Last updated: 17 July 2026 — updated hosting provider from Shinjiru (Malaysia) to Infomaniak Network SA (Switzerland); Data Processing Agreement with Infomaniak concluded 17 July 2026 pursuant to GDPR Art. 28 and Swiss nDSG Art. 9; updated international transfer section to reflect EU adequacy decision for Switzerland.
1. Controller
IT AI Advisory Sdn Bhd
Reto Gruenenfelder
Kuala Lumpur, Malaysia
For data-related enquiries, write to
2. Applicable Law
This website is operated in compliance with the Personal Data Protection Act 2010 (as amended by the Personal Data Protection (Amendment) Act 2024) of Malaysia. Where applicable, we align with the EU General Data Protection Regulation (GDPR) for visitors from the European Economic Area (EEA), and with the Swiss Federal Act on Data Protection (nDSG, in force since September 2023) for visitors from Switzerland.
3. Data Collected and Purpose
This website does not use cookies, tracking scripts, or analytics tools. No personal data is collected automatically when you visit this site.
If you contact us via the contact form or by email, we process the data you provide (name, email address, organisation, message content) solely for the purpose of responding to your enquiry. This data is not sold, shared with third parties for marketing purposes, or used for any purpose other than responding to your request.
Newsletter subscriptions: If you subscribe to The AI Governance Letter via the subscription form on this website, we collect your email address for the sole purpose of sending you the newsletter. Subscription uses a double opt-in process: you will receive a confirmation email and must click the link in that email before your subscription becomes active. You may unsubscribe at any time by clicking the unsubscribe link included in every newsletter email. Your email address will not be used for any purpose other than delivering the newsletter.
Newsletter data processor — MailerLite: Newsletter subscriptions are managed through MailerLite (MailerLite UAB, Paupio g. 46, LT-11341 Vilnius, Lithuania). Subscriber email addresses are stored on MailerLite's servers located in the European Union. MailerLite acts as a data processor on behalf of IT AI Advisory Sdn Bhd under a Data Processing Agreement, and processes subscriber data solely for the purpose of delivering the newsletter. MailerLite's privacy policy is available at mailerlite.com/legal/privacy-policy.
Under the PDPA, personal data will not be processed without your consent and will only be used for the purpose for which it was collected.
3a. Legal Basis for Processing (GDPR)
For visitors from the European Economic Area (EEA) or Switzerland, we process personal data on the following legal bases under Article 6 GDPR:
— Contact form and email enquiries: Performance of pre-contractual measures at the request of the data subject (Article 6(1)(b) GDPR) — processing is necessary to take steps at your request prior to entering into a potential engagement.
— Newsletter subscription: Consent (Article 6(1)(a) GDPR) — you have freely given, specific, informed, and unambiguous consent by completing the subscription form and confirming your email address via double opt-in. You may withdraw your consent at any time by unsubscribing. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
— Fonts: This website uses self-hosted fonts (Cormorant Garamond and DM Sans). The font files are served directly from our hosting infrastructure in Switzerland (Infomaniak Network SA, Geneva). No connection to Google servers is made and no personal data is transmitted to third parties in connection with font loading.
4. Fonts
This website uses self-hosted fonts (Cormorant Garamond and DM Sans). The font files are served directly from our hosting infrastructure in Switzerland, operated by Infomaniak Network SA, Rue Eugène-Marziano 25, 1227 Geneva, Switzerland. No connection to Google servers or any other third-party font service is made when you visit this site. No personal data is transmitted to third parties in connection with font loading.
5. Cookies
This website does not use tracking cookies, advertising cookies, or analytics tools. No cookies are set on your device for the purpose of monitoring your behaviour or identifying you across sessions.
A temporary session token is generated when you submit the contact form. This token exists only for the duration of your browser session and is not used for tracking or profiling purposes. It is deleted when you close your browser.
6. Data Breach Notification
In the event of a personal data breach, we will notify the Personal Data Protection Commissioner as soon as practicable, in accordance with the PDPA (Amendment) Act 2024. Where a breach is likely to cause significant harm to affected individuals, those individuals will also be notified without unnecessary delay. For EEA and Swiss visitors, we will also comply with applicable GDPR and nDSG breach notification obligations.
