Overview
This notice explains how Bayarcash Sdn. Bhd. (“Bayarcash”, “we”, “us”, or “our”) collects, uses, processes, and protects your personal data in compliance with the Personal Data Protection Act 2010 (Act 709) of Malaysia, as amended by the PDPA Amendment Act 2024.
By using our services, you acknowledge that you have read and understood this notice and consent to the processing of your personal data as described herein.
1. Collection of Personal Data
We may collect and process your personal data, including but not limited to:
| Category | Examples |
|---|---|
| Identity & contact | Name, MyKad/passport number, contact information, and address |
| Financial & banking | Bank account details, payment card information, and transaction records |
| Business registration | Company registration details, director information (for merchants) |
| Biometric data | Facial recognition or other biometric identifiers collected through identity verification services (e.g., KENAL) |
| Usage data | Transaction records, service usage data, IP address, device and browser information |
Biometric data is classified as sensitive personal data under the PDPA Amendment Act 2024 and is processed only with your explicit consent for identity verification purposes.
2. Purpose of Processing
Your personal data is collected and processed for the following purposes:
- To provide and improve our payment services
- To verify your identity, including biometric verification where applicable
- To comply with legal and regulatory requirements (including AML/CFT obligations)
- To prevent fraud, financial crimes, and manage risk
- To communicate with you on service-related matters
- To facilitate merchant onboarding, settlement, and reporting
3. Disclosure of Personal Data
We may disclose your personal data to:
- Regulatory and governmental authorities where required by law
- Our financial partners, banks, and payment networks
- Our service providers, contractors, or professional advisors
- Identity verification providers (for biometric and KYC processing)
- Any other parties with your prior consent
Under the PDPA Amendment Act 2024, vendors and data processors who process personal data on our behalf are directly accountable for compliance. All third-party engagements involving personal data are governed by a Data Processing Agreement that sets out security, confidentiality, and breach notification obligations.
We never sell your personal data to third parties.
4. Cross-Border Data Transfers
Where your personal data is transferred outside Malaysia, Bayarcash undertakes a rigorous assessment of the receiving country’s data protection framework and ensures appropriate safeguards are in place, in accordance with the PDPA Amendment Act 2024.
5. Data Security & Retention
Bayarcash takes all reasonable steps to protect your personal data against loss, misuse, modification, unauthorised access, or disclosure. Security measures include data encryption, secure authentication, access controls, and regular security audits.
Your data will be retained for as long as necessary to fulfil the purposes stated in this notice or as required by law (e.g., AML/CFT record-keeping of 5–10 years). After the retention period, data will be securely deleted or anonymised.
6. Your Rights
Under the PDPA and the PDPA Amendment Act 2024, you have the following rights:
| Right | Description |
|---|---|
| Right to access | Request a copy of the personal data we hold about you |
| Right to correction | Request correction or update of inaccurate or incomplete personal data |
| Right to erasure | Request deletion of your personal data where retention is no longer necessary or consent has been withdrawn, subject to legal retention obligations |
| Right to data portability | Obtain your personal data in a structured, commonly used, and machine-readable format for transfer to another service provider |
| Right to withdraw consent | Withdraw your consent to processing at any time, subject to legal and contractual restrictions |
| Right to object | Refuse processing for marketing or other non-essential purposes |
| Right to lodge a complaint | File a complaint with the Personal Data Protection Commissioner (JPDP) at https://www.pdp.gov.my |
Requests may be sent to our Data Protection Officer at the contact details below. We will respond to valid requests within 21 days of receipt.
7. Data Breach Notification
In accordance with the PDPA Amendment Act 2024, in the event of a personal data breach that causes or is likely to cause significant harm, Bayarcash will:
- Notify the Personal Data Protection Commissioner and affected data subjects within 72 hours
- Provide details of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach
- Take immediate corrective measures to contain and mitigate the impact
Non-compliance with breach notification obligations is subject to penalties under the PDPA.
8. Data Protection Officer (DPO)
In compliance with the PDPA Amendment Act 2024 (mandatory appointment since 1 June 2025), Bayarcash has appointed a Data Protection Officer responsible for:
- Overseeing compliance with data protection obligations
- Conducting data protection impact assessments
- Serving as the point of contact for data subjects and the Personal Data Protection Commissioner
For any enquiries, requests, or complaints regarding your personal data, please contact our DPO at the details below.
9. Updates to This Notice
We may update this notice periodically. Material changes will be communicated through our website or via email. Continued use of our services after an update constitutes your acceptance of the revised notice.
10. Contact Us
| trust-center@bayarcash.com | |
| Address | PT 2499 Tingkat 1, Kampung Cherang, 15200 Kota Bharu, Kelantan |