Terms of Service

Effective date: 01.01.2026

This Privacy Policy describes how Estika (“we”, “us”, or “our”) collects, uses, stores, discloses, and protects your personal data when you visit www.estika.com (the “Website”), purchase skincare products from us, book medispa treatments, or visit our medispa. We are committed to protecting your privacy in accordance with the Personal Data Protection Act 2010 of Malaysia (“PDPA”).

By using our Website, purchasing our products, or receiving our services, you consent to the collection and use of your personal data as described in this Policy.

1. About Us

Estika, operated by Estika Medispa Holdings Sdn Bhd, is a medispa and skincare business based in Malaysia, providing facial spa treatments at our medispas and selling skincare products through our Website.

Contact: Estika Medispa Holdings Sdn Bhd (201501030317 (1155641-A)), M-4-01, 4th Floor Connection Commercial Persiaran IRC 3 Conezion @ 10l Resort City Sepang, 62502 Putrajaya, [email protected]

2. Personal Data We Collect

Because our services include both retail skincare and aesthetic treatments, we collect different categories of personal data depending on your interaction with us.

2.1 Information You Provide to Us

  • Identity and contact information: full name, date of birth, gender, email address, telephone number, and delivery address.
  • Account information: username, password, and preferences (if you create a Website account).
  • Order information: products purchased, order history, delivery instructions, and billing details. Payment details are collected and processed directly by our third-party payment processor, toyyibpay, and are not stored by us.
  • Booking information: preferred treatment, preferred practitioner, appointment date and time, and any notes you provide when booking.
  • Health and medical information (for treatments only): skin concerns, skin type, allergies, current medications, medical history, pregnancy or breastfeeding status, previous aesthetic treatments, photographs of treatment areas (“before and after” images), and treatment records. This information is collected at the clinic during consultations and is necessary for safe delivery of treatments.
  • Communications: messages, enquiries, feedback, and reviews you submit to us.

2.2 Information Collected Automatically

  • IP address, browser type, operating system, and device identifiers.
  • Pages visited, products viewed, time spent on pages, and navigation patterns.
  • Cookie and similar tracking data (see Section 7).

2.3 Information from Third Parties

We may receive information about you from social media platforms (if you interact with us there), referrals, or service providers such as delivery couriers and analytics providers.

3. How We Use Your Personal Data

We use your personal data for the following purposes:

3.1 Product Sales and Delivery

  • Processing orders, collecting payment, and arranging delivery of skincare products.
  • Sending order confirmations, shipping notifications, and delivery updates.
  • Managing returns (where applicable) and responding to product-related enquiries.

3.2 Treatment Bookings and Care

  • Scheduling, confirming, and managing your treatment appointments.
  • Sending appointment reminders and follow-up care instructions.
  • Assessing your suitability for treatments and ensuring safe, appropriate care.
  • Maintaining clinical records as required under Malaysian healthcare law and professional guidelines.
  • Using before-and-after photographs for your own treatment records, and, only with your separate written consent, for marketing or educational purposes.

3.3 General Business Purposes

  • Responding to enquiries, feedback, and reviews submitted through the Website or other channels.
  • Sending service-related notices such as changes to your booking or order.
  • With your consent, sending marketing communications about products, promotions, and treatments. You may withdraw consent at any time.
  • Improving the Website, our products, and our services.
  • Complying with legal, regulatory, tax, and accounting obligations.
  • Preventing fraud and enforcing our Terms.

4. Sensitive Personal Data

Health information (including skin condition, medical history, and treatment photographs) is treated as sensitive personal data under the PDPA. We only collect and process this data where:

  • You have given explicit consent via our consultation or consent forms.
  • It is necessary to provide treatments safely and in accordance with professional standards.
  • It is required by law, regulation, or professional body.

Access to your health information is restricted to qualified personnel directly involved in your care.

5. Legal Basis for Processing

  • Your consent (including explicit consent for sensitive health data).
  • Performance of a contract with you (e.g., fulfilling an order or delivering a treatment you have booked).
  • Compliance with legal or regulatory obligations.
  • Our legitimate interests in operating the business, provided these do not override your rights.

6. Disclosure of Your Personal Data

We do not sell, rent, or trade your personal data to third parties. We may disclose your personal data only to trusted third-party service providers and other recipients described below who assist us in operating our Website, processing payments, fulfilling orders, managing bookings, delivering communications, supporting our operations, or where disclosure is otherwise permitted or required by law. Such parties are expected to keep your information confidential and use it only for the authorised purpose.

  • Payment processors (toyyibpay) for payment processing.
  • Delivery and logistics providers to ship your products.
  • Cloud hosting, booking system, and CRM providers that support our operations.
  • Email, SMS, and marketing platform providers.
  • Qualified practitioners, therapists, and staff involved in your care.
  • Professional advisers (lawyers, accountants, auditors, insurers).
  • Regulatory authorities (including the Ministry of Health) where required by law or in response to a lawful request.
  • Successor entities in the event of a merger, acquisition, or sale of assets.

7. Cookies and Tracking Technologies

Our Website uses cookies and similar technologies to:

  • Enable essential Website functions (such as the shopping cart and login).
  • Analyse Website traffic and user behaviour (e.g., Google Analytics).
  • Remember your preferences and personalise your experience.
  • Measure the effectiveness of marketing campaigns (e.g., Meta Pixel, if used).

You can control cookies through your browser settings. Disabling cookies may affect the functionality of the Website.

8. International Data Transfers

Some of our service providers (including toyyibpay and cloud hosting providers) may process your personal data outside Malaysia. Where this occurs, we take reasonable steps to ensure that your data receives an adequate level of protection, including through contractual safeguards.

9. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy or as required by law. Typical retention periods include:

  • Order and transaction records: seven (7) years, in line with Malaysian tax and accounting requirements.
  • Medical and treatment records: at least seven (7) years from the date of the last entry, or longer where required by Malaysian healthcare regulations.
  • Treatment photographs: retained in your clinical file; marketing use (if consented) will continue until consent is withdrawn.
  • Marketing contacts: up to two (2) years from last interaction, unless consent is withdrawn earlier.
  • Website analytics: up to twenty-six (26) months.

10. Data Security

We implement appropriate technical and organisational measures to safeguard your personal data, including encryption of data in transit, access controls, secure storage of clinical records, staff confidentiality training, and regular review of our security practices. However, no system is completely secure, and we cannot guarantee absolute security.

11. Your Rights Under the PDPA

  • Right of access: to request a copy of the personal data we hold about you.
  • Right to correct: to request correction of inaccurate or incomplete data.
  • Right to withdraw consent: at any time, where processing is based on consent (note: some records, such as medical records, may need to be retained for legal reasons even if consent is withdrawn).
  • Right to limit processing: in certain circumstances.
  • Right to prevent direct marketing: to opt out of marketing communications.
  • Right to lodge a complaint: with the Personal Data Protection Commissioner of Malaysia.

To exercise any of these rights, please contact us at [email protected]. We may require verification of your identity before responding.

12. Children’s Privacy

Our Website and services are intended for individuals aged eighteen (18) and above. We do not knowingly collect personal data from children. Certain aesthetic treatments may have additional age restrictions; these will be explained during your consultation.

13. Third-Party Links

Our Website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The updated Policy will be posted on the Website with a revised “Effective Date”. Where changes are material, we will take reasonable steps to notify you. Your continued use of our Website or services after the Policy is updated constitutes your acceptance of the revised Policy.

15. How to Contact Us

For questions or requests regarding this Privacy Policy:

Estika Medispa Holdings Sdn Bhd

Email: [email protected]

Website: www.estika.com

Address: M-4-01, 4th Floor Connection Commercial Persiaran IRC 3 Conezion @ 10l Resort City Sepang, 62502 Putrajaya

    — End of Privacy Policy —

Who we are

Our website address is: http://165.22.97.160.

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where your data is sent

Visitor comments may be checked through an automated spam detection service.