Privacy Policy

1. Introduction

crestira is committed to protecting the privacy and personal information of individuals who interact with our thermal wellness programs. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the Personal Data Protection Act 2010 (PDPA) of Malaysia and international data protection principles.

By using our services, visiting our website, or engaging with us in any capacity, you consent to the practices described in this policy. If you have questions or concerns about how we handle your personal information, please contact us at [email protected].

2. Information We Collect

We collect personal information that you provide directly to us and information that is automatically collected through your use of our services.

Information You Provide:

• Contact details including name, email address, phone number, and mailing address
• Program booking information and travel preferences
• Health considerations relevant to thermal wellness activities
• Dietary requirements and accessibility needs
• Payment information processed through secure third-party payment processors
• Feedback, reviews, and communications with our team

Automatically Collected Information:

• Device information, IP address, and browser type
• Website usage data including pages visited and time spent on site
• Cookies and similar tracking technologies (see our Cookie Policy)
• Location data if you grant permission through your device

3. How We Use Your Information

We use the personal information we collect for the following purposes:

• To process and fulfill your wellness program bookings and provide related services
• To communicate with you about your reservations, including confirmations, updates, and post-program follow-up
• To address health and safety considerations relevant to thermal wellness activities
• To improve our programs, website, and customer service based on feedback and usage patterns
• To send marketing communications about our services (only with your consent, and you may opt out at any time)
• To comply with legal obligations and respond to lawful requests from authorities
• To prevent fraud, protect our legal rights, and ensure the security of our systems

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to fulfill our service agreement with you
• Consent: You have given explicit permission for specific processing activities
• Legitimate Interests: Processing necessary for our business operations, provided it does not override your rights
• Legal Compliance: Processing required to meet our legal obligations under Malaysian law

5. Data Sharing and Disclosure

We may share your personal information with the following parties:

• Service Providers: Accommodation partners, massage practitioners, heritage guides, and transportation providers involved in delivering your wellness program
• Payment Processors: Secure third-party payment services that handle transaction processing
• Technology Partners: Website hosting, email services, and analytics platforms that support our operations
• Legal Authorities: When required by law or to protect our legal rights and safety

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. All service providers are contractually required to maintain the confidentiality and security of your data.

6. Data Retention

We retain your personal information for as long as necessary to provide our services and fulfill the purposes outlined in this policy. Specifically:

• Booking and transaction records: 7 years for accounting and legal compliance purposes
• Marketing communications data: Until you withdraw consent or opt out
• Website usage data: 24 months for analytics and improvement purposes
• Health and safety information: 3 years after program completion

After the retention period expires, we securely delete or anonymize your personal data.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit and at rest
• Secure server infrastructure and regular security audits
• Access controls limiting data access to authorized personnel only
• Regular staff training on data protection and privacy practices
• Incident response procedures in the event of a data breach

While we take reasonable steps to secure your data, no internet transmission or electronic storage method is completely secure. We cannot guarantee absolute security of your information.

8. Your Rights

Under Malaysian data protection law and international privacy standards, you have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Erasure: Request deletion of your personal data under certain circumstances
• Objection: Object to processing of your data for specific purposes
• Data Portability: Receive your data in a structured, machine-readable format
• Withdraw Consent: Withdraw previously given consent for data processing
• Limit Processing: Request restriction of how we process your data

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 21 days.

9. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your browsing experience and analyze site usage. For detailed information about our cookie practices, including how to manage your preferences, please refer to our Cookie Policy.

10. Third-Party Links

Our website may contain links to third-party websites, such as accommodation partners or cultural heritage sites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal information.

11. Children's Privacy

Our services are designed for adults aged 18 and above. We do not knowingly collect personal information from individuals under 18 without parental consent. If we become aware that we have collected data from a minor without proper consent, we will take steps to delete that information promptly.

12. International Data Transfers

Your personal information is primarily processed and stored in Malaysia. If we transfer data to countries outside Malaysia, we ensure appropriate safeguards are in place, such as standard contractual clauses or adequacy decisions by relevant authorities.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. The "Last Updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this policy regularly. Significant changes will be communicated through our website or via email.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

15. Supervisory Authority

If you believe we have not addressed your privacy concerns adequately, you have the right to lodge a complaint with the Personal Data Protection Department of Malaysia or other relevant supervisory authority in your jurisdiction.