Privacy Policy

1. Introduction

This website (chasurgery.com) is operated by Dr Cha Kar Huei, a Consultant Bariatric, Colorectal and Laparoscopic Surgeon practising at Hospital Picaso, Petaling Jaya, Selangor, Malaysia.

By using this website, submitting an enquiry form, or contacting us by phone or WhatsApp, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your personal data as described herein.

If you do not agree with any part of this policy, please do not use this website or submit your personal information to us.

2. Data We Collect

We may collect the following categories of personal data:

Information you provide directly

• Identity data: full name
• Contact data: phone number, email address, WhatsApp number
• Appointment data: preferred consultation date, reason for consultation, service of interest
• Health data: any medical information you voluntarily share in your enquiry message or during consultation
• Communication data: records of correspondence between you and our clinic

Information collected automatically

• Usage data: pages visited, time spent on site, browser type, device type, operating system
• Technical data: IP address, referral source, geographic region (country/city level)
• Cookie data: preferences and session information stored via cookies (see Section 6)
• Advertising data: interactions with Google Ads, click-through data, conversion events (see Section 7)

Information from third parties

• Referral information from Hospital Picaso or other healthcare providers
• Data from Google Analytics and Google Ads platforms

3. How We Use Your Data

We use your personal data for the following purposes:

• To respond to your appointment enquiry and confirm your consultation
• To provide medical consultation and surgical services
• To contact you regarding your appointment, follow-up care, or test results
• To maintain accurate medical and administrative records
• To send appointment reminders or health-related communications (with your consent)
• To improve our website content and user experience
• To measure the effectiveness of our online advertising (Google Ads)
• To comply with legal, regulatory, and professional medical obligations
• To protect the security and integrity of our services

We will not use your personal data for unsolicited marketing, sell it to third parties, or share it with advertisers for profiling purposes.

4. Legal Basis for Processing

Under the Personal Data Protection Act 2010 (PDPA) Malaysia, we process your personal data on the following legal grounds:

• Consent: when you submit an enquiry form or contact us, you consent to us processing your data to respond to your request
• Contract: when you become a patient, processing is necessary to provide and manage your medical care
• Legal obligation: we are required by Malaysian medical law and professional guidelines to maintain patient records
• Legitimate interests: we use anonymised analytics data to improve our website and services

For sensitive health data (medical information), we rely on your explicit consent and our legal and professional obligations as a healthcare provider.

5. Disclosure of Your Data

We do not sell, rent, or trade your personal data. We may share your data only in the following circumstances:

Healthcare providers

With your consent, we may share relevant medical information with other healthcare professionals involved in your care — such as anaesthetists, referring doctors, Hospital Picaso, or specialist consultants.

Service providers

We use trusted third-party services to operate this website, including:

• Formspree — to receive and forward appointment enquiry form submissions to our clinic email
• Google Analytics — for anonymised website usage statistics
• Google Ads — for advertising and conversion tracking
• Google Fonts — for website typography (font files loaded from Google servers)

These providers process data only as instructed by us and under their own privacy policies.

Legal requirements

We may disclose your data if required to do so by law, court order, or regulatory authority, or if necessary to protect the rights, property, or safety of our patients, staff, or the public.

6. Cookies & Tracking Technologies

Cookies are small text files placed on your device when you visit a website. We use the following types of cookies:

• Strictly necessary cookies: essential for the website to function correctly. These cannot be disabled.
• Analytics cookies: used by Google Analytics to collect anonymised information about how visitors use our website. No personally identifiable information is collected.
• Advertising cookies: used by Google Ads to measure the effectiveness of our advertisements and track conversions (e.g. appointment enquiry submissions).

You can control or disable cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of this website. Most browsers allow you to refuse cookies by adjusting the settings.

For more information about Google's use of cookies, visit policies.google.com/privacy.

7. Google Ads & Analytics

This website uses Google Ads for online advertising and Google Analytics for website performance analysis. These services may collect the following data:

• Pages visited and time spent on site
• Geographic location (country and city level only)
• Device type, browser, and operating system
• Traffic source (how you arrived at our website)
• Conversion events (e.g. submitting an appointment enquiry form)

This data is collected anonymously and is used solely to understand how our website performs and to optimise our advertising. We do not share this data with third parties for marketing purposes.

Google may use this data in accordance with its own Privacy Policy. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.

You can manage your Google Ads personalisation settings at adssettings.google.com.

8. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, and in accordance with applicable Malaysian law and medical guidelines:

• Medical records: retained for a minimum of 7 years from the date of last treatment, or longer if required by law or professional guidelines
• Appointment enquiry data: retained for up to 2 years if no consultation takes place, or incorporated into your medical record if you become a patient
• Website analytics data: retained by Google Analytics for up to 26 months by default
• Email correspondence: retained for up to 3 years

When data is no longer required, it is securely deleted or anonymised.

9. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include:

• HTTPS encryption for all data transmitted via this website
• Secure email communication for clinical correspondence
• Access controls limiting who can view patient data within our clinic
• Use of reputable third-party service providers with their own security standards

However, no method of internet transmission or electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. If you have reason to believe your data has been compromised, please contact us immediately.

10. Your Rights

Under the Personal Data Protection Act 2010 (PDPA) Malaysia, you have the following rights regarding your personal data:

• Right of access: you may request a copy of the personal data we hold about you
• Right of correction: you may request that inaccurate or incomplete data be corrected
• Right to withdraw consent: you may withdraw consent to marketing communications at any time
• Right to limit processing: you may request that we restrict the processing of your data in certain circumstances

Please note that some rights may be limited where we are required by law to retain data (e.g. medical records under Malaysian medical regulations) or where retention is necessary to protect our legitimate interests.

To exercise any of these rights, please contact us using the details in Section 13.

11. Children's Privacy

This website is not directed at children under the age of 18. We do not knowingly collect personal data from children without verifiable parental or guardian consent.

If a parent or guardian believes that their child has submitted personal data to us without consent, please contact us immediately and we will take steps to delete such data.

When a child is a patient of Dr Cha, all communications and consent are handled through the parent or legal guardian, in accordance with Malaysian medical and legal requirements.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or services. When we make material changes, we will update the "Last updated" date at the top of this page.

We encourage you to review this policy periodically. Your continued use of this website after any changes constitutes your acceptance of the updated policy.

Previous versions of this policy are available on request by contacting us directly.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us: