StoreHub Privacy Policy
Introduction
StoreHub and its subsidiaries, affiliates, related and associated companies (including but not limited to StoreHub Sdn Bhd, OneStoreHub Pte Ltd, StoreHub (Thailand) Co., Ltd.) and Storehub Philippines Inc. (collectively referred to as “we, us, our or StoreHub”) comply with the “Applicable Data Protection Laws” and other applicable privacy legislation when dealing with personal information.
“Applicable Data Protection Laws” means the personal data protection or data privacy laws (as amended from time to time) of the relevant country where the Merchant operates in, including those that are set out in the table below:
Personal information is any information relating to a natural person, which enables the identification of such a person, whether directly or indirectly, but not including the information of the deceased persons (“Personal Information”).
This StoreHub Privacy Policy (“Policy”) sets out how we will collect, use, disclose and protect Personal Information of the merchants and consumers that use our service as specified in the Terms of Use (“you”) including the rights you have regarding your Personal Information that we collected. In this Policy, the Service is our service as described in our Terms of Use. This Policy forms part of the Terms of Use.
This Policy does not limit or exclude any of your rights under applicable legislation in your jurisdiction, except to the extent permitted by law.
We collect and maintain Personal Information that you enter or provide on storehub.com, storehub.me, storehubhq.com, beepit.com (“Website”) or give us in any other way for the use of our Service. You can choose not to provide certain information, but you may not be able to enjoy all the features of our Website and services provided by us. Personal Information we collect from you helps us to personalise and continually improve your online experience. Here are the types of Personal Information that we collect:
Personally Identifiable information e.g. name, photo, gender, date of birth, nationality, passport/identification card number and country of residence, biometric data, marital status, religion, health information, vehicle and insurance information;
Contact information e.g. address (billing and shipping), email address and phone numbers;
Payment information e.g. credit or debit card information, including the name of cardholder, card number, card issuing bank, card issuing country, card expiry date and banking account details;
Technical information e.g. IP address, time zone, device information; and
Behavioural information e.g. features you use on our Services, transaction information.
Changes to this Policy
We reserve the right to change, amend and/or vary this Policy by uploading a revised Policy on our Website. The change will apply from the date that we upload the revised Policy. In case there are material changes that may affect your rights and privacy, we will inform you immediately. Your continued use of our Website shall be deemed to be your acknowledgement of the changes to this Policy.
Who Do We Collect Your Personal Information From
We collect Personal Information about you from the following sources and methods:
you, when you provide your Personal Information to us for use of our Service, including via the Service usage, Website and any related service provided by us, through any registration or subscription process, through any contact with us (e.g. telephone call or email), or when you buy or use our services and products; and
third parties, including merchants that use our services, as part of the operation of the Service (such as your purchase of products or services from the merchants), where you have authorised this, or the information is publicly available.
If possible, we will collect personal information from you directly. Where we need to verify your identity (for example, if there are concerns around identity theft, or if you call into support and we need to authenticate your account), we may request that you provide us with government-issued identification information.
How We Use Your Personal Information
We will collect, use or disclose your Personal Information for the following purposes:
to verify your identity when using our Service.
to provide services and products to you, including the Service.
to manage your shared login that you can use for all Website.
to personalise your experience when you use our Services and our communications when we contact you periodically to conduct performance improvement measures.
to market our services and products to you, including contacting you electronically (e.g. by text or email for this purpose).
to improve the services and develop new services for you.
to undertake credit checks of you (if necessary).
to collect money that you owe merchants, including authorising and processing credit card transactions.
to provide advertisers with reports about the kinds of people seeing their ads and how their ads are performing.
to respond to communications from you, including a complaint you have regarding the use of our Service.
to help us conduct marketing and/or advertising campaigns, surveys, internal marketing analysis, customer profiling activities, analysis of customer patterns and choices, usage and activity trends analysis in relation to our Services and our users’ demographics (on an anonymised basis).
to conduct research and statistical analysis (on an anonymised basis).
to share Personal Information with the merchant whose store you visit on the Website when they request us to transfer Personal Information (for example, if they enable a third party app or use a service or product provided by us that accesses your personal information). The sharing of your Personal Information will be limited to the scope that is Service related.
to comply with our terms of use or any obligation we have with you regarding the use of the Service.
to protect and/or enforce our legal rights and interests, including defending any claim.
to comply with the legal obligations to which we are subject in certain jurisdictions.
Processing of your Personal Information depends on how you interact with us during your use of our Services. The lawful basis that we may rely on for processing your Personal Information may consist of:
when you give consent for processing for one or more purposes as described under this Policy;
when the processing is necessary to comply with a contract or terms and conditions we have with you and/or before entering into a contract;
when it is necessary for us to process your Personal Information to comply with our legal obligation;
when the processing is necessary for the performance of a task carried out in the public interest by us, or it is necessary for the exercising of official authority vested on us; or
when it is necessary for our legitimate interests or any other persons or juristic persons.
We or any third party acting on our behalf may obtain your consent and use your Personal Information before or at the time of collection, unless we are permitted by any applicable law to process your Personal Information without obtaining your consent. Where required by law, we will obtain your express written consent when collecting your Personal Information for processing specified purpose, such as for sending you marketing information about our services or products.
In certain circumstances, we may collect, use or disclose your sensitive personal information, such as health data, religion, biometric data (such as facial recognition data, iris recognition data, fingerprint recognition data) and any data which may affect you in the same manner as sensitive personal information. Before collecting or using this type of information, we will obtain consent from you unless we are permitted by any applicable law to process your sensitive personal information without your consent.
Disclosing Your Personal Information
We will not sell, rent, transfer or disclose any of your Personal Information to any third party without your consent. However, we may disclose your Personal Information to the following persons:
merchants that open accounts or have a store on StoreHub eCommerce / beepit as part of providing the Service.
within our organization, affiliates and group companies to pursue with purposes specified under this Policy.
any business or service provider that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide our Service to you, our website or other services and products that you may use from us.
a credit reference agency for the purpose of credit checking where necessary and applicable for us.
other third parties (for anonymised statistical information) for pursuing with the purposes specified under this Policy.
a government authority that can require us to supply or disclose your Personal Information, or any government authority to which we are obliged to disclose your Personal Information, such as submitting your financial information or tax information to authorities that regulate tax matters.
any other person authorised by applicable law (e.g. a law enforcement agency) who requests us to disclose your Personal Information.
data centres and/or servers located within or outside your country for data storage purposes.
storage facility and records management service providers.
auditors, consultants, lawyers, accountants or other financial or professional advisers appointed in connection with our business on a strictly confidential basis, appointed by us to provide services to us; any party nominated or appointed by us either solely or jointly with other service providers, who provide services or conduct data processing on our behalf, or for data centralization and/or logistics purposes.
any other person authorised by you for disclosing your Personal Information.
your Personal Information may also be disclosed to an entity that acquires our business, in which such entity will be obliged to protect your Personal Information in the same manner with our practice.
A business that supports our services and products may be located in a country outside your residence. This may mean your Personal Information is held and processed outside your location.
How Long Do We Retain Your Personal Information
We will keep and retain your Personal Information for as long as you still have a relationship with us by the use of our Services and as long as necessary to pursue with purposes specified under this Policy. Therefore, your Personal Information will be destroyed or anonymised from our records and back-up systems in the event your Personal Information is no longer required for the purposes specified under this Policy.
Once you terminate your relationship with us or you are no longer using our Service, we generally will continue to store archived copies of your personal information for legitimate business purposes such as to defend a contractual claim or for audit purposes and to exercise our rights as we are entitled to under applicable law, except when we receive a valid erasure request, or, if you are a merchant, you terminate your account and your Personal Information is purged pursuant to our standard purge process.
Protecting Your Personal Information
When you provide us with your Personal Information, you have rights regarding your Personal Information, which you can exercise free of charge unless the applicable law specifies otherwise. You may have legal rights with respect to your Personal Information which allow you to exercise any of these rights:
Right to withdraw consent: If you have given consent to us to collect, use or disclose your Personal Information, you have the right to withdraw such consent at any time throughout the period your Personal Information is available and in our possession. However, the withdrawal of consent shall not affect the processing of Personal Information to which you have already legally given consent.
Right to access: Subject to applicable grounds for refusal set out in applicable law, you may have the right to access your readily retrievable Personal Information that we hold and to request corrections to your Personal Information to ensure that the Personal Information you provide to us is correct, complete and accurate. Before you exercise this right, we may need evidence to confirm that you are the individual to whom the Personal Information is related to.
Right to rectification: You have the right to rectify your Personal Information to be updated, complete and not misleading. In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the Personal Information, we will make the correction. If we do not make the correction, we will take reasonable steps to note the Personal Information that you requested.
Right to data portability: You have the right to obtain your Personal Information if we organize such Personal Information in automatic machine-readable or usable format and can be processed or disclosed by automatic means; to request us to send or transfer the Personal Information in such format directly to other data controllers if doable by automatic means; and to request to obtain the Personal Information in such format sent or transferred by us directly to other data controllers unless not technically feasible.
Right to objection: You have the right to object to collection, use or disclosure of your Personal Information at any time if such doing is conducted for legitimate interests of us, corporation or individual or for carrying out public tasks, unless such processing is within your reasonable expectation.
Right to be forgotten: You have the right to request us to erase, destroy or anonymize your Personal Information if you believe that the collection, use or disclosure of your Personal Information is against relevant laws; or retention of the Personal Information by us is no longer necessary in connection with related purposes under this Policy; or when you request to withdraw your consent or to object to the processing as earlier described under this clause.
Right to restriction of processing: You have the right to request us to suspend processing your Personal Information during the period where we examine your rectification or objection request; or when it is no longer necessary, and we must erase or destroy your Personal Information pursuant to relevant laws, but you request us to suspend the processing instead.
Right to lodge a complaint: You have the right to complain to competent authorities pursuant to relevant laws in your jurisdiction if you believe that the collection, use or disclosure of your Personal Information is violating or not in compliance with any applicable law regarding Personal Information protection.
If you want to exercise any of the above rights, you can do so by emailing us at [email protected]. Your email should provide evidence of who you are and set out the details of your request (e.g. the right that you wish to exercise with us, the detail of your Personal Information, or the correction that you are requesting). We will notify you of the result of your request without delay upon receipt of your request. If we deny the request, we will inform you of the reason via email.
We may charge you our reasonable costs of providing you copies of your personal information or correcting that information.
Internet Use
While we take reasonable steps to maintain secure internet connections, if you provide us with your Personal Information over the internet, the provision of that information is at your own risk.
If you follow a link on our Website to another site, the owner of that site will have its own privacy policy relating to your Personal Information. We suggest you review that site’s privacy policy before you provide Personal Information to them.
We use cookies (an alphanumeric identifier that we transfer to your computer’s hard drive so that we can recognise your browser) to monitor your use of the website. You may disable cookies by changing the settings on your browser, although this may mean that you cannot use all of the features of the website.
Data Protection Officer
StoreHub has designated a Group Data Protection Officer responsible for ensuring compliance with applicable data protection laws across our operating entities:
- StoreHub Sdn Bhd (Malaysia): Personal Data Protection Act 2010
- Onestorehub Pte. Ltd. (Singapore): Personal Data Protection Act 2012
- StoreHub (Thailand) Co., Ltd.: Personal Data Protection Act B.E. 2562 (2019)
- StoreHub Philippines Inc.: Data Privacy Act of 2012
For any queries regarding our collection, use, or disclosure of your personal data, or to exercise your rights under any applicable data protection law, please contact:
Data Protection Officer
Email: [email protected]
Payment Facilitation Services
Who We Are and Who This Applies To
1.1 Data Controller
The data controller for personal data processed in connection with StoreHub Payments is:
StoreHub Sdn Bhd
Company No. 201301042468
Level 7, KYM Tower, No. 8 Jalan PJU 7/6, Mutiara Damansara, Petaling Jaya, Selangor
Email: [email protected]
Website: https://www.storehub.com
1.2 Who This Applies To
This Supplement applies to anyone who registers to use StoreHub Payments as a merchant, including:
Owners, directors, and key contacts of businesses onboarded to StoreHub Payments;
Ultimate Beneficial Owners (UBOs) and authorised signatories whose information is collected as part of the onboarding process; and
Any other individuals whose personal data StoreHub receives in the course of managing a merchant account.
This Supplement does not apply to Shoppers (the end customers who make payments at merchant terminals). Shopper data is processed by Adyen MY under Adyen's own privacy framework.
1.3 Our Role Alongside Adyen MY
StoreHub works with Adyen Malaysia Sdn Bhd ("Adyen MY") to deliver card payment processing. Because Adyen MY is the licensed acquirer underpinning StoreHub Payments, some of the data we collect is shared with Adyen MY, who processes it as an independent data controller for payment processing and regulatory compliance purposes. Adyen MY's privacy policy is available at https://www.adyen.com/policies-and-disclaimer/privacy-policy.
2. What Data We Collect
Because StoreHub Payments involves regulated financial activity, we collect significantly more data than for our standard POS platform. Below is a comprehensive overview:
2.1 Business Data
| Data Type | Examples |
| --- | --- |
| Business registration details | Legal name, SSM registration number, registered address, business type, MCC code |
| Financial information | Bank account name and number, 3 months' bank statements, expected monthly transaction volume |
| Business licence information | F&B licence, liquor licence, pharmacy licence (where applicable) |
| Transaction records | Full history of card transactions processed through StoreHub Payments, including amounts, dates, and merchant references |
| Chargeback and refund records | Details of all disputes, chargebacks, and refunds on your account |
| Communications | All emails, messages, and correspondence with StoreHub's compliance and support teams |
2.2 Personal Data of Directors and Beneficial Owners
| Data Type | Examples |
| --- | --- |
| Identity documents | Malaysian IC (MyKad) — both sides — of all directors and UBOs |
| Biometric data | Live facial image captured during Entrust identity verification (liveness check) |
| Personal contact details | Mobile number, email address |
| Financial and credit data | CTOS credit score and report for directors or UBOs where applicable |
| Sanctions and PEP status | Results of screening against international sanctions lists and PEP databases |
| Adverse media | Publicly available news or reports linked to your name or business |
A note on biometric data
We use Entrust’s certified e-KYC platform to verify the identity of directors and beneficial owners. This involves capturing a live photograph and comparing it against your MyKad. The biometric data is processed by Entrust and is not stored by StoreHub beyond what is necessary for the verification record. Entrust acts as a data processor on our behalf and is bound by strict data protection obligations.
2.3 Data We Generate About You
In addition to data you provide, StoreHub generates and maintains:
A risk score and risk category for your business, based on identity verification results, credit scores, and business type;
Transaction monitoring alerts and investigation notes;
Audit logs of all actions taken on your account;
Compliance decision records (e.g. records of onboarding approval, EDD decisions, and account reviews); and
Communications with Adyen MY and BNM concerning your account.
