01 About this notice
This PDPA Notice is the condensed, consent-capture version of our Privacy Policy. It is the text you confirm before submitting a loan application, and is saved as a permanent snapshot against your application record under the Personal Data Protection Act 2010 ("PDPA").
For the full text of our processing practices, please read our Privacy Policy.
02 Data controller
MyTrustCredit Sdn Bhd (SSM 202301012345-D) — a KPKT-licensed direct moneylender under Moneylenders Licence No. WL1234/5678 — at Level 12, Menara KL, Jalan Sultan Ismail, 50250 Kuala Lumpur, is the data controller of the personal data you submit. We make lending decisions ourselves and do not route your data to any other lender.
03 Categories of personal data
- Identity: full name, MyKad number, date of birth, nationality.
- Contact: mobile number, email, residential address, state of residence.
- Financial: monthly income, source of income, existing commitments.
- Employment: employer name and address, length of employment.
- Bank account: account number for disbursement of approved funds and collection of repayments.
- Credit bureau: CTOS and CCRIS soft-inquiry results (with your consent).
04 Purposes of processing
- To process your loan application and make a lawful credit decision.
- To disburse any approved loan funds to your verified bank account.
- To service, collect, and report on your loan over its lifetime.
- To comply with our obligations under the Moneylenders Act 1951, PDPA 2010, AMLA 2001, and BNM AML / CFT rules.
- To prevent fraud and protect the security of the Service.
05 Who we disclose your data to
As a direct lender, we do not share your data with other lenders for matching. Your data is disclosed only to the following narrow recipients:
- Payment processors — licensed Malaysian banks and schemes that execute the IBG / DuitNow transfer of your approved loan and the collection of repayments.
- Licensed debt collection agencies — only if your loan becomes significantly overdue.
- Regulators and law-enforcement agencies (KPKT, BNM, PDPC, PDRM, courts) — only when required by law.
06 Legal basis for processing
Your data is processed on the following legal bases under the PDPA:
(a) your explicit consent, given by ticking the PDPA consent box at application submission; (b) performance of the Loan Agreement you enter into with MyTrustCredit directly; and (c) our legitimate interests in preventing fraud and complying with anti-money-laundering law.
07 Withdrawing consent
You may withdraw your consent at any time by writing to dpo@mytrustcredit.com. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.
If you withdraw consent while an application is in progress, we will generally be unable to continue that application. If you withdraw consent while a loan is active, this does NOT discharge your contractual repayment obligation — you will still be required to repay the outstanding balance, and we may still process the minimum data necessary to service the loan and meet our statutory obligations.
08 Your rights
- Access the personal data we hold about you.
- Correct data that is inaccurate or out of date.
- Withdraw any previously given consent (subject to the caveat above).
- Request deletion, subject to our statutory retention obligations under the Moneylenders Act and AMLA 2001.
- Request a copy of your data in a commonly used electronic format (portability).
- Lodge a complaint with the Personal Data Protection Commissioner (PDPC).
09 Retention
Records of disbursed loans and related audit logs are retained for 7 years after account closure, in line with the Moneylenders Act 1951 and BNM AML / CFT recordkeeping rules. Applications that do not lead to a loan are deleted or anonymised 24 months after your last activity.
10 Security
We apply AES-256-GCM encryption at rest, TLS 1.3 in transit, role-based access control with mandatory 2FA for administrators, a tamper-evident audit log of every sensitive read, and Google reCAPTCHA v3 bot mitigation on application pages.
11 International transfers
Your primary data is hosted in MongoDB Atlas, Singapore region — still covered by the PDPA through contractual safeguards equivalent to the Act. A small number of operational processors (transactional email, WhatsApp Business API) may process limited data outside Malaysia under Standard Contractual Clauses.
12 DPO contact & complaints
Data Protection Officer — dpo@mytrustcredit.com — Level 12, Menara KL, Jalan Sultan Ismail, 50250 Kuala Lumpur. If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Commissioner (PDPC) at www.pdp.gov.my.
Effective date: 20 April 2026.