Data Protection Officer
StoreHub has designated a Group Data Protection Officer responsible for ensuring compliance with applicable data
protection laws across our operating entities:
- StoreHub Sdn Bhd (Malaysia): Personal Data Protection Act 2010
- Onestorehub Pte. Ltd. (Singapore): Personal Data Protection Act 2012
- StoreHub (Thailand) Co., Ltd.: Personal Data Protection Act B.E. 2562 (2019)
- StoreHub Philippines Inc.: Data Privacy Act of 2012
For any queries regarding our collection, use, or disclosure of your personal data, or to exercise your rights under any applicable data protection law, please contact:
Data Protection Officer
Email: [email protected]
Payment Facilitation Services
1. Who We Are and Who This Applies To
1.1 Data Controller
The data controller for personal data processed in connection with StoreHub Payments is:
StoreHub Sdn Bhd
Company No. 201301042468
Level 7, KYM Tower, No. 8 Jalan PJU 7/6, Mutiara Damansara, Petaling Jaya, Selangor
Email: [email protected]
Website: https://www.storehub.com
1.2 Who This Applies To
This Supplement applies to anyone who registers to use StoreHub Payments as a merchant, including:
- Owners, directors, and key contacts of businesses onboarded to StoreHub Payments;
- Ultimate Beneficial Owners (UBOs) and authorised signatories whose information is collected as part of the onboarding process; and
- Any other individuals whose personal data StoreHub receives in the course of managing a merchant account.
This Supplement does not apply to Shoppers (the end customers who make payments at merchant terminals). Shopper data is processed by Adyen MY under Adyen's own privacy framework.
1.3 Our Role Alongside Adyen MY
StoreHub works with Adyen Malaysia Sdn Bhd ("Adyen MY") to deliver card payment processing. Because Adyen MY is the licensed acquirer underpinning StoreHub Payments, some of the data we collect is shared with Adyen MY, who processes it as an independent data controller for payment processing and regulatory compliance purposes. Adyen MY's privacy policy is available at https://www.adyen.com/policies-and-disclaimer/privacy-policy.
2. What Data We Collect
Because StoreHub Payments involves regulated financial activity, we collect significantly more data than for our standard POS platform. Below is a comprehensive overview:
2.1 Business Data
| Data Type | Examples |
| --- | --- |
| Business registration details | Legal name, SSM registration number, registered address, business type, MCC code |
| Financial information | Bank account name and number, 3 months' bank statements, expected monthly transaction volume |
| Business licence information | F&B licence, liquor licence, pharmacy licence (where applicable) |
| Transaction records | Full history of card transactions processed through StoreHub Payments, including amounts, dates, and merchant references |
| Chargeback and refund records | Details of all disputes, chargebacks, and refunds on your account |
| Communications | All emails, messages, and correspondence with StoreHub's compliance and support teams |
2.2 Personal Data of Directors and Beneficial Owners
| Data Type | Examples |
| --- | --- |
| Identity documents | Malaysian IC (MyKad) — both sides — of all directors and UBOs |
| Biometric data | Live facial image captured during Entrust identity verification (liveness check) |
| Personal contact details | Mobile number, email address |
| Financial and credit data | CTOS credit score and report for directors or UBOs where applicable |
| Sanctions and PEP status | Results of screening against international sanctions lists and PEP databases |
| Adverse media | Publicly available news or reports linked to your name or business |
A note on biometric data
We use Entrust’s certified e-KYC platform to verify the identity of directors and beneficial owners. This involves capturing a live photograph and comparing it against your MyKad. The biometric data is processed by Entrust and is not stored by StoreHub beyond what is necessary for the verification record. Entrust acts as a data processor on our behalf and is bound by strict data protection obligations.
2.3 Data We Generate About You
In addition to data you provide, StoreHub generates and maintains:
- A risk score and risk category for your business, based on identity verification results, credit scores, and business type;
- Transaction monitoring alerts and investigation notes;
- Audit logs of all actions taken on your account;
- Compliance decision records (e.g. records of onboarding approval, EDD decisions, and account reviews); and
- Communications with Adyen MY and BNM concerning your account.