3. Why We Collect Your Data and How We Use It
The table below explains the legal basis for each category of processing under Malaysia's Personal Data Protection Act 2010 (PDPA) and applicable financial services regulations:
| Purpose | What Data Is Used | Legal Basis |
| --- | --- | --- |
| Identity verification and KYC at onboarding | MyKad, biometric data (via Entrust), SSM records, CTOS credit report | Legal obligation (AMLATFPUAA, BNM e-KYC Guidelines) and contract performance |
| Ongoing KYC refresh (annual) | Updated identity documents, SSM status, bank account details | Legal obligation (BNM AML/CFT requirements) |
| Sanctions and PEP screening | Names of directors and UBOs, identity documents | Legal obligation (AMLATFPUAA, international sanctions regimes) |
| Transaction monitoring for fraud and AML | Full transaction history, patterns, business type, risk profile | Legal obligation (AMLATFPUAA, BNM supervision) and legitimate interest |
| Credit assessment | CTOS score, bank statements | Legitimate interest (risk management and setting appropriate settlement terms) |
| Settlement and payout processing | Bank account details, transaction records | Contract performance |
| Regulatory reporting (STRs, CTRs) | Transaction data, identity data, account records | Legal obligation (AMLATFPUAA — reporting to BNM) |
| Dispute and chargeback management | Transaction records, communications with your business | Contract performance and legitimate interest |
| Compliance with Adyen MY requirements | KYC records, transaction data, compliance decisions | Legal obligation and contract performance (Adyen PF Agreement) |
| Card Scheme reporting (MATCH/VMSS in fraud terminations) | Business details, termination reason | Legal obligation (Visa/Mastercard Scheme Rules) |
| Security and fraud prevention | Login data, device data, transaction patterns | Legitimate interest and legal obligation |
| Internal audit and record-keeping | All data categories above | Legal obligation (7-year retention required by BNM) |
4. Who We Share Your Data With
StoreHub Payments cannot operate without sharing your data with certain regulated third parties. Below is a complete list of parties we may share your data with, and why:
| Recipient | What Is Shared | Why |
| --- | --- | --- |
| Adyen Malaysia Sdn Bhd | KYC records, transaction data, compliance decisions, account status | Required under the Payment Facilitator Agreement; Adyen MY is the licensed acquirer and regulatory anchor for StoreHub Payments |
| Adyen N.V. (Netherlands) | KYC and compliance data as required | Adyen NV co-signs the PF Agreement and provides the global compliance framework |
| Entrust (UK) | MyKad images, live facial photos for liveness detection | Identity verification, document authenticity checks, sanctions/PEP screening; acts as a data processor bound by contractual obligations to StoreHub |
| dillisense GmbH (Switzerland) | Business name, registration number, address, director details | Entity-level sanctions screening and business verification. Acts as data processor on StoreHub's behalf. |
| CTOS Data Systems Sdn Bhd (Malaysia) | Director/UBO names, IC numbers, business registration data | Credit scoring and financial health assessment; CTOS is an independent data controller operating under Malaysian law |
| SSM (Companies Commission of Malaysia) | Business registration number (query only) | Real-time validation of SSM registration status via API |
| Citibank Malaysia | Bank account and settlement data | Settlement of funds to merchant bank accounts; Citibank processes transactions as a financial institution under its own regulatory framework |
| Visa / Mastercard (Card Schemes) | Merchant identity data, MCC, transaction volume, termination details | Card Scheme registration, reporting, and compliance requirements; MATCH/VMSS reporting in fraud terminations |
| Law enforcement / other regulators | Account data, transaction records as required | Response to lawful orders or regulatory directives |
Cross-border data transfers
Some of the parties above (including Adyen N.V. and Entrust) are located outside Malaysia. Where your personal data is transferred outside Malaysia, we ensure that appropriate safeguards are in place, including contractual protections consistent with PDPA requirements. Entrust, for example, processes data under EU Standard Contractual Clauses and is ISO 27001 certified. We do not transfer personal data outside Malaysia unless required by law or necessary to provide the services described in these Terms.
5. How Long We Keep Your Data
Retention periods for payment facilitation data are governed primarily by BNM's AML/CFT requirements, which mandate a minimum retention period of 7 years from the date of account termination or the last transaction, whichever is later.
| Record Type | Retention Period | Stored Where |
| --- | --- | --- |
| KYC / CDD documentation | 7 years post-termination | AWS Malaysia (AES-256 encrypted) |
| Transaction records | 7 years from transaction date | AWS Malaysia (AES-256 encrypted) |
| STR / compliance files | 7 years from filing date | Secure separate storage (restricted access) |
| Investigation files | 7 years from case closure | AWS Malaysia (AES-256 encrypted) |
| Declined applications | 2 years from date of decision | AWS Malaysia (encrypted) |
6. How We Protect Your Data
StoreHub takes the security of your data seriously. Our technical and organisational security measures for StoreHub Payments data include:
6.1 Technical Controls
AES-256 encryption for all data stored at rest;
TLS 1.2 or higher encryption for all data in transit;
Data hosted exclusively in AWS Malaysia (ap-southeast-1) — no cross-border data transfers except where disclosed in Section 4;
Real-time replication across multiple availability zones for resilience; and
Daily encrypted backups with documented recovery procedures.
