Your data, your rules.

Identity:NRIC (verified once via MyDigitalID, never re-typed), full name, mother’s name, date of birth, gender, marital status, dependents, mobile, email, address.

Financial: employer, salary, allowances, deductions, ANGKASA payroll code, employee number, employment type, service start date.

Behavioural: conversation history with B (the AI), choices in the loan flow, payment history.

Technical: device, browser, IP address, login times — used for fraud detection and nothing else.

(1) To verify it’s really you. (2) To assess your application against the specific lender’s rate card. (3) To remind you about repayments. (4) To improve B’s decision quality (anonymised, aggregated only). (5) To comply with BNM, PDPA, and AMLA legal obligations.

Lenders only see the borrower data needed for the loan you applied with them. They do not see your activity at other lenders.

Bolehlah HQ sees aggregate patterns — never raw borrower data outside of audit/dispute review, which is logged.

BNM and authoritiesmay request data under specific legal warrants. We comply with the law and tell you when we’re legally allowed to.

You can: (a) access all data we hold on you, (b) correct anything wrong, (c) withdraw consent for any specific use, (d) request deletion(subject to BNM’s 7-year retention requirement for active loans), (e) complain to the Personal Data Protection Department.

Request anything at privacy@bolehlah.com — we acknowledge within 24h, complete within 21 days as PDPA requires.

Active loan data: kept for the loan tenure + 7 years after the last instalment, per BNM regulation. Marketing data: deleted immediately on opt-out. Conversation logs with B: kept for 24 months, then anonymised.

We use essential cookies (login, security) only. No third-party trackers. No Google Analytics. No Facebook Pixel. We use Plausible for visit counts (no personal data, no IPs stored).

We’ll email you 14 days before any material change. Last updated: 1 May 2026.