Your data, your rules.

Bolehlah is operated by Lunar Flame Sdn Bhd (Co. No. 1361453-X), Level 13A, Wisma Mont Kiara, 1 Jalan Kiara, Mont Kiara, 50480 Kuala Lumpur, Malaysia. We are the data user for the personal data described in this notice, and we process it under the Personal Data Protection Act 2010 (Act 709) (“PDPA”).

What Bolehlah is — and isn't. Bolehlah is a software platform that helps you track your loans, talk to B (our AI assistant), and — where you choose — apply to a licensed lender. We are not a lender, a koperasi, a bank, or an e-money issuer. Loans are between you and the licensed money lender or koperasi you choose. We do not hold your money. This matters for privacy because the lender is a separate data user for the data you submit to them through us.

We collect the following classes of personal data, directly from you and from the documents you choose to share:

Identity: your name, NRIC/MyKad number, the photo on your MyKad, date of birth, gender, marital status, dependents, mother's name (where a lender's form requires it for verification), mobile number, email address, and residential and mailing address.

Sensitive personal data (s.40 PDPA): a short selfie / liveness capture of your face for one-time eKYC identity verification (a biometric — see the eKYC section below). We do not collect data on your health, political opinions, religious beliefs, or commission of any offence.

Financial & credit: employer, salary, allowances, salary deductions, ANGKASA payroll/employer code, employee number, employment type and service start date, bank-account details you provide for disbursement or repayment, the loans you track, your payment history, and the credit-bureau and ANGKASA/eSGPA eligibility results returned when you authorise a check.

Behavioural: your conversation history with B, the choices you make in the loan flow, and how you use the platform.

Technical: device, browser, IP address, and login times — used for security and fraud detection, and for nothing else.

We process your personal data for these purposes only:

(1) to verify your identity and that you are a real, present person (eKYC), as required before a loan can be disbursed; (2) to let you track your loans and talk to B; (3) where you choose to apply, to assess your application against the specific lender's rate card and pass it to that lender; (4) to run an authorised credit-bureau or ANGKASA/eSGPA eligibility check when you consent to one; (5) to send you reminders and service messages about your loans; (6) to detect and prevent fraud and keep the platform secure; (7) to improve B's decision quality using anonymised, aggregated data only — never your raw identifiable records; and (8) to comply with our legal obligations under the PDPA, the Anti-Money Laundering Act 2001 (AMLA), tax law, and lawful requests from regulators and authorities.

Where the law lets us process without consent — for example to perform a contract with you, or to meet a legal obligation — we rely on that. Otherwise we rely on your consent, which you can withdraw.

Most of the data above is provided voluntarily, but some of it is obligatory if you want a particular outcome. To verify your identity you must complete eKYC; to apply for a loan you must give the lender the identity, employment, and income data its form requires; and to run a credit-bureau or ANGKASA check you must authorise it. If you do not provide obligatory data, the consequence is simply that we cannot complete that step — for example, we cannot verify you or submit your application — but you can still use the rest of the platform.

We disclose your personal data only to the following classes of third parties, and only as far as the purpose requires:

Licensed lenders — the licensed money lender or koperasi you choose to apply with receives the borrower data needed for that application. A lender never sees your activity with another lender, and never sees an application you did not make.

Credit reporting agencies — when you authorise a credit check, we orchestrate a pull from a registered credit reporting agency (e.g. CTOS, which carries CCRIS data) under the Credit Reporting Agencies Act 2010 (Act 710). You have the right to access and dispute your credit report with that agency.

ANGKASA / eSGPA — for salary-deduction eligibility, we check your status with ANGKASA's eSGPA service where you consent.

Identity, e-signature, and Shariah-trade providers — our eKYC provider (Innov8tif EMAS) for identity verification; certification authorities for the digital signature on your agreement; and the licensed commodity-trading partner that executes the Tawarruq leg of an Islamic AKAD.

Our data processors (sub-processors) — the infrastructure and AI providers that process data on our behalf under contract: Amazon Web Services (AWS Bedrock, in Malaysia) for AI processing, and Anthropic, PBC as a standby model-provider path. The full register is at /trust.

Regulators and authorities — BNM, the Consumer Credit regulator, the Inland Revenue Board (LHDN), the police, and the courts, where a law or a lawful order requires it. We comply with the law and tell you when we are legally allowed to.

We do not sell your personal data, and we do not disclose it for any third party's own advertising.

Your face / liveness capture is sensitive personal data under s.40 of the PDPA, so we process it only with your explicit consent, given at the eKYC step.

What we collect. To verify your identity for a loan application (“eKYC”), the app captures a short selfie / liveness check of your face — a one-time identity step. We do not use face recognition to log you in, to track you across the app, or to build a persistent faceprint for any other purpose.

