Privacy Policy

This Privacy Policy explains how PNH Malaysia Sdn Bhd (trading as Salute, “we”, “us”, “our”) collects, uses, shares, and protects your personal data when you visit salute.my, create an account, place an order, take part in our skin quiz, or otherwise interact with our services.

We are the data controller of your personal data under the Malaysian Personal Data Protection Act 2010, as amended by the Personal Data Protection (Amendment) Act 2024 (“PDPA”). This policy is written to comply with the PDPA and its supporting guidelines, including the Personal Data Protection Guidelines No. 03/2025 on Cross-Border Personal Data Transfer.

Please read this policy carefully. By using salute.my, you confirm that you have read and understood it.

Who we are

PNH Malaysia Sdn Bhd (trading as Salute) is a company incorporated in Malaysia and is the data controller responsible for the personal data described in this policy.

Registered address: A-21-01, Pinnacle PJ Tower A,  Lorong Utara C, Pjs 52, 46200 Petaling Jaya, Selangor.
Website: salute.my
General enquiries: hi@salute.my
Data Protection Officer (DPO): contact via hi@salute.my, addressed to the Data Protection Officer

Who this policy applies to

This policy applies to anyone who:

Visits or browses salute.my;
Creates a customer account on salute.my;
Places an order through salute.my;
Takes our skin quiz, uploads a photo for shade-matching, or writes a product review;
Signs up to our email or WhatsApp marketing;
Takes part in our referral programme;
Contacts us by email, WhatsApp, social media, or any other channel.

You must be 18 years or older to create an account, place an order, or otherwise provide personal data to us. See section 16 (Minors) below.

The personal data we collect

We collect the following categories of personal data:

Account and order data

Full name, email address, mobile phone number;
Shipping and billing addresses;
Account password (stored only as an encrypted hash — we cannot see your actual password);
Order history, returns, refunds, and customer service correspondence.

Payment data

Payments on salute.my are processed by Curlec Sdn Bhd (Curlec by Razorpay), a payment gateway licensed by Bank Negara Malaysia. Your card or banking details are entered directly with Curlec and are not stored by us. We only receive a transaction reference and confirmation that payment was successful.

Skin profile and beauty preference data

Skin type, skin concerns, and other answers you provide in our skin quiz;
Skin tone and shade-matching information;
Allergy and skin sensitivity information that you voluntarily share with us (this is sensitive personal data — see section 8);
Date of birth or age (used for birthday offers and to confirm you are 18 or above);
Photos you upload to our shade-matching tool (see section 9);
Product reviews, ratings, and any photos you submit with a review;
Wishlist items and product favourites.

Marketing and communications data

Email marketing opt-in status and preferences;
WhatsApp marketing opt-in status;
Information about which emails and messages you open or click;
Your participation in our referral programme (including the email address of anyone you refer).

Technical and usage data

IP address, approximate location (city or region only), device type, operating system, browser type, and language settings;
Pages viewed, products viewed, time on page, and the website that referred you to us;
Cookie and similar tracking technology data — see section 12.

How we collect your personal data

Directly from you — when you create an account, place an order, take the skin quiz, upload a photo, leave a review, sign up to marketing, refer a friend, or contact us.
Automatically — through cookies, pixels, and analytics tools when you browse salute.my (see section 12).
From third parties — such as Curlec (transaction confirmations) and our courier partners (delivery status).

How we use your personal data

We use your personal data for the following purposes:

Purpose	Categories of data used	Legal basis under PDPA
Processing and fulfilling your orders, including delivery and returns	Account, order, payment, technical	Performance of a contract with you
Managing your customer account	Account, order	Performance of a contract with you
Providing skin quiz results and personalised product recommendations	Skin profile, beauty preferences	Consent (you may withdraw at any time)
Processing allergy and sensitivity information to recommend suitable products	Sensitive personal data (allergies)	Explicit consent
Shade-matching using photos you upload	Customer-uploaded photos	Consent
Sending you marketing emails and WhatsApp messages about Salute products and offers	Account, marketing preferences	Consent (you may unsubscribe at any time)
Operating our referral programme	Account, referral data	Consent of both you and the person you refer
Detecting and preventing fraud, abuse of promotional codes, or misuse of the website	Account, order, technical	Legitimate interests of protecting our business
Complying with our legal obligations (e.g. keeping tax and accounting records under the Income Tax Act 1967)	Order, payment	Legal obligation
Improving salute.my, our products, and customer experience through analytics	Technical, usage	Consent (for non-essential cookies); legitimate interests (for essential analytics)
Responding to your enquiries and customer service requests	Account, order, communications	Performance of a contract; legitimate interests

Third parties we share your data with

We do not sell your personal data. We share it only with the third parties listed below, and only to the extent necessary for the purposes set out above. Each of these third parties is contractually required to protect your data and use it only on our instructions.

