Legal
Privacy Policy
How we collect, use, and protect your personal data under PDPA Malaysia.
Effective from: 13 May 2026 · Last updated: 13 May 2026
This Privacy Policy explains how Third Space Wellness Sdn. Bhd. (Company Registration No. 202601004222 (1666319-T)), trading as Icebatu ("we," "us," "our"), collects, uses, and protects your personal data in compliance with the Personal Data Protection Act 2010 (PDPA) of Malaysia.
By using icebatu.com or any service we provide, you agree to the practices described in this policy.
Section 1: Information we collect
We collect the following categories of personal data:
Information you provide directly:
- Name, Email address, Phone number
- Payment information (processed by Stripe — we do not store full card details)
- Communications you send us via email, WhatsApp, or our contact forms
Information collected automatically:
- Device and browser information (browser type, operating system, IP address)
- Usage data (pages visited, time on site, referring URL)
- Cookies and similar technologies (see Section 6)
Information from third parties:
- Referral information when you join via another member's referral link
- Payment confirmation data from Stripe
Section 2: How we use your information
- Membership operations: Creating and managing your account, processing payments, providing access to our facilities
- Service delivery: Booking sessions, sending session reminders, managing waitlists
- Communications: Sending updates about Icebatu, renovation progress, opening dates, retreat information
- Marketing: With your consent, sending newsletters and promotional information (you can withdraw consent at any time)
- Legal compliance: Meeting our obligations under Malaysian law including tax, accounting, and consumer protection requirements
- Safety: Maintaining emergency contact information for use of contrast therapy facilities
Section 3: Legal basis for processing
- Your consent (for marketing communications and optional data)
- Performance of a contract (delivering the membership and services you've paid for)
- Compliance with legal obligations
- Our legitimate interests (improving services, preventing fraud, ensuring safety)
Section 4: Who we share your data with
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, payment details |
| Supabase Inc. | Database hosting and authentication | All membership data |
| Resend (Substance Labs Inc.) | Transactional email delivery | Name, email |
| Vercel Inc. | Website hosting | Usage logs, IP addresses |
| Google Analytics (if enabled) | Website analytics | Anonymized usage data |
We do not sell your personal data. We do not share your data with advertisers.
We may disclose your information if required by law, court order, or to protect the safety of our members or staff.
Section 5: International data transfers
Some of our service providers are located outside Malaysia (notably Stripe, Supabase, Resend, and Vercel which operate primarily from the United States and European Union). When we transfer your data internationally, we ensure equivalent levels of protection through contractual safeguards and the providers' own compliance frameworks.
Section 6: Cookies and tracking
| Cookie | Purpose | Duration |
|---|---|---|
| icebatu_lang | Remember your language preference (EN / 中文) | 1 year |
| icebatu_referral | Track referrals from other members | 30 days |
| Supabase auth session | Keep you signed in | Per session |
We do not use third-party advertising cookies.
Section 7: Data retention
We retain your personal data for as long as necessary to:
- Provide our services to you
- Meet our legal and accounting obligations (typically 7 years from your last transaction, per Malaysian tax law)
- Resolve disputes and enforce our agreements
When you cancel your membership, we retain a record of your membership history for the periods above, but we will delete or anonymize data that's no longer needed.
Section 8: Your rights under PDPA
- Access the personal data we hold about you
- Correct any inaccurate or incomplete information
- Withdraw consent for marketing communications at any time
- Object to processing of your data for certain purposes
- Request deletion of your data, subject to our legal obligations to retain certain records
- Lodge a complaint with the Personal Data Protection Commissioner of Malaysia
To exercise any of these rights, contact us at icebatu.official@gmail.com. We will respond within 21 days as required by PDPA.
Section 9: Data security
We protect your data through:
- Encrypted connections (HTTPS) for all data transmission
- Encrypted storage of sensitive data in Supabase
- Restricted internal access on a need-to-know basis
- Regular security reviews
No system is 100% secure. If a data breach occurs that affects your personal data, we will notify you and the relevant authorities as required by law.
Section 10: Children's privacy
Icebatu services are not intended for individuals under 18. We do not knowingly collect data from anyone under 18. If you believe we have collected data from a minor, please contact us.
Section 11: Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to active members and posted on this page with an updated "Effective from" date.
Section 12: Contact us
Third Space Wellness Sdn. Bhd.
Email: icebatu.official@gmail.com
Address: [Business address — to be confirmed upon CCC handover]
Company Registration: 202601004222 (1666319-T)
Related policies: