PIPO BNPL Malaysia Privacy Policy
Last updated: 14 October 2024
Welcome
to PIPO. PIPO and its group companies (“PIPO”,
“us” or “we”) provide payments, financial and technology solutions to
businesses and individuals (“Services”).
These Services include accepting and processing payments for ecommerce
transactions, and facilitating transactions with social media creators,
advertisers, merchants and their respective service providers. In addition,
PIPO provides identity verification, fraud detection and loss prevention
services for various online businesses.
The
PIPO entity responsible for providing Buy Now Pay Later (“BNPL”) services in Malaysia is PIPO FinTech (MY) Sdn Bhd. Different data controllers may be responsible for
other processing services or activities undertaken by PIPO in your country.
This Privacy Policy explains how we
collect, use, share, and otherwise process personal information relating to
individuals (“you” or “your”) in connection with our Services.
We may collect your personal
information in a number of contexts, including:
●
Where we
provide our Services to social media creators, advertisers, merchants, service
providers or our affiliates whose services you use, or with which you interact
or transact. For example, we may collect your personal information where you
make or receive payments relating to products, services or content, through
websites, apps, social media platforms and ecommerce platforms for which we
process payments.
●
Where you
are a customer of Services which we provide to you, such as where you use our
Buy Now Pay Later (“BNPL”) services
as an individual, or where you are a merchant using our payment services.
●
Where you
use the services of a third-party finance or payments provider, and we have a
role in facilitating the relevant transaction.
●
Where you
communicate with our customer support or sales
teams, or otherwise provide your personal information to us for any reason.
Our role in processing your personal
information may differ depending on the context in which we process your
information. For example, when you make a purchase on an ecommerce platform, we
may process your personal information on behalf of the merchant that sells the
product to you. Where we process information on behalf of a merchant, or
another individual or business, you should refer to the privacy policy
published by this party for more information on the processing of your personal
information.
We may collect the
following information about you:
Basic Information.
We may collect basic information such as your name, date of birth, gender,
mobile number, email address, postal address and country. Where you
make or receive payments from third parties, such as where you are a buyer
making a purchase from an ecommerce merchant, we may also receive this
information from these parties where we process payments between you and them.
If we provide our Services in connection with a social media or ecommerce
platform, we may receive your account ID for the relevant platform as part of
the basic information we collect.
Payment Information.
The payment information we collect depends on the
specific Services
you use and on the local requirements in
your jurisdiction.
●
When you make payments using payment
cards, we process your payment card information such as the name on your card,
primary account number (“PAN”),
service code and expiration date.
●
When you use different payment
methods to withdraw or receive any amount, we collect your bank or cardholder
data such as PAN or IBAN, SWIFT BIC, bank code, beneficiary name and address
and any other relevant information related to your chosen account. Where
relevant, we may also process Value-Added Tax or Goods & Services Tax
information.
●
If you make payments through a
third-party payment service provider, we may collect information about your
account with that service provider.
To ensure the safety and security of
your payments, we process (but not store) payment verification information such
as card verification value (“CVV”).
Identification Information. We may collect government-issued identification documents and
related information to verify your identity. This may include copies of your
government-issued identification card, passport, driver’s license, information
such as your local identification number and passport number, nationality,
country of residence, and photograph for facial verification. We may require
proof of address and information relating to your income or financial status
including documents such as utility bills, bank statements, credit card
statements or tax-related documents. We will only collect and process
identification and financial information where permitted under applicable laws.
We may also request that you provide us with professional or employment
information such as business information of your employer and your job
title.
Transaction Information. We collect information in respect of the transactions you make
or receive while using our Services. For example, we may collect information on
your purchase and transaction history (including information associated with
buyer and merchant accounts on ecommerce platforms), information about refunds
and complaints, payment method, order ID logistics information regarding the
shipment and delivery of products including by third party logistics providers,
and tax-related information.
Technical Information.
