Legal

Privacy Policy

Last updated: 31 May 2026 · Compliant with the Malaysian Personal Data Protection Act 2010 (PDPA) including the Amendment Act 2024.

Plain English summary

1. Who we are (Data Controller)

BitScoot Resources (the "Company", "we", "us", "our") is a scooter rental business operating in Langkawi, Kedah, Malaysia. We are the data controller as defined in Section 4 of the PDPA 2010.

2. Data Protection Officer (DPO)

Per the PDPA Amendment 2024, our designated Data Protection Officer is reachable at: [email protected] (subject line: "PDPA DPO enquiry"). The DPO handles all data-subject requests, breach reports, and consent questions.

3. What personal data we collect

CategoryExamplesSource
IdentificationFull name, IC / passport number, date of birthYou provide at pickup
ContactEmail, mobile / WhatsApp number, hotel / pickup addressYou provide on booking
LicenceDriving licence number & class, issuing countryYou provide at pickup
FinancialDeposit / rental payment (card & bank details handled by Stripe — we do NOT see card numbers)You provide via Stripe Checkout
BookingPickup / return dates, scooter model, delivery addressYou provide on booking
DocumentsPhoto of passport / IC, signed rental agreementCaptured at pickup
TechnicalIP address, browser type, pages viewed (analytics)Auto-collected on website visit

Sensitive personal data (IC/passport, biometric/photo) is processed only with your express consent, securely, and exclusively for rental verification and legal compliance.

4. Why we collect it (Purposes)

  • To verify your identity and right to ride (legal requirement under Malaysian Road Transport laws).
  • To process your booking, deposit, and final rental payment.
  • To communicate with you on WhatsApp / email about your booking, pickup, return, and any incident.
  • To enforce our rental terms (damage claims, late returns, traffic fines we receive on your behalf).
  • To comply with Malaysian tax, anti-money-laundering, and police reporting obligations.
  • To improve our service (aggregated usage analytics — never to identify individuals).

5. Legal basis & consent

We process your data under one or more of the following lawful bases:

  • Your consent — ticking the consent box on our booking form.
  • Contract performance — to fulfil the rental contract you enter into.
  • Legal obligation — tax, traffic fine forwarding, police requests.
  • Legitimate interest — anti-fraud, security, debt recovery.

You may withdraw consent at any time by emailing the DPO. Withdrawal does not affect lawfulness of prior processing or our right to retain records for legal compliance.

6. Who we share data with

  • Stripe Payments Malaysia Sdn Bhd — payment processing (PCI-DSS Level 1 certified).
  • Hostinger — secure hosting of our admin database.
  • Cloudflare — DDoS protection & CDN for our public website.
  • Meta WhatsApp Business — customer communication.
  • Google (Workspace, Maps, Drive) — email, location, backups.
  • Government authorities — only when legally compelled (police request, traffic compound, tax audit, court order).

We do not sell, rent, or trade your data to marketers, brokers, or any third party for advertising purposes.

7. Cross-border data transfer

Some of our service providers (Stripe, Cloudflare, Google) process data on servers outside Malaysia (United States, European Union, Singapore). We rely on these providers' standard contractual clauses, ISO 27001 / SOC 2 certifications, and PDPA-equivalent safeguards. Your data receives the same level of protection abroad as it would in Malaysia.

8. How long we keep it (Retention)

DataRetention PeriodReason
Rental records, invoices, deposit receipts7 yearsMalaysian Income Tax Act, dispute resolution
IC / passport scan2 years after last rental, then anonymisedFraud detection, traffic fine forwarding
WhatsApp / email conversations2 yearsDispute resolution
Marketing consent (if granted)Until withdrawn or 3 years inactiveCustomer relationship
Website analytics14 monthsService improvement

9. Your rights as a Data Subject

Under PDPA 2010 (as amended 2024), you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate or incomplete data.
  • Withdraw consent — opt out of further processing (subject to legal retention).
  • Limit processing — instruct us to limit direct marketing to specific channels.
  • Data portability — receive your data in a structured, machine-readable format.
  • Lodge a complaint with the Personal Data Protection Commissioner (JPDP).

We respond to verified requests within 21 days at no charge for the first request in any 12-month period.

10. How we protect your data (Security)

  • TLS 1.3 encryption for all website traffic and admin app.
  • Database encrypted at rest, accessible only to authorised staff with role-based access control.
  • Stripe handles card data — we never see or store full card numbers (PCI-DSS Level 1).
  • Daily off-site backups (Google Drive, encrypted).
  • 2-factor authentication on admin accounts.
  • Rate-limiting + honeypot anti-bot on public forms.
  • Staff trained on PDPA obligations & bound by confidentiality.

11. Data breach notification

Per the PDPA Amendment 2024, if we detect a personal data breach likely to result in significant harm, we will:

  • Notify the Personal Data Protection Commissioner within 72 hours.
  • Notify affected individuals without undue delay, explaining the nature of the breach, likely consequences, and remedial measures.

12. Cookies & tracking

Our website uses essential cookies (session, theme preference, security) that do not require consent under PDPA. We do not use third-party advertising cookies. We may use first-party analytics (Google Analytics) configured with IP anonymisation. Reject all non-essential cookies via the banner shown on your first visit, or via your browser settings.

13. Children

Our services are intended for individuals aged 18 and above (minimum riding age in Malaysia is 16 with B2 licence; we require 18+ for rental contracts). We do not knowingly collect data from children under 18. If you believe we have, please contact the DPO for immediate deletion.

14. Changes to this policy

We may update this policy from time to time. Material changes will be notified via website banner and (where appropriate) WhatsApp / email. The "Last updated" date at the top of this page always reflects the current version. Continued use of our services after a change indicates acceptance.

15. Contact us

Questions, requests, or complaints? Reach our Data Protection Officer:

BitScoot Resources — DPO

Email: [email protected]

WhatsApp: +601162385822

Not satisfied with our response? Lodge a complaint with the Personal Data Protection Commissioner at www.pdp.gov.my.

© 2026 BitScoot Resources. Bahasa Malaysia version: privacy-ms.php.