The Art Of Crypto

Privacy Policy

Effective Date: March 6, 2026

AOC SDN BHD (Company Registration No. [NUMBER], "AOC," "we," or "us") is committed to protecting your personal data in accordance with applicable data protection laws, including:

  • Personal Data Protection Act 2010 (Malaysia)
  • General Data Protection Regulation (GDPR) — for UK/EU customers
  • Australian Privacy Act 1988 — for Australian customers
  • Applicable US state privacy laws

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Platform and Services.

1. Data Controller

The data controller responsible for your personal data is:
AOC SDN BHD
7-2, Plaza Danau 2, Jalan 2/109F
Taman Danau Desa, 58100 Kuala Lumpur, Malaysia
Email: support@theartofcrypto.co
UK/EU Representative: [To be appointed if processing substantial EU/UK data]

2. Personal Data We Collect

2.1 Information You Provide

When you register or purchase Services, we collect:

  • Full name
  • Email address
  • Phone number (for WhatsApp support and community access)
  • Payment information (processed by Stripe/PayPal; we do not store full card details)
  • Country of residence
  • Billing address
  • Time zone (optional, for live session scheduling)

2.2 Automatically Collected Data

When you use the Platform, we automatically collect:

  • IP address
  • Device type and operating system
  • Browser type and version
  • Access timestamps (including First Access to content)
  • Module viewing history and video watch time
  • Login/logout activity
  • Referral source (how you found our Platform)
  • Cookies and similar tracking technologies

2.3 Communications

We retain records of support ticket correspondence, email communications, WhatsApp/Telegram messages in Community Channels (where applicable and consented to), and feedback and survey responses.

2.4 Special Categories of Data

We do NOT intentionally collect sensitive personal data (racial origin, political opinions, religious beliefs, health data, biometric data, etc.). If you voluntarily provide such information, we will delete it or obtain your explicit consent for processing.

3. Purpose of Data Collection

3.1 Service Delivery (Primary Purpose)

Granting access to the Member Portal, delivering course content and live mentorship, facilitating Community Channel access, providing technical support, and personalizing educational content.
Legal Basis: Contract performance (GDPR Art. 6(1)(b)); Consent (PDPA Section 6, GDPR Art. 6(1)(a))

3.2 Security and Fraud Prevention

Detecting account sharing or unauthorized access, preventing fraudulent refund claims, defending chargeback disputes, and monitoring for suspicious activity.
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)); Legal obligations (GDPR Art. 6(1)(c))

3.3 Compliance and Legal Obligations

Complying with Malaysian tax and company law requirements, responding to lawful requests from regulators or law enforcement, enforcing our Terms of Service and Refund Policy, and maintaining transaction records for audit purposes.
Legal Basis: Legal obligations (PDPA Section 6, GDPR Art. 6(1)(c))

3.4 Analytics and Improvement

Understanding user engagement and course effectiveness, improving content delivery and Platform functionality, conducting internal business analytics, and A/B testing educational approaches.
Legal Basis: Legitimate interests (GDPR Art. 6(1)(f)); Consent (for cookies/analytics)

3.5 Marketing (With Consent)

Sending promotional emails about new courses or services, targeted advertising, newsletter distribution, and student success story features (with explicit consent).
Legal Basis: Consent (PDPA Section 6, GDPR Art. 6(1)(a), Australian Privacy Act)
You can withdraw consent at any time by clicking "unsubscribe" or emailing support@theartofcrypto.co.

4. Data Sharing and Disclosure

4.1 Third-Party Service Providers

We share personal data with:

  • Payment Processors (Stripe, PayPal) — transaction processing
  • Email Service Providers — communications
  • Analytics Tools (Google Analytics) — Platform usage analysis
  • Cloud Hosting Providers (e.g., AWS, Google Cloud) — secure data storage
  • Communication Platforms (WhatsApp, Telegram) — community access

These providers are contractually obligated to process data only for specified purposes, implement appropriate security measures, comply with applicable data protection laws, and not use data for their own purposes.

4.2 No Sale of Data

WE DO NOT SELL, RENT, OR TRADE YOUR PERSONAL DATA TO THIRD PARTIES FOR MARKETING PURPOSES.