How it's used. Your facial image is used solely to confirm you are a real, present person and that you match the photo on your MyKad (NRIC) — the identity check Malaysian lenders are required to perform before disbursing a loan. It is never used for advertising, profiling, or to train any AI or facial-recognition model.

Who processes it, and where it's stored. To run the match, the image is processed by our licensed eKYC provider, Innov8tif (the EMAS eKYC platform), under a contractual data-processing agreement with protections equivalent to this policy. The image and its verification result are stored encrypted, in the Singapore region, on Bolehlah's infrastructure and the provider's — only for as long as the check and its audit record require. Lenders never receive your facial image; the lender sees only the pass/fail verification result.

Retention + your control. Your selfie / liveness capture is deleted once its retention window passes — kept only for the loan tenure plus the period the PDPA and anti-money-laundering law require for the verification audit trail, then erased. You can request deletion of your eKYC data at any time (subject to that legal retention for active loans) at dpo@bolehlah.ai.

B's replies are generated by an advanced AI model served through Amazon Web Services' Bedrock service in Malaysia (the ap-southeast-5 region). By default, your data is processed in Malaysia. When you chat with B, the messages you send — and the minimum account context needed to help you (e.g. your loans, payments, and the question at hand) — are processed there solely to generate B's reply.

No storage, no training, no model-provider access. Under AWS Bedrock's service terms, this data is not stored by the AI service, is not used to train any model, and the model provider does not receive it. A standby direct processing path to Anthropic, PBC (a US company) exists for service continuity, under contractual protections equivalent to this policy — no training on your data, and no retention beyond what is needed to return the reply. We do not sell it.

Automated processing + a human in the loop. B helps you understand your options and can support a lender's screening, but B's output is not a binding lending decision and is not financial or legal advice. The lending decision is made by the licensed lender. Where a decision materially affects you, you can ask for it to be reviewed by a person — write to dpo@bolehlah.ai.

Your choice. In the app we ask for your agreement before B sends anything for AI processing, and you can stop using B at any time.

By default your personal data is processed in Malaysia. Two flows may involve a transfer outside Malaysia: your eKYC image is processed and stored in the Singapore region, and the standby AI path to Anthropic, PBC is in the United States. We make any such transfer only under contractual data-protection terms equivalent to this policy and in line with s.129 of the PDPA. We do not transfer your data anywhere else without a lawful basis.

Under the PDPA you have the right to: (a) access the personal data we hold about you (s.30); (b) correct anything that is inaccurate, incomplete, or out of date (s.34); (c) withdraw your consent to any specific processing (s.38) — we will tell you the consequence, which is usually that we can no longer provide that step; (d) prevent processing that is likely to cause you substantial damage or distress (s.42); (e) prevent processing for direct marketing at any time (s.43); and (f) request deletion of your data, subject to the retention the law requires for active loans and records.

We aim to acknowledge a request within 24 hours and to respond within 21 days as the PDPA requires. We may charge the small prescribed fee for a data-access request. Make any request — in any language — at dpo@bolehlah.ai. If you are not satisfied, you may complain to the Personal Data Protection Commissioner (Jabatan Perlindungan Data Peribadi, JPDP) at pdp.gov.my.

We keep personal data only as long as the purpose, or the law, requires:

Active-loan and identity-verification data: kept for the loan tenure and for the period required by anti-money-laundering law (AMLA — at least 6 years after the relationship ends) and tax law (up to 7 years). _[Counsel to confirm the controlling window against BNM/CCOB and the lender DPAs.]_

Conversation logs with B: kept for 24 months, then anonymised.

Marketing data: deleted promptly when you opt out.

Technical/security logs: kept for a short period for fraud detection, then deleted.

When a retention period ends, we delete or irreversibly anonymise the data.

We protect your data with encryption in transit and at rest, access controls and audit logging, the principle of least privilege, and contractual data-protection terms with every processor. Bolehlah HQ sees aggregate patterns, never raw borrower data, except in a logged audit or dispute review. No system is perfectly secure, but we hold ourselves to a standard appropriate to financial data, and our information-security certification (ISO 27001) is in progress.

If a personal-data breach occurs that is likely to cause you significant harm, we will notify the Personal Data Protection Commissioner and affected individuals as required by the PDPA (including the 2024 breach-notification amendment), describe what happened and what we are doing about it, and tell you the steps you can take to protect yourself.

We use essential cookies (login, security) only. No advertising trackers. No Google Analytics. No Facebook Pixel. For aggregate visit counts and page-performance metrics we use Vercel Web Analytics and Vercel Speed Insights (Vercel Inc., our hosting provider) — cookieless, no cross-site tracking, and no personal profiles are built.

Bolehlah is for adults. You must be at least 18 years old to use the platform. We do not knowingly collect data from anyone under 18; if we learn that we have, we delete it.

We'll email you at least 14 days before any material change, and post the new effective date here. Last revised: 16 June 2026.