Privacy Policy

MyTrustCredit Sdn Bhd (Company No. SSM 202301012345-D) ("MyTrustCredit", "we", "us", or "our") is a KPKT-licensed direct moneylender operating under Moneylenders Licence No. WL1234/5678 pursuant to the Moneylenders Act 1951. Our registered office is at Level 12, Menara KL, Jalan Sultan Ismail, 50250 Kuala Lumpur.

We are the sole data controller for every loan we originate. When you apply through mytrustcredit.com, your application is assessed, approved, and funded by MyTrustCredit itself — we are not a broker, introducer, or lead-matching platform. All underwriting decisions, loan agreements, and debt collection activity are performed in-house by MyTrustCredit and its contracted processors.

This Privacy Policy explains what personal data we collect, how we use it, who we disclose it to, how long we keep it, and the rights you have under the Personal Data Protection Act 2010 ("PDPA"). By submitting a loan application or otherwise using mytrustcredit.com, you acknowledge that you have read and understood this Policy.

This Policy is published in English, Bahasa Malaysia, and Simplified Chinese. In the event of any inconsistency, the English version shall prevail.

We collect only the personal data that is strictly necessary to (i) verify your identity, (ii) make a lawful credit decision under the Moneylenders Act 1951, (iii) disburse approved funds, and (iv) service and collect your loan. The categories we collect are:

• Identity data — Full name as per MyKad, MyKad number (for identity verification and statutory recordkeeping under the Moneylenders Act 1951), date of birth, gender, nationality status, preferred language, and a copy of your MyKad at the underwriting stage.
• Contact data — Residential address, mobile number, email address, state of residence, and (optionally) a next-of-kin / emergency contact.
• Financial data — Monthly income (gross and net), source of income, employer name and address, length of employment, existing financial commitments, and bank account details for disbursement of approved funds and collection of repayments (via DuitNow, IBG, or direct debit).
• Credit-bureau inquiries — Where lawful and with your consent, we may perform soft credit inquiries against CTOS and CCRIS (Bank Negara Malaysia) to support our underwriting decision. Approved loans are reported to CCRIS monthly as required by law.
• Loan-performance data — Loan reference number, agreement terms, disbursement records, repayment history, arrears status, and any collection actions taken on a defaulted loan.
• Behavioural & technical data — IP address, user-agent string, referrer, UTM parameters, pages viewed, session timestamps, and reCAPTCHA risk scores. This data helps us secure the site against fraud and improve user experience.
• Consent & correspondence — A snapshot of every consent you give (including the exact text shown), your signed Loan Agreement, and correspondence with our loan, support, and collection teams.

We process your personal data exclusively for the legitimate purposes below. Each purpose is grounded in your consent, the performance of our loan contract with you, our own legitimate interests as a regulated lender, or an explicit legal obligation.

1. Identity verification and anti-fraud screening at application.
2. Credit assessment and underwriting of your loan application, including internal scoring and optional CTOS / CCRIS soft-inquiry lookups.
3. Preparation, e-signature, and execution of your Loan Agreement.
4. Disbursement of approved loan funds via licensed Malaysian banks (DuitNow, IBG).
5. Ongoing loan servicing — reminders, statements, restructure discussions, settlement letters — via WhatsApp, SMS, email, or phone.
6. Collection activity on overdue accounts, including mandatory CCRIS reporting and, where necessary, instructing a licensed debt collection agency or legal counsel.
7. Compliance with Malaysian law, including the Moneylenders Act 1951, PDPA 2010, Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), and Bank Negara AML / CFT guidelines.
8. Fraud detection, rate limiting, abuse prevention, and information-security operations.
9. Internal analytics to improve our products (performed only on pseudonymised data).
10. Marketing of our own loan products and cashback promotions — only where you have opted in, and you may withdraw at any time without affecting any active loan.

As a direct lender, we do not sell your data and we do not share it with other lenders for matching. Your personal data is disclosed only to the narrow set of recipients below, and only to the extent necessary to run a compliant licensed lending business.

• Our processing partners — Licensed Malaysian banks and payment schemes (for example the banks that execute IBG / DuitNow transfers of your approved loan), our cloud infrastructure provider (MongoDB Atlas, Singapore region), our transactional email provider, our WhatsApp Business API provider, and Google reCAPTCHA. Each is bound by a written data processing agreement with confidentiality, purpose-limitation, and security obligations.
• Credit bureaus — CTOS and CCRIS (Bank Negara Malaysia) — for soft inquiries during underwriting (with your consent) and for mandatory monthly reporting of loan performance on any loan we disburse.
• Licensed debt collection agencies — Engaged only if your loan becomes significantly overdue (typically 90 days) and only under a written agreement that binds the agency to the Moneylenders Act, our Debt Collection Code of Conduct, and strict anti-harassment rules.
• Regulators, law enforcement, and auditors — The Ministry of Housing and Local Government (KPKT) as our licensing regulator, Bank Negara Malaysia (BNM) for CCRIS and AML matters, the Personal Data Protection Commissioner (PDPC), the Royal Malaysia Police (PDRM), and courts, where required by law, regulation, or lawful order. Our external financial and compliance auditors under non-disclosure.
• Professional advisors — External legal counsel and tax advisors, only where instructed, and only under professional confidentiality.

