This Privacy Policy governs the collection, use, storage, and disclosure of personal data by Vault 6 Studios (“we”, “us”, “our”), operating at vault6studios.com, in compliance with the Personal Data Protection Act 2010 (Act 709) (PDPA) of Malaysia and, where applicable, the principles of the EU General Data Protection Regulation (GDPR).

By placing an order, creating an account, subscribing to our newsletter, or otherwise interacting with this site, you consent to the practices described herein. If you do not agree, please refrain from using our services.

Note to EU/EEA Residents: Where our processing activities fall within the territorial scope of GDPR (Article 3), we honour the GDPR rights set out in Section 9 of this policy in addition to your PDPA rights.

We collect the following categories of personal data when you interact with us:

Under the PDPA 2010, we process personal data in accordance with the following seven Data Protection Principles:

• General Principle: Data is collected only for lawful purposes directly related to our business activities.
• Notice & Choice: You are informed of the purposes at or before the point of collection. Consent is obtained for non-essential processing such as direct marketing.
• Disclosure: We do not disclose personal data to third parties except as described in Section 5 of this policy, or as required by law.
• Security: Appropriate technical and organisational measures are in place to protect data against unauthorised access, loss, or destruction.
• Retention: Data is not retained beyond what is necessary for the stated purposes, or the minimum retention period required by law.
• Data Integrity: We take reasonable steps to ensure personal data is accurate, complete, and up-to-date.
• Access: You have the right to access and correct your personal data as described in Section 9.

We process your personal data for the following purposes:

• To process and fulfil orders, including payment verification, packaging, and dispatch
• To communicate with you regarding your order status, shipping updates, and returns
• To maintain your membership account and administer loyalty points and tier benefits
• To send marketing communications (newsletters, promotions) — only where you have subscribed or given explicit consent, and only until you withdraw such consent
• To detect and prevent fraud, unauthorised transactions, and abuse of our platform
• To comply with legal and regulatory obligations, including tax records required under the Income Tax Act 1967 and other applicable Malaysian statutes
• To improve our services through aggregated, anonymised analysis of site usage patterns

We do not use personal data for automated profiling or decision-making that produces legal or similarly significant effects without human review.

We do not sell, rent, or trade your personal data. We share personal data only with the following categories of third parties, strictly on a need-to-know basis:

• Fiuu Sdn. Bhd. (Payment Processor): Your payment details are submitted directly to Fiuu's secure gateway. We receive only transaction confirmation and payment method type. Fiuu's privacy policy governs their handling of payment data.
• Courier Partners (J&T Express, PosLaju, NinjaVan, DHL eCommerce, etc.): Your name, delivery address, and phone number are shared with the assigned courier solely for the purpose of parcel delivery.
• Cloudflare, Inc. (Infrastructure Provider): Technical data including IP addresses passes through Cloudflare's network for security, DDoS protection, and content delivery. Cloudflare is certified under SOC 2 Type II and ISO 27001.
• Resend, Inc. (Transactional Email): Where email is used to deliver membership credentials or transactional notifications, Resend processes your email address solely for message delivery.

• Order and transaction records: Retained for a minimum of 7 years from the date of transaction, in accordance with the Income Tax Act 1967 and the Companies Act 2016 (audit trail requirements).
• Member account data: Retained for the duration of active membership plus 2 years after account deletion, to resolve any outstanding disputes.
• Newsletter subscription data: Retained until you unsubscribe or withdraw consent.
• Communication records: Retained for 3 years for dispute resolution purposes.
• Technical log data: Retained for up to 90 days by Cloudflare per their standard data retention policy.

We implement the following technical and organisational security measures:

• All data transmitted between your browser and our site is encrypted using TLS 1.2 or higher (HTTPS).
• Member passwords are stored as cryptographic hashes (one-way bcrypt or equivalent); no plaintext passwords are stored or accessible to us.
• Admin access to customer data is protected by a time-limited session token system with no persistent access keys in the codebase.
• Data is stored on Cloudflare Workers KV, which operates within Cloudflare's global infrastructure with physical and logical access controls, SOC 2 Type II certification, and data residency in the APAC region.
• We apply the principle of least privilege: only personnel with a direct operational need can access personal data.

We use minimal cookies:

• Session cookie (admin_session): An HTTP-only, Secure, SameSite=Strict cookie used exclusively for administrative authentication. Not set for regular shoppers.
• Cloudflare security cookies: Cloudflare may set cookies (e.g. __cf_bm) for bot detection and DDoS mitigation. These are strictly functional and not used for advertising.

We do not use third-party advertising cookies, social media tracking pixels, or behavioural analytics tools (e.g. Google Analytics, Facebook Pixel).

Under the PDPA 2010, you have the following rights regarding your personal data:

• Right of Access (Section 30, PDPA): You may request a copy of the personal data we hold about you. We will respond within 21 days of receipt of a valid written request.
• Right of Correction (Section 34, PDPA): You may request correction of inaccurate or incomplete personal data. We will correct or supplement the data within 21 days or notify you if we are unable to do so.
• Right to Withdraw Marketing Consent (Section 38, PDPA): You may opt out of direct marketing at any time by contacting us or using the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of prior processing.
• Right to Restrict Processing: In limited circumstances, you may request that we restrict processing of your data while a dispute or correction request is pending.

For EU/EEA Residents (GDPR): In addition to the above, you have the right to data portability (Article 20), the right to object to processing based on legitimate interests (Article 21), and the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us via WhatsApp or email with subject line “PDPA Data Request”. We may require you to verify your identity before processing the request.

For all data protection enquiries, access requests, correction requests, or complaints, please visit our Contact Us page.

Vault 6 Studios operates as a private seller of collectible figures, registered and operating within Malaysia.