Privacy Policy
Dasar Privasi (Bahasa Malaysia)
This Privacy Policy is written in English. Any translation is provided for convenience only; the English version prevails in case of conflict.
Last updated: 9 May 2026
1. Who this policy is from
This website (www.nicholaskew.com) is operated by Nicholas Kew, an individual trading personally and based in Malaysia.
Contact for privacy matters: Nicholas Kew, A-3-9 Endah Promenade, No. 5, Jalan 3/149E, Taman Sri Petaling, 57000 Kuala Lumpur, Malaysia. Email: qqsubs55@gmail.com
In this policy, "I", "me", and "my" refer to Nicholas Kew. "You" and "your" refer to you, the visitor or customer. Under the Malaysian Personal Data Protection Act 2010 (as amended), I act as the data controller for personal data collected through this website.
A Bahasa Malaysia version of this policy is also available at [/dasar-privasi]. Where there is any conflict between the English and Bahasa Malaysia versions, the English version prevails for interpretation purposes, except where Malaysian law requires otherwise.
2. What this policy covers
This policy explains how I collect, use, store, share, and protect personal data when you:
Browse this website;
Contact me via the website or via email;
Purchase a digital template or other product from the shop;
Subscribe to a newsletter, publication, or community (including the Quiet Dinners newsletter and community, delivered via Substack);
Interact with me via linked third-party platforms (such as LinkedIn or Substack) where the interaction originates from this website.
It applies whether you are based in Malaysia, the European Union, the United Kingdom, or elsewhere.
3. The personal data I collect
I collect only the data I need to operate the website, fulfil orders, and communicate with you.
When you browse the site, the following is collected automatically by Squarespace (the platform hosting this site): IP address, approximate location (country/region level), browser type and version, device type, pages visited, time spent on pages, referring website, and similar technical data. This is collected through Squarespace Analytics and through cookies (see Section 8).
When you contact me, I receive your name, email address, and the contents of your message.
When you purchase from the shop, the following is processed: your name, billing email address, billing address, country, and order details. Payment is processed by PayPal — I do not see, store, or have access to your card or bank details. PayPal provides me with confirmation of payment and the email address you used to pay.
When you subscribe to a newsletter or community (including Quiet Dinners), I collect your email address and any name you provide. Newsletter delivery is handled by Substack (see Section 6). Once you become a Substack subscriber, Substack will also collect data from you under its own privacy policy as part of providing the Substack platform to you.
I do not knowingly collect data from children under the age of 16. If you are under 16, please do not submit personal data to this website. If you believe a child has provided data, contact me and I will delete it.
I do not collect sensitive personal data (health, religion, political views, etc.) and you should not send any to me unless specifically requested.
4. Why I collect it, and the lawful basis
For each type of data, I rely on a specific lawful basis under the PDPA and, where applicable, the GDPR:
Operating and securing the website — using technical data and IP address. Lawful basis: legitimate interest.
Responding to your enquiries — using your name, email, and message. Lawful basis: consent, or steps to enter into a contract.
Processing your purchase and delivering the product — using your name, email, billing details, and order data. Lawful basis: performance of a contract.
Sending order confirmations and download links — using your email and order data. Lawful basis: performance of a contract.
Sending newsletters or community updates (including Quiet Dinners) — using your email and name. Lawful basis: your explicit consent (you can withdraw at any time).
Complying with tax, accounting, and legal obligations — using order and payment records. Lawful basis: legal obligation.
Detecting fraud and protecting the website — using technical data and order data. Lawful basis: legitimate interest.
I do not use your data for automated decision-making or profiling that produces legal effects on you.
5. How long I keep your data
I keep personal data only as long as I need it:
Order and payment records: 7 years from the date of the transaction (required under Malaysian tax and accounting law).
Contact enquiries: up to 24 months after the last interaction, then deleted unless an ongoing matter requires longer retention.
Newsletter and community subscriptions: until you unsubscribe, after which your email is removed from the active list (Substack may retain limited records for a short period under its own retention policy).
Website analytics data: as per Squarespace's retention defaults (typically up to 3 years).
6. Who I share your data with
I do not sell your personal data. I share it only with the following processors and third parties, and only as needed:
Squarespace, Inc. (United States) — hosts the website, provides analytics, and processes order data through its commerce platform. Squarespace's privacy policy: https://www.squarespace.com/privacy
PayPal Pte. Ltd. (Singapore) and PayPal, Inc. (United States) — processes all payments. I do not receive your card or bank details. PayPal's privacy policy: https://www.paypal.com/myr/legalhub/privacy-full
Substack, Inc. (United States) — delivers newsletters and operates the Quiet Dinners newsletter and community subscription. If you subscribe, your email address is processed by Substack as a processor for delivery purposes, and Substack also acts as an independent controller in respect of your use of the Substack platform itself. Substack's privacy policy: https://substack.com/privacy
Government authorities — where I am legally required to disclose data (for example, in response to a valid court order or LHDN/IRBM enquiry).
