Privacy Policy

Applicability of Privacy Policy

FlyFirefly Sendirian Berhad and its group of companies under Malaysia Aviation Group is committed to the protection of your Personal Data and treats the protection of your privacy as a high priority.
This Privacy Policy explains in general terms how we collect, use and protect the privacy of your Personal Data under the various privacy laws to which we are subject.

For the purposes of the EU General Data Protection Regulation (“GDPR”), the data controller is Malaysia Airlines Berhad, with its registered office at Malaysia Airlines Berhad, 1st Floor, Administration Building, South Support Zone, KLIA, 64000 Sepang, Selangor (from now on referred to as “Malaysia Airlines Berhad”, “we”, or “us”).

If you booked a flight with FlyFirefly Sendirian Berhad but one or more flights in your booking are to be operated by other airlines, such other airlines are also a “data controller” for the purposes of GDPR compliance. If you have reserved any non-flight services through FlyFirefly Sendirian Berhad, the provider of such services is also a “data controller”. Please access the respective privacy policies of the other airlines or non-flight service providers through their official websites or you may request a copy of their privacy policies from them directly.

Please read this Privacy Policy to understand how we will collect and use your Personal Data and the rights you have in relation to your Personal Data. This Privacy Policy was last updated on the date above and may vary from time to time so please check it regularly.

By visiting our website and using our products and services, you acknowledge the terms of this Privacy Policy together with our Terms and Conditions and the use and disclosure of your Personal Data as set out in this Privacy Policy.

What is Personal Data?

“Personal Data” means any information relating to an identified or identifiable natural person.
The types of Personal Data that we collect directly from you or from third parties depend on the circumstances of collection and on the nature of the service requested or transaction undertaken. It may include:
  1. personal information that links back to an individual;
  2. contact information;
  3. payment information;
  4. travel information;
  5. health information;
  6. technical information;
  7. statistical data; and
  8. location data.

How do we collect your Personal Data?

We may collect and receive Personal Data directly from you or from your authorised representatives (i.e. persons whom you have authorised, persons who have been validly identified as being you or your authorised representative pursuant to our security procedures), from third parties (e.g., travel agent or service providers) or the Personal Data of your relatives or principal where you disclose the same on their behalf, including when you:

(a) use any of our services, including when you travel with us or use airports where we operate or any facilities within those airports that we operate, such as our lounge facilities;
(b) use or access our Website or Mobile Apps, particularly when completing the "passenger details" section during the course of a booking, even if you do not complete the booking;
(c) communicate with us such as by email, telephone, in writing or through our customer services pages or social media platforms; or
(d) register, create or modify an online or in-app account with us, including your Enrich membership.
(e) The Firefly Airlines app collects location data to enable beacon-based location tracking even when the app is closed or not in use. The purpose is to receive information or promotion notifications.

We may receive your Personal Data from other entities within our group of companies under Malaysia Aviation Group.

We may also collect your Personal Data from publicly available sources through our Website or Mobile Apps and other channels including our ticketing counters and airport operations and third party providers or our subcontractors where you have consented to providing your Personal Data to them or where we subcontract them to assist us in providing services to you (e.g. wheelchair assistance, transfers, special meals).
Where another person makes reservations on your behalf, you undertake and will ensure that you have authorized the disclosure of your Personal Data and are aware of the terms and conditions of this Privacy Policy. Where you are booking on behalf of another person, you represent and warrant that you have the consent of those persons to provide their Personal Data. In addition, where you are booking on behalf of children (those below 18 years of age), please ensure that you are over 18 and have appropriate authority.

Where you disclose Personal Data on behalf of another person, you undertake and will ensure that the individual whose Personal Data is supplied to FlyFirefly Sendirian Berhad has authorized the disclosure, is informed of and consents to the terms and conditions of this Privacy Notice. Where the disclosure is in respect of a child’s Personal Data, you should do so only as the parent or legal guardian of that child and enter into relevant contracts on behalf of that child.

What do we use your Personal Data for?

