Privacy Policy & Personal Data Protection Notice

Klinik Bustari (Bustari Healthcare Sdn Bhd, registered in Malaysia)

Version 2.0 ยท Last updated: 30 May 2026

This Privacy Policy and Personal Data Protection Notice (“Notice”) explains how Bustari Healthcare Sdn Bhd, trading as Klinik Bustari (“we”, “us”, “our”), collects, uses, discloses, stores, and protects your personal data. We process your personal data in accordance with the Personal Data Protection Act 2010 (Act 709), the Personal Data Protection Regulations 2013, the seven Personal Data Protection Principles, and all related amendments including the Personal Data Protection (Amendment) Act 2024.

This Notice is issued under Section 7 of the Personal Data Protection Act 2010 (“PDPA”). By submitting your personal data to us or by using our services, you acknowledge that you have read and understood this Notice and consent to the processing of your personal data in the manner described below.

Bilingual notice (Bahasa Malaysia): Notis ini diterbitkan menurut Akta Perlindungan Data Peribadi 2010. Versi Bahasa Malaysia boleh diperolehi atas permintaan dengan menghubungi kami menggunakan butiran di bawah.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

  • Bustari Healthcare Sdn Bhd (trading as Klinik Bustari)
  • Registered address: GF, Lot 4081, Sukma Commercial Centre, Jalan Sultan Tengah, 93050 Kuching, Sarawak, Malaysia
  • Principal medical officer: Dr Bustari Eddie (MB. BCh. BAO — Royal College of Surgeons in Ireland)
  • Telephone: 082-444234
  • WhatsApp: 016-4534234  |  011-6500 4234
  • Email: bustarihealthcare@gmail.com  |  customerservice@klinikbustari.com
  • Website: www.klinikbustari.com

Klinik Bustari is a licensed private healthcare facility operating under the Private Healthcare Facilities and Services Act 1998 (Act 586) and is regulated by the Ministry of Health Malaysia.

2. Personal Data We Collect

Depending on your interaction with us, we may collect the following categories of personal data:

2.1 Identification & Contact Data

  • Full name (including name of parent or legal guardian for minors)
  • MyKad / passport / patient identification number
  • Date of birth, age and gender
  • Residential and mailing address
  • Telephone, WhatsApp number and email address
  • Emergency contact and next-of-kin details
  • Photograph or image (where required for identification, treatment records, or consent)

2.2 Health & Medical Data

  • Presenting complaint, symptoms and reason for visit
  • Medical and surgical history, allergies and current medications
  • Family medical history (where clinically relevant)
  • Vital signs, examination findings and clinical observations
  • Diagnostic, laboratory and imaging results
  • Treatment plans, prescriptions, procedures performed and follow-up notes
  • Vaccination records and screening results
  • Mental health assessments (where applicable)

2.3 Insurance, Panel & Billing Data

  • Insurance or panel provider details (e.g. AIA, Great Eastern, MySejahtera, SOCSO, TPA)
  • Policy or membership numbers, claim references
  • Service fees, deposits, payment status

2.4 Payment Data

  • Transaction reference numbers and receipts
  • Bank or e-wallet details (only for direct transfer confirmation)
  • We do not store full credit card or debit card numbers. All card payments are processed by our authorised payment gateway, ToyyibPay (Bumiwangsa Maju Sdn Bhd).

2.5 Technical & Usage Data

  • IP address, browser type and operating system
  • Pages visited, time and date of access, referring website
  • Device information when using our online booking system
  • Cookies and similar tracking technologies (see Section 12)

3. Sensitive Personal Data

Some of the data we collect is classified as “Sensitive Personal Data” under Section 4 of the PDPA — specifically information about your physical or mental health, medical conditions, religious beliefs, or any data identified as such by the Minister.

Sensitive personal data may only be processed with your explicit consent (which you provide by submitting our appointment form, attending our clinic, or signing relevant consent forms), or where processing is necessary for the purposes of medical diagnosis, the provision of treatment, the management of healthcare services, or to protect your vital interests.

4. Sources of Personal Data

We collect personal data from the following sources:

  • Directly from you, when you book an appointment online, walk in, telephone, WhatsApp or email us
  • From your parent, legal guardian or authorised representative
  • From referring doctors, hospitals or diagnostic laboratories (where you have provided consent for referral)
  • From your panel, insurance provider or Third Party Administrator (where you have authorised them to share data with us for claims)
  • Automatically when you use our website (cookies, server logs)

5. Purposes of Processing

We process your personal data only for the following lawful purposes:

  1. To schedule, confirm, reschedule or cancel your medical appointment
  2. To provide medical care — consultation, diagnosis, treatment, procedures, prescriptions and follow-up
  3. To maintain medical records as required under the Private Healthcare Facilities and Services Act 1998 and Malaysian Medical Council guidelines
  4. To process panel and insurance claims on your behalf where you have authorised us
  5. To communicate with you regarding appointments, results, prescriptions, billing, or clinical follow-up (via WhatsApp, SMS, telephone or email)
  6. To process payments and deposits through our authorised payment gateway
  7. To comply with legal, regulatory and statutory obligations — including notifiable disease reporting to the Ministry of Health, court orders, and tax/accounting requirements
  8. To prevent, detect and investigate fraud or misuse of our services
  9. To improve our services and patient care quality through anonymised internal review and audit
  10. With your separate, explicit consent — to send health tips, promotional materials or service updates (see Section 14)

We will not use your personal data for any purpose materially different from those stated above without seeking your further consent.

6. Legal Basis & Consent

We rely on the following lawful bases under the PDPA for processing your personal data:

  • Your consent — provided expressly when you submit our appointment form, attend our clinic, or sign clinical consent forms (Section 6, PDPA)
  • Necessary for the performance of a contract with you for the provision of medical services
  • Compliance with legal obligations to which we are subject as a licensed healthcare provider
  • Protection of vital interests — where processing is necessary to protect your life or health, or that of another person, in a medical emergency
  • Administration of justice or performance of any function conferred under written law

6.1 Withdrawal of Consent

You may withdraw your consent for the processing of your personal data at any time by contacting us using the details in Section 18. Withdrawal of consent may, however, affect our ability to provide you with medical services and may, depending on the circumstances, require us to terminate the doctor-patient relationship. We will retain medical records to the extent required by law even after consent is withdrawn (see Section 10).

7. Disclosure to Third Parties

We treat all medical and personal information as strictly confidential. We will only disclose your personal data to the following categories of recipients, and only to the extent necessary for the purposes set out in Section 5:

  • Our medical professionals and clinic staff directly involved in your care
  • Referral specialists, hospitals or diagnostic laboratories — only with your knowledge and consent
  • Your appointed panel or insurance provider / Third Party Administrator — for claims processing you have authorised
  • Our authorised service providers:
    • ToyyibPay (Bumiwangsa Maju Sdn Bhd) — for deposit and payment processing
    • Resend — for transactional email delivery
    • WasenderAPI — for WhatsApp appointment notifications
    • Google Firebase (Google LLC) — for secure database and authentication infrastructure
    All such providers are bound by contractual obligations to process your data only for the purposes we authorise, and to maintain appropriate security safeguards.
  • Government authorities and regulators — only where legally required, including the Ministry of Health Malaysia (e.g. notifiable disease reporting), Inland Revenue Board, court orders, or law enforcement agencies acting under written law
  • Professional advisors — auditors, accountants, lawyers and insurers, subject to confidentiality obligations
  • Successor entities — in the event of restructuring, merger, acquisition or sale of business assets, with appropriate safeguards

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

8. Cross-Border Data Transfer

Some of our service providers operate cloud infrastructure located outside Malaysia. In particular:

  • Google Firebase Realtime Database — data is hosted in the Asia Southeast (Singapore) region
  • Firebase Cloud Functions — hosted in the United States (us-central1 region)
  • Resend (email delivery) — servers located in the United States and the European Union
  • WasenderAPI — processes WhatsApp messages via Meta’s infrastructure

Where personal data is transferred outside Malaysia, we ensure that the recipient country has comparable data protection laws or that we have appropriate contractual safeguards in place, in accordance with Section 129 of the PDPA. By using our services, you consent to such transfers.

9. Data Storage & Security (Security Principle)

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration or destruction. These measures include:

  • Encryption of data in transit (HTTPS / TLS 1.2+)
  • Encryption of data at rest within our cloud database providers
  • Role-based access control — only authorised staff can access patient records relevant to their duties
  • Multi-factor authentication for administrative access
  • OTP verification for booking confirmation
  • Regular automated backups
  • Access logging and audit trails
  • Secure storage of physical paper records in locked premises with restricted access
  • Confidentiality undertakings by all staff members
  • Regular review of security practices

While we take reasonable steps to safeguard your personal data, no transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but commit to acting promptly to any suspected or confirmed breach (see Section 15).

10. Data Retention (Retention Principle)

We retain personal data only for as long as is necessary for the purposes for which it was collected, in compliance with statutory retention requirements:

  • Adult medical records: a minimum of seven (7) years from the date of last consultation, in line with Malaysian Medical Council guidelines and the Private Healthcare Facilities and Services Regulations 2006
  • Paediatric medical records (patients under 18): retained until the patient reaches 25 years of age, or seven (7) years from last consultation, whichever is later
  • Maternity / obstetric records: a minimum of 25 years
  • Mental health records: a minimum of 20 years from last consultation
  • Appointment and booking data (non-clinical): retained for as long as needed for clinical continuity, then archived or anonymised
  • Financial and tax records: seven (7) years as required under the Income Tax Act 1967
  • Marketing consent records: until you withdraw consent or three (3) years from your last interaction, whichever is earlier

After the applicable retention period, personal data is securely destroyed or irreversibly anonymised.