We retain personal data only for as long as it is needed for the purposes for which it was collected, plus any period required by Malaysian law. Our baseline retention period is 7 years from the closure of your account (or from the last interaction, for applications that did not lead to a loan), in order to comply with the Moneylenders Act 1951, PDPA 2010, BNM AML/CFT recordkeeping obligations, and the Limitation Act 1953.

• Disbursed loan records — 7 years after full settlement or write-off — as required by the Moneylenders Act and AML rules.
• Applications that did not lead to a loan — 24 months from your last activity, then deleted or irreversibly anonymised — unless extended for a legal hold.
• Audit, security, and transaction logs — 7 years, consistent with AMLA 2001 and BNM AML/CFT Policy Document recordkeeping.
• Marketing consent records — Kept until withdrawal plus 12 months, to evidence that you had actively opted in.

Subject to the PDPA 2010 and the Moneylenders Act 1951, you have the following data-subject rights in relation to personal data we hold about you:

1. Right of access — request a copy of the personal data we hold about you.
2. Right to correction — request correction of data that is inaccurate, incomplete, or out of date.
3. Right to withdraw consent — at any time, for processing that is based on your consent (for example marketing communications).
4. Right to limit processing — ask us to stop processing your data for direct-marketing purposes.
5. Right to data portability — receive your data in a commonly used electronic format.
6. Right to lodge a complaint — with our DPO and, if unresolved, with the Personal Data Protection Commissioner (PDPC).

We apply technical, organisational, and physical measures that meet or exceed industry standards for a licensed lender:

• AES-256-GCM envelope encryption at rest for all sensitive fields (full name, MyKad, mobile, email, bank account, income figures).
• TLS 1.3 encryption in transit for every HTTP request, with HSTS preloaded.
• Role-based access control with strict need-to-know, mandatory TOTP two-factor authentication for every administrator, and a full tamper-evident audit log of every sensitive read or export.
• Primary data residency in MongoDB Atlas, Singapore region (ap-southeast-1). Backups are encrypted and kept within the same region.
• Automated intrusion detection, WAF, rate limiting, and bot mitigation via Google reCAPTCHA v3.
• Annual third-party security review and regular penetration testing, plus continuous vulnerability scanning and dependency monitoring.

We use a small number of cookies and equivalent browser-storage technologies to operate mytrustcredit.com securely. They fall into three categories and are governed by our cookie-consent banner:

• Strictly necessary — Session, CSRF, locale, and rate-limit cookies. These are required for the website to function and cannot be disabled.
• Functional — Remember your language preference, UI choices, and whether you have already dismissed a banner. Set only after you accept functional cookies in the consent banner.
• Analytics — Aggregated, pseudonymised usage metrics used to improve the site. Includes Google reCAPTCHA v3 risk scoring, which is strictly necessary for fraud prevention and is always on for application pages. Analytics can be declined without breaking the site.

We do not lend to persons under 21 years of age. mytrustcredit.com is not directed to, and we do not knowingly collect personal data from, anyone under 21. If you believe a minor has submitted personal data to us, please write to dpo@mytrustcredit.com and we will delete the record within 7 working days.

Your personal data is primarily stored and processed within Malaysia and Singapore. Our primary database is hosted on MongoDB Atlas in the Singapore region (ap-southeast-1) — a jurisdiction recognised by the PDPC as providing substantially equivalent data-protection standards to Malaysia.

A limited set of operational processors (transactional email delivery, WhatsApp Business API infrastructure, and our error-monitoring service) may process data outside Malaysia. Every cross-border transfer is covered by a signed Data Processing Agreement incorporating Standard Contractual Clauses and section 129 PDPA safeguards.

We do NOT transfer your data outside Malaysia for marketing, profiling, or analytics purposes that go beyond what is necessary to operate the Service.

We may update this Policy from time to time to reflect changes in law, regulatory guidance, or our own processing activity. Material changes will be notified to you by (a) an email to the address associated with your most recent application or active loan, and (b) a banner displayed on mytrustcredit.com for at least 30 days from the effective date.

The "Last updated" date at the top of this page always shows the date of the latest revision. Previous versions are archived and available on request from dpo@mytrustcredit.com.

Questions about this Policy, or requests to exercise your PDPA rights, can be sent to our Data Protection Officer:

• Email — dpo@mytrustcredit.com
• Mail — Data Protection Officer, MyTrustCredit Sdn Bhd, Level 12, Menara KL, Jalan Sultan Ismail, 50250 Kuala Lumpur, Malaysia
• WhatsApp — +60 12-345 6789 (Monday to Saturday, 9am–8pm MYT; closed on public holidays)