Privacy Policy

Last updated: June 06, 2026

Our commitment to you

  • Payments are handled exclusively by a BNM-licensed payment gateway — not by KongsiPay
  • Your banking credentials are never seen or stored by us
  • Your personal data is stored securely with multiple layers of protection
  • Your data is never sold, rented, or shared without your explicit permission

1. Overview

KongsiPay ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform. By accessing or using KongsiPay, you agree to the practices described in this policy. If you do not agree, please discontinue use of the platform.

2. Payment Processing — Handled by a Licensed Third Party

KongsiPay does not handle, process, or store your payment credentials. All payment transactions on our platform are processed exclusively through a trusted, third-party payment gateway that is fully licensed and regulated by Bank Negara Malaysia (BNM) — Malaysia's central bank and financial regulator.

This gateway operates under strict regulatory standards enforced by BNM and is the same infrastructure widely used by banks, government agencies, e-commerce platforms, and thousands of apps and websites across Malaysia. It is one of the most trusted and commonly adopted payment systems in the country.

Your payment is fully protected.

Because your payment flows directly between you and your bank through this BNM-licensed gateway — not through KongsiPay — your transaction is governed and protected at the banking and regulatory level. This means:

  • Your banking username, password, and credentials are never shared with or visible to KongsiPay at any point
  • Transactions are authorised directly through your own bank's secure interface
  • There is no risk of payment-related fraud or scams through our platform
  • The same level of protection applies here as when you use online banking or pay via any major Malaysian app

We are not a financial institution and do not hold, move, or have visibility into your funds. Our role is limited to initiating and confirming payment intents — the actual financial transaction happens entirely within the licensed gateway and your bank.

3. Information We Collect

We collect only what is strictly necessary to provide our services:

  • Account information — your name, email address, and profile photo when you register or sign in via Google
  • Usage data — groups you create or join, expenses you record, and settlement activities
  • Device & access information — browser type, operating system, IP address, and session identifiers for security and fraud-prevention purposes
  • Communication data — messages or reports you send to our support team
  • Transaction references — payment confirmation reference numbers generated by the payment gateway, used solely to verify and record settlement status

We do not collect payment card numbers, bank account numbers, PINs, passwords, or any banking credentials — ever.

4. Data Storage & Security

Your data is protected using a multi-layered security approach and hosted exclusively on globally recognised, enterprise-grade infrastructure:

  • Google Cloud: Secure authentication and cloud services with ISO 27001 certification, SOC 2 Type II compliance, and enterprise-grade identity management
  • DigitalOcean: Managed database and server hosting with encrypted storage at rest (AES-256), automated backups, isolated private networking, and SOC 2 Type II compliance
  • Cloudflare: Enterprise DDoS protection, full SSL/TLS encryption, Web Application Firewall (WAF), bot management, and rate limiting on all platform traffic

Beyond infrastructure, we apply the following security layers to your data:

  • All data in transit is protected with HTTPS (TLS 1.2/1.3)
  • Passwords are hashed using industry-standard algorithms (bcrypt) and never stored in plain text
  • Sensitive fields are encrypted at rest using AES-256 encryption
  • Database access is restricted via private network and requires multi-factor authentication
  • Regular automated backups are maintained to prevent data loss
  • Access to production systems is restricted to authorised personnel only

5. How We Use Your Information

We use your information solely to:

  • Provide and improve our expense-sharing and settlement features
  • Send transactional notifications (group invites, expense updates, settlement confirmations)
  • Verify your identity and prevent fraudulent or unauthorised access
  • Respond to your customer support requests
  • Monitor platform stability, performance, and security
  • Comply with legal obligations where required by Malaysian law

We do not use your data for advertising, behavioural profiling, data brokering, or any purpose beyond operating and improving the KongsiPay platform.

6. Data Sharing & Third Parties

We do not sell, rent, trade, or share your personal data with any third party without your explicit consent, except in the following strictly limited circumstances:

  • Infrastructure providers — trusted service providers listed in Section 4 who process data strictly on our behalf under binding data processing agreements and confidentiality obligations
  • Payment gateway — only the minimum transaction-related data required to initiate and confirm a payment (e.g. amount, reference) is passed to the licensed gateway; no personal profile data is shared
  • Legal compliance — when required by applicable Malaysian law, a valid court order, or a directive from a regulatory authority such as BNM or the PDPA Commissioner
  • With your explicit consent — any other sharing will only ever occur with your clear, informed, prior approval

We do not integrate with any advertising networks, data brokers, or social media tracking tools that would have access to your personal data.

7. Cookies & Tracking

KongsiPay uses cookies and similar technologies to:

  • Maintain your authenticated session (essential cookies)
  • Store your preferences such as language and display settings
  • Protect against cross-site request forgery (CSRF tokens)

We do not use third-party advertising cookies, tracking pixels, or behavioural profiling tools. You may disable cookies in your browser settings, though some core features such as staying logged in will not function without essential session cookies.

8. Data Retention

We retain your account data for as long as your account is active and as needed to provide our services. Specifically:

  • If you delete your account, your personal data will be permanently removed from our systems within 30 days
  • Transaction reference records may be retained for up to 7 years as required under Malaysian financial and tax regulations
  • Anonymised, aggregated usage data (which cannot identify you) may be retained indefinitely for platform analytics
  • Backup copies are purged on a rolling schedule within 90 days of account deletion

9. Third-Party Links

Our platform may contain links to third-party websites or services (for example, payment gateways, help documentation, or social login providers). KongsiPay is not responsible for the privacy practices or content of those third-party sites. We encourage you to review the privacy policies of any external services you visit.

10. International Data Transfers

Some of our infrastructure providers (Google Cloud, Cloudflare) may process data in data centres located outside of Malaysia. Where this occurs, we ensure that transfers are subject to appropriate contractual safeguards and that providers maintain compliance with internationally recognised data protection standards (such as ISO 27001 and SOC 2). We do not transfer your data to countries with inadequate data protection without ensuring equivalent protections are in place.

11. Security Incident Response

In the unlikely event of a data breach or security incident that affects your personal data, we will:

  • Investigate and contain the incident immediately
  • Notify affected users via email within a reasonable timeframe
  • Take appropriate corrective action to prevent recurrence

We maintain an incident response plan and conduct regular internal security reviews to minimise the risk of such events occurring.

12. Your Rights Under the PDPA

Under Malaysia's Personal Data Protection Act 2010 (PDPA), you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate, incomplete, or outdated data
  • Request deletion of your account and associated personal data (subject to legal retention requirements)
  • Withdraw consent for optional data processing at any time
  • Restrict or object to certain types of processing
  • Receive a copy of your data in a portable format

To exercise any of these rights, contact us at [email protected]. We will respond to all requests within 14 business days.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, the "Last updated" date at the top of this page will be revised. Significant changes will be communicated via email or an in-app notification at least 7 days before taking effect. Continued use of KongsiPay after any update constitutes your acceptance of the revised policy.

Questions or concerns about this policy? Contact us at [email protected]. We take privacy seriously and will respond promptly.