We may use your Personal Data for the following purposes:
  1. to enable us to provide our services and perform our obligations to you;
  2. to facilitate your travel (e.g., making a booking) and freight arrangements;
  3. to verify the identity of passengers and perform luggage check-ins;
  4. to provide flight alert messages;
  5. to facilitate internet check-in;
  6. to process any commercial transaction (e.g. in-flight sales);
  7. to maintain your Enrich loyalty account, facilitate your participation in Enrich loyalty programme or third parties’ loyalty programmes which have partnership with us;
  8. to enable experience using your Enrich loyalty account or any other loyalty programme under Malaysia Aviation Group;
  9. to protect the safety and well-being of yourself and/or other customers;
  10. to investigate and respond to claims and inquiries from you;
  11. to remind you to complete your booking and/or offer our assistance (in case, for instance, failure to complete due to technical difficulties);
  12. to provide in-flight catering and other services that best meet your preferences and needs;
  13. for financial purposes such as credit or other payment card verification, accounting, billing and audit; and / or
  14. for business development purposes such as statistical, research and marketing analysis, systems testing, maintenance and development, quality assurance, customer surveys, customer relations to advise on alterations to flights or to help us in any future dealings with you, for example by identifying your requirements and preference;
  15. to customise the content in our website or mobile application according to your needs, preferences and personality;
  16. to share your Personal Data with our selected partners or/and our group of companies within Malaysia Aviation Group to enable us and/or our partners to personalise the services or products offered to you;
  17. to comply with any legal or regulatory requirements;
  18. to communicate and facilitate promotions, offers, product, services and information on products and activities, offers to upgrade or other notifications in relation to your booking;
  19. to allow you to participate in our programmes or features via our website or/and mobile application when you opt to do so; and/or
  20. to operate our competitions, promotions, programmes and events via our newsletters and other communications offered by Malaysia Airlines, any group of companies under Malaysia Aviation Group or our selected business partners.

Some of the Personal Data processing above may be an optional service. You may choose not to receive these emails at any time by following the unsubscribe link at the bottom of each such email or email to to request for removal of subscription notification. Kindly note we may not be able to optimise your user experience when using our products or services by doing so.

What are our legal bases for processing your Personal Data?

There are a number of different ways that we are lawfully able to process your Personal Data. We have set these out below.

Where using your Personal Data is necessary for us to carry out our obligations under our contract with you

We are allowed to use your Personal Data when it is necessary to do so for the performance of our contract with you.
For example, we need to collect your contact details in order to be able to book your flight or provide you with any additional services you have requested.

Where processing is necessary for us to carry out our legal obligations

As well as our obligations to you under any contract, we also have other legal obligations that we need to comply with and we are allowed to use your Personal Data when we need to in order to comply with those other legal obligations.
For example, we are required to transfer certain Personal Data to government authorities for anti-terrorism purposes.

Where using your data is in our legitimate interests

We are allowed to use your Personal Data where it is in our interests to do so, and those interests aren't outweighed by any potential prejudice to you. We believe that our use of your Personal Data is within a number of our legitimate interests, including but not limited to:
  • To enable us to provide our services to our customers;
  • To help us satisfy our legal obligations (for example, in relation to anti-terrorism);
  • To help us understand our customers better and provide better, more relevant services to them; and
  • To help us keep our systems and physical premises secure and prevent unauthorized access or cyberattacks.
We don't think that any of the activities set out in this Privacy Policy will prejudice you in any way. However, you do have the right to object to us processing your Personal Data on this basis. We have set out details regarding how you can go about doing this above.

Where you give us your consent to use your Personal Data

We are allowed to use your data where you have specifically consented. In order for your consent to be valid:
  • It has to be given freely, without us putting you under any type of pressure;
  • You have to know what you are consenting to – so we'll make sure we give you enough information;
  • You should only be asked to consent to one thing at a time – we therefore avoid "bundling" consents together so that you don't know exactly what you're agreeing to; and
  • You need to take positive and affirmative action in giving us your consent – we're likely to provide a tick box for you to check so that this requirement is met in a clear and unambiguous fashion.
As part of our relationship with you, we may ask you for specific consents to allow us to use your data in certain ways. For example, we currently ask for your consent to provide you with marketing communications. If we require your consent, we will provide you with sufficient information so that you can decide whether or not you wish to consent.
You have the right to withdraw your consent at any time. We have set out details regarding how you can go about this above.

Your rights

You have various rights in relation to the Personal Data which we hold about you. We have described these below.
To get in touch with us about any of these rights, please contact us at:

Business Integrity Department,
Malaysia Airlines Berhad, 1st Floor, Administration Building,
South Support Zone, KLIA, 64000 Sepang, Selangor,

We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Right to object
This right enables you to object to us processing your Personal Data where we do so for one of the following reasons:
  • because it is in our legitimate interests to do so (for further information please see below);
  • to enable us to perform a task in the public interest or exercise official authority;
  • to send you direct marketing materials; or
  • for scientific, historical, research, or statistical purposes.

Right to withdraw consent
Where we have obtained your consent to process your Personal Data for certain activities (for example, for marketing), you may withdraw this consent at any time and we will cease to use your data for that purpose unless we consider that there is an alternative legal basis to justify our continued processing of your data for this purpose, in which case we will inform you of this condition.
In particular, you may elect to stop receiving promotional activities by:
  1. unsubscribing from the mailing list;
  2. editing the relevant account settings to unsubscribe; or
  3. sending a request to

Data Subject Access Requests
You may ask us for a copy of the information we hold about you at any time, and request us to modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this unless permitted by law. If you request further copies of this information from us, we may charge you a reasonable administrative cost. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.

Right to erasure
You have the right to request that we "erase" your Personal Data in certain circumstances. Normally, this right exists where:
  • The data are no longer necessary;
  • You have withdrawn your consent to us using your data, and there is no other valid reason for us to continue;
  • The data has been processed unlawfully;
  • It is necessary for the data to be erased in order for us to comply with our obligations under law; or
  • You object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure in limited circumstances and we will always tell you our reason for doing so.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.

Right to restrict processing
You have the right to request that we restrict our processing of your Personal Data in certain circumstances, for example if you dispute the accuracy of the Personal Data that we hold about you or you object to our processing of your Personal Data for our legitimate interests. If we have shared your Personal Data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your Personal Data.

Right to rectification
You have the right to request that we rectify any inaccurate or incomplete Personal Data that we hold about you. If we have shared this Personal Data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. You may also request details of the third parties that we have disclosed the inaccurate or incomplete Personal Data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
In particular, you may update or make amendments to your Personal Data as below:
  1. for online registered customers, you may log in to your online account and update your Personal Data; or
  2. for every other customer, you may email your request to

Right of data portability
If you wish, you have the right to transfer your Personal Data between service providers. In effect, this means that you are able to transfer the details we hold on you to another third party. To allow you to do so, we will provide you with your data in a commonly used machine-readable format so that you can transfer the data. Alternatively, we may directly transfer the data for you.

Right to complain
You have the right to lodge a complaint with our regulator, who is the Commissioner of Personal Data Protection in Malaysia. In Europe, you may access the list of privacy regulators for each Member State (along with contact details) by clicking the link.

To whom do we disclose your Personal Data?

We will not trade or sell your Personal Data to third parties. Your Personal Data shall only be disclosed or transferred to the following third parties appointed or authorised by the Company, who may be located within or outside Malaysia:
  1. our travel and freight service providers or travel-related businesses;
  2. our partner airlines and other carriers;
  3. airport authorities;
  4. our other affiliates and service partners where it is necessary to facilitate your travel;
  5. our group of companies within Malaysia Aviation Group to provide services, products or personalised offers or/and messages;
  6. credit card verification providers;
  7. IT service providers;
  8. data analytics including search engine providers and/or marketing agency which assist us to improve and optimise your experience in using our website and mobile application;
  9. advertisers and advertising networks which require certain data to offer relevant adverts to you and/or other selected partners to provide better customised offers, promotions, or/and personalised messages to you or others;
  10. other third parties in order to process your commercial transactions;
  11. participating merchants and partners of our Enrich loyalty programme or/and any other programmes within Malaysia Aviation Group offering products and services by using or through our website or mobile application hosted by us;
  12. legal bodies as permitted or required by law such as in compliance with a warrant or subpoena issued by a court of competent jurisdiction; and/or
  13. customs, immigration or other regulatory authorities applicable to you;
  14. if necessary, prevent passengers who have been issued notices from flying or using any of the services under Malaysia Aviation Group; and/or
  15. safety and security personnel.
In addition to the above, your Personal Data may also be disclosed or transferred to any of the Company’s actual and potential assignee, transferee or acquirer (within or outside Malaysia) (including our affiliates and subsidiaries) of our business, assets or group companies, or in connection with any corporate restructuring or exercise including the restructuring to transfer the business, assets and/or liabilities.

