This notice is issued by BMS Solution Sdn. Bhd. (“BMS”, the “Data User”) in accordance with section 7 of the Personal Data Protection Act 2010 of Malaysia (“PDPA”). It explains how we process personal data when you use the BMS Pro platform.
1. Identity of the Data User
BMS Solution Sdn. Bhd.
Registered in Malaysia.
Contact: mybmspro@bmssolution.com.my
2. Personal Data We Process
2.1 Tenant users (you, as the business owner / staff)
- Name, business name, business registration number (if provided);
- Contact details: phone number, email address, postal address (optional);
- Authentication data: hashed password, 2FA secret, session metadata;
- Billing details: payment method last-4, billing address (handled by Stripe);
- Activity logs: timestamps, IP addresses, audited operations.
2.2 End customers (data your tenants enter)
- Identification: name, phone number, date of birth;
- Sensitive personal data (when entered by the tenant): allergies, skin conditions, treatment health notes;
- Transactional data: appointments, invoices, payments, package balances.
For end-customer data, the tenant is the data user; BMS is the data processor acting on the tenant's instructions. The tenant is responsible for issuing its own PDPA notice to its end customers and obtaining lawful consent.
3. Purposes of Processing
We process personal data for the following purposes:
- To provide, maintain, and improve the BMS Pro Service;
- To authenticate users and secure their accounts;
- To process billing and prevent fraud;
- To send transactional messages (e-receipts, appointment confirmations / reminders, package expiry, debtor notices) on the tenant's behalf;
- To provide support and respond to your enquiries;
- To comply with legal and regulatory obligations, including tax law, anti-money-laundering rules, and lawful requests from authorities;
- For internal analytics on an aggregated, anonymised basis.
4. Source of Personal Data
We obtain personal data from:
- You, when you register and use the Service;
- Your tenant, when you are an end customer whose data has been entered by the salon you visit;
- Automated systems collecting technical / usage data when you access the Service;
- Third-party services we integrate with (e.g. Stripe for payment status, Meta for WhatsApp delivery receipts).
5. Disclosure to Third Parties
Your personal data may be disclosed to the categories of recipients listed in our Privacy Policy §3 (Stripe, Meta Platforms, Resend, DigitalOcean, professional advisors, authorities). Disclosure outside these categories is made only with your consent or where required by law.
6. Consent
By registering an account and clicking “I agree” on the signup form, you consent to the collection, use, and disclosure of your personal data as described in this Notice. Where consent is required for sensitive personal data of end customers (e.g. health notes), the tenant must obtain that consent directly from the end customer before entering the data.
7. Your Rights as a Data Subject
Under the PDPA, you have the right to:
- Access — request a copy of the personal data we hold about you;
- Correct — request correction of inaccurate or incomplete data;
- Withdraw consent — by written notice; note that withdrawal may prevent us from continuing to provide the Service to you;
- Limit processing — request that we limit processing for direct marketing;
- Complain — lodge a complaint with the Personal Data Protection Commissioner of Malaysia (www.pdp.gov.my) if you believe we have breached the PDPA.
Requests should be addressed to mybmspro@bmssolution.com.my. We will respond within 21 days (the statutory period) and may charge a prescribed fee where allowed under section 30 of the PDPA. End customers should direct requests to the tenant that holds their data; BMS will assist the tenant in fulfilling those requests as a processor.
8. Data Security & Retention
We apply technical and organisational security measures consistent with the Security Principle (§9 PDPA), including TLS in transit, password hashing, tenant-level isolation, audit logging of sensitive operations, and managed-database backups. Personal data is retained only as long as necessary; see our Privacy Policy §4 for retention periods.
9. Cross-Border Transfers
Some of our service providers process data outside Malaysia (e.g. DigitalOcean Singapore, Stripe US). Under the Transfer Principle (§10 PDPA), we ensure such transfers are protected by contractual obligations on those providers that are consistent with Malaysian standards.
10. Translations
This notice is issued in English. Should there be any inconsistency between the English version and any translation, the English version shall prevail.
11. Contact / Data Protection Officer
For all matters concerning your personal data:
BMS Solution Sdn. Bhd. — Data Protection Officer
Email: mybmspro@bmssolution.com.my