11. Your Rights as a Data Subject

Under the PDPA, you have the following rights with respect to your personal data:

  • Right of access (Section 30) — to request a copy of the personal data we hold about you
  • Right of correction (Section 34) — to request that we correct any inaccurate or incomplete data
  • Right to withdraw consent (Section 38) — for non-essential processing (e.g. marketing communications)
  • Right to prevent processing likely to cause damage or distress (Section 42)
  • Right to prevent processing for direct marketing (Section 43)
  • Right to data portability — under the Personal Data Protection (Amendment) Act 2024, to receive your personal data in a structured, commonly used format and have it transmitted to another data controller, where technically feasible
  • Right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia
The Seven Personal Data Protection Principles (PDPA 2010)
  1. General Principle — personal data processed lawfully with consent
  2. Notice and Choice Principle — data subjects informed of processing
  3. Disclosure Principle — data only disclosed for stated purposes
  4. Security Principle — reasonable safeguards in place
  5. Retention Principle — data kept no longer than necessary
  6. Data Integrity Principle — data kept accurate and up to date
  7. Access Principle — data subjects can access and correct their data

11.1 How to Exercise Your Rights

To exercise any of these rights, please submit a written request to us using the contact details in Section 18. We will respond within twenty-one (21) days of receiving your request. A nominal fee may be charged for processing access requests, as permitted under the Personal Data Protection (Fees) Regulations 2013.

We may need to verify your identity before disclosing personal data, to protect your information from unauthorised access.

12. Cookies & Tracking Technologies

Our website uses minimal cookies and similar technologies for the following purposes:

  • Essential cookies — required for the website to function (session management, security)
  • Analytics — anonymised usage statistics to improve our website
  • Marketing pixels — we use the Meta Pixel (Facebook / Instagram) to measure the effectiveness of our advertising. This pixel may set cookies that share anonymised event data with Meta Platforms Ireland Limited.

You may disable cookies in your browser settings. Disabling essential cookies may affect website functionality. You can opt out of Meta’s targeted advertising at facebook.com/help/568137493302217.

We do not use third-party advertising trackers beyond those listed above.

13. Children & Minors

For patients under the age of 18 (“minors”), personal data is collected only with the consent of a parent or legal guardian. The guardian’s contact details are required for paediatric and circumcision (khatan) bookings. Minors aged 16 and above may provide consent for their own medical treatment in accordance with Malaysian law, but we will still require parental information where clinically appropriate.

We do not knowingly collect data from children under 13 without parental consent. If we discover that we have collected data from a child without proper consent, we will delete it promptly.

14. Marketing Communications

We may send you health tips, service updates, promotional offers, or appointment reminders via WhatsApp, SMS or email, only with your separate, explicit consent. You may opt out of marketing communications at any time by:

  • Replying “STOP” or “UNSUBSCRIBE” to a WhatsApp or SMS message
  • Clicking the “unsubscribe” link in any marketing email
  • Contacting us using the details in Section 18

Opting out of marketing will not affect transactional communications necessary for your medical care (e.g. appointment confirmations, clinical follow-up).

15. Data Breach Notification

Under the Personal Data Protection (Amendment) Act 2024, we are required to notify the Personal Data Protection Commissioner of any personal data breach that is likely to result in significant harm to data subjects within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and interests, we will also notify you directly without undue delay, including the nature of the breach, the data affected, mitigation measures taken, and recommended actions you should consider.

16. Consequences of Non-Provision of Personal Data

The provision of certain personal data is mandatory in order for us to provide medical services. If you choose not to provide the requested information, we may be unable to:

  • Schedule or confirm your appointment
  • Provide consultation, diagnosis or treatment
  • Process panel or insurance claims on your behalf
  • Issue medical certificates, prescriptions or referrals
  • Comply with our statutory record-keeping obligations

We will explain the consequences at the point of collection where this is the case.

17. Updates to this Notice

We may update this Notice from time to time to reflect changes in law, our practices, or our services. The current version is always available at www.klinikbustari.com/privacy-policy.html. Material changes will be communicated by website notice and, where appropriate, by direct notification to registered patients. The “Last updated” date at the top of this Notice indicates when it was most recently revised.

18. Contact & Complaints

If you have any questions, concerns, or requests regarding this Notice or your personal data, please contact our Data Protection enquiry point:

Data Protection Enquiries — Klinik Bustari

Bustari Healthcare Sdn Bhd
GF, Lot 4081, Sukma Commercial Centre,
Jalan Sultan Tengah, 93050 Kuching, Sarawak, Malaysia

๐Ÿ“ž 082-444234 (clinic)  |  ๐Ÿ’ฌ 016-4534234 (WhatsApp)
โœ‰๏ธ bustarihealthcare@gmail.com
โœ‰๏ธ customerservice@klinikbustari.com
๐ŸŒ www.klinikbustari.com

18.1 Right to Complain to the Regulator

If you are dissatisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia:

Jabatan Perlindungan Data Peribadi (JPDP)
Aras 6, Kompleks Kementerian Komunikasi dan Multimedia,
Lot 4G9, Persiaran Perdana, Presint 4,
62100 Putrajaya, Malaysia

๐Ÿ“ž 03-8911 7000
โœ‰๏ธ aduan@pdp.gov.my
๐ŸŒ www.pdp.gov.my

By submitting our appointment form, attending our clinic, or otherwise using our services, you acknowledge that you have read and understood this Notice and consent to the processing of your personal data as described.

Bustari Healthcare Sdn Bhd · Registered in Malaysia · Version 2.0 (30 May 2026)