We shall take reasonable and practical steps in accordance with the law and acceptable industry standards to ensure that their employees, officers, agents, consultants, contractors and such other third parties mentioned above who are involved in the collection, use and disclosure of your Personal Data will observe and adhere to the terms of this Privacy Policy.

Where do we store your Personal Data?

We will store your Personal Data in the country in which we are based (i.e. Malaysia). As discussed above, we may also disclose your Personal Data to our group companies and their service providers located in Malaysia and elsewhere, and to employees operating outside of the EEA who work for us or for one of our group companies or their respective service providers.
We want to make sure that your Personal Data is stored and transferred in a way which is secure.
We will therefore only transfer data outside of the EEA where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data. For example, this could be:
  • By way of an intra-group agreement between MAB entities, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of Personal Data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws;
  • By way of a data transfer agreement with a third party, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of Personal Data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
  • By transferring your data to an entity which has signed up to the EU-U.S. Privacy Shield Framework for the transfer of Personal Data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or
  • By transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country's levels of data protection via its legislation; or
  • Where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract; or
  • Where you have explicitly consented to the data transfer.
Where we transfer your Personal Data outs

How do we keep your Personal Data secure?

We will take all reasonable precautions necessary to protect your Personal Data from misuse, interference and loss; and unauthorised access, modification or disclosure. In addition, the Company will secure your data in the following ways:
  1. register all those who are allowed access;
  2. control and limit access based on necessity;
  3. maintain proper record of access and transfer of Personal Data;
  4. ensure all employees of the Company protect confidentiality;
  5. conduct awareness programmes to all employees on responsibility to protect Personal Data;
  6. establish physical security procedures;
  7. bind third parties involved in processing of Personal Data; and
  8. do not use removable devices and cloud computing services to transfer or store Personal Data except with written consent from the top management of the Company.

For how long do we retain your Personal Data?

We will not retain your Personal Data longer than necessary for the purposes for which they are collected. However, relevant Personal Data may be retained subject to the conditions below:
  1. as and when required under legislation;
  2. where legal actions have arisen and are pending; or
  3. for commercial/operational purposes of Malaysia Airlines.
We shall take all reasonable steps to ensure that all Personal Data is destroyed or permanently deleted when no longer required and prepare a disposal schedule for inactive data with a 24-month period.

If you opt-out or withdraw your consent to marketing, we will remove you from our marketing database. You may do so by clicking the opt out link provided at the bottom of such email or send us your opt out request to

Links to third party website

We may link this website and/or our applications to other companies’ or organizations’ websites (collectively, “Third Party Sites”). This Privacy Policy does not apply to such Third Party Sites as those sites are outside our control. If you access Third Party Sites using the links provided, the operators of these sites may collect your personal information. Please ensure that you are satisfied with the privacy statements of these Third Party Sites before you submit any personal information. We try, as far as we can, to ensure that all third party linked sites have equivalent measures for protection of your personal information, but we cannot be held responsible legally or otherwise for the activities, privacy policies or levels of privacy compliance of these Third Party Sites.


If you still have inquiries or complaints in relation to our handling of your Personal Data or our Privacy Policy or wish to exercise any of your rights as described above, please contact us via the details as described below:

Chief Privacy Officer,
Business Integrity Department, Malaysia Airlines Berhad,
1st Floor, Administration Building, South Support Zone, KLIA,
64000 Sepang, Selangor, Malaysia.

Malaysia Airlines’ UK Office,
No. 247-249, Cromwell Road,
Kensington, London SW5 9GA,
United Kingdom.
Contact Details: +44 (0) 207 341 2075

If you are an Enrich member and wish to change your personal details, you may log in to the Enrich portal here. If you wish to amend either your Name or Date of Birth, please contact our Enrich team here. If you have any queries or issues regarding your reservation and flight details, please click here.