PAY DIRECT TECHNOLOGY SDN BHD
BOLD.REMIT
B2B Outbound Remittance Services
PRIVACY POLICY
Personal Data Protection Act 2010 ("PDPA") Compliant
Effective Date: 05 March 2026 | Version 1.0 | Reviewed Annually
Pay Direct Technology Sdn Bhd ("Bold.Remit")
Company No: 201701027329 (1241495-V)
Level 23A Menara Allianz Central, Kuala Lumpur, Malaysia
Compliance Team: compliance@boldremit.com
General Enquiries: support@boldremit.com
IMPORTANT: This Privacy Policy explains how Bold.Remit (also "we", "our" or "us") collects, retains, processes, shares and transfers your Personal Data in connection with the Bold.Remit B2B outbound remittance services ("Services") in line with the PDPA. This Privacy Policy also serves as a notice in accordance with the PDPA. Please read this Privacy Policy carefully. By registering for or using our Services, you acknowledge and consent to the practices described herein. For the purposes of this Privacy Policy, the expressions "Personal Data" and "processing" have the meanings ascribed to them in the PDPA (and the expression "process" shall therefore be construed accordingly).
1. Introduction and Scope
Bold.Remit is an appointed money services business agent of MoneyMatch Sdn Bhd for remittance business providing the Services from Malaysia. We are committed to protecting the privacy and Personal Data of our clients, their representatives, directors, shareholders, ultimate beneficial owners ("UBO"), and all other individuals whose Personal Data we process in the course of providing our Services.
Who This Privacy Policy Applies To
This Policy applies to Personal Data processed in relation to:
- Directors and authorized representatives of business client entities;
- Shareholders and UBOs of business clients;
- Authorized users (makers and checkers) of the Bold.Remit Platform ("Platform");
- Beneficiaries of outbound remittance transactions;
- Visitors to the Bold.Remit website ("Site") and Platform. We are not responsible for the privacy policies of online websites or services that we do not own or control, including websites or services of other Bold.Remit users;
- Any other individuals whose Personal Data is provided to Bold.Remit in connection with the Know Your Business ("KYB"), Know Your Client ("KYC"), or transaction processes.
2. Personal Data of Minors
The Platform and Services are intended exclusively for registered business entities and corporate clients. We do not knowingly collect or process Personal Data of individuals under the age of 18 years. If we become aware that Personal Data of a minor has been collected inadvertently, we will take immediate steps to delete such data.
If you believe we have inadvertently collected Personal Data relating to a minor, please contact us at compliance@boldremit.com.
3. Personal Data We Collect
The categories of Personal Data we collect include:
3.1 Identity and Verification Data
- Full legal name;
- National Registration Identity Card (NRIC/MyKad) number or passport number;
- Date of birth;
- Nationality and country of residence;
- Photograph or biometric facial image (for KYC/KYB liveness verification);
- Occupation, position, and role within the business client entity;
- Personal tax identification number (TIN) where applicable.
3.2 Contact Information
- Residential address and correspondence address;
- Mobile phone number;
- Personal and business email addresses;
- Proof of address.
3.3 Financial and Transaction Data
- Business bank account details (account name, number, bank name, branch);
- Transaction history, including amounts, currencies, dates, and beneficiary details;
- Source of funds and source of wealth declarations;
- Audited financial statements and management accounts provided during KYB processes;
- Exchange rate confirmations and fee receipts.
3.4 Corporate and Ownership Data
- Percentage of shareholding in the business client entity;
- UBO declaration information;
- Information on politically exposed person ("PEP") status;
- Adverse media, sanctions, and watchlist screening results.
3.5 Platform Usage and Technical Data
- IP address and device identifiers;
- Browser type and operating system;
- Login timestamps, session duration, and Platform activity;
- Transaction actions taken within the Platform (submission, approval, rejection).
4. How We Collect Personal Data
We collect Personal Data from the following sources including but not limited to:
| Source | How Personal Data is Collected |
| KYB / KYC Application | Directly from the business client and its authorized representatives during the account registration and verification process. |
| Platform Registration | Through completion of registration forms, profile setup, and submission of authorized user credentials on the Platform. |
| Transaction Submission | Through remittance requests and associated beneficiary information submitted by makers and approved by checkers. |
| Automated Verification (Shufti Pro) | Through the document scanning and liveness detection process conducted by our third-party identity verification partner, Shufti Pro. |
| Third-Party Data Sources | From public registries (e.g., Companies Commission of Malaysia), sanctions lists, and commercially available adverse media databases. |
| Correspondence | Through email, chat messages, or any other communications with our team. |
| Regulatory Bodies | Information received from Bank Negara Malaysia ("BNM"), law enforcement, or other competent authorities in connection with compliance obligations. |
5. Purposes of Personal Data Processing
It is necessary for Bold.Remit to process Personal Data for the following purposes including but not limited to ("Purposes"):
| Purpose of Processing | Description | Legal Basis (PDPA) |
| KYB & KYC verification | Identity verification of directors, shareholders, and authorized users prior to account activation. | Contractual necessity; Legal obligation |
| Account management | Creating and maintaining business accounts, authorized user profiles, and checker/approver assignments. | Contractual necessity |
| Transaction processing | Executing outbound remittance transactions, communicating with correspondent banks, and delivering funds to beneficiaries. | Contractual necessity |
| AML/CFT Compliance | Screening against sanctions lists, monitoring transactions for suspicious activity, filing Suspicious Transaction Reports ("STR") and Cash Threshold Reports ("CTR") with BNM's Financial Intelligence Unit. | Legal obligation (AMLA 2001) |
| Regulatory reporting | Reporting to BNM, Personal Data Protection Department of Malaysia ("PDPD"), Malaysian Anti-Corruption Commission ("MACC"), and other competent authorities as required by law. | Legal obligation |
| Customer support | Responding to queries, complaints, and service requests from business clients. | Legitimate interests; Contractual necessity |
| Fraud prevention & security | Detecting, investigating, and preventing fraud, identity theft, cybersecurity threats, and unauthorized access. | Legitimate interests; Legal obligation |
| Risk management | Assessing operational risk and AML/CFT risk associated with business clients and transactions. | Legitimate interests; Legal obligation |
| Legal claims | Establishing, exercising, or defending legal claims, regulatory proceedings, or disputes. | Legitimate interests; Legal obligation |
| Marketing & promotions | Sending service updates, product announcements, and promotional materials (with consent where required). | Consent |
If you wish to withdraw your consent to the processing for the Purposes, we will not be able to provide you with our Services.
6. Disclosure and Sharing of Personal Data to Third Parties
Bold.Remit does not sell your Personal Data to third parties. We may share Personal Data only with the following third parties and/or in the following circumstances:
6.1 Disclosure to Service Providers and Partners
We engage trusted third-party service providers who process Personal Data on our behalf under strict contractual obligations and data protection agreements:
| Category of Recipient | Purpose of Disclosure |
| Identity verification | KYC/KYB document verification and biometric liveness detection. |
| Correspondent banks & intermediary banks | Execution of outbound remittance transactions to beneficiary accounts. |
| Cloud infrastructure providers | Secure hosting of the Platform and storage of transaction and customer data. |
| Sanctions screening providers | Real-time screening against international sanctions, PEP, and adverse media databases. |
| Payment processing partners | Processing fund transfers and exchange rate execution. |
| Legal and audit advisors | Legal advice, compliance audits, and statutory audit purposes. |
| Cybersecurity and fraud detection services | Monitoring, detecting, and preventing fraud and cybersecurity threats. |
6.2 Disclosure to Regulatory and Law Enforcement Authorities
Bold.Remit is legally required to disclose Personal Data to:
- BNM and its Financial Intelligence and Enforcement Department;
- PDPD;
- Royal Malaysia Police (PDRM) and MACC;
- Any court, tribunal, or arbitral body in connection with legal proceedings;
- Foreign financial intelligence units or regulatory bodies pursuant to mutual legal assistance treaties or BNM directives;
- Any other competent authority with lawful authority to require disclosure.
6.3 Cross-Border Data Transfers
The execution of outbound remittance transactions necessarily involves the transfer of beneficiary Personal Data and transaction details to the third parties set out in this Privacy Policy, including financial institutions in destination countries outside of Malaysia, as required for our Purposes or to fulfil contractual services between yourself and Bold.Remit. We may also transfer your Personal Data to places outside Malaysia where permitted by law. You consent to us transferring your Personal Data to places outside Malaysia in these instances. Bold.Remit implements appropriate safeguards for cross-border transfers, including:
- Contractual data protection clauses with correspondent banks and overseas partners;
- Transfer to jurisdictions with adequate data protection standards recognized by the PDPA.
6.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of Bold.Remit's business, Personal Data may be transferred to the successor entity, subject to equivalent data protection obligations and, where required, prior notification to affected data subjects.
7. Third-Party Data Processors
Bold.Remit engages the following categories of third-party data processors and service providers. All processors are bound by data processing agreements requiring them to implement appropriate security measures and process Personal Data only on our documented instructions:
| Processor Category | Role and Data Processing Activity |
| Identity Verification | Processes identity documents, facial biometric data, and liveness verification during KYB/KYC. Data processed in accordance with Shufti Pro's own General Data Protection Regulation (GDPR)-compliant privacy policy. Applicable cross-border transfer safeguards are in place. |
| Cloud Hosting Provider | Hosts the Platform and stores encrypted customer and transaction data. Subject to ISO 27001 or equivalent security certification. |
| Sanctions & PEP Screening | Processes names, NRIC/passport numbers, and nationality data against global sanctions, watchlist, and adverse media databases. |
| Correspondent Banking Network | Processes beneficiary names, account numbers, and transaction amounts to execute outbound remittances. Subject to their own regulatory privacy obligations. |
| Email and Communication Services | Processes contact information and communication content for service-related notifications and customer support. |
| Analytics & Platform Monitoring | Processes aggregated and pseudonymized usage data to monitor platform performance and improve user experience. |
Bold.Remit conducts periodic vendor due diligence reviews of all third-party processors to assess their compliance with applicable data protection standards. The current list of sub-processors is available upon written request to compliance@boldremit.com.
8. Data Retention
Bold.Remit retains Personal Data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. The following minimum retention periods apply unless applicable laws require a longer retention period:
| Category of Data | Retention Period |
| KYB / KYC documentation and identity records | Minimum 7 years from account closure / execution, completion or termination of business relationship, transaction, activity (whichever latest) |
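| Remittance transaction records and receipts | Minimum 7 years from account closure / execution, completion or termination of business relationship, transaction, activity (whichever latest) |
| STR / CTR filings and supporting records | Minimum 7 years from account closure / execution, completion or termination of business relationship, transaction, activity (whichever latest) |
| Account access logs and audit trails | Minimum 7 years from account closure / execution, completion or termination of business relationship, transaction, activity (whichever latest) |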
| Customer correspondence and support records | 3 years from last interaction |
| Biometric verification data (Shufti Pro) | Per Shufti Pro's data retention policy (typically 5–7 years) |
| Marketing consent records | Until consent is withdrawn + 1 year |
After the applicable retention period, your Personal Data will be securely deleted or destroyed in accordance with our data disposal procedures. Where such data must be retained beyond the minimum period due to ongoing legal proceedings, regulatory investigations, or legitimate business interests, Bold.Remit will document the basis or, where possible, anonymise such data for extended retention.
9. Data Security
9.1 Security Measures
Bold.Remit implements technical and organizational security measures proportionate to the sensitivity of the Personal Data we process and the risks posed by our processing activities. Our security measures include:
Technical Measures:
- Encryption of sensitive data at rest using AES-256 or equivalent standards;
- Multi-factor authentication (MFA) for all authorised user platform access;
- Role-based access controls ensuring access to Personal Data is limited to personnel who require it for their functions;
- Regular penetration testing and vulnerability assessments;
- Intrusion detection and prevention systems;
- Secure software development lifecycle (SDLC) practices.
Organizational Measures:
- Data protection training for all staff handling Personal Data;
- Internal data protection policies, procedures, and incident response plans;
- Vendor due diligence for all third-party data processors;
- Annual review and audit of data protection practices.
9.2 Data Breach Response
In the event of a Personal Data breach, Bold.Remit will take immediate steps to contain and investigate the breach. Where required under the PDPA or BNM regulations, we will notify the PDPD and affected data subjects in accordance with the applicable notification timelines.
The business client must immediately notify Bold.Remit at compliance@boldremit.com upon becoming aware of any suspected security incident, data breach, or unauthorized access to their Business Account that may compromise Personal Data processed in connection with Bold.Remit's Services.
Security Reminder: Bold.Remit will never ask you to provide your password, OTP, or security credentials via email, telephone, or chat. If you receive such a request claiming to be from Bold.Remit, treat it as suspicious and report it immediately.
9.3 Limitation of Responsibility
While we are dedicated to securing our systems and Services, you are responsible for securing and maintaining the privacy of your password(s) and account/profile registration information and verifying that the Personal Data we maintain about you is accurate and current.
10. Cookies and Tracking Technologies
10.1 Types of Cookies We Use
| Cookie Type | Basis | Purpose |
| Strictly Necessary | Required (no opt-out) | Session management, authentication, security tokens, CSRF protection. Essential for Platform operation. |
| Functional | Required | Saving your language preferences, time zone settings, and session state. |
| Security Monitoring | Required | Bot detection and login anomaly detection. |
11. Your Privacy Choices
11.1 What Privacy Choices are Available to You?
You have choices when it comes to the privacy practices and communications described in this Privacy Policy. Many of your choices may be explained at the time you sign up for or use a Service or in the context of your use of a Site. You may be provided with instructions and prompts within the experiences as you navigate the Services.
11.2 Choices Relating to the Personal Data We Collect
(i) Personal Data. You may decline to provide Personal Data when it is requested by Bold.Remit, but certain Services or all of the Services may be unavailable to you.
(ii) Location and other device-level information. The device you use to access the Sites or Services may collect information about you, including geolocation information and user usage data that Bold.Remit may then collect and use.
12. Business Client's Data Protection Obligations
As a business client using the Bold.Remit Platform, you act as a data controller in respect of the Personal Data of your authorised users, directors, employees, and beneficiaries that you provide to Bold.Remit. In this capacity, you are responsible for:
- Ensuring you have a lawful basis for collecting and sharing Personal Data of individuals with Bold.Remit, including obtaining necessary consents;
- Providing adequate privacy notices to your directors, UBOs, authorised users, and transaction beneficiaries explaining that their data will be shared with Bold.Remit for remittance processing and compliance purposes;
- Ensuring all Personal Data provided to Bold.Remit is accurate, up to date, and complete;
- Promptly notifying Bold.Remit of any corrections or updates to Personal Data provided;
- Maintaining your own data protection policies and practices in compliance with the PDPA where applicable to your business;
- Not providing to Bold.Remit any Personal Data that you are not lawfully authorized to disclose.
13. Marketing Communications and Consent
13.1 Marketing Activities
With your consent, Bold.Remit may contact you with:
- Service updates, new product features, and platform enhancements;
- Promotional offers, fee reductions, and preferential rate campaigns;
- Industry news, regulatory updates, and thought leadership content;
- Invitations to events, webinars, or training sessions.
13.2 Consent and Opt-Out
Marketing communications are sent only to business clients and individuals who have consented to receive them. You may opt out at any time by:
- Clicking the "Unsubscribe" link in any marketing email;
- Updating your communication preferences in the Platform settings.
Please note that opting out of marketing communications does not affect the sending of transactional or service-related communications, which will continue as necessary for the delivery of the Services.
14. Your Rights Under the PDPA
As data subjects under the PDPA, individuals whose Personal Data is processed by Bold.Remit have the following non-exhaustive rights. Please note that these rights may be subject to limitations and exemptions under applicable law, particularly where processing is required for AML/CFT or regulatory compliance purposes.
| Right | Description and How to Exercise |
| Right to Access | You have the right to request access to the Personal Data we hold about you, including information on the purposes of processing and categories of the Personal Data processed. Submit your request to compliance@boldremit.com. We will respond within 21 days of receipt. |
| Right to Correction | If you believe the Personal Data we hold about you is inaccurate, incomplete, misleading, or out of date, you may submit your request for correction to compliance@boldremit.com. We will rectify the data within 21 days or notify you of our reasons for declining. |
| Right to Withdraw Consent | Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal and may limit our ability to provide certain Services. |
| Right to be Informed | You have the right to be informed of the purposes for which your Personal Data is collected and processed, which is fulfilled by this Privacy Policy. |
| Right to Object | You may object to the processing of your Personal Data for marketing purposes at any time by contacting us at compliance@boldremit.com or using the unsubscribe link in any marketing communication. |
| Right to Data Portability | Where technically feasible and permitted by law, you may request a copy of your Personal Data in a structured, machine-readable format. |
| Right to Complain | If you believe your rights under the PDPA have been violated, you may lodge a complaint with the PDPD at www.pdp.gov.my. |
Regulatory Limitation: Certain rights under the PDPA are subject to exemptions where processing is required for the prevention or detection of crime, AML/CFT compliance, or where disclosure is ordered by a court or competent authority. Bold.Remit will notify you of any applicable limitation when responding to your request.
15. Contact Us
You may direct any enquiries, comments, requests or complaints regarding your Personal Data to the following:
Data Protection Officer
Pay Direct Technology Sdn Bhd (Bold.Remit)
Compliance Team: compliance@boldremit.com
General Enquiries: support@boldremit.com
You may be required to verify your identity before we process your request as provided under the PDPA. In such event, you should quote your name, address and phone or account number and provide brief details of the information you want a copy of or, as the case may be, want to access, correct, update or delete. Requests submitted on behalf of another person must be accompanied by written authorisation from that person.
Please note that we may decline to comply with your request in accordance with the PDPA. We shall be entitled to charge a fee (insofar as permitted under the applicable law) for any data access request.
16. Changes to This Privacy Policy
Bold.Remit reviews and updates this Privacy Policy periodically to reflect changes in our practices, regulatory requirements, and business operations. We reserve the right to modify, update or amend this Privacy Policy at any time and the updated version shall apply and supersede any and all previous versions. Material changes will be communicated to business clients by email notification and/or a prominent notice on the Platform at least fourteen (14) days before the change takes effect.
Your continued use of the Services after the effective date of any updated Policy constitutes your acceptance of the revised terms. We recommend that you review this Policy periodically for our most up-to-date Privacy Policy. The current version and effective date are displayed on the cover page and the Platform. All previous versions are available upon written request to compliance@boldremit.com.
17. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of Malaysia. Any dispute arising from or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Malaysia.
Bold.Remit | Pay Direct Technology Sdn Bhd
Version 1.0 | Effective: 05 March 2026 | Next Review: 05 March 2027