders or providing membership benefits.
8.2 We reserve the right to charge a prescribed fee for processing data access requests as permitted under the PDPA regulations. We will respond to your requests within twenty-one (21) days of receipt.
9.0 Contact Information
9.1 To exercise any of your rights, submit inquiries, or lodge complaints regarding the management of your Personal Data, please contact our designated Data Privacy Officer:
Email: hello@heritagebites.my