How we protect your personal data.

This policy describes the data we collect, why we collect it, how it is stored, and your rights under the Personal Data Protection Act 2010 (PDPA).

Last updated: 25 May 2026 · Effective: 1 June 2026

1. Who we are

DanaLaju Sdn Bhd (SSM Registration: 199701061235) is a Malaysian company headquartered in Kuala Lumpur. We are the data user under the Personal Data Protection Act 2010.

2. Data we collect

To evaluate loan applications, comply with Malaysian financial regulations, and provide services to you, the DanaLaju mobile app and website collect the following categories of personal data:

Data categoryExamples

IdentityFull name, identity card number (MyKad), date of birth, gender, nationality.

ContactMobile phone number, email address, residential address.

FinancialBank account number, bank name, monthly income, source of income.

EmploymentEmployer name, job title, length of service, office address (for verification).

eKYCMyKad front and back images, live selfie, biometric matching results.

LocationGPS coordinates at the moment you submit a loan application (for verification of operating area only — not continuous tracking).

DeviceDevice fingerprint (model, OS version, install ID), IP address, device language.

PaymentLoan and repayment history, payment status, FPX transactions.

ApplicationApp usage logs, screens visited, application date, approval date.

What we do NOT collect

The DanaLaju app does not read your phone contacts, SMS messages, call history, or photo gallery. The app does not request these permissions, and will not in the future.

3. Why we request specific permissions

The DanaLaju app requests several device permissions to enable key features. Each permission is explained below — what it enables, when it is used, and how long the data is kept.

Permission / dataWhy we request it

CameraTo scan MyKad (front + back) and take a live selfie for identity verification (eKYC). Required by AMLA and Bank Negara Malaysia (BNM) guidelines. Images are stored for 7 years in encrypted storage separate from account data.

Location (GPS)Only captured at three specific moments: when you submit an application, when you complete eKYC, and when you confirm employment information. Not background tracking. Used for operating-area verification and detection of high-risk clustered applications.

NotificationsTo send application status updates, payment reminders, and messages from the support team. You can disable these in your device settings at any time.

Installed apps listOnly package names (not content, not usage patterns, not data inside those apps). Used to detect stacked-loan patterns, gambling apps, or known scammer apps. Not shared with third parties.

Device fingerprintInstall identifier, device model, OS version, IP address, device language. Used to detect fake accounts, emulators, and rooted/jailbroken devices commonly used by fraudsters.

Phone state (SIM)To detect SIM-swap events between application submission and disbursement. We read only the SIM serial identifier — not your phone number, not your call history, not your SMS.

Bluetooth + Wi-Fi neighbour scanOnly the cryptographic fingerprint of neighbouring radios at apply time — used as a fraud signal to detect clustered applications from the same physical location. We do not connect to, read content from, or track any device. neverForLocation flag is set per Android guidance.

Behavioural patternsKeystroke count and typing speed within specific fields, paste events. Your input content is not stored — only aggregate patterns to distinguish humans from automated input (bots).

Local biometrics (fingerprint / face)For fast login. Biometric data never leaves your device — stored in the secure Android Keystore. We only receive a success/failure signal.

App-level attestation (Play Integrity)To verify the app is running on a genuine, unmodified Android device. The Play Integrity verdict is stored alongside your application record for fraud detection.

You can decline

You may decline any permission, but some features will not function. For example, without camera permission we cannot complete eKYC, and your application cannot proceed.

4. Purpose of collection

We collect your personal data for the following purposes:

Loan evaluation — to determine your eligibility and an appropriate loan amount.
Identity verification (eKYC) — in line with the Anti-Money Laundering Act (AMLA) and BNM guidelines.
Fraud prevention — detecting suspicious applications or fake identities.
Payment processing — disbursing funds to your bank account and collecting repayments.
Customer support — responding to your enquiries and resolving account issues.
Reporting obligations — meeting reporting requirements of KPKT, BNM, LHDN, and other competent authorities.
Notifications — payment reminders, application status, and service updates.

We do not sell your personal data. We share data only with the following third parties, with your consent or as required by law:

Payment processors — partner banks and FPX providers (for disbursements and collections).
eKYC providers — BNM-approved identity verification technology providers.
Authorities — KPKT, BNM, LHDN, police, or the courts, as required by law.
Service providers — cloud, analytics, and SMS providers bound by strict confidentiality agreements (see Section 5a below).
Collection agencies — only for extended overdue accounts, and only after notice to you.

The DanaLaju mobile app embeds the following third-party services. Each is bound by its own privacy policy:

ServicePurpose · Data accessed

Firebase Cloud Messaging (FCM)Push notifications. Receives device token + the notification payload (status updates, payment reminders). Privacy policy.

SentryRuntime error capture. Receives stack traces with personal data scrubbed before send. Privacy policy.

6. Retention period

We retain your personal data for as long as needed for the purposes for which it was collected, and to meet legal obligations:

Active account records — for the duration your account is active.
Loan and transaction records — 7 years after loan closure (financial reporting requirement).
eKYC data (MyKad images, selfies) — 7 years (AMLA requirement).
Rejected applications — 2 years for fraud prevention.
Non-personally-identifiable analytics logs — up to 24 months.

7. Your rights

Under the Personal Data Protection Act 2010, you have the right to:

Access — request a copy of the personal data we hold about you.
Correction — request that we correct inaccurate data.
Limit processing — request that we stop processing for marketing purposes.
Withdraw consent — where processing is based on your consent (does not apply to data we are legally required to retain).
Complaint — to the Personal Data Protection Commissioner if you are not satisfied.

To exercise any of these rights, email our data protection officer at [email protected]. We will respond within 21 business days.

8. Delete your account

You can request your DanaLaju account be deleted at any time. Email [email protected] from your registered email address with the subject "Account Deletion Request" and the last four digits of your MyKad for verification.

After identity verification, we will:

Deactivate your account within 21 business days, and send a confirmation email.
Delete data not required by law — including marketing preferences, app usage logs, and device fingerprints.
Retain data required by law — including loan records, payment transactions, and eKYC images for 7 years per AMLA and financial reporting requirements. This data will not be used for any other purpose.
Accounts with active loans must be settled first before they can be deleted.

If you only want to stop receiving notifications, you can disable them in your device settings — no need to delete your account.

9. Security

Your personal data is encrypted in transit (TLS 1.3) and at rest (AES-256). Internal team access is restricted to what is needed for each role, logged, and audited. eKYC images are stored in a separate encrypted bucket isolated from account data.

10. Children

DanaLaju services are only for individuals aged 21 years and above. We do not collect data from children. If you believe a child has provided data to us, please contact us and we will delete it immediately.

11. Changes to this policy

We may update this policy from time to time. Any material changes will be communicated to you via the app or by email at least 14 days before they take effect. The latest version will always be available on this page.

12. Contact the data protection officer

Data Protection Officer (DPO)
DanaLaju Sdn Bhd
25-4 Avenue 10 8, Jalan Kerinchi, Bangsar South, 59200 Kuala Lumpur, Wilayah Persekutuan Kuala Lumpur
Email: [email protected]
WhatsApp: 011-6812 2249

Our privacy commitment

DanaLaju is committed to protecting your personal data under the Personal Data Protection Act 2010. You may withdraw consent, access, or correct your data at any time through our data protection officer.

How we protect your personal data.

1. Who we are

2. Data we collect

3. Why we request specific permissions

4. Purpose of collection

5. Who we share with

5a. Third-party services embedded in the app

6. Retention period

7. Your rights

8. Delete your account

9. Security

10. Children

11. Changes to this policy

12. Contact the data protection officer