Bayarcash

Data Protection & Privacy Policy

Version: 2.0
Effective Date: 01 March 2026
Approved By: Compliance & Risk Committee
Next Review Date: 01 March 2027

1. Purpose

Bayarcash values your privacy and is committed to protecting your personal data. This policy explains how we collect, use, store, share, and protect your information when you use our services, websites, applications, and digital platforms (collectively, the “Services”).

We handle all personal data in accordance with the Personal Data Protection Act 2010 (Act 709) of Malaysia, as amended by the PDPA Amendment Act 2024, and other applicable data protection laws and regulations.

2. Scope

This policy applies to:

  • All customers, merchants, partners, users, and visitors of Bayarcash platforms;
  • All personal data collected and processed through Bayarcash systems, applications, and services; and
  • All employees, contractors, and third parties who have access to such personal data.

3. Definitions

| Term | Definition |
|---|---|
| Personal Data | Any information that can identify an individual (e.g., name, address, ID number, email, phone number). |
| Processing | Any operation performed on personal data such as collection, recording, storage, use, disclosure, or deletion. |
| Data Subject | The individual whose personal data is processed. |
| Data Controller | The person or entity that determines the purpose and means of processing personal data (term introduced by PDPA Amendment Act 2024, Phase 2). |
| Data Processor | The entity that processes personal data on behalf of the controller. |
| Data Protection Officer (DPO) | A designated individual responsible for overseeing data protection compliance within the organisation. Mandatory appointment since 1 June 2025. |
| Personal Data Protection Commissioner (JPDP) | The authority responsible for enforcing the PDPA in Malaysia, also known as Jabatan Pelindungan Data Peribadi. |
| Sensitive Personal Data | Includes data relating to physical or mental health, political opinions, religious beliefs, criminal offences, biometric data (physical, physiological, or behavioural characteristics derived from technical processing), and other categories classified as sensitive under the PDPA. |

4. What Information We Collect

We may collect the following types of personal data:

| Source | Data Collected |
|---|---|
| Information You Provide Directly | Full name, address, date of birth, gender, and contact details. Government-issued identification (e.g., passport, MyKad, driver’s licence). Biometric data (where collected for identity verification). Financial details (bank account, payment card, transaction data). KYC documentation. Employment or business registration data (for merchants). Correspondence or feedback you send to us. |
| Information Collected Automatically | Device and browser information. IP address, geolocation, and usage analytics. Log-in data, cookies, and app performance data. Transaction and behavioural data. |
| Information from Third Parties | Credit bureaus, partner financial institutions, identity verification providers, and regulatory agencies (for compliance, fraud prevention, or credit scoring). |

5. How We Use Your Personal Data

We process your data to:

  • Verify your identity and perform KYC/AML checks;
  • Facilitate transactions, payments, and wallet operations;
  • Maintain your Bayarcash account and provide customer support;
  • Detect and prevent fraud, financial crimes, or misuse;
  • Comply with legal, regulatory, and reporting obligations;
  • Improve and personalize our products, features, and user experience;
  • Send you service updates, alerts, and relevant marketing communications (with your consent);
  • Conduct analytics, research, and risk assessments.

We will only process your personal data for legitimate and lawful purposes.

6. Lawful Basis for Processing

Under Section 6 of the PDPA, Bayarcash processes personal data based on one or more of the following legal grounds:

| Lawful Basis | Description |
|---|---|
| Consent | When you voluntarily agree to provide your data. |
| Contractual necessity | When processing is required to fulfil our service agreement. |
| Legal obligation | When required by law (e.g., AML/CFT, tax reporting). See our AML/CFT Policy for details. |
| Legitimate interests | When necessary for our operations without infringing your rights. |

7. Data Sharing & Disclosure

We may share your personal data with:

  • Affiliates and subsidiaries of Bayarcash;
  • Service providers and sub-processors (e.g., payment gateways, IT vendors, cloud hosting providers, KYC partners);
  • Regulatory and government authorities, as required by law;
  • Financial institutions and partners to complete transactions;
  • Auditors, consultants, or legal advisors under confidentiality obligations.

