1.1 This Privacy Policy outlines how we collect, process, utilize, and disclose your personal data concerning your utilization of Gambit Custody products and services. References to 'Gambit Custody,' 'we,' 'us,' 'our,' or similar terms refer to Gambit Custody Sdn Bhd, the data controller.
1.2 We are dedicated to ensuring the protection of your privacy. When using this website, if we request information through which you can be identified, rest assured it will only be utilized in accordance with this Privacy Statement.
1.3 We prioritize the security of your personal data. To prevent unauthorized access or disclosure, we have implemented appropriate physical, electronic, and managerial procedures to safeguard and protect the personal data collected online.
1.4 By submitting your information, signing up on the website, or through other confirmations, and/or utilizing the products and/or services, you are considered to have read, comprehended, and agreed to the practices and policies outlined in this privacy policy. By doing so, you consent to our collection, use, and disclosure of your personal data and information as described herein. Furthermore, you affirm that you are bound by this Privacy Policy Statement.
1.5 We retain the right to modify, supplement, append, or delete sections of this Privacy Policy Statement at our sole discretion, at any time. If you disagree with this Privacy Policy Statement at any point, refrain from using any of our products and/or services or providing us with any of your personal data and/or information.
1.6 If you choose not to furnish us with all or some of the requested information or retract your consent to Gambit Custody collecting and utilizing your personal data, Gambit Custody will be unable to provide or continue providing you with our products and services.
2.1 Our Platform, product or services is subject to laws and regulations regarding data privacy and data protection pursuant to the PDPA. In particular, the PDPA applies to any person who processes and any person who has control over or authorises the processing of, any personal data in respect of commercial transactions save and except for any personal data processed outside of Malaysia and is not intended to be further processed in Malaysia.
2.1 The objectives outlined in this Privacy Policy Statement are to:
2.2.1 Establish a framework of privacy and personal data protection standards governing our procedures, aimed at safeguarding the privacy of your personal data.
2.2.2 Demonstrate our continuous dedication to protecting your privacy and addressing any privacy-related concerns you may have.
2.2.3 Detail the methods through which we collect, utilize, disclose, and retain your personal data.
2.2.4 Ensure our compliance with the Personal Data Protection Act 2010 ('PDPA').
2.2.5 Enable our adherence to any future advancements in personal data protection.
3.1 Collected Directly from User -The Platform collects these types of information from the User, which may constitute Personal Data under the PDPA:
3.1.1 Personally Identifiable Information (PII), such as:Name.
I. NRIC, passport or other identification number.
II. Telephone number(s).
III. Mailing address.
IV Email address.
V. Personal interests.
VI. Any other PII submitted by the User to the Platform in any enquiry or feedback forms, or through opening an account with the Platform, or interaction with the Platform and its agents/employees.
3.1.2 Financial Information, which may be considered Confidential Information, such as bank account information, routing number etc.
3.1.3 Correspondence Information, such as any information that the User provides to the Platform in correspondence, including account opening and customer support, participation in customer surveys, competitions and promotions, when the User does any of the following throughout his ongoing relationship with the Platform:
I. Register for any product or service of the Platform.
II. Sign up to receive updates via email or social media channels.
III. Use a mobile device or web browser to access content.
IV Contact via email, social media, or on any similar technologies.
V. Mention the Platform on social media.
Note: The various channels that a User corresponds with the Platform, such as application forms, email, letters and telephone calls, may be monitored or recorded for quality assurance, training and security purposes.
3.1.4 Biometric Information, such as facial images collected for identity verification (for the purposes below):
I. Extraction and comparison of facial scan data from the User’s photo in his identity document provided to the Platform with the facial scan data extracted from the User’s selfie photo or video that he uploads, for the purpose of verification.
II. Comparison of facial scan data from the image uploaded when the User first registered the account with the facial scan data provided by the User to authenticate himself as an authorised user of the Platform.
III. Detection and prevention of identity fraud, and improvement of facial recognition services.
3.1.5 Employment Information, such as job title and source of wealth.
3.1.6 Institutional Information, in the context of institutional customers, such as the legal name, company registration number, and proof of legal existence (which may include articles of incorporation, certificate of formation, business licence, trust instrument, or another comparable legal document); and
3.1.7 Other information that the User voluntarily chooses to provide.
3.1.8 Sensitive Information is not collected or requested by the Platform and thus will not be processed unless consent is given as per PDPA paragraph 40(1)(a), and such information is necessary for the performance of legal right or obligation or for protection of the User’s (Data Subject) interest as per PDPA paragraph 40(1)(b).