Third party	What they do	Data shared
Curlec Sdn Bhd (Curlec by Razorpay)	Payment processing	Name, email, phone, billing address, transaction amount
Hostinger International Ltd	Website and database hosting	All data stored on salute.my
Brevo (Sendinblue SAS)	Email marketing platform	Name, email, marketing preferences, email engagement data
WhatsApp Business API (Meta Platforms, Inc.)	WhatsApp customer service and marketing messages	Name, phone number, message content
EasyParcel Sdn Bhd and appointed couriers	Order delivery	Name, shipping address, phone number, order contents (for declaration)
Google LLC (Google Analytics, Google Tag Manager, Google Ads)	Website analytics and advertising	Technical data, usage data, cookie identifiers
Meta Platforms, Inc. (Facebook & Instagram Pixel, Meta Ads)	Advertising and retargeting	Technical data, usage data, cookie identifiers, hashed email (where consented)
TikTok Pte. Ltd. (TikTok Pixel, TikTok Ads)	Advertising and retargeting	Technical data, usage data, cookie identifiers
Government authorities, courts, and law enforcement	Where required by Malaysian law	Whatever is legally required
Professional advisers (lawyers, auditors, accountants)	Legal, audit, and tax compliance	Only what is strictly necessary

Cross-border transfers of personal data

Some of the third parties listed in section 6 process data outside Malaysia. In particular:

Hostinger is headquartered in Lithuania and may store data on servers in the European Union, Singapore, or other regions.
Brevo is based in France and processes data within the European Union.
Google, Meta, and TikTok are headquartered outside Malaysia (in the United States and Singapore respectively) and may transfer data globally.
WhatsApp Business API is operated by Meta and may involve transfers outside Malaysia.

Where personal data is transferred outside Malaysia, we rely on one or more of the following safeguards as permitted under section 129 of the PDPA and the Personal Data Protection Guidelines No. 03/2025 on Cross-Border Personal Data Transfer:

Your consent to the transfer;
The transfer being necessary for the performance of your order contract with us;
Contractual safeguards (such as standard contractual clauses) ensuring the recipient provides protection at least equivalent to the PDPA;
Transfers to jurisdictions that the recipient operates in with comparable data protection laws.

You may contact our DPO at hi@salute.my to request more information about the specific safeguards in place.

Sensitive personal data (allergies)

Information about your physical health, allergies, or skin sensitivities is classified as sensitive personal data under section 4 of the PDPA. We only process this information with your explicit consent.

When you complete our skin quiz or otherwise share allergy or sensitivity information, you will be asked to tick a clearly worded consent box confirming that you agree to Salute processing this information to recommend suitable products.

We use this information solely for product recommendations and to flag potentially unsuitable products for you. We do not share this data with marketing partners, advertisers, or any third party other than the technical service providers listed in section 6 who store it securely on our behalf.

You may withdraw your consent at any time by emailing hi@salute.my. On withdrawal we will delete the sensitive data from your profile within 30 days, though personalised recommendations will no longer be available.

Customer photos for shade-matching

If you choose to upload a photo to our in-house shade-matching tool, please note:

Photos are processed by us in-house — we do not send your photos to any third-party AI or shade-matching service.
Photos are stored against your account permanently, so that we can deliver consistent shade matching on repeat purchases. You may delete your photos at any time from your account, or by emailing hi@salute.my.
Photos are never used for marketing, advertising, social media content, or shared with any third party, unless you separately and explicitly agree in writing.
You may withdraw your consent at any time and request deletion of your photos.

Cookies and similar technologies

We use cookies and similar tracking technologies (pixels, tags, local storage) on salute.my for the following purposes:

Strictly necessary cookies

Required for the website to function — keeping you logged in, remembering your shopping cart, and processing payments. These cannot be switched off.

Analytics cookies

Help us understand how visitors use the site so we can improve it. Set by Google Analytics, Google Tag Manager, and similar tools.

Advertising and retargeting cookies

Allow us and our advertising partners (Meta, TikTok, Google) to show you Salute products on other websites and social media platforms that you may be interested in. These cookies are only set with your consent.

When you first visit salute.my, you will see a cookie banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time through the cookie settings link in our website footer.

Marketing communications

We will only send you marketing emails or WhatsApp messages if you have opted in by ticking an unticked consent box at checkout, on our newsletter signup form, or in your account settings.

