Skip to main content

Privacy Policy

Last updated: 13 March 2026

Pelangi Capsule Hostel (“we”, “us”, or “our”) is committed to protecting your personal data in accordance with Malaysia’s Personal Data Protection Act 2010 (PDPA) and the Personal Data Protection (Amendment) Act 2024, specifically Section 7 which requires us to provide you with this privacy notice. This policy explains what personal data we collect, how we use it, and your rights as a data subject.

1. Data Controller

The data controller responsible for your personal data is:

Pelangi Capsule Hostel

26A Jalan Perang, Taman Pelangi

80400 Johor Bahru, Johor, Malaysia

Email: [email protected]

Phone: +60 12-708 8789

We process personal data as a registered business under Malaysian law.

2. Personal Data We Collect

We collect the following categories of personal data:

  • Identity data: Name, nationality, passport or IC number (collected at check-in as required by Malaysian hospitality regulations)
  • Contact data: Email address, phone number
  • Booking data: Check-in/check-out dates, room type, number of guests, booking reference
  • Payment data: Transaction reference (we do not store full card details — payments are processed by third-party providers)
  • Technical data: IP address, browser type, device identifiers, pages visited, time spent on site (via cookies and analytics)
  • Communications data: Messages sent via WhatsApp, email, or our contact form
  • Marketing data: Email address and name if you subscribe to our newsletter (only with your explicit consent)

3. Purpose of Processing

We process your personal data for the following purposes:

  • Booking fulfilment: Processing reservations, sending confirmation emails, and managing your stay
  • Regulatory compliance: Guest registration as required by Malaysian immigration and hospitality laws
  • Customer support: Responding to enquiries, complaints, and feedback
  • Analytics: Understanding how visitors use our website to improve content and user experience (only with your cookie consent)
  • Email marketing: Sending newsletters, promotions, and travel tips about Johor Bahru (only with your explicit consent — you may withdraw at any time)
  • Error monitoring: Detecting and fixing technical errors on our website to ensure reliability

4. Legal Basis for Processing

  • Contract: Processing necessary to fulfil your booking
  • Legal obligation: Guest registration required by Malaysian law
  • Consent: Analytics cookies and email marketing (you may withdraw consent at any time)
  • Legitimate interests: Website security, fraud prevention, and improving our services

5. Third-Party Data Processors

We use the following third-party services that may process your data on our behalf:

Service Purpose Data Shared
Google Analytics 4 Website analytics IP address, device/browser data, pages visited
Microsoft Clarity Heatmaps & session recordings IP address, device/browser data, click and scroll behaviour
Sentry Error monitoring IP address, browser data, error context
Brevo (Sendinblue) Email marketing Name, email address (newsletter subscribers only)
Booking Platforms Reservation processing Name, contact details, booking information

All third-party processors are required to handle your data securely and in compliance with applicable data protection laws.

6. Data Retention

  • Booking records: 7 years (required for accounting and tax purposes under Malaysian law)
  • Guest registration forms: As required by Malaysian hospitality regulations
  • Marketing data (newsletter): Until you unsubscribe or withdraw consent
  • Analytics data (Google Analytics): 14 months (GA4 setting)
  • Analytics data (Microsoft Clarity): 12 months
  • Cookie consent records: 12 months

7. Your Rights

Under the PDPA 2010, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to correction: Request correction of inaccurate or incomplete personal data
  • Right to withdraw consent: Withdraw consent for marketing or analytics processing at any time without affecting prior processing
  • Right to limit processing: Request that we restrict how we use your data in certain circumstances

To exercise any of these rights, please contact us at [email protected]. We will respond within 21 days as required by the PDPA.

8. Cookies

We use essential cookies (required for the website to function) and optional analytics cookies (only with your explicit consent). Under Malaysia’s Personal Data Protection (Amendment) Act 2024, non-essential cookies are not loaded until you actively opt in via our cookie consent banner. No boxes are pre-ticked.

Cookie Categories

Cookie Name Category Purpose Retention Third Party
NEXT_LOCALE Essential Stores your language preference (EN / 中文) 1 year None (first-party)
pelangi_cookie_consent Essential Records your cookie consent choice 1 year None (first-party)
_ga, _ga_* Analytics Google Analytics 4 — page views, traffic sources, user journeys Up to 14 months Google LLC (USA)
_clck, _clsk Analytics Microsoft Clarity — heatmaps, session recordings, scroll depth Up to 12 months Microsoft Corporation (USA)

You can manage your cookie preferences at any time via the “Manage Preferences” button on the cookie consent banner, or by clearing your browser cookies and revisiting our site.

For more information about how cookies work, visit allaboutcookies.org.

9. International Data Transfers

Some of our third-party processors (Google, Sentry, Brevo) may transfer and store your data outside Malaysia. Where this occurs, we ensure appropriate safeguards are in place, including contractual protections and the processor’s compliance with applicable data protection standards.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Our website uses HTTPS encryption for all data in transit. However, no internet transmission is completely secure, and we cannot guarantee absolute security.

11. Data Breach Notification

Under the Personal Data Protection (Amendment) Act 2024, which came into force on 1 January 2025, we are legally required to notify relevant parties in the event of a personal data breach:

  • Commissioner notification: We will notify the Personal Data Protection Commissioner within 72 hours of becoming aware of a data breach that poses a risk of significant harm to data subjects.
  • Data subject notification: We will notify affected individuals within 7 days of the breach notification to the Commissioner, informing you of the nature of the breach, the data involved, and the steps we are taking to mitigate any harm.

A data breach includes any unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar action involving your personal data that compromises its security, confidentiality, or integrity.

For more information about your rights under the PDPA and the 2024 Amendment, visit the Department of Personal Data Protection (JPDP).

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable law. The “Last updated” date at the top of this page indicates when the policy was last revised. Continued use of our website after changes constitutes acceptance of the updated policy.

13. Data Protection Officer & Contact

In accordance with the Personal Data Protection (Amendment) Act 2024 requirement for mandatory Data Protection Officer (DPO) designation, we have appointed a DPO to oversee our data protection practices.

If you have questions, concerns, or complaints about this privacy policy, how we handle your personal data, or wish to exercise your rights as a data subject, please contact our Data Protection Officer:

Data Protection Officer (DPO)

Pelangi Capsule Hostel

26A Jalan Perang, Taman Pelangi, 80400 Johor Bahru, Johor

Email: [email protected]

Phone: +60 12-708 8789

You also have the right to lodge a complaint with Malaysia’s Department of Personal Data Protection (JPDP) at www.pdp.gov.my.