3.2 Collected Automatically from Usage -The Platform collects these types of information from the course of usage by the User, which may constitute Personal Data under the PDPA:
3.2.1 Log Information, such as following:
I. When the User visits the Platform’s Website, the Platform servers will automatically log the standard data provided by the User’s browser. It may include the User’s device Internet Protocol (IP) address, browser type and version, the pages he visits, the time and date of his visit, the time spent on each page, and other details about his visit.
II. Additionally, if the User encounters certain errors while using the site, the Platform may automatically collect data about the error and the circumstances surrounding its occurrence. This data may include technical details about his device, what he was trying to do when the error happened, and other technical information relating to the problem. The User may or may not receive notice of such errors, even in the moment they occur, that they have occurred, or what the nature of the error is.
III. While the log information may not be personally identifying by itself, it may be possible to combine it with other datasets to personally identify individual persons.
3.2.2 Device Information, such as hardware identifiers, device capability, operating system, connection information, bandwidth, geo-location;
3.2.3 Usage of the Platform’s Website, including online identifiers such as domain name, IP address, clickstream activity, internal and external traffic related to the web pages visited, and search history information;
3.2.4 Usage of the Platform’s Products and/or Services, including the transaction history of the User, and his behavioural analytics covering volume, patterns, predictions and trends;
3.2.5 Online Information collected from cookies onsite; and
3.2.6 Email and Telephone Call Data records.
3.3 Collected from Third Parties -The Platform may collect these types of information from third parties, which may constitute Personal Data under the PDPA:
3.3.1 Identification Information, such as name, phone number, email and mailing addresses, government identification numbers;
3.3.2 Financial Information, such as bank account information, routing number, etc.;
3.3.3 Credit and Fraud Information, such as credit reference, credit investigation, credit eligibility, identity or account verification, fraud detection, or as may otherwise be required by Applicable Law;
3.3.4 Transaction Information, such as public blockchain data based on the User’s digital asset address, and/or transaction activity;
3.3.5 Note: The Platform and its appointed service providers may match the User’s digital asset address to PII about the User and identify the User based on the blockchain transaction(s).
3.3.6 Legal Information, as permitted by law or where required to comply with legal obligations, which may include criminal records or alleged criminal activity, or information about any person or corporation with whom the User have had, currently have, or may have a financial relationship; and
3.3.7 Consented Information, from such sources which the User has given prior consent to disclose, including Sensitive and Confidential Information, and/or where not otherwise restricted.
3.4 The Platform may combine voluntarily provided and automatically collected Personal Data above with general information or research data received from third parties and other trusted sources.
4.1 The Platform considers user-generated content to be materials (text, image and/or video content) voluntarily supplied to the Platform by its Users for the purpose of publication on the Platform’s Website, or re-publishing on the Platform’s social media channels.
4.2 All user-generated content is associated with the account or email address used to submit the materials.
4.3 Any content submitted by the User for the purpose of publication will be public after posting (and subsequent review or vetting process). Once published, it may be accessible to third parties and is not covered under this Privacy Policy.
4.4 Anonymized or aggregated customer data refers to the information on Users that is combined (based on data processing techniques which modify personal information), so that it no longer identifies or references an individual person (non-PII).
4.5 The Platform may use anonymised or aggregated data of its Users for any business purpose, including to better understand its customers, improve its services, conduct business intelligence and marketing campaigns, and detect security threats. The Platform may perform its own analytics on anonymized data.
4.6 The types of data that are anonymised include, transaction data, clickstream data, performance metrics, and fraud indicators.
5.1 The Platform will not share Personal Data with third parties, except to those described below:
5.1.1 Service Providers: For business or commercial purposes so that they can provide Platform services, including identity verification, fraud detection and prevention, credit verification, security threat detection, payment processing, customer support, data analytics, information technology, advertising, marketing, data processing, network infrastructure, storage, transaction monitoring, and tax reporting.
I. By signing up for an account with the Platform, the User agrees that he has read, understood and accepted the release of his Personal Data to these service providers.
II. Personal Data shall be shared with these service providers insofar as to provide these services only, and where applicable, in performance of services which are fully exempt from PDPA principles and notification to the User or Data Subject (as per PDPA Part III paragraph 45).
III. Service providers are prohibited from using or disclosing Personal Data for any other purpose and subject to strict confidentiality obligations.
5.1.2 Affiliates: For the purposes outlined above, and as it is necessary to provide and fulfil services to Users.
5.1.3 Government Entities: As may be legally required to regulators, government agencies, and law enforcement.
5.1.4 Corporate Transactions: In the event of a proposed or consummated merger, acquisition, reorganisation, asset sale, or similar corporate transaction, or in the event of a bankruptcy or dissolution.
5.1.5 Professional Advisors: Including legal, accounting, consulting, taxation, etc. for purposes of audits or to comply with legal obligations.
5.1.6 Consent: The Platform may share or disclose Personal Data with the User’s consent.
5.1.7 Other Business Purposes: As permitted by law or where required to comply with legal obligations.
5.2 Notwithstanding the above, the Platform may disclose Personal Data to:
5.2.1 A parent, subsidiary, or affiliate of the Platform;
5.2.2 Employees, contractors, and/or related entities;
5.2.3 Existing or potential agents, sub-contractors or business partners;
5.2.4 Credit reporting agencies, courts, tribunals, and regulatory authorities (including the SC);
5.2.5 Fraud and crime prevention agencies for the purposes of assessing the risk of crime, fraud and money laundering;
5.2.6 Collection agencies, lawyers, courts, tribunals, and law enforcement officers, in connection with any actual or prospective legal proceedings, or in order to establish, exercise, or defend our legal rights;
5.2.7 An entity that buys the Platform, or to which the Platform transfers all or substantially all its assets and business; and
5.2.8 any other parties if so, required by the Applicable Law.
5.3 Where the User’s consent is needed, the Platform may request for consent in the form of:
5.3.1 Signatures or ticks indicating consent;
5.3.2 Opt-in or opt-out consent; or;
5.3.3 Consent by conduct or performance.;
5.3.4 And such consent may be obtained either on paper or on electronic mediums utilised by the User including text, email, online, social and application-based messaging systems.
6.1 The Platform shall maintain, and aid in maintaining, the confidentiality of all transaction data of Users (‘Confidential Information’) that comes to the knowledge of the Platform or any of its officers or employees or is in the possession of the Platform or any of its officers or employees.
6.2 The requirements set forth herein shall not apply to the disclosure of Confidential Information for the following purposes or in the following circumstances:
6.2.1 Service Providers: For business or commercial purposes so that they can provide Platform services, including identity verification, fraud detection and prevention, credit verification, security threat detection, payment processing, customer support, data analytics, information technology, advertising, marketing, data processing, network infrastructure, storage, transaction monitoring, and tax reporting.
6.2.2 The User to which the Confidential Information relates consents to such disclosure in writing;
6.2.3 The disclosure of Confidential Information is necessary for the execution by the Platform of a transaction in any clearing or settlement of a transaction and such disclosure is made only to another person which is -
I. A party to the transaction; or
II. A User of the Platform
6.2.4 The disclosure of Confidential Information is necessary -
I. In any disciplinary proceedings of the Platform, provided that reasonable steps are taken to ensure that Confidential Information disclosed to any third person is used strictly for the purpose for which the Confidential Information is disclosed; or
II. For the publication, in any form or manner, of the disciplinary proceedings and the outcome thereof;
6.2.5 The Confidential Information disclosed is already in the public domain;
6.2.6 The disclosure of Confidential Information is made in connection with —
I. The outsourcing or proposed outsourcing of any function of the Platform to a third party;
II. The engagement or potential engagement of a third party by the Platform to create, install or maintain systems of the Platform; or
III. The appointment or engagement of an auditor, a lawyer, a consultant or other professional by the Platform under a contract for service;
6.2.7 The disclosure of Confidential Information is necessary in —
I. An application for a grant of probate or letters of administration or the resealing thereof in relation to the estate of a deceased User; or
II. The administration of the estate of a deceased User, including such disclosure as may be required by the Public Trustee or the Commissioner of Estate Duties;
6.2.8 The disclosure of Confidential Information is made in connection with —
I. In the case where the User is an individual, the bankruptcy of such User; or
II. In the case where the User is a body corporate, the winding up or receivership of such User;
III. The disclosure of Confidential Information is authorised to be disclosed or furnished by the SC; or
IV. The disclosure of Confidential Information is made pursuant to any requirement imposed under any written law or order of court in Malaysia.
6.3 Where Confidential Information is disclosed under 6.2, the Platform shall:
6.3.1 Maintain a record of the circumstances relating to the disclosure of Confidential Information, and make that record available for inspection by the SC;
6.3.2 Disclose the Confidential Information only insofar as is necessary for the relevant purpose; and
6.3.3 Take reasonable steps to ensure that the Confidential Information disclosed is used by the person to whom the disclosure is made strictly for the relevant purpose, and that the Confidential Information is not disclosed by that person to any other person except with the consent of the Platform.
6.3.4 Where disclosure of Confidential Information is permitted to be made for any purpose or in any circumstance under 5.2 to a body corporate, the Confidential Information may be disclosed only to those officers of the body corporate to whom the disclosure is necessary for the relevant purpose.