You can unsubscribe at any time by:

Clicking the “unsubscribe” link at the bottom of any marketing email;
Replying “STOP” to any marketing WhatsApp message;
Emailing us at hi@salute.my; or
Updating your preferences in your salute.my account.

Even if you unsubscribe from marketing, we will still send you transactional messages (order confirmations, shipping updates, refund notices, account security alerts) because these are necessary to fulfil your order.

How long we keep your personal data

Data	Retention period
Active customer account data	For as long as your account is active
Inactive customer accounts	Deleted after 3 years of inactivity (no login, no order)
Order, invoice, and payment records	7 years from the date of the order, to comply with the Income Tax Act 1967 and other Malaysian tax and accounting laws
Marketing data (email/WhatsApp opt-in records)	Until you unsubscribe, plus a short suppression record afterwards to ensure we do not contact you again
Skin quiz answers and allergy/sensitivity data	Until you delete your account, or 2 years of inactivity, whichever comes first
Customer-uploaded photos (shade-matching)	Until you delete the photo or your account
Cookie data	Varies by cookie — see our cookie settings for details
Customer service correspondence	3 years from the date of the last interaction

When we no longer need your personal data, we will securely delete or anonymise it.

Your rights under the PDPA

You have the following rights regarding your personal data:

Right of access — you may request a copy of the personal data we hold about you.
Right to correct — you may ask us to correct inaccurate or incomplete data.
Right to withdraw consent — where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect any processing carried out before the withdrawal.
Right to data portability — under the PDPA (Amendment) Act 2024, you may request that we transfer your personal data directly to another data controller, where technically feasible.
Right to limit processing — you may ask us to stop processing your data for direct marketing or other specified purposes.
Right to prevent processing likely to cause damage or distress — you may ask us to stop processing where that processing is likely to cause you damage or distress.
Right to delete — you may ask us to delete your personal data, subject to our legal obligation to retain certain records (e.g. tax records for 7 years).
Right to complain — you may lodge a complaint with the Personal Data Protection Commissioner (see section 17).

To exercise any of these rights, please email our DPO at hi@salute.my. We will respond within 21 days of receiving your request, as required by section 30 of the PDPA. We may need to verify your identity before processing your request, and we may charge a prescribed fee for access requests as permitted under the PDPA.

How we protect your data

We take the security of your personal data seriously and apply the security principle under section 9 of the PDPA. Measures we use include:

HTTPS encryption across all pages of salute.my;
Passwords stored as one-way salted hashes — they are not readable even by our staff;
Payment card data handled exclusively by our PCI-DSS compliant payment gateway, Curlec — we never see or store card details;
Role-based access controls — only authorised staff can access customer data, and only for legitimate business purposes;
Regular software updates and security patches on our hosting infrastructure;
Written data-processing agreements with all third-party providers listed in section 6.

Data breach notification

If a personal data breach occurs that is likely to cause significant harm to you, we will, in line with the PDPA (Amendment) Act 2024:

Notify the Personal Data Protection Commissioner of the breach within the timeframe required by law; and
Notify affected individuals directly, with information about what happened, what data was involved, and what steps to take.

Minors (under 18)

Salute is intended for adults. You must be at least 18 years old to create an account, place an order, or otherwise provide personal data on salute.my.

We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18 without verified parental consent, we will delete that data as soon as reasonably possible. If you believe we hold data about a minor, please contact hi@salute.my.

Contact us and how to file a complaint

If you have any questions about this policy, want to exercise any of your rights under the PDPA, or would like to make a complaint about how we have handled your personal data, please contact our Data Protection Officer:

Data Protection Officer

PNH Malaysia Sdn Bhd (trading as Salute)

A-21-01, Pinnacle PJ Tower A,  Lorong Utara C, Pjs 52, 46200 Petaling Jaya, Selangor.

Email: hi@salute.my

If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commissioner:

Jabatan Perlindungan Data Peribadi (JPDP)

Aras 6, Kompleks Kementerian Digital, No. 13, Persiaran Perdana, Presint 2, Pusat Pentadbiran Kerajaan Persekutuan,
62000 Putrajaya, Malaysia

Website: www.pdp.gov.my

Email: aduan@pdp.gov.my

Changes to this policy

We may update this policy from time to time to reflect changes in our practices, services, or applicable law. When we make material changes, we will:

Update the “Last updated” date at the top of this policy;
Post a clear notice on salute.my; and
Where the change is significant (for example, a new category of data sharing), notify you by email and ask for fresh consent where required by law.

We encourage you to review this policy periodically.

Popular Categories

Best Sellers