6.2 Access Controls
Role-based access control (RBAC) — only authorised personnel with a need to access your data may do so;
Comprehensive audit logging of all access to and actions taken on your data; and
Access credentials reviewed and updated upon any change in personnel.
6.3 Organisational Controls
Mandatory AML/CFT and data protection training for all staff with access to payment facilitation data;
Regular internal audits of data handling practices;
A documented incident response plan for data breaches; and
Contractual data protection obligations imposed on all third-party processors (e.g. Entrust, CTOS).
Security incidents
If StoreHub detects a security or confidentiality breach affecting your personal data, we will notify Adyen MY in writing within 24 hours of detection, and will notify you and BNM as required by applicable law. If you suspect that your account data has been compromised, please contact us immediately at [email protected].
7. Your Rights Under Malaysian Data Protection Law
Malaysia's Personal Data Protection Act 2010 (PDPA) gives you the following rights in relation to your personal data processed by StoreHub:
| Right | What It Means |
| --- | --- |
| Right of access | You may request a copy of the personal data StoreHub holds about you. |
| Right to correct | You may ask us to correct inaccurate or incomplete personal data. |
| Right to withdraw consent | Where processing is based on consent, you may withdraw consent at any time. Note: for payment facilitation data, most processing is based on legal obligation, not consent. Withdrawing consent will not remove our legal right to retain data as required by BNM. |
| Right to prevent processing for direct marketing | You may opt out of direct marketing at any time. Your compliance and transactional data is not used for marketing purposes. |
To exercise any of these rights, please contact our Data Protection contact at [email protected]. We will respond within 21 days as required by the PDPA. In some cases (particularly where data processing is required by law), we may not be able to accommodate all requests.
8. Automated Decision-Making
StoreHub uses automated systems to assist in certain decisions relating to your StoreHub Payments account. These include:
Initial risk scoring at onboarding (based on Entrust verification results, CTOS score, and business type);
Transaction monitoring alerts (triggered automatically when transactions exceed defined rules or thresholds);
Real-time sanctions screening (automated blocking of confirmed matches); and
Settlement tier assignment (initial assignment based on credit and risk profile).
Significant decisions — such as account refusal, termination for cause, or escalation for AML investigation — involve human review by StoreHub's Risk & Compliance team. Automated alerts are reviewed by a Risk Analyst before any account action is taken, except in the case of confirmed sanctions matches, which are auto-blocked immediately.
If you believe an automated decision has had an adverse effect on your account and was made in error, please contact us at [email protected] and we will arrange for a human review.
9. Changes to This Supplement
We may update this Privacy Supplement from time to time to reflect changes in law, regulatory requirements, or our business practices. We will notify you of material changes via email or through the StoreHub platform at least 30 days before the changes take effect. The current version of this Supplement will always be available at https://www.storehub.com/storehubpay/privacy.
10. Contact Us
If you have any questions about how we handle your personal data in connection with StoreHub Payments, or to exercise your PDPA rights, please contact:
Data Protection Contact
Data Protection & Compliance Officer
Email: [email protected]
Phone: +6016 299 5342
Address: Level 7, KYM Tower, No. 8 Jalan PJU 7/6, Mutiara Damansara, Petaling Jaya, Selangor
If you are not satisfied with our response to a data protection query or complaint, you may raise a complaint with Malaysia's Department of Personal Data Protection (JPDP) at https://www.pdp.gov.my or through the Personal Data Protection Commissioner.
Document Control
Version: 1.0
Effective Date: 7 years from transaction date
Review Frequency: Annually (or upon material regulatory change)
Document Owner: Head of Risk & Compliance, StoreHub