7. Retention
Contact form submissions and email enquiries are retained for up to 24 months from the date of last correspondence, after which they are securely deleted unless a contractual or legal obligation under Malaysian law requires longer retention. Newsletter subscriber email addresses are retained by MailerLite for as long as the subscription remains active; upon unsubscribing, your address is removed from active lists. Residual data may be retained by MailerLite in accordance with their data retention policy. All data is stored securely and accessed only by the data controller.
8. Hosting Provider
This website and all its content are hosted on servers physically located in Switzerland, operated by Infomaniak Network SA, Rue Eugène-Marziano 25, 1227 Geneva, Switzerland (infomaniak.com). As the hosting provider, Infomaniak processes server logs and stores website files and contact form submissions. Infomaniak is subject to the Swiss Federal Act on Data Protection (nDSG) and complies with GDPR as a data processor. A Data Processing Agreement between IT AI Advisory Sdn Bhd and Infomaniak Network SA has been concluded pursuant to Article 28 GDPR and Article 9 nDSG, with effect from 17 July 2026. Infomaniak's privacy policy is available at infomaniak.com/en/legal/confidentialite.
8a. International Data Transfers (GDPR)
Switzerland is recognised by the European Commission as providing an adequate level of data protection equivalent to the EEA (Commission Implementing Decision 2000/518/EC). Personal data submitted via the contact form or otherwise collected in connection with this website is stored on servers operated by Infomaniak Network SA in Switzerland. This transfer is covered by the EU adequacy decision for Switzerland and does not require additional safeguards under GDPR Article 46.
IT AI Advisory Sdn Bhd, as data controller, is established in Malaysia, which is not recognised by the European Commission as an adequate third country. Where the controller accesses or reviews personal data submitted by EEA or Swiss visitors (for example, when responding to an enquiry), this may constitute a further transfer to Malaysia. Such access is made on the basis of Article 49(1)(b) GDPR — the transfer being necessary for the performance of pre-contractual measures taken at your request — and is limited to the minimum data necessary to respond to your enquiry. Newsletter subscriber data is stored by MailerLite on servers in the European Union and does not involve a third-country transfer.
9. Your Rights
Under the PDPA (as amended in 2024), you have the right to access, correct, and request portability of your personal data, and to withdraw consent where processing is consent-based. Please note that the Malaysian PDPA does not provide a general right to erasure equivalent to the GDPR right to be forgotten; however, you may withdraw your consent at any time, which will result in us ceasing to process your data for the relevant purpose.
For visitors from the EEA or Switzerland, under GDPR you additionally have the right to: erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and to object to processing based on legitimate interest (Article 21). To exercise any of these rights, contact us at .
9a. Right to Lodge a Complaint (GDPR)
If you are located in the EEA or Switzerland and believe that your personal data has been processed in violation of the GDPR or applicable national data protection law, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch. This right is without prejudice to any other administrative or judicial remedy.
10. Swiss nDSG — Specific Provisions
For visitors resident in Switzerland, this privacy policy also constitutes the required privacy notice under the Swiss Federal Act on Data Protection (nDSG). The responsible entity (Verantwortlicher) is IT AI Advisory Sdn Bhd, represented by Reto Gruenenfelder. In the event of a data security incident affecting Swiss residents, IT AI Advisory Sdn Bhd will notify the Federal Data Protection and Information Commissioner (FDPIC) where required by law. You have the right to lodge a complaint with the FDPIC at edoeb.admin.ch. No automated individual decision-making or profiling takes place in connection with this website.
11. Changes
This privacy policy may be updated from time to time to reflect changes in our data processing activities or applicable law. The current version, including the date of last update, is always available on this page. For material changes affecting EEA or Swiss subscribers, we will notify you by email where we hold your address.
12. Content Disclaimer
This privacy policy relates solely to the processing of personal data. For the disclaimer applicable to all published content — including the AI Governance Guide and the AI Governance Letter series — please refer to the full disclaimer available at itaiadvisory.com/disclaimer.