Truestack

PDPA Notice

Notice and choice statement under Malaysia's Personal Data Protection Act 2010 (PDPA), including our KYC verification interface.

Last updated: March 2026

1. Scope of this Notice

This PDPA Notice explains how Truestack collects, uses, stores, and discloses personal data in connection with services delivered through truestack.my and related service interfaces, including identity verification journeys.

This notice applies to the following domains and systems:

  • truestack.my
  • admin.truestack.my
  • kredit.truestack.my
  • kredit-api.truestack.my
  • core.truestack.my
  • api.truestack.my

We process data in accordance with the Personal Data Protection Act 2010 (Act 709) and applicable Malaysian regulatory requirements.

2. Services Covered

TrueIdentity e-KYC

Identity verification workflows including MyKad OCR, selfie capture, liveness checks, biometric matching, fraud screening, and verification results.

TrueKredit

Borrower onboarding and loan lifecycle records, including customer profiles, repayment records, compliance documents, and audit trails.

KPKT Compliance Services

Account management and licensing support, including operational and compliance submissions required by Malaysian regulators.

3. Personal Data We Process

Depending on the service flow, we may process:

  • Identity data (name, IC/passport number, date of birth, contact details)
  • KYC media and extracted fields (document image, OCR fields, selfie image)
  • Verification and risk outputs (liveness results, face-match scores, pass/fail)
  • System and audit records (timestamps, device/browser metadata, activity logs)

KYC workflows may involve sensitive personal data under PDPA (for example, biometric data used for identity verification).

4. Why We Process Data

We process personal data to:

  • Perform identity verification and anti-fraud checks
  • Deliver requested services and platform features
  • Support compliance and audit requirements for regulated businesses
  • Maintain service security, integrity, and incident response

5. Disclosure and Transfers

We may disclose personal data to:

  • Customers who requested the KYC/verification check
  • Service providers supporting hosting, infrastructure, and security operations
  • Regulators or authorities where required by Malaysian law

We do not sell personal data. Any cross-border transfer, where applicable, is managed in line with PDPA requirements and equivalent safeguards.

6. Third-Party Processors and Data Shared

Where required to deliver our services, we may share limited personal data with trusted third-party processors under contractual and security controls.

Innov8tif (innov8tif.com) - e-KYC processing provider

For KYC verification, data shared may include identity fields, document images, OCR-extracted data, selfie/liveness media, and verification metadata required to return a KYC outcome.

MSC Trustgate (msctrustgate.com) - digital signing/certificate services provider

For digital signing workflows, data shared may include signer identity/contact details, documents and signing package data, signature/certificate records, and signing audit metadata.

CTOS (ctoscredit.com.my) - credit report processing provider

For credit assessment workflows, data shared may include identity details and identifiers required to retrieve and process credit report results, plus related request/response metadata.

We share only data that is necessary for the requested service and do not authorise third-party processors to use personal data for unrelated purposes.

7. Security and Retention

We implement technical and organisational controls including access control, encryption in transit, and protected storage to reduce unauthorised access risk.

Data is retained only as long as necessary for service delivery, legal/regulatory obligations, dispute handling, and audit evidence.

8. Your Rights Under PDPA

Subject to applicable legal limitations, you may request to:

  • Access personal data we hold about you
  • Correct inaccurate, incomplete, or outdated data
  • Withdraw consent or limit certain processing activities

9. KYC Interface Consent Notice

When you proceed with the KYC interface on core.truestack.my, you acknowledge that personal data (including sensitive data required for identity verification) may be collected and processed for verification, fraud prevention, and compliance.

KYC data submitted through core.truestack.my is processed by backend services on api.truestack.my.

You also acknowledge that verification outcomes may be shared with the business that requested your verification.

10. Contact

For PDPA data requests or questions about this notice, contact: