PRIVACY STATEMENT

MALAYSIA PRIVACY POLICY

Rich Products Malaysia Sdn Bhd and their affiliates and subsidiaries (hereinafter collectively referred to as “Rich’s”, “us”, “we”, “our”, or “Company”) have created this Privacy Policy to apply to all users of this website, www.richs.com.myand all digital assets contained or offered therein (collectively, our “Services”). This Privacy Policy describes, among other things, the types of Data we collect from users when you use our Services, how we use it, and your rights with respect to your Data.

This Privacy Policy is integrated into our Terms & Conditions of Use (“Terms & Conditions”). By accepting this Privacy Policy and providing us with Personal Data (defined below), you agree and consent to the practices described in this Privacy Policy.

If you have any privacy or data use concerns, please contact us as set out below under the headingHow to Contact Us.” To make sure you stay informed of all changes, you should check these policies periodically.
Updates will be referenced by the “Last Updated” date shown below.

DATA CONTROLLER

For purposes of this Privacy Policy, Rich’s is the data controller, with an address at Unit 6-1 & 6-2, Level 6, Menara Mudajaya, No. 12A, Jalan PJU 7/3, Mutiara Damansara 47810, Petaling Jaya, Selangor D.E., Malaysia.

II. CATEGORIES OF DATA WE COLLECT ABOUT YOU

We may collect the following categories of personal data about you which are described in more detail below: (A) Data you provide to us, (B) Data we may automatically collect, (C) Cookies & Technologies Used to Collect Personal Data About You, and (D) Data we may receive from third parties. The Data listed in (A), (B), (C) and (D) above, are detailed below, and hereinafter referred to as “Personal Data”.

A. Personal Data You Provide to Us

In using our Services, you may provide us with Personal Data, including, without limitation:

• Individual identifier such as name, username, birth date, and contact Personal Data including email address, mailing address, and telephone number(s);
• Communications with us, preferences, and other Personal Data you provide to us such as any messages (including via online chat feature), opinions and feedback that you provide to us, your user preferences (such as in receiving updates or marketing data), and other Personal Data that you share with us when you contact us directly (such as for customer support services); and
• Additional Personal Data as otherwise described to you at the point of collection or pursuant to your consent.

You may also provide us with sensitive personal data. We will not process any sensitive personal data about you except with your explicit prior consent (or as otherwise permitted by law).

B. Personal Data We May Automatically Collect About You

Our Services may automatically collect the following categories of usage and technical Personal Data about you. This Personal Data is used by Rich’s for the operation of the Services, to maintain quality of the Services, and to provide general statistics regarding use of the Services. This Personal Data may include:

• IP address, which is the number associated with the service through which you access the Internet, like your ISP (Internet service provider);
• Date and time of your visit or use of our Services;
• Domain server from which you are using our Services;
• Type of computer, web browsers, search engine used, operating system, or platform you use;
• Data identifying the web pages you visited prior to and after visiting our website or use of our Services;
• Your movement and activity within the website, which is aggregated with other data;
• Geographic data such as country or region;
• Mobile device data, including the type of device you use, operating system version, and the device identifier (or “UDID”); and
• Mobile application identification and behavior, use, and aggregated usage, performance data, and where the application was downloaded from.

C. Cookies & Technologies Used to Collect Personal Data About You

We and/or certain service providers operating on our behalf may collect Personal Data about your activity, or activity on devices associated with you over time, on our sites and applications, and across non-affiliated websites or online applications.
We may collect this Personal Data by using certain technologies, such as cookies and other similar technologies. Third-party service providers, advertisers, and/or partners may also view, edit, or set their own cookies or place web beacons.

• Cookies (or browser cookies). Cookies are small digital files that are transferred to your computer or smartphone’s hard drive when you visit a website or click on a URL. Most web browsers automatically accept cookies. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our Services. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Services.
• AnalyticsAnalytics are tools we use, such as Google Analytics, to help provide us with Personal Data about traffic to our website and use of our Services, which Google may share with other services and websites who use the collected data to contextualize and personalize the ads of its own advertising network. Learn more about Google’s Privacy Policy here: https://policies.google.com/privacy?hl=en-US. You can opt out of having your activity on our Services made available to Google Analytics by installing the Google Analytics opt-out add-on for your web browser by visiting: https://tools.google.com/dlpage/gaoptout.

D. Personal Data We Receive from Third Parties

We may also collect additional Personal Data about you from third parties and third-party websites, social media platforms, such as but not limited to, Facebook, Instagram, YouTube, or TikTok (“Social Media Platforms”), and/or sources providing publicly available Personal Data to help us provide services to you, help prevent fraud, and for marketing and advertising purposes.

This Privacy Policy only applies to Personal Data collected by our Services. We are not responsible for the privacy and security practices of those other websites or Social Media Platforms or the Personal Data they may collect (which may include IP address). You should contact such third parties directly to determine their respective privacy policies. Links to any other websites or content do not constitute or imply an endorsement or recommendation by us of the linked website, Social Media Platform, and/or content.

III. SOURCE OF DATA

We collect your Personal Data directly from you when you interact with us, including when you access our Services, communicate with us, or provide information for transactions. In addition, we may obtain your Personal Data from other sources where permitted by law, such as our affiliates, business partners, service providers, marketing partners, Social Media Platforms, or from publicly available records.

IV. HOW WE USE YOUR DATA

A. Use and Purpose of Processing Your Data

We will only collect and process your Personal Data when we have your consent for one or more of the following purposes:

• To respond to your inquiries and provide you with requested Personal Data and other communications, including by email;
• To process your product request;
• To send you our newsletter and other correspondence you request;
• For general or targeted marketing and advertising purposes, including sending you promotional material or special offers on our behalf or on behalf of our marketing partners and/or their respective affiliates and subsidiaries and other third parties, provided that you have not already opted out of receiving such communications;
• To fulfill contracts we have with you;
• To manage, improve, and foster relationships with third-party service providers, including vendors, suppliers, and parents, affiliates, subsidiaries, and business partners;
• To maintain, improve, customize, or administer the Services, perform business analyses, or other internal purposes to improve the quality of our business, the Services, resolve technical problems, or improve security or develop other products and services;
• To comply with our Terms & Conditions;
• For analytics for business purposes and business intelligence; (business intelligence);
• To comply with any applicable laws and regulations and respond to lawful requests; and/or
• For any other purposes disclosed to you at the time we collect your Personal Data and/or pursuant to your consent.

B. Sharing or Disclosing Your Data

For the above-mentioned use and purposes of Personal Data processing, we may share and/or disclose your Personal Data as set forth in the Privacy Policy and in the following circumstances:

• Third-Party Service Providers. We may share your Personal Data with third-party service providers or data processors that perform certain functions or services on our behalf (such as to host the Services, store or manage the data, perform analyses, process payments, provide customer service, or send communications for us). These third-party service providers will process this data only for purposes specified by us. In some instances, we may aggregate Personal Data we collect so third parties do not have access to your identifiable Personal Data to identify you individually.
• Disclosure of Personal Data for Legal and Administrative Reasons. We may disclose your Personal Data without notice: (i) when required to by law or to comply with a court order, subpoena, search warrant, or other legal process; (ii) to cooperate with or undertake an internal or external investigation or audit; (iii) to comply with legal, regulatory, or administrative requirements of governmental authorities (including, without limitation, requests from the governmental agency authorities to view your data); (iv) to protect and defend the rights, property, or safety of us, our subsidiaries and affiliates and any of their officers, directors, employees, attorneys, agents, contractors and partners, and the website Service users; (v) to enforce or apply our Terms & Conditions; and (vi) to verify the identity of the user of our Services.
• Business Transfers. Your Personal Data may be transferred or otherwise conveyed to a third party (“Conveyances”) where we: (i) merge with or are acquired by another business entity; (ii) sell all or substantially all of our assets; (iii) are adjudicated bankrupt; or (iv) are liquidated or otherwise reorganize. You agree to any and all such Conveyances of your Personal Data. We may also share Personal Data with prospective purchasers to evaluate the proposed transaction.
• Personal Data Shared with our Subsidiaries, Parents, and Affiliates. We may share your Personal Data with our subsidiaries and affiliates. If you do not want us to share your Personal Data with our subsidiaries and affiliates, please contact privacy@rich.com.
• Aggregate and Deidentified Data. We may share general data, aggregated data or publish Personal Data based on aggregated data. However, we will only do so in a way that your personal identity is protected.
• Online Communications. Any Personal Data you submit in a public forum (e.g., a blog or social network) may be read, collected, or used by us and other participants, and could be used to personalize your experience. You are responsible for the Personal Data you choose to submit in these instances.
• With Your Consent. We may share Personal Data consistent with this Privacy Policy with your consent. In the case of handling your Personal Data for purposes other than those mentioned above, we will only comply with the agreement with you or obtain your consent.

C. Links to Other Websites

Our Services may contain links to other websites or services that are not owned or controlled by us, including links to Social Media Platforms such as Facebook, Instagram, YouTube, or TikTok or may redirect you off our website away from our Services.

This Privacy Policy only applies to Personal Data collected by our Services. We are not responsible for the privacy and security practices of those other websites or Social Media Platforms or the Personal Data they may collect (which may include IP address). You should contact such third parties directly to determine their respective privacy policies. Links to any other websites or content do not constitute or imply an endorsement or recommendation by us of the linked website, Social Media Platform, and/or content.

V. DATA SECURITY

For Personal Data processed both electronically and non-electronically we use commercially reasonable measures to provide our Services. However, you should assume that no data transmitted over the Internet or stored or maintained by us or our third-party service providers can be 100% secure. Therefore, although we believe the measures implemented by us reduce the likelihood of security problems to a level appropriate to the type of data involved, we do not promise or guarantee, and you should not expect that your Personal Data or private communications will always remain private or secure.

If you believe that your Personal Data has been accessed or acquired by an unauthorized person, you shall promptly contact us via the How to Contact Us section so that we can quickly take necessary measures.

VI. DATA RETENTION

Within the scope permitted by law, we retain your Personal Data from the beginning of establishing a relationship with us for as long as needed to fulfil the purposes described in this Privacy Policy or as required or permitted by law. We may retain your Personal Data for a longer period needed to provide you the Services, and as necessary for other lawful purpose, such as to comply with our legal obligations, to resolve disputes, and to enforce our policies and agreements.

VII. YOUR DATA SUBJECT RIGHTS

This section applies to individuals coming to our Services from within Malaysia, and only if we collect through the Services any Personal Data from you that is considered “Personal Data” or “Sensitive Personal Data” as defined by the Personal Data Protection Act 2010 (PDPA) and the Personal Data Protection (Amendment) Act 2024and other applicable decrees or legislation.

A. Identity and Contact Details

B. Your Data Protection Rights

To the extent that Personal Data Protection Act 2010 (PDPA) applies, and we hold your Personal Data as a Data Controller, you may submit a request to exercise the following rights:

• Right to know how your Personal Data is being processed.
• Right to restrict processing of your Personal Data.
• Right to consent or withhold consent for the processing of your Personal Data, except for cases where the processing of Personal Data will be conducted without requiring the consent of the data subject.
• Right to access your Personal Data to view, edit or request to edit your Personal Data, unless otherwise provided by law.
• Right to erase your Personal Data unless an applicable exception applies.
• Right to withdraw your consent for the processing of your Personal Data, unless otherwise provided by law.
• Right to data portability of your Personal Data, unless otherwise provided by law.
• Right to prevent processing likely to cause damage or distress.
• Right to prevent process for purposes of direct marketing.

C. Exercising Your Data Subject Rights

To exercise any of the rights described above, free of charge (subject to certain limitations), please submit a verifiable request to us via the methods described below:

Only you may make a verifiable request related to your Personal Data. The verifiable request must:

• Provide sufficient Personal Data that allows us to reasonably verify you are the person about whom we collected data, or an authorized representative; and
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and response to it.

To help protect your privacy and maintain security, if you request access to or deletion of your Personal Data, we may require you to provide certain Personal Data to verify your identity before granting you access to your Personal Data or complying with your request. In addition, if you ask us to provide you with specific pieces of data, we may require you to sign a declaration. However, please note that there are certain cases as mentioned above where deletion of Personal Data upon your request is inapplicable.

VIII. GEOGRAPHIC LOCATION OF DATA STORAGE AND PROCESSING

Our Services collect Personal Data and process and store that Personal Data in databases located in Malaysia. However, as part of our business operations, we may transfer your Personal Data to a country outside Malaysia. With this data transfer, we take reasonably necessary steps and exercise all due diligence to ensure that the Personal Data will not be processed in a manner that would contravene the PDPA. By visiting our Services and submitting Personal Data, you consent to the transfer of such Personal Data beyond the national jurisdiction for the purposes of fulfilling customer needs and of data processing as mentioned herein.

IX. CHILDREN’S DATA

The Services are intended only for users over the age of eighteen (18) years of age. If we become aware that we have inadvertently collected Personal Data from a child, we will take steps to comply with any applicable legal requirement to remove such Personal Data. Contact us if you believe that we have mistakenly or unintentionally collected Personal Data from a child under the age of eighteen (18).

X. CHANGES TO THIS PRIVACY POLICY

We reserve the right to change, modify, or amend this Privacy Policy at any time to reflect changes in our products and service offerings, accommodate new technologies, regulatory requirements, or other purposes. If we modify our Privacy Policy, we will update the “Last Updated” date below and notify you via reasonable methods, such changes will be effective immediately upon posting.

XI. HOW TO CONTACT US

If you have any questions about this Privacy Policy, or the Data, we have collected about you or would like to contact us, please contact us at the following:

Last Updated: October 2025