Privacy Policy

Winding House ("we", "our", "us") is committed to handling the personal information you share with us thoughtfully and responsibly. This policy explains what data we gather, why we gather it, how it is used, and what rights you hold in relation to it. It applies to all visitors and clients who interact with our website at windinghou.club or contact us directly. We operate in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia.

1.Data We Collect

We collect only the information that helps us provide our watch repair services and communicate with you effectively. This includes:

Identification data: Your name and, where relevant, the details of the timepiece you are bringing in (brand, model, reference number).
Contact data: Email address and phone number, provided through our contact form or given during a service enquiry.
Service communications: The content of messages you send us, including questions, descriptions of your watch's condition, or feedback.
Technical data: IP address, browser type, pages visited, and session duration — collected passively through analytics cookies when consent is given.
Payment data: Where applicable, transaction references. We do not store card details — payment processing is handled by third-party providers.

2.How We Use Your Data

Your information is used only for the purposes described below. We do not sell or rent personal data to any third party.

Responding to service enquiries and coordinating watch drop-off or collection arrangements.
Preparing and delivering the written Health Assessment report or service summary.
Sending status updates about an ongoing repair, including estimated completion timelines.
Processing payments and maintaining transaction records for accounting and compliance purposes.
Understanding how our website is used so we can improve its content and navigation (analytics only, with consent).
Complying with legal obligations under Malaysian law, including record-keeping requirements.

3.Legal Basis for Processing

Consent

Where you submit our contact form or accept optional cookies, you are providing consent for us to process that data. You may withdraw consent at any time by contacting us.

Contractual necessity

When you engage Winding House for a service, processing your contact and watch details is necessary to fulfil that service agreement.

Legitimate interests

We may process certain data where we have a legitimate interest in doing so — for example, to improve our workshop processes or follow up on an enquiry you initiated.

Legal obligation

Some data is retained because we are required to do so under Malaysian law (e.g., financial transaction records).

4.Sharing Your Information

We do not share your personal data with third parties except in the following limited circumstances:

Service providers: Companies that assist us in operating our website or processing payments (e.g., hosting providers, payment gateways). These parties are contractually bound to use your data only for the purpose of delivering their service to us.
Analytics services: Anonymised and aggregated usage data may be shared with analytics platforms (such as Google Analytics) when you consent to analytics cookies. No personally identifiable information is included.
Legal requirements: If required by a court order, regulatory authority, or applicable Malaysian law, we may disclose information as necessary.

We will never sell your personal data. We do not use it for marketing purposes beyond direct follow-up on an enquiry you initiated.

5.Retention Periods

Data Type	Retention Period
Contact form submissions	24 months from date of submission
Service records (client name, watch details, work performed)	7 years (for warranty reference and legal compliance)
Payment/transaction records	7 years (Malaysian Companies Act requirement)
Analytics data	26 months (Google Analytics default, anonymised)
Cookie consent records	12 months from last consent update

After the retention period expires, data is securely deleted or anonymised. You may request earlier deletion — see Your Rights below.

6.How We Protect Your Data

We apply reasonable technical and organisational measures to keep your information safe:

Encrypted Transmission

All data exchanged between your browser and our website is transmitted over HTTPS/TLS.

Secure Hosting

Our website is hosted on servers with access controls, regular patching, and firewall protection.

Limited Access

Only personnel who need your information to perform their role have access to it.

Breach Response

In the unlikely event of a data breach, affected parties will be notified promptly and in accordance with the PDPA 2010.

7.Cookies

We use cookies to operate our website and, with your consent, to understand how it is used. Cookies are small text files stored in your browser. We use four categories:

Essential: Required for the website to function. Cannot be disabled.
Analytics: Help us understand visitor behaviour in aggregate. Optional.
Marketing: Used for relevant advertising. Optional.
Preferences: Remember your settings and choices. Optional.

For full details and to manage your preferences, please visit our Cookie Policy.

8.Your Rights

Under the Personal Data Protection Act 2010 (Malaysia), you have the following rights regarding your personal data:

Right to Access: You may request a copy of the personal data we hold about you.

Right to Correction: If any information we hold is inaccurate or out of date, you may ask us to correct it.

Right to Erasure: In certain circumstances, you may request that we delete your personal data.

Right to Object: You may object to certain types of processing, including direct marketing.

Right to Withdraw Consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at [email protected]. We will respond within 21 days. If you feel your rights have not been respected, you may escalate a complaint to the Department of Personal Data Protection (JPDP) Malaysia.

9.Third-Party Links

Our website may contain links to external websites for your convenience. These sites operate independently and have their own privacy policies. We are not responsible for how those websites handle your data, and we encourage you to review their privacy notices before providing any personal information.

10.Children's Privacy

Our services are intended for adults aged 18 and above. We do not knowingly collect personal data from individuals under the age of 18. If you believe a minor has submitted personal information through our website, please contact us and we will take steps to remove it promptly.

11.Policy Updates

We may revise this policy from time to time to reflect changes in our practices or applicable law. When we make material changes, the "Last Updated" date at the top of this page will be amended. We encourage you to review this page periodically. Continued use of our website following any update constitutes your acknowledgment of the revised policy.

12.Contact Us

If you have any questions about this policy, would like to exercise your data rights, or wish to raise a concern, please reach out to us:

Winding House
31 Jalan Tun Razak, 50400 Kuala Lumpur, Malaysia

Email: [email protected]

Phone: +60 3-2162 7834

Contents