Privacy Policy

How we protect your personal data.

This policy describes the data we collect, why we collect it, how it is stored, and your rights under the Personal Data Protection Act 2010 (PDPA).

Last updated: 22 June 2026 · Effective: 22 June 2026

1. Who we are

DanaLaju Sdn Bhd is a Malaysian company headquartered in Kuala Lumpur, a licensed money-lender under the Moneylenders Act 1951 (KPKT). We are the data user under the Personal Data Protection Act 2010.

2. Data we collect

To evaluate loan applications, comply with Malaysian financial regulations, and provide services to you, the DanaLaju mobile app and website collect the following categories of personal data:

Data categoryExamples
IdentityFull name, identity card number (MyKad) — stored encrypted and masked in-app, date of birth (derived from the MyKad), nationality.
ContactMobile phone number, email address, residential address.
EmploymentEmployer name and work address.
Reference / emergency contactOne reference contact you type in yourself — name, phone number, and relationship. We do not read your phone's contact book; you enter these details manually.
Financial / bank accountBank account number and account-holder name (to disburse funds to your account), loan and repayment history, payment status, FPX transactions.
eKYCMyKad front and back images, live selfie and liveness video, biometric matching results.
Location (approximate)Approximate (coarse) GPS coordinates at the moment you submit a loan application (for verification of operating area only — not continuous tracking).
DevicePer-install device identifier / device fingerprint (model, OS version, install ID), FCM push notification token, device language.
NetworkIP address (stamped server-side).
ApplicationApp usage logs, screens visited, application date, approval date.
What we do NOT collect

The DanaLaju app does not read your phone contacts, SMS messages, call history, or photo gallery. The app does not request these permissions, and will not in the future. We do not use an advertising ID, do not sell your personal data, and do not use it for third-party advertising.

3. Why we request specific permissions

The DanaLaju app requests several device permissions to enable key features. Each permission is explained below — what it enables, when it is used, and how long the data is kept.

Permission / dataWhy we request it
CameraTo scan MyKad (front + back) and take a live selfie for identity verification (eKYC). Required by AMLA and Bank Negara Malaysia (BNM) guidelines. Images are stored for 7 years in encrypted storage separate from account data.
Location (GPS, approximate)Only an approximate (coarse) location captured at the moment you submit a loan application. Not background tracking. Used for operating-area verification and detection of high-risk clustered applications.
NotificationsTo send application status updates, payment reminders, and messages from the support team. You can disable these in your device settings at any time.
Installed apps list (optional / consent-based)With your consent, DanaLaju reads the list of application package names installed on your device and compares them against a list of known money-lending, gambling, and high-risk applications, to help detect loan fraud and over-borrowing ("loan stacking"). We collect only application names/identifiers — we never access the content, data, messages, or activity of any app. This check is OPTIONAL; you may decline and continue to use the app. Not shared with third parties.
Device fingerprintPer-install identifier, device model, OS version, IP address, device language, FCM push token. Used to detect fake accounts, emulators, and rooted/jailbroken devices commonly used by fraudsters.
Behavioural patternsKeystroke count and typing speed within specific fields, paste events. Your input content is not stored — only aggregate patterns to distinguish humans from automated input (bots).
Local biometrics (fingerprint / face)For fast login. Biometric data never leaves your device — stored in the secure Android Keystore. We only receive a success/failure signal.
App-level attestation (Play Integrity)To verify the app is running on a genuine, unmodified Android device. The Play Integrity verdict is stored alongside your application record for fraud detection.
You can decline

You may decline any permission, but some features will not function. For example, without camera permission we cannot complete eKYC, and your application cannot proceed.

4. Purpose of collection

We collect your personal data for the following purposes:

5. Who we share with

We do not sell your personal data and do not use it for third-party advertising. The app does not use an advertising ID, and does not read your SMS, call logs, or phone contacts. We share data only with the following third parties, for the purposes stated above, with your consent or as required by law:

5a. Third-party services embedded in the app

The DanaLaju mobile app embeds the following third-party services. Each is bound by its own privacy policy:

ServicePurpose · Data accessed
Firebase Cloud Messaging (FCM)Push notifications. Receives device token + the notification payload (status updates, payment reminders). Privacy policy.
SentryRuntime error capture. Receives stack traces with personal data scrubbed before send. Privacy policy.

6. Retention period

We retain your personal data for as long as needed for the purposes for which it was collected, and to meet legal obligations:

7. Your rights

Under the Personal Data Protection Act 2010, you have the right to:

To exercise any of these rights, email our data protection officer at [email protected]. We will respond within 21 business days.

8. Delete your account

You can request your DanaLaju account be deleted at any time, either in the app (Settings → Account → Delete account) or by emailing [email protected] from your registered email address with the subject "Account Deletion Request" and the last four digits of your MyKad for verification.

After identity verification, we will:

If you only want to stop receiving notifications, you can disable them in your device settings — no need to delete your account.

9. Security

Your personal data is encrypted in transit (TLS 1.3) and at rest (AES-256). Internal team access is restricted to what is needed for each role, logged, and audited. eKYC images are stored in a separate encrypted bucket isolated from account data.

10. Children

DanaLaju services are only for individuals aged 21 years and above. We do not collect data from children. If you believe a child has provided data to us, please contact us and we will delete it immediately.

11. Changes to this policy

We may update this policy from time to time. Any material changes will be communicated to you via the app or by email at least 30 days before they take effect. The latest version will always be available on this page.

12. Contact the data protection officer

Data Protection Officer (DPO)
DanaLaju Sdn Bhd
25-4 Avenue 10, 8 Jalan Kerinchi, Bangsar South, 59200 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur
Email: [email protected]
WhatsApp: 011-6725 0178

Our privacy commitment

DanaLaju is committed to protecting your personal data under the Personal Data Protection Act 2010. You may withdraw consent, access, or correct your data at any time through our data protection officer.