Privacy Policy

Last updated: 08/04/2026

1. Who We Are

Our company details and registered address are BanQr Group Limited (LL21620) Level 12(D), Main Office Tower, Financial Park Labuan Complex, Jalan Merdeka 87000 Labuan Federal Territory of Labuan, Malaysia.

This Privacy Notice explains how BanQr Group Limited (“BanQr”, “we”, “us” or “our”) collects, uses, shares, and protects your personal information in connection with our financial products, digital banking services, investment platforms, and related activities.

BanQr Group Limited acts as a data controller in respect of your personal information. We are committed to protecting your privacy, complying with international data protection laws, and upholding principles of transparency, fairness, and Shariah-compliant ethical conduct.

2. The Information We Process

We collect and process personal and confidential information at the start of, and throughout, your relationship with us.

This may include:

  • Basic details: name, date of birth, nationality, contact details, residential address.
  • Financial information: account details, payment history, credit and borrowing data, wealth, assets, liabilities.
  • Digital information: online banking credentials, IP addresses, device identifiers, geolocation data, cookies, online behaviour.
  • Identity and verification data: biometric identifiers, identity documents, video recordings, voice samples.
  • Lifestyle and business information: employment, education, family, investment preferences, ESG/ethical finance preferences.

In limited circumstances, we may also process special categories of data (e.g., religious affiliation, health data, or biometric data) where legally permitted and necessary for compliance, fraud prevention, or service accessibility.

3. How We Obtain Information

Your information comes from:

  • Data you provide directly to us when applying for or using BanQr products or services.
  • Information from affiliates, service providers, regulators, correspondent banks, and credit reference/fraud prevention agencies.
  • Publicly available sources (company registries, sanctions lists, electoral rolls, etc.).
  • Digital interactions via BanQr platforms (cookies, app usage, behavioural analytics).
  • Third-party data providers used to enhance customer understanding and detect fraud.

4. Your Rights

Depending on the laws of your country, you may have the following rights:

  • Access – to receive a copy of your personal information.
  • Rectification – to correct inaccurate or incomplete data.
  • Erasure – to request deletion where legally possible.
  • Restriction – to limit how we process your information.
  • Portability – to receive your information in a structured, machine-readable format.
  • Objection – to object to processing, including marketing.
  • Withdraw consent – where we rely on your consent, you may withdraw it at any time.
  • Lodge complaints – with your local data protection authority.

5. How We Use Your Information

We use your information for:

  • Contractual necessity: providing banking, payment, lending, REIT management, or investment services.
  • Legal obligations: AML/CFT, KYC/eKYC checks, tax reporting, fraud prevention, sanctions compliance.
  • Legitimate interests: risk management, product development, internal reporting, customer support, security monitoring.
  • Consent: where required for marketing, profiling, or specific digital tracking.

6. Sharing Information

We may share your information with:

  • BanQr Group affiliates (e.g., BanQr REIT Manager, BanQr Digital, BanQr Wallet).
  • Service providers supporting our banking, IT, fraud prevention, Shariah advisory, or marketing functions.
  • Regulators, tax authorities, and law enforcement agencies where required.
  • Credit reference and fraud prevention agencies.
  • Correspondent banks and payment networks (e.g., SWIFT).
  • International partners under lawful data transfer mechanisms.

We will never sell your personal information to third parties for their own marketing purposes.

7. International Data Transfers

As a global business, BanQr may transfer personal information to countries outside your jurisdiction, including to affiliates and service providers. Where we do so, we ensure adequate safeguards are in place (e.g., contractual protections, adequacy decisions, or equivalent lawful mechanisms).

8. Marketing Information

Where permitted, we may send you marketing information about BanQr products, Shariah-compliant investments, or partner services via email, SMS, app notifications, or other digital channels. You may opt out at any time.

9. Communications

We will contact you with operational or regulatory information relevant to your accounts and services. We may also monitor or record communications (calls, chats, emails) for quality, compliance, and security purposes.

10. Credit Reference and Fraud Prevention

We may use information from fraud prevention and credit reference agencies to verify your identity, prevent fraud, assess creditworthiness, and comply with regulatory requirements. Fraud data may be shared globally with law enforcement or financial institutions where legally permitted.

11. Data Retention

We retain your data only as long as necessary to meet legal, regulatory, or contractual obligations, typically for 5–10 years after the end of your relationship with BanQr, unless a longer period is required by law.

12. Security

We apply robust technical, organisational, and Shariah-aligned ethical safeguards to protect your information, including encryption, access controls, fraud detection systems, and secure hosting.

13. Automated Processing & AI

BanQr may use machine learning, AI, and profiling to support decision-making (e.g., credit scoring, fraud detection, investment recommendations). Where required, we will provide human review and ensure fairness, transparency, and explainability.

14. Changes to This Notice

We may update this Privacy Notice from time to time. Any significant changes will be communicated through our website and other official channels.

Global Data Protection Addendum

Because BanQr Group Limited operates across multiple jurisdictions, we provide additional country-specific information where required by local law. These provisions apply in addition to the international Privacy Notice.

1. European Union / European Economic Area (EEA) & United Kingdom (UK GDPR)

  • Legal Basis: We process your data under one of the following: contractual necessity, legal obligation, legitimate interests, or consent.
  • International Transfers: If data is transferred outside the EEA/UK, we use adequacy decisions or Standard Contractual Clauses (SCCs).
  • Data Protection Rights: In addition to the rights set out in the main Notice, you may:
    • Lodge complaints with your national data protection authority or the UK ICO.
    • Request details of any automated decision-making logic that significantly affects you.
  • Retention: Normally 7–10 years, but may be longer for regulatory reasons.

2. Malaysia (PDPA 2010)

  • Consent Principle: Your personal data will only be processed with your consent unless another lawful basis applies (e.g., legal obligation).
  • Access & Correction: You may request access to and correction of your personal data by contacting BanQr’s Data Protection Officer in Malaysia.
  • Disclosure: We will not disclose your personal data without consent, except as required by law, regulators, or under contractual necessity.
  • Retention: Data will be kept only as long as necessary for the purposes collected or as required by law.

3. Indonesia (Personal Data Protection Law 2022)

  • Consent: Processing of personal data requires your explicit consent unless another lawful ground applies.
  • Rights: You have the right to access, correct, delete, and limit processing of your personal data, and to withdraw consent at any time.
  • Data Transfers: Cross-border transfers will only occur if the receiving country ensures adequate protection, or where contractual safeguards exist.
  • Retention: BanQr will retain data for the duration of your relationship and up to 5 years thereafter, unless longer is legally required.

4. Gulf Cooperation Council (GCC) – DIFC, ADGM, Bahrain, Saudi Arabia

  • Local Regulators: BanQr complies with applicable DP laws (e.g., DIFC DP Law 2020, ADGM DP Regulations 2021, Bahrain Law 30/2018, Saudi Arabia PDPL 2021).
  • International Transfers: Data leaving the GCC is protected through adequacy decisions or contractual safeguards.
  • Rights: You may request information about the categories of personal data processed, demand correction or deletion, and restrict marketing use.

5. United States (California – CCPA/CPRA)

  • Notice at Collection: We collect identifiers (name, address, email, device data), financial information, geolocation data, internet usage, and professional information.
  • Your Rights (California residents):
    • Right to know categories of data collected and shared.
    • Right to request deletion.
    • Right to opt-out of sale or sharing of personal data (BanQr does not sell personal data).
    • Right to non-discrimination for exercising your rights.
  • Sensitive Personal Information: We only process sensitive data (e.g., biometric identifiers) for necessary business purposes.

Contact Information

For privacy enquiries or to exercise your rights, you may contact:

  • Data Protection Officer (DPO), BanQr Group LimitedContact Us
  • Local contact details for Malaysia, Indonesia, GCC, EU/UK, and US are available on request or via our Contact Us page.