6.4 Where Confidential Information is disclosed under 6.2, the Platform shall:
6.4.1 Consents to the recording of telephone conversations between the relevant personnel of the User and its affiliates and the Platform and its affiliates in connection with the Rules and any transaction executed on or pursuant to the rules of the Platform;
6.4.2 Agrees to obtain any necessary consent of, and give any necessary notice of such recording to, its agents, representatives and other relevant personnel;
6.4.3 Agrees to the extent permitted by Applicable Law, that recordings may be submitted as evidence in any dispute; and
6.4.4 Agrees that the other provisions of this Data Confidentiality Policy shall apply to any such recordings made by the Platform.
6.5 For the avoidance of doubt, nothing in this Policy shall be construed, or deemed to be construed, as an express or implied agreement by the Platform to a higher degree of confidentiality than that prescribed under Applicable Law.
6.6 The Platform may collect and use such Personal Data for the purposes of operating an approved custodian in accordance with these Rules. Each User shall ensure that:
6.6.1 Any and all of its agents, representatives or personnel in relation to whom Personal Data are provided to the Platform (‘Data Subjects’) have consented in advance to such data being collected, used, disclosed and Processed by the Platform, or, if not a natural person, have agreed to procure such consent to the extent necessary;
6.6.2 The disclosure of Personal Data by the User or its agents, representatives or personnel is in all respects and in each case lawful; and
6.6.3 The information set out in paragraph 6.7 has been provided to each Data Subject prior to disclosure of Personal Data relating to such Data Subject to the Platform.
6.7 The Platform shall have the right to disclose Personal Data to such Persons and for such purposes as are set out herein (which shall apply to Personal Data in the same way as it applies to Confidential Information). The Platform and other persons may transfer Personal Data outside Malaysia subject to Applicable Law.
6.7.1 Data Subjects have the right (subject to Applicable Law):
I. On payment of a small fee to the Platform, to receive a copy of Personal Data held by the Platform;
II. To have any errors or inaccuracies in such Personal Data rectified; and
III. To submit questions to the Platform in relation to collection, use or disclosure by the Platform of Personal Data in relation to such Data Subject. Any request should be addressed to the Platform’s registered office.
7.1 The Platform shall retain the User’s Personal Data, in accordance with this Privacy Policy and Terms of Use, for the duration of the User’s relationship with the Platform, and afterwards for such period as may be necessary for our legitimate business purposes (including compliance with our legal obligations, preventing fraud, resolving disputes and enforcing agreements), to protect the interests of the Platform and its customers, and as required by law.
7.2 Contact Information — Contact Information such as the User’s name, email address and telephone number for marketing purposes is retained on an ongoing basis until the User unsubscribes. Thereafter the Platform will add the User to its suppression list to ensure that it does not inadvertently market to the User.
7.3 Analytic Information — The Platform may retain analytic information in an anonymous or aggregated form where that information does not identify the User personally.
7.4 Cookie Information —
7.4.1 Information collected via internal technical means such as cookies, web page counters and other analytics tools is typically kept in session or for a period of up to one (1) year from expiry of the cookie.
7.4.2 The length of time a cookie stays on the User’s browsing device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on the device until the User closes his browser. Persistent cookies stay on the browsing device until they expire or are deleted.
7.5 Biometric Information – The User’s biometric data is held by the Platform’s service providers for a period of no longer than one (1) year from the time when the User ceases to be a customer of the Platform.
7.5.1 The service provider shall securely store all selfies, videos, photos of identity documents, and facial scan data in an encrypted format. The service provider may maintain backup copies and allow third parties to service the systems on which such data is stored.
7.5.2 The service provider shall permanently destroy the facial scan data when directed to do so by the Platform, or within one (1) year of the Data Subject’s last interaction with the service provider, whichever occurs first, unless otherwise required by law or legal process to retain the data.
7.5.3 The service provider may retain a record of the partially completed process and any media that the User uploaded in accordance with the instructions of the Platform.
7.5.4 The service provider shall not sell, lease, trade, or, other than to provide the verification and authentication services to the Platform described in this Policy, or otherwise benefit from facial scan data.
7.5.5 The service provider shall not disclose, redisclose, or disseminate facial scan data, other than as set forth herein, unless doing so:
7.5.6 The length of time a cookie stays on the User’s browsing device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on the device until the User closes his browser. Persistent cookies stay on the browsing device until they expire or are deleted.
I. Completes a transaction requested by the Platform and authorised by the User or his legally authorised representative;
II. Is requested by regulators or required by law, or pursuant to a warrant or subpoena issued by a court of competent jurisdiction; or
III. Is expressly consented to by the User.
7.6 User Generated Content – Content that the User posts on the Platform’s Website such as support desk comments, photographs, videos, blog posts, and other content may be kept after the User closes his account for audit and crime prevention purposes (e.g. to prevent a known fraudulent actor from opening a new account).
8.1 By accessing the Platform, its Website and/or using products or services of the Platform, the User is deemed to have provided consent to the Platform for contact via phone calls, text messages, emails and/or other electronic methods by using the Personal Data given by the User during his registration on the Website.
8.2 The consent above is deemed to include consent to receive pictures, videos, online messages and/or emails about the Platform’s business partners’, strategic partners’, sponsors’ or advertisers’ products, services, promotions, special offers, events and/or activities which may be of interest to the User.
8.3 The User may elect to opt out from receiving any marketing content such as promotional materials or offers, in whole or in part, by written instruction to the Platform or clicking on the “unsubscribe” links in the communication pieces.
8.4 As long as the User maintains a registered account with the Platform, the User will not have the option to opt out from receiving account-related and service-related notifications or announcements from the Platform.
9.1 The User has various rights under law in respect of his Personal Data retained by the Platform. These rights are set out as follows:
9.1.1 Accessing Personal Data (subject to payment of the relevant processing fee, if applicable);
9.1.2 Requesting rectification or erasure of Personal Data or to keep Personal Data accurate, complete, not misleading and up to date;
9.1.3 Requesting restrictions on the processing of Personal Data;
9.1.4 Withdrawing consent previously given to the Platform for the processing of Personal Data; and
9.1.5 Objecting to the Platform for processing his Personal Data.
9.2 Pursuant to the User’s right to access his Personal Data as stated above:
9.2.1 The User also has the right to receive a copy of his Personal Data in an electronic format. However, this right is limited to Personal Data that has been provided to the Platform and processed based on his consent. It does not cover Personal Data that the Platform may have received on other grounds or from other sources; and
9.2.2 The Platform may withhold the User’s request to access his Personal Data in certain circumstances, including but not limited to:
I. When the Platform is unable to confirm the User’s identity;
II. Where such Personal Data requested is of a confidential nature; or
III. When we receive requests for the same data.
9.2.3 In any event, the Platform will promptly notify the User of the reason(s) for not being able to accede to the request.
9.3 The User has the right to unsubscribe or opt-out of marketing communications from the Platform’s email database.
9.4 Subject to the User’s request in pursuant to 9.1 and 9.2 above, the Platform reserves the right to deny the User’s access to the Platform or the User’s requests for further documentary evidence for reasons permitted by the Applicable Law.
10.1 The Platform will be a global business. As a result, Personal Data may be stored and processed in any country where the Platform may have operations or where it may engage service providers.
10.2 The Platform may transfer Personal Data of Users to recipients in countries other than the country in which the Personal Data was originally collected. Those other countries may have data protection or privacy rules that are different from those of the User’s home country.
10.3 However, the Platform will take measures to ensure that any such transfers comply with applicable data protection laws and that the User’s Personal Data remains protected to the standards described in this Data Privacy Policy. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access the User’s Personal Data.
10.4 The Personal Data collected by the Platform may be transferred to, stored and processed outside of the jurisdiction in which the User resides, and the laws of those countries may differ from the laws applicable in Malaysia.
10.5 The Platform may enter into the appropriate data processing agreements and, if required, standard contractual clauses for the transfer of data which have been approved by the European Commission. We may transfer personal data from Europe to third countries outside of Europe, including the United States, under the following conditions:
10.5.1 Contractual Obligation: Where transfers are necessary to fulfil the Platform’s obligation to the User under the Terms of Service, including to provide the User with services and customer support; and
10.5.2 Consent: Where the User has consented to the transfer of his Personal Data to a third country. Where transfers to a third country are based on consent, the User may withdraw consent at any time. Nonetheless, the Platform’s services may not be available to the User if the Platform is unable to transfer Personal Data to third countries.
10.6 Any processing of such data will be undertaken by the Platform’s staff, or the staff of its third party service providers, whose roles will include verifying the User’s identity, processing payment details, and providing customer support.
10.7 By accepting this Data Privacy Policy and submitting Personal Data to the Platform, the User agrees to the transfer, storing or processing of it outside of Malaysia.
11.1 The Platform, its Website and/or Products and Services are not intended for use by or directed to anyone below the age of eighteen (18) (‘Minor’).
11.2 The Platform does not and will not knowingly collect Personal Data from any Minor.
11.3 If the Platform becomes aware that it has collected Personal Data from any Minor