3. Why We Collect Your Data and How We Use It
The table below explains the legal basis for each category of processing under Malaysia's Personal Data Protection Act 2010 (PDPA) and applicable financial services regulations:
| Purpose | What Data Is Used | Legal Basis |
| --- | --- | --- |
| Identity verification and KYC at onboarding | MyKad, biometric data (via Entrust), SSM records, CTOS credit report | Legal obligation (AMLATFPUAA, BNM e-KYC Guidelines) and contract performance |
| Ongoing KYC refresh (annual) | Updated identity documents, SSM status, bank account details | Legal obligation (BNM AML/CFT requirements) |
| Sanctions and PEP screening | Names of directors and UBOs, identity documents | Legal obligation (AMLATFPUAA, international sanctions regimes) |
| Transaction monitoring for fraud and AML | Full transaction history, patterns, business type, risk profile | Legal obligation (AMLATFPUAA, BNM supervision) and legitimate interest |
| Credit assessment | CTOS score, bank statements | Legitimate interest (risk management and setting appropriate settlement terms) |
| Settlement and payout processing | Bank account details, transaction records | Contract performance |
| Regulatory reporting (STRs, CTRs) | Transaction data, identity data, account records | Legal obligation (AMLATFPUAA — reporting to BNM) |
| Dispute and chargeback management | Transaction records, communications with your business | Contract performance and legitimate interest |
| Compliance with Adyen MY requirements | KYC records, transaction data, compliance decisions | Legal obligation and contract performance (Adyen PF Agreement) |
| Card Scheme reporting (MATCH/VMAS in fraud terminations) | Business details, termination reason | Legal obligation (Visa/Mastercard Scheme Rules) |
| Security and fraud prevention | Login data, device data, transaction patterns | Legitimate interest and legal obligation |
| Internal audit and record-keeping | All data categories above | Legal obligation (7-year retention required by BNM) |
4. Who We Share Your Data With
StoreHub Payments cannot operate without sharing your data with certain regulated third parties. Below is a complete list of parties we may share your data with, and why:
| Recipient | What Is Shared | Why |
| --- | --- | --- |
| Adyen Malaysia Sdn Bhd | KYC records, transaction data, compliance decisions, account status | Required under the Payment Facilitator Agreement; Adyen MY is the licensed acquirer and regulatory anchor for StoreHub Payments |
| Adyen N.V. (Netherlands) | KYC and compliance data as required | Adyen NV co-signs the PF Agreement and provides the global compliance framework |
| Entrust (UK) | MyKad images, live facial photos for liveness detection | Identity verification, document authenticity checks, sanctions/PEP screening; acts as a data processor bound by contractual obligations to StoreHub |
| dillisense GmbH (Switzerland) | Business name, registration number, address, director details | Entity-level sanctions screening and business verification. Acts as data processor on StoreHub's behalf. |
| CTOS Data Systems Sdn Bhd (Malaysia) | Director/UBO names, IC numbers, business registration data | Credit scoring and financial health assessment; CTOS is an independent data controller operating under Malaysian law |
| SSM (Companies Commission of Malaysia) | Business registration number (query only) | Real-time validation of SSM registration status via API |
| Citibank Malaysia | Bank account and settlement data | Settlement of funds to merchant bank accounts; Citibank processes transactions as a financial institution under its own regulatory framework |
| Visa / Mastercard (Card Schemes) | Merchant identity data, MCC, transaction volume, termination details | Card Scheme registration, reporting, and compliance requirements; MATCH/VMSS reporting in fraud terminations |
| Law enforcement / other regulators | Account data, transaction records as required | Response to lawful orders or regulatory directives |
Cross-border data transfers
Some of the parties above (including Adyen N.V. and Entrust) are located outside Malaysia. Where your personal data is transferred outside Malaysia, we ensure that appropriate safeguards are in place, including contractual protections consistent with PDPA requirements. Entrust, for example, processes data under EU Standard Contractual Clauses and is ISO 27001 certified. We do not transfer personal data outside Malaysia unless required by law or necessary to provide the services described in these Terms.
5. How Long We Keep Your Data
Retention periods for payment facilitation data are governed primarily by BNM's AML/CFT requirements, which mandate a minimum retention period of 7 years from the date of account termination or the last transaction, whichever is later.
| Record Type | Retention Period | Stored Where |
| --- | --- | --- |
| KYC / CDD documentation | 7 years post-termination | AWS Malaysia (AES-256 encrypted) |
| Transaction records | 7 years from transaction date | AWS Malaysia (AES-256 encrypted) |
| STR / compliance files | 7 years from filing date | Secure separate storage (restricted access) |
| Investigation files | 7 years from case closure | AWS Malaysia (AES-256 encrypted) |
| Declined applications | 2 years from date of decision | AWS Malaysia (encrypted) |
6. How We Protect Your Data
StoreHub takes the security of your data seriously. Our technical and organisational security measures for StoreHub Payments data include:
6.1 Technical Controls
- AES-256 encryption for all data stored at rest;
- TLS 1.2 or higher encryption for all data in transit;
- Data hosted exclusively in AWS Malaysia (ap-southeast-1) — no cross-border data transfers except where disclosed in Section 4;
- Real-time replication across multiple availability zones for resilience; and
- Daily encrypted backups with documented recovery procedures.
