1. Who we are (Data Controller)
BitScoot Resources (the "Company", "we", "us", "our") is a scooter rental business operating in Langkawi, Kedah, Malaysia. We are the data controller as defined in Section 4 of the PDPA 2010.
- Business: BitScoot Resources, Langkawi
- Email: [email protected]
- WhatsApp: +601162385822
- Website: bitscoot.co
2. Data Protection Officer (DPO)
Per the PDPA Amendment 2024, our designated Data Protection Officer is reachable at: [email protected] (subject line: "PDPA DPO enquiry"). The DPO handles all data-subject requests, breach reports, and consent questions.
3. What personal data we collect
| Category | Examples | Source |
|---|---|---|
| Identification | Full name, IC / passport number, date of birth | You provide at pickup |
| Contact | Email, mobile / WhatsApp number, hotel / pickup address | You provide on booking |
| Licence | Driving licence number & class, issuing country | You provide at pickup |
| Financial | Deposit / rental payment (card & bank details handled by Stripe — we do NOT see card numbers) | You provide via Stripe Checkout |
| Booking | Pickup / return dates, scooter model, delivery address | You provide on booking |
| Documents | Photo of passport / IC, signed rental agreement | Captured at pickup |
| Technical | IP address, browser type, pages viewed (analytics) | Auto-collected on website visit |
Sensitive personal data (IC/passport, biometric/photo) is processed only with your express consent, securely, and exclusively for rental verification and legal compliance.
4. Why we collect it (Purposes)
- To verify your identity and right to ride (legal requirement under Malaysian Road Transport laws).
- To process your booking, deposit, and final rental payment.
- To communicate with you on WhatsApp / email about your booking, pickup, return, and any incident.
- To enforce our rental terms (damage claims, late returns, traffic fines we receive on your behalf).
- To comply with Malaysian tax, anti-money-laundering, and police reporting obligations.
- To improve our service (aggregated usage analytics — never to identify individuals).
5. Legal basis & consent
We process your data under one or more of the following lawful bases:
- Your consent — ticking the consent box on our booking form.
- Contract performance — to fulfil the rental contract you enter into.
- Legal obligation — tax, traffic fine forwarding, police requests.
- Legitimate interest — anti-fraud, security, debt recovery.
You may withdraw consent at any time by emailing the DPO. Withdrawal does not affect lawfulness of prior processing or our right to retain records for legal compliance.
6. Who we share data with
- Stripe Payments Malaysia Sdn Bhd — payment processing (PCI-DSS Level 1 certified).
- Hostinger — secure hosting of our admin database.
- Cloudflare — DDoS protection & CDN for our public website.
- Meta WhatsApp Business — customer communication.
- Google (Workspace, Maps, Drive) — email, location, backups.
- Government authorities — only when legally compelled (police request, traffic compound, tax audit, court order).
We do not sell, rent, or trade your data to marketers, brokers, or any third party for advertising purposes.
7. Cross-border data transfer
Some of our service providers (Stripe, Cloudflare, Google) process data on servers outside Malaysia (United States, European Union, Singapore). We rely on these providers' standard contractual clauses, ISO 27001 / SOC 2 certifications, and PDPA-equivalent safeguards. Your data receives the same level of protection abroad as it would in Malaysia.
8. How long we keep it (Retention)
| Data | Retention Period | Reason |
|---|---|---|
| Rental records, invoices, deposit receipts | 7 years | Malaysian Income Tax Act, dispute resolution |
| IC / passport scan | 2 years after last rental, then anonymised | Fraud detection, traffic fine forwarding |
| WhatsApp / email conversations | 2 years | Dispute resolution |
| Marketing consent (if granted) | Until withdrawn or 3 years inactive | Customer relationship |
| Website analytics | 14 months | Service improvement |
9. Your rights as a Data Subject
Under PDPA 2010 (as amended 2024), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Withdraw consent — opt out of further processing (subject to legal retention).
- Limit processing — instruct us to limit direct marketing to specific channels.
- Data portability — receive your data in a structured, machine-readable format.
- Lodge a complaint with the Personal Data Protection Commissioner (JPDP).
We respond to verified requests within 21 days at no charge for the first request in any 12-month period.
10. How we protect your data (Security)
- TLS 1.3 encryption for all website traffic and admin app.
- Database encrypted at rest, accessible only to authorised staff with role-based access control.
- Stripe handles card data — we never see or store full card numbers (PCI-DSS Level 1).
- Daily off-site backups (Google Drive, encrypted).
- 2-factor authentication on admin accounts.
- Rate-limiting + honeypot anti-bot on public forms.
- Staff trained on PDPA obligations & bound by confidentiality.
11. Data breach notification
Per the PDPA Amendment 2024, if we detect a personal data breach likely to result in significant harm, we will:
- Notify the Personal Data Protection Commissioner within 72 hours.
- Notify affected individuals without undue delay, explaining the nature of the breach, likely consequences, and remedial measures.
12. Cookies & tracking
Our website uses essential cookies (session, theme preference, security) that do not require consent under PDPA. We do not use third-party advertising cookies. We may use first-party analytics (Google Analytics) configured with IP anonymisation. Reject all non-essential cookies via the banner shown on your first visit, or via your browser settings.
13. Children
Our services are intended for individuals aged 18 and above (minimum riding age in Malaysia is 16 with B2 licence; we require 18+ for rental contracts). We do not knowingly collect data from children under 18. If you believe we have, please contact the DPO for immediate deletion.
14. Changes to this policy
We may update this policy from time to time. Material changes will be notified via website banner and (where appropriate) WhatsApp / email. The "Last updated" date at the top of this page always reflects the current version. Continued use of our services after a change indicates acceptance.
15. Contact us
Questions, requests, or complaints? Reach our Data Protection Officer:
BitScoot Resources — DPO
Email: [email protected]
WhatsApp: +601162385822
Not satisfied with our response? Lodge a complaint with the Personal Data Protection Commissioner at www.pdp.gov.my.
© 2026 BitScoot Resources. Bahasa Malaysia version: privacy-ms.php.