4.3 Legal Disclosure

We may disclose personal data if required by court order or subpoena, law enforcement request, regulatory investigation (e.g., Securities Commission Malaysia, FCA, ASIC), defense of legal claims (e.g., chargeback disputes), or protection of our rights, property, or safety, or that of others.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the successor entity. You will be notified of any such transfer at least 30 days in advance. UK/EU Customers: Such transfers will comply with GDPR requirements, including appropriate safeguards.

4.5 Anonymized Data

We may share aggregated, anonymized data (which cannot identify you) with researchers, business partners, industry analysts, and marketing platforms.

5. Data Retention

5.1 Active Accounts

We retain your personal data for as long as your account is active or as needed to provide Services.

5.2 Post-Termination Retention Periods

| Data Type | Retention Period | Reason |
|---|---|---|
| Transaction records | 7 years | Malaysian tax law |
| Access logs (for chargeback defense) | 24 months | Legal defense |
| Communications (support tickets) | 2 years | Dispute resolution |
| Marketing preferences | Until withdrawal | Consent management |
| Video viewing data | 12 months | Service improvement |

5.3 Extended Retention

We may retain data beyond standard periods if required by law or regulatory order, necessary for ongoing legal proceedings, or subject to litigation hold.

5.4 Anonymization

After retention periods, personal identifiers are removed, and data may be retained indefinitely in anonymized form for statistical analysis.

5.5 Your Deletion Rights

Subject to legal retention requirements, you may request earlier deletion by contacting support@theartofcrypto.co.

6. Your Rights Under Applicable Laws

6.1 Rights for All Users (PDPA 2010)

Under Malaysian law, you have the right to:

  • Access: Request a copy of personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Withdrawal of Consent: Withdraw consent for marketing or optional processing
  • Limitation: Request limitation of processing to specific purposes

6.2 Additional Rights for UK/EU Customers (GDPR)

If you are in the UK or EU, you additionally have the right to:

  • Erasure ("Right to be Forgotten"): Request deletion of your data, subject to legal obligations to retain records and legitimate interests in defending legal claims
  • Object: Object to processing based on legitimate interests
  • Restrict Processing: Request limitation of processing while disputes are resolved
  • Data Portability: Receive your data in a structured, machine-readable format (CSV, JSON)
  • Automated Decision-Making: Right not to be subject to decisions based solely on automated processing (Note: We do not use automated decision-making for critical decisions)
  • Lodge a Complaint: UK — Information Commissioner's Office (ICO): ico.org.uk; EU — your national data protection authority

6.3 Additional Rights for Australian Customers

Under the Australian Privacy Act 1988, you have the right to access and correct your personal information, and to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

6.4 Rights for US Customers

California (CCPA/CPRA): Right to know what personal information is collected, right to delete personal information, right to opt out of sale (Note: We do not sell data), and right to non-discrimination for exercising rights.

Virginia, Colorado, Connecticut: Similar rights to CCPA where applicable under state privacy laws.

6.5 How to Exercise Your Rights

Contact support@theartofcrypto.co with "DATA REQUEST" in the subject line. We will respond within: PDPA — 21 days; GDPR — 30 days (extendable by 60 days for complex requests); Australian Privacy Act — 30 days; CCPA — 45 days. We may require proof of identity before processing requests to prevent unauthorized access.

7. Data Security

7.1 Technical Measures

We implement industry-standard security measures including:

  • Encryption: SSL/TLS encryption for data transmission (minimum TLS 1.2); at-rest encryption for databases
  • Authentication: Secure password hashing (bcrypt); multi-factor authentication (optional for users)
  • Access Controls: Role-based access for internal staff; regular access audits
  • Monitoring: Intrusion detection systems; regular security vulnerability assessments; penetration testing (annual)

7.2 Organizational Measures

Employee training on data protection, confidentiality agreements with all staff and contractors, data processing agreements with third-party processors, incident response plan for data breaches, and regular security policy reviews.

7.3 Data Breach Notification

In the event of a data breach affecting your personal data:

  • UK/EU Customers: We will notify you within 72 hours if required by GDPR
  • Australian Customers: We will notify you if the breach is likely to cause serious harm (Notifiable Data Breaches scheme)
  • Malaysian/Other Customers: We will notify you in accordance with best practices and legal requirements

7.4 Limitation of Security

No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security. You are responsible for maintaining confidentiality of login credentials, using secure internet connections, keeping devices and software updated, and not sharing account access.

7.5 Your Security Responsibilities

To protect your account: use a strong, unique password; enable two-factor authentication if available; log out after using shared devices; and report suspicious activity immediately to support@theartofcrypto.co.

8. International Data Transfers

8.1 Cross-Border Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including Malaysia (our primary operations), the United States (cloud hosting providers), and Singapore (backup data centers).

8.2 Adequacy and Safeguards

For UK/EU Customers: We ensure adequate protection through: (a) Adequacy Decisions — where the destination country has been deemed adequate by the European Commission or UK government; (b) Standard Contractual Clauses (SCCs) — for transfers to countries without adequacy decisions; (c) Additional Safeguards — technical measures (encryption), organizational measures (data processing agreements), and legal measures (binding corporate rules).

For Australian Customers: We ensure overseas recipients comply with Australian Privacy Principles or are subject to substantially similar privacy protections.

8.3 Your Consent

By using the Services, you consent to the transfer of your data as described in this Policy, subject to the safeguards outlined above.

8.4 Right to Object (UK/EU)

UK/EU customers may object to international transfers on grounds relating to their particular situation. Contact support@theartofcrypto.co to exercise this right.

9. Cookies and Tracking Technologies

9.1 What Are Cookies

Cookies are small text files stored on your device that help us provide and improve the Services.

9.2 Types of Cookies We Use

| Category | Purpose | Duration | Can Disable? |
|---|---|---|---|
| Essential | Login sessions, security, Platform functionality | Session / 30 days | ❌ No — required for service |
| Analytics | Google Analytics, usage patterns, A/B testing | 1–2 years | ✅ Yes — via cookie settings |
| Marketing | Ad targeting, conversion tracking | 90 days | ✅ Yes — via cookie settings |
| Preferences | Language, timezone, display settings | 1 year | ✅ Yes — via cookie settings |

9.3 Third-Party Cookies

We use Google Analytics (usage analysis), Facebook Pixel (ad targeting, if you arrived via Facebook ads), and Stripe/PayPal (payment processing cookies).

9.4 Cookie Management

You can control cookies through our Cookie Settings, browser settings (Chrome: Settings › Privacy › Cookies; Firefox: Preferences › Privacy › Cookies; Safari: Preferences › Privacy › Cookies), or opt-out tools:

  • Google Analytics: tools.google.com/dlpage/gaoptout
  • Network Advertising Initiative: optout.networkadvertising.org

9.5 Effect of Disabling Cookies

Disabling essential cookies will prevent you from logging in or accessing the Platform. Disabling analytics/marketing cookies will not affect core functionality.

9.6 Do Not Track (DNT)

We currently do not respond to DNT browser signals, but you can disable tracking cookies via the methods above.

9.7 UK/EU Cookie Consent

For UK/EU visitors, we obtain explicit consent before setting non-essential cookies via our cookie banner.

10. Children's Privacy

10.1 Age Restriction

The Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors.

10.2 Parental Discovery

If we discover that a minor has provided personal data, we will delete the data immediately, terminate the account, and refund any payments (if applicable).

10.3 Reporting

If you believe a minor has provided us with personal data, contact support@theartofcrypto.co with "MINOR PRIVACY CONCERN" in the subject line.

11. Changes to This Policy

11.1 Right to Modify

We may update this Privacy Policy from time to time to reflect changes in data protection laws, new Services or features, feedback from regulators, or improvements to our practices.

11.2 Notice of Changes

We will provide notice of material changes via email to your registered address (at least 30 days in advance), prominent notice on the Platform, and pop-up notification upon login.

11.3 Effective Date

The "Effective Date" at the top of this Policy indicates the last revision date. Continued use after changes constitutes acceptance.

11.4 Right to Object (UK/EU/Australian Consumers)

If you do not agree with changes that materially reduce your rights, you may object to the changes, request account deletion, or request a refund (subject to Refund Policy).

12. Contact Us / Data Protection Officer

12.1 General Privacy Inquiries

Email: support@theartofcrypto.co — Subject Line: "PRIVACY INQUIRY"

12.2 Data Subject Requests

Email: support@theartofcrypto.co — Subject Line: "DATA REQUEST - [Your Request Type]"

12.3 Data Breach Reporting

Email: support@theartofcrypto.co — Subject Line: "URGENT: SECURITY BREACH"

12.4 Postal Address

AOC SDN BHD
Attention: Data Protection Officer
7-2, Plaza Danau 2, Jalan 2/109F
Taman Danau Desa, 58100 Kuala Lumpur
Malaysia

© 2026 AOC SDN BHD. All rights reserved.