6.2 Access Controls
- Role-based access control (RBAC) — only authorised personnel with a need to access your data may do so;
- Comprehensive audit logging of all access to and actions taken on your data; and
- Access credentials reviewed and updated upon any change in personnel.
6.3 Organisational Controls
- Mandatory AML/CFT and data protection training for all staff with access to payment facilitation data;
- Regular internal audits of data handling practices;
- A documented incident response plan for data breaches; and
- Contractual data protection obligations imposed on all third-party processors (e.g. Entrust, CTOS).
Security incidents
If StoreHub detects a security or confidentiality breach affecting your personal data, we will notify Adyen MY in writing within 24 hours of detection, and will notify you and BNM as required by applicable law. If you suspect that your account data has been compromised, please contact us immediately at [email protected].
7. Your Rights Under Malaysian Data Protection Law
Malaysia's Personal Data Protection Act 2010 (PDPA) gives you the following rights in relation to your personal data processed by StoreHub:
| Right | What It Means |
| --- | --- |
| Right of access | You may request a copy of the personal data StoreHub holds about you. |
| Right to correct | You may ask us to correct inaccurate or incomplete personal data. |
| Right to withdraw consent | Where processing is based on consent, you may withdraw consent at any time. Note: for payment facilitation data, most processing is based on legal obligation, not consent. Withdrawing consent will not remove our legal right to retain data as required by BNM. |
| Right to prevent processing for direct marketing | You may opt out of direct marketing at any time. Your compliance and transactional data is not used for marketing purposes. |
To exercise any of these rights, please contact our Data Protection contact at [email protected]. We will respond within 21 days as required by the PDPA. In some cases (particularly where data processing is required by law), we may not be able to accommodate all requests.
8. Automated Decision-Making
StoreHub uses automated systems to assist in certain decisions relating to your StoreHub Payments account. These include:
- Initial risk scoring at onboarding (based on Entrust verification results, CTOS score, and business type);
- Transaction monitoring alerts (triggered automatically when transactions exceed defined rules or thresholds);
- Real-time sanctions screening (automated blocking of confirmed matches); and
- Settlement tier assignment (initial assignment based on credit and risk profile).
Significant decisions — such as account refusal, termination for cause, or escalation for AML investigation — involve human review by StoreHub's Risk & Compliance team. Automated alerts are reviewed by a Risk Analyst before any account action is taken, except in the case of confirmed sanctions matches, which are auto-blocked immediately.
If you believe an automated decision has had an adverse effect on your account and was made in error, please contact us at [email protected] and we will arrange for a human review.
9. Changes to This Supplement
We may update this Privacy Supplement from time to time to reflect changes in law, regulatory requirements, or our business practices. We will notify you of material changes via email or through the StoreHub platform at least 30 days before the changes take effect. The current version of this Supplement will always be available at https://www.storehub.com/storehubpay/privacy.
10. Contact Us
If you have any questions about how we handle your personal data in connection with StoreHub Payments, or to exercise your PDPA rights, please contact:
Data Protection Contact
Data Protection & Compliance Officer
Email: [email protected]
Phone: +6016 299 5342
Address: Level 7, KYM Tower, No. 8 Jalan PJU 7/6, Mutiara Damansara, Petaling Jaya, Selangor
If you are not satisfied with our response to a data protection query or complaint, you may raise a complaint with Malaysia's Department of Personal Data Protection (JPDP) at https://www.pdp.gov.my or through the Personal Data Protection Commissioner.
Document Control
| Field | Value |
| --- | --- |
| Version | 1.0 |
| Effective Date | 7 years from transaction date |
| Review Frequency | Annually (or upon material regulatory change) |
| Document Owner | Head of Risk & Compliance, StoreHub |
Contact Us
Headquarters
Level 7, KYM Tower, 8, Jalan PJU 7/6, Mutiara Damansara, 47800 Petaling Jaya, Selangor, Malaysia

