This Privacy Policy explains how BMS Solution Sdn. Bhd. (“BMS”, “we”, “us”) collects, uses, discloses, and protects personal data when you access or use the BMS Pro platform (the “Service”). It applies to two groups of individuals:
- Tenant users — business owners and their staff who register and log in to use the Service.
- End customers — individuals whose data tenant users enter into the Service as part of running their salon (e.g. customer profiles, appointments, health records).
For end customers, the tenant is the “data controller” under Malaysian law and is primarily responsible for compliance with the Personal Data Protection Act 2010 (“PDPA”). BMS acts as a “data processor” on the tenant's behalf. See our PDPA Notice for the formal Malaysian disclosure.
1. Information We Collect
1.1 From Tenant Users (Directly)
- Account identifiers: business name, slug, your name, phone, email, password (hashed).
- Authentication data: login timestamps, IP address, device fingerprints, 2FA secrets.
- Billing data (via Stripe): payment method last-4 digits, billing address, transaction history. We do not store full card numbers.
- Support communications: emails or messages you send to us.
1.2 From Tenant Users (As Part of Service Use)
- End-customer profiles: names, phone numbers, dates of birth, health notes, allergies, lifestyle preferences, purchase history, package balances.
- Operational data: appointments, invoices, payments, staff schedules, inventory movements, audit logs.
1.3 Automatically Collected
- Usage data: pages viewed, actions taken, performance metrics.
- Technical data: browser type, operating system, device type, IP address, time-zone setting.
- Cookies: only session cookies (to keep you logged in) and a preference cookie for language. We do not run advertising or cross-site tracking cookies.
2. How We Use Information
- To provide, operate, and maintain the Service;
- To authenticate you and protect your account;
- To process payments and prevent fraud;
- To send transactional messages (e.g. e-receipts, appointment reminders) on your behalf to end customers, in the language they have indicated;
- To respond to support requests;
- To analyse aggregated, anonymised usage to improve the Service;
- To comply with legal obligations, including responding to lawful requests from authorities.
3. Sharing & Third Parties
We share personal data only with the following categories of recipients, and only as necessary to operate the Service:
- Stripe (United States / Singapore) — payment processing.
- Meta Platforms (WhatsApp Business Cloud API) — sending transactional messages to end customers.
- Resend — transactional email delivery.
- DigitalOcean — application hosting and managed database (currently a Singapore region).
- Service providers under written agreement — accountants, lawyers, and similar advisors, only when strictly necessary.
- Authorities — only when required by law or to protect legal rights.
We do not sell personal data and do not share it for advertising purposes.
4. Data Retention
- Tenant account data: retained for the duration of your subscription, plus 30 days after termination, then deleted.
- End-customer data: retained for as long as the tenant's account is active. Tenants may delete individual end-customer records at any time via the Service.
- Financial and tax records: retained for at least 7 years to comply with Malaysian tax law.
- Audit logs: retained for the life of the tenant account, plus 30 days.
- Aggregated, anonymised analytics: may be retained indefinitely.
5. Data Security
We take reasonable technical and organisational measures to protect personal data, including TLS in transit, password hashing with industry-standard algorithms, role-based access control, tenant-level data isolation enforced at the database layer, audit logging of sensitive operations, and a 14-day backup window. No system is perfectly secure; we encourage you to use a strong, unique password and enable two-factor authentication.
6. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Correct data that is inaccurate or incomplete;
- Request deletion of your data (subject to legal retention obligations);
- Withdraw consent for non-essential processing;
- Object to processing in certain circumstances;
- Lodge a complaint with the Personal Data Protection Commissioner of Malaysia.
To exercise these rights, contact us at mybmspro@bmssolution.com.my. We will respond within 21 days as required by the PDPA. End customers should direct their requests to the tenant that holds their data; BMS will assist the tenant as a processor.
7. International Data Transfers
Personal data may be processed outside Malaysia by our service providers (e.g. Stripe in the US, DigitalOcean in Singapore). When data leaves Malaysia, we rely on the safeguards in our agreements with those providers, which include contractual data-protection obligations consistent with the PDPA.
8. Children's Privacy
The Service is intended for businesses; we do not knowingly collect personal data from individuals under 18 except where a tenant lawfully enters that data as part of providing services to a minor end customer with parent or guardian consent.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version at this URL with an updated “Last updated” date. Material changes will also be notified by email or in-app banner.
10. Contact
Privacy questions or requests:
Email: mybmspro@bmssolution.com.my
Postal: BMS Solution Sdn. Bhd., Malaysia (full address to be confirmed before public launch).