Under the PDPA Amendment Act 2024, vendors and sub-processors who process personal data on our behalf can be directly fined up to RM1 million for non-compliance. All third-party engagements involving personal data are governed by a Data Processing Agreement that sets out security, confidentiality, and breach notification obligations. See our Data Processing Agreement for details.

We never sell your personal data to third parties.

8. Cross-Border Data Transfers

Under the PDPA Amendment Act 2024 (Phase 2, effective 1 April 2025), stricter controls apply to cross-border transfers of personal data. Before transferring personal data outside Malaysia, Bayarcash:

  • Undertakes a rigorous assessment of the receiving country’s data protection framework;
  • Maintains a register of all cross-border data transfers, including the categories of data, recipient countries, and safeguards applied; and
  • Ensures appropriate safeguards (such as contractual clauses, binding corporate rules, or equivalent measures) are in place to maintain data security and compliance.

9. Data Retention

We retain personal data only for as long as necessary:

  • To fulfill the purposes stated in this Policy;
  • To comply with regulatory retention periods (e.g., AML/CFT record-keeping of 5-10 years); or
  • Until you withdraw consent or close your account, unless longer retention is legally required.

After the retention period, data will be securely deleted or anonymized.

10. Data Protection & Security Measures

We maintain robust technical and organizational security measures, including:

  • Data encryption (in transit and at rest);
  • Secure authentication and access control;
  • Network firewalls and intrusion detection systems;
  • Regular security testing and audits;
  • Employee confidentiality agreements and data protection training.

In accordance with the PDPA Amendment Act 2024 (Phase 3, effective 1 June 2025), Bayarcash has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with data protection obligations, conducting impact assessments, and serving as the point of contact for data subjects and the Personal Data Protection Commissioner.

While we employ industry-leading safeguards, no system is 100% secure. We continuously improve our practices to mitigate risks.

11. Your Rights as a Data Subject

You have the following rights under applicable data protection laws:

| Right | Description |
|---|---|
| Right to be informed | To know how your data is collected and used. |
| Right to access | To request a copy of your personal data. |
| Right to rectification | To correct inaccurate or incomplete data. |
| Right to erasure (right to be forgotten) | To request deletion of your personal data where retention is no longer necessary or consent has been withdrawn, subject to legal retention obligations. |
| Right to object | To refuse processing for marketing or other non-essential purposes. |
| Right to data portability | To obtain your data in a structured, commonly used, and machine-readable format for transfer to another service provider (PDPA Amendment Act 2024). |
| Right to lodge a complaint | With the Personal Data Protection Commissioner (JPDP) at https://www.pdp.gov.my or relevant authority. |

Requests may be sent to our Data Protection Officer (DPO) at the contact details below. We will respond to valid requests within 21 days of receipt.

12. Data Breach Notification

Under the PDPA Amendment Act 2024 (Phase 3, effective 1 June 2025), data controllers who have reason to believe a personal data breach has occurred must act promptly. In the event of a breach, Bayarcash will:

  • Notify the Personal Data Protection Commissioner and affected data subjects within 72 hours where the breach causes or is likely to cause significant harm;
  • Provide details of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach; and
  • Take immediate corrective and remedial measures to contain and mitigate the impact.

Non-compliance with breach notification obligations may result in fines of up to RM1 million and imprisonment of up to 3 years. For our internal procedures, see the Incident Response Policy.

13. Cookies & Tracking Technologies

Bayarcash uses cookies and similar technologies to:

  • Enable secure logins and essential functions.
  • Improve performance and analytics.
  • Personalize user experience.

You can control cookie settings through your browser. However, disabling certain cookies may affect the functionality of our Services.

Our website or app may contain links to third-party websites. We are not responsible for the privacy practices or content of these third parties. We encourage users to review their privacy policies before providing any personal data.

15. Children’s Privacy

Our services are not directed at children under 18 years old. We do not knowingly collect data from minors. If we become aware that we have collected such data without parental consent, we will exercise the right to erasure under the PDPA Amendment Act 2024 and delete it promptly.

16. Updates to This Policy

We may update this policy periodically. Material changes will be notified through our website, app, or via email. Continued use of our services after an update constitutes your acceptance of the revised policy.

17. Contact Us

Email: compliance@bayarcash.com
Address: PT 2499 Tingkat 1, Kampung Cherang, 15200 Kota Bharu, Kelantan