Personal Data Protection Act 2010 (PDPA) Notice

Overview

This notice explains how Bayarcash Sdn. Bhd. (“Bayarcash”, “we”, “us”, or “our”) collects, uses, processes, and protects your personal data in compliance with the Personal Data Protection Act 2010 (Act 709) of Malaysia, as amended by the PDPA Amendment Act 2024.

By using our services, you acknowledge that you have read and understood this notice and consent to the processing of your personal data as described herein.

1. Collection of Personal Data

We may collect and process your personal data, including but not limited to:

Category	Examples
Identity & contact	Name, MyKad/passport number, contact information, and address
Financial & banking	Bank account details, payment card information, and transaction records
Business registration	Company registration details, director information (for merchants)
Biometric data	Facial recognition or other biometric identifiers collected through identity verification services (e.g., KENAL)
Usage data	Transaction records, service usage data, IP address, device and browser information

Biometric data is classified as sensitive personal data under the PDPA Amendment Act 2024 and is processed only with your explicit consent for identity verification purposes.

2. Purpose of Processing

Your personal data is collected and processed for the following purposes:

• To provide and improve our payment services
• To verify your identity, including biometric verification where applicable
• To comply with legal and regulatory requirements (including AML/CFT obligations)
• To prevent fraud, financial crimes, and manage risk
• To communicate with you on service-related matters
• To facilitate merchant onboarding, settlement, and reporting

3. Disclosure of Personal Data

We may disclose your personal data to:

• Regulatory and governmental authorities where required by law
• Our financial partners, banks, and payment networks
• Our service providers, contractors, or professional advisors
• Identity verification providers (for biometric and KYC processing)
• Any other parties with your prior consent

Under the PDPA Amendment Act 2024, vendors and data processors who process personal data on our behalf are directly accountable for compliance. All third-party engagements involving personal data are governed by a Data Processing Agreement that sets out security, confidentiality, and breach notification obligations.

We never sell your personal data to third parties.

4. Cross-Border Data Transfers

Where your personal data is transferred outside Malaysia, Bayarcash undertakes a rigorous assessment of the receiving country’s data protection framework and ensures appropriate safeguards are in place, in accordance with the PDPA Amendment Act 2024.

5. Data Security & Retention

Bayarcash takes all reasonable steps to protect your personal data against loss, misuse, modification, unauthorised access, or disclosure. Security measures include data encryption, secure authentication, access controls, and regular security audits.

Your data will be retained for as long as necessary to fulfil the purposes stated in this notice or as required by law (e.g., AML/CFT record-keeping of 5–10 years). After the retention period, data will be securely deleted or anonymised.

6. Your Rights

Under the PDPA and the PDPA Amendment Act 2024, you have the following rights:

Right	Description
Right to access	Request a copy of the personal data we hold about you
Right to correction	Request correction or update of inaccurate or incomplete personal data
Right to erasure	Request deletion of your personal data where retention is no longer necessary or consent has been withdrawn, subject to legal retention obligations
Right to data portability	Obtain your personal data in a structured, commonly used, and machine-readable format for transfer to another service provider
Right to withdraw consent	Withdraw your consent to processing at any time, subject to legal and contractual restrictions
Right to object	Refuse processing for marketing or other non-essential purposes
Right to lodge a complaint	File a complaint with the Personal Data Protection Commissioner (JPDP) at https://www.pdp.gov.my

Requests may be sent to our Data Protection Officer at the contact details below. We will respond to valid requests within 21 days of receipt.

7. Data Breach Notification

In accordance with the PDPA Amendment Act 2024, in the event of a personal data breach that causes or is likely to cause significant harm, Bayarcash will:

• Notify the Personal Data Protection Commissioner and affected data subjects within 72 hours
• Provide details of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach
• Take immediate corrective measures to contain and mitigate the impact

Non-compliance with breach notification obligations is subject to penalties under the PDPA.

8. Data Protection Officer (DPO)

In compliance with the PDPA Amendment Act 2024 (mandatory appointment since 1 June 2025), Bayarcash has appointed a Data Protection Officer responsible for:

• Overseeing compliance with data protection obligations
• Conducting data protection impact assessments
• Serving as the point of contact for data subjects and the Personal Data Protection Commissioner

For any enquiries, requests, or complaints regarding your personal data, please contact our DPO at the details below.

9. Updates to This Notice

We may update this notice periodically. Material changes will be communicated through our website or via email. Continued use of our services after an update constitutes your acceptance of the revised notice.

10. Contact Us