How i-IMS and Ethos Principle Sdn Bhd collect, use, and protect personal data in accordance with Malaysia's Personal Data Protection Act 2010 (PDPA).
Ethos Principle Sdn Bhd ("we", "us", "our", or the "Company") operates the Integrated Integrity Management System ("i-IMS", the "System", or the "Platform"), including this website and any associated portals used by our clients and their staff.
We are committed to protecting your personal data in accordance with the Personal Data Protection Act 2010 (Act 709) ("PDPA") of Malaysia and its related regulations and codes of practice, including the Personal Data Protection (Amendment) Act 2024. This Privacy Policy explains what personal data we collect, why we collect it, how it is used, disclosed, stored, and protected, and the rights available to you as a data subject.
By visiting this website, submitting an enquiry, subscribing to our services, or using i-IMS, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Policy, please refrain from providing your personal data to us or using our services.
This Policy applies to personal data collected from: (a) visitors to this website; (b) individuals who contact us for sales, support, or partnership enquiries; (c) authorized users of i-IMS acting on behalf of a client organization ("Tenant"); and (d) individuals whose data is submitted into i-IMS by a Tenant in the course of using the System (for example, complainants, employees, or vendors named in a case record). Where a Tenant is the data controller for data entered into the System (such as complaint or case data), we act as a data processor on the Tenant's behalf and process such data strictly under the Tenant's instructions and our service agreement with them.
Depending on how you interact with us, we may collect the following categories of personal data:
| Category | Examples |
|---|---|
| Identification & contact data | Name, job title, organization, work email address, phone number |
| Account & access data | Username, encrypted password, login timestamps, IP address, device/browser information, role and permission assignments |
| Communication data | Messages, enquiries, or attachments submitted via our contact form, email, or phone |
| Billing data | Company registration details, billing address, and invoicing information (payment card details are not collected or stored by us) |
| Usage data | Pages visited, feature usage, audit logs, and system activity within i-IMS |
| Case-related data (processed on behalf of Tenants) | Information submitted through complaint, conflict-of-interest, gift, or asset declaration modules — which may include sensitive personal data such as details of alleged misconduct |
Where our whistleblowing / complaints module is configured for anonymous reporting, we do not require the complainant's identity, and identity fields (if voluntarily provided) are encrypted and access-restricted in accordance with the Tenant's configuration.
We collect and process personal data for the following purposes:
Where we process case-related personal data within i-IMS on behalf of a Tenant, such processing is carried out solely for the purposes instructed by that Tenant (for example, managing a complaint, conflict-of-interest declaration, or disciplinary case) and is governed by our data processing agreement with the Tenant.
We rely on one or more of the following legal bases to process your personal data: (a) your consent, given at the point of data collection; (b) performance of a contract with you or your organization; (c) compliance with a legal obligation; or (d) our legitimate business interests, provided these do not override your fundamental rights.
Where consent is the basis for processing (for example, marketing communications), you may withdraw your consent at any time by contacting us using the details in Section 15. Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal, and may affect our ability to continue providing certain services to you.
We do not sell or rent personal data. We may disclose personal data to the following categories of recipients, strictly on a need-to-know basis and subject to appropriate confidentiality and security safeguards:
Personal data is primarily hosted on infrastructure located within Malaysia. Where a Tenant requests a private or on-premise deployment, data resides within the Tenant's own designated infrastructure and jurisdiction.
If personal data must be transferred to, or processed in, a location outside Malaysia (for example, where a cloud or support sub-processor operates internationally), we will only do so in compliance with Section 129 of the PDPA — that is, where the recipient jurisdiction has been specified by the Minister as having substantially similar data protection laws, or where an applicable exception under the PDPA applies, or with your explicit consent.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements. Retention periods for case-related data within i-IMS (such as complaint or investigation records) are generally determined by the Tenant's internal governance policy and applicable regulatory retention requirements. Upon expiry of the applicable retention period, personal data is securely deleted or anonymized.
We implement appropriate technical and organizational measures to protect personal data against unauthorized or accidental access, processing, erasure, loss, or misuse, including:
While we take reasonable steps to safeguard personal data, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
Subject to the exceptions and procedures set out in the PDPA, you have the right to:
To exercise any of these rights, please submit a request using the contact details in Section 15. We may require proof of identity before processing your request and may charge a nominal processing fee as permitted under the PDPA. We aim to respond within 21 days of receiving a complete request, as required under the PDPA's Access and Correction regulations.
If your personal data is held within i-IMS as part of a case managed by one of our Tenants (for example, you are named in a complaint record), please direct your request to that Tenant organization in the first instance, as they act as the data controller for that data.
This website uses cookies and similar technologies to operate core functionality (such as session management and security), remember preferences, and understand aggregate site usage. You may configure your browser to refuse cookies; however, some parts of this website may not function properly as a result.
Our website and i-IMS are intended for business use by adults acting in a professional capacity. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child without appropriate consent, we will take steps to delete such data promptly.
Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of such third-party websites. We encourage you to review the privacy policy of any third-party website you visit.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational reasons. The updated version will be indicated by a revised "Last updated" date at the top of this page. We encourage you to review this Policy periodically.
If you have any questions, concerns, or requests regarding this Privacy Policy or how your personal data is handled, please contact us:
Ethos Principle Sdn Bhd
Attn: Data Protection Officer
info@ethosprinciple.com.my
+6019 800 3217
Cyberjaya, Malaysia