We may collect technical information such as information on your device type,
your device’s network connections, IP address, information about your device
web browser and internet connection, and technical usage information.
Communications. We collect information
from or about you when you communicate with us, such as when you contact our
customer support or sales teams. This may include the content of messages you
send to us. We may record phone calls and video conferences (in accordance with
applicable law) and retain transcripts of dialogue for training, quality
assurance, product development and administration purposes. We may also collect
contract information when you provide us with details of your contractual
arrangements with third parties.
Information from Third-Party Sources or
Corporate Group Entities. We may collect
information about you from publicly available sources or from third-party
identity verification, governance, risk and compliance solutions. Where we work with third-party licensed payment providers, we may
receive certain postback data from these payment
service providers relating to the status of your transaction. We may also obtain information about you from certain
affiliated entities within our corporate group, including about your activities
on their platforms.
Credit and Risk Information. We may require
certain types of information to determine your creditworthiness including your
repayment history and credit usage. We may request such information from you where you take up loan or
credit-related products and services from us or where we facilitate the
provision of such products and services to you. Such information may include
information relating to your employment, income, location and other demographic
data. We may draw inferences relating to your credit risk or to monitor for
fraud or other risks based on your Transaction Information, Technical
Information and Information from Third-Party Sources or Corporate Group
Entities.
Research and Surveys.
We may collect information about you, such as survey or market research
responses, where you choose to participate in such research studies or surveys.
We process your personal
information:
●
To enable us to provide
and administer our Services, including to enable you and others to perform and
manage e-wallets, accounts and transactions, and for us to fulfill requests for
products, services, and information.
●
To communicate and
provide support to you or parties with whom you transact, including to perform
troubleshooting, provide information about changes to our Services and other
service-related notifications.
●
To investigate and
resolve complaints or disputes between you and other individuals or businesses
with whom you transact.
●
To process, manage or
verify your eligibility for our Services or for products and services offered
by our corporate group affiliates and business partners. This may include
performing a credit assessment and/or risk profiling where you request loan or
credit-related products and services.
●
To check and verify your
identity and information, carry out due diligence, Anti-Money Laundering and
Know-Your-Customer checks, sanctions screening or other transaction monitoring activities
in accordance with our legal and regulatory obligations, industry practice or
our risk management procedures.
●
To monitor, analyze,
improve and develop our Services, systems and processes, and conduct research
and product development.
●
To ensure our Services
are safe and secure, including to detect and prevent deceptive, fraudulent, or
illegal activity.
●
For our internal
operations, including for accounting, troubleshooting, data analysis, testing,
statistical, and survey purposes and to solicit your feedback.
●
To maintain and enhance
the safety, security, and stability of our Services, systems and
infrastructure, such as by identifying and addressing technical or security
issues or problems (including detecting and preventing abuse, harmful activity,
fraud, spam, and other illegal activities).
●
To review, improve,
promote, and develop our Services, including by monitoring user interactions
and transactions, conducting surveys, and by training and improving our
technology, such as our machine learning, AI models and algorithms.
●
To comply with our legal
and regulatory obligations including under applicable tax, payments and
financial services laws, and to meet our accounting and financial reporting
obligations.
● To facilitate and fulfill discount programmes
relating to payment methods.
● For any other purposes disclosed to you at the
time we collect your information or pursuant to your consent.
We share your
information with the following parties:
We work with partners
that help us provide, support, and develop our Services, and understand how
they are used. They provide services such as mailing, email, cloud hosting,
customer and technical support, legal, audit, accounting, analytics, payments
and financial services, fraud prevention and regulatory compliance,
engineering, administrative or other similar support services. We share your
information (as described in What Information We Collect) with these partners
as necessary to enable them to provide their services. Some examples include:
●
Payment Service Providers and Financial
Institutions. These providers and
institutions process or facilitate payments or provide other banking or
financial services to us, you, merchants or other parties with whom
transactions are made. These providers and institutions may also process your
data for anti-money laundering and fraud prevention purposes.
●
Integrated Platform Providers and Risk
Management Services. We share limited
information with third party platforms and service providers. These include
third party identity verification providers, so that we can verify your
identity. We may also work with third parties that provide us with fraud and
risk management services including for the checking of payment information to
identify fraudulent transactions. Some of these parties may, where permitted by
applicable law, use facial recognition technology to confirm that you are the
individual identified in documents provided to us as part of our customer
onboarding processes. These parties may also use device fingerprinting
technology to collect information about your device for fraud prevention,
identity check, and security reasons. A device fingerprint refers to a
collection of attributes about a device that enables the device to be
recognized or uniquely distinguished from other devices.
●
Cloud Storage and IT Support Service Providers. We may rely on service providers such as cloud
storage providers and providers of IT services to support our business
operations and provide our Services.
●
Analytics and Search Engine Providers. We share information with advertising,
analytics services providers, and search engine providers that assist us in the
improvement and optimization of our Services.
●
Credit Reporting
Agencies. Where we provide or
facilitate the provision of BNPL services, we may share information with credit
reporting agencies to assess your eligibility to participate in such services.
We may share your
personal information with parties with
whom you transact. For example, where you make payment for a product purchased
on an ecommerce platform, we may share limited information about you with the
recipient of the payment so as to facilitate that transaction.
We may also share your information
with other members, subsidiaries, or affiliates of our corporate group,
including to provide, improve and optimize our Services and to support our
users. These entities process information as necessary to provide the services
and for the purposes set out in this Privacy Policy.
We may share your
information with law enforcement agencies, public authorities or other
organizations if legally required to do so, or if such use is reasonably
necessary to:
●
Comply
with a legal obligation, process or request;
●
Enforce
our terms of service and other agreements, policies, and standards, including
investigation of any potential violation thereof;
●
Detect,
prevent or otherwise address security, fraud or technical issues; or
● Protect the rights, property or
safety of us, our users, a third party or the public as required or permitted
by law (including exchanging information with other companies and organizations
for the purposes of fraud protection and credit risk reduction).
We may also disclose
your information to third parties:
●
In the
event that we sell or buy any business or assets (whether a result of
liquidation, bankruptcy or otherwise), in which case we will disclose your data
to the prospective seller or buyer of such business or assets; or
● If we sell, buy, merge, are
acquired by, or partner with other companies or businesses, or sell some or all
of our assets. In such transactions, user information may be among the
transferred assets.
Your information may be
stored on servers located outside the country where you live, such as in
Singapore, Ireland and the United States. We maintain major servers around the
world to bring you our services globally and continuously.
You have rights and
choices when it comes to your information. The rights which you are afforded
under applicable laws may include the right to access, delete, update, or
rectify your data, to be informed of the processing of your data, to file
complaints with authorities, and potentially other rights. Further information
on the rights afforded to you under the laws of your jurisdiction may be
provided in the Supplemental Terms - Jurisdiction-Specific section below.
Where we are the
controller of your personal information, you may submit a request to exercise
your rights under applicable laws at https://www.pipopay.com/legal/data-subject-rights. Please also see the Supplemental Terms -
Jurisdiction-Specific section below on whether a local representative or local
contact is available for your country.
We may process your
information on behalf of other individuals or businesses such as ecommerce
merchants. Where we process your information on behalf of another party, the
individual or business with whom you work or transact will be responsible for
responding to your requests to exercise your rights and this individual or
business will be the appropriate party to whom your requests should be
submitted.
We take steps to ensure
that your information is processed securely and in accordance with this Privacy
Policy and applicable laws. These steps include for example, the use of
encryption for information transmitted via the internet. Unfortunately, we cannot
guarantee the security of information transmitted via the internet. You should
note that there are risks where you transact online. If you believe that the
security of your accounts or any payment transaction has been compromised,
please contact us immediately. Subject to applicable law, transmission of
information to us via the internet is at your own risk.
We have implemented
appropriate measures, including technical, physical and organizational measures, to ensure
a level of security appropriate to the risks to you and other users of our
Services. We maintain these measures and will amend them from time to time to
improve the overall security of our systems.
We retain your
information for as long as it is necessary for us to provide our Services and fulfill
our contractual obligations and rights in relation to the information involved.
We retain your information only for so long as we have a legitimate business
purpose or legal obligation to keep such data (including where it is necessary
for the establishment, exercise or defence of legal
claims).
The retention periods
which we apply may differ depending on criteria such as the type of information
and the purposes for which we use the information. We may retain information
for longer periods to allow us to deal with any queries, complaints, investigations
or legal claims that may arise and to comply with our legal and/or regulatory
obligations. Please also see the Supplemental Terms - Jurisdiction-Specific
section below for further information on retention requirements specific to
your jurisdiction (where applicable).
PIPO is not for use by
persons aged under 18 and it is not directed at persons under the age of 18.
Persons under the age of 18 are not allowed to use PIPO. In certain cases this
age may be higher due to local regulatory requirements. Where a higher age applies
to a Service for which we are the data controller, this will be stated in the
service terms applicable to that Service.
We may update this
Privacy Policy from time to time. When we update this Privacy Policy, we will
notify you by updating the “Last Updated” date at the top of this policy and
posting the new Privacy Policy or providing any other notice required by
applicable law. Your continued access to or use of our Services after the date
of the updated policy constitutes your acceptance of the updated policy. If you
do not agree to the updated policy, you must stop accessing or using the
Services.
If you have questions,
comments, complaints or requests regarding this Privacy Policy, please contact
us by submitting a request at https://www.pipopay.com/legal/data-subject-rights. Please also see the supplemental terms below on whether a
local representative or local contact is available for your country.
We will endeavor to deal
with your request as soon as possible. This is without prejudice to your right
to make a complaint with a relevant data protection authority, where
applicable.
Some
jurisdiction-specific laws contain additional terms, which are set out in this
section. If you are a user to which the laws of the jurisdictions set out below
apply, the terms set out below apply to you in addition to the terms set out
above and, in the event of a conflict, the terms set out below prevail.
Obligation
to Provide Personal Data. Your personal information is
required for the purposes set out in this Privacy Policy, including for
performing our obligations under a contract with you. If you do not provide the
required personal information, we may not be able to proceed with your request
and/or to perform our obligations under the contract with you, either in whole
or in part.
Language. In the event of any discrepancy or inconsistency between
the English version and Bahasa Malaysia language version of this Privacy
Policy, the English version shall prevail.
Consent for Processing of Consent
Information. We may collect and process credit
information and reports relating to you, including from credit reporting
agencies. We process this information to offer, provide or facilitate the
provision of, consumer credit services such as BNPL services, including to assess
your eligibility for such services, to evaluate, review and monitor your credit
status, and for debt recovery purposes. Credit information we process may
include Basic Information, Identification Information, Payment Information,
Transaction Information, information on your existing credit facilities, credit
repayment information and credit enquiry information. The credit reporting
agencies we engage may also obtain such information and reports from the Central
Credit Reference Information System (“CCRIS”) system operated by Bank
Negara Malaysia, and other content and information providers.
By using our platform and services,
you consent to the credit reporting agencies we engage, accessing, collecting
and processing your credit information, including from CCRIS and other content
and information providers, and for these credit reporting agencies to disclose
this information to us. You also consent to us processing this information for
the purposes stated above and in accordance with this Privacy Policy.
The credit reporting agencies we
engage are regulated under the Credit Reporting Agencies Act 2010. We are not
responsible for the privacy practices of these agencies. Please refer to the CTOS
Privacy Policy and Experian
Privacy Policy for information on how these credit
reporting agencies process your personal information.