7. Cross-border data transfers
Because Squarespace, PayPal, and Substack are based outside Malaysia, your personal data is transferred to and stored in countries including the United States, Singapore, and (for some Squarespace infrastructure) the European Union.
For Malaysian users, these transfers are made in accordance with Section 129 of the PDPA, on the basis that the recipients provide a level of protection substantially similar to the PDPA, the transfer is necessary for the performance of a contract with you, or you have given consent.
For EU/EEA and UK users, transfers outside the EEA are made on the basis of:
the recipient's certification under recognised frameworks (e.g. EU-US Data Privacy Framework, where applicable); or
Standard Contractual Clauses adopted by the European Commission; or
your explicit consent.
8. Cookies and tracking
This website uses cookies and similar technologies, primarily through Squarespace, for the following purposes:
Strictly necessary cookies — required for the website and shopping cart to function. These cannot be turned off.
Analytics cookies — Squarespace Analytics uses cookies to understand how visitors use the site. Data is aggregated and not used to identify you personally.
Functional cookies — to remember preferences (e.g. cart contents).
I do not currently use Google Analytics, Meta Pixel, or other third-party advertising trackers.
You can disable cookies in your browser settings. Disabling strictly necessary cookies may stop parts of the site (especially the shop) from working.
If you are in the EU, EEA, or UK, you will see a cookie banner allowing you to accept or reject non-essential cookies before they are set. Non-essential cookies will not be placed on your device until you have given consent.
9. Your rights
If you are in Malaysia (under the PDPA), you have the right to:
Access your personal data and request a copy;
Correct inaccurate or incomplete data;
Withdraw consent to processing (where consent is the basis);
Limit the processing of your data;
Prevent processing for direct marketing.
If you are in the EU, EEA, or UK (under the GDPR / UK GDPR), you additionally have the right to:
Erasure ("right to be forgotten");
Data portability (receive your data in a machine-readable format);
Object to processing based on legitimate interests;
Lodge a complaint with your local supervisory authority.
Withdrawing consent. Where my processing of your data is based on your consent (for example, newsletter subscriptions), you may withdraw that consent at any time, free of charge, by:
Clicking the "unsubscribe" link in any newsletter email; or
Emailing me at qqsubs55@gmail.com.
Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, email me at qqsubs55@gmail.com. I will respond within 21 days (PDPA) or 30 days (GDPR), whichever is earlier. There is no charge for reasonable requests.
10. EU/UK representative
I do not currently appoint a representative under Article 27 of the EU GDPR or UK GDPR. My processing of personal data of EU and UK residents is occasional, of low risk to rights and freedoms, does not include special category data within the meaning of Article 9 GDPR, and does not include criminal conviction data, and therefore falls within the exemption under Article 27(2)(a) GDPR.
EU and UK residents may contact me directly at qqsubs55@gmail.com for any matter relating to their personal data.
I will review this position periodically and appoint a representative if and when my processing activities make appointment a legal requirement.
11. California residents (CCPA / CPRA)
I do not currently meet the thresholds that trigger application of the California Consumer Privacy Act ("CCPA") or California Privacy Rights Act ("CPRA"). However, if you are a California resident, the following applies as a matter of good practice:
I do not sell your personal information. I have not sold personal information in the preceding 12 months and have no plans to do so.
I do not share your personal information for cross-context behavioural advertising.
You have the right to know what personal information is collected about you, the right to delete it (subject to exceptions), the right to correct inaccuracies, and the right to opt out of any sale or sharing should that ever change.
You will not be discriminated against for exercising any of these rights.
To exercise any of these rights, email qqsubs55@gmail.com.
12. Security
I take reasonable steps to protect your data:
The website is served over HTTPS.
Payment data is handled entirely by PayPal and never touches my systems.
Access to order and contact data is limited to me.
Squarespace, PayPal, and Substack each operate their own security programmes appropriate to the data they handle.
No system is completely secure. If a data breach occurs that is likely to cause significant harm, I will notify the Malaysian Personal Data Protection Commissioner within 72 hours (as required by the 2024 PDPA amendments) and notify affected individuals where required.
13. Complaints
If you have a concern about how your data is handled, please contact me first at qqsubs55@gmail.com — most issues can be resolved directly.
If you remain unsatisfied, you may complain to:
Malaysia: Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi) — www.pdp.gov.my
EU/EEA: your local data protection authority
UK: the Information Commissioner's Office (ICO) — www.ico.org.uk
14. Changes to this policy
I may update this policy from time to time. Material changes will be flagged on the website and, where you have given me your email, I will notify you directly. The "Last updated" date at the top of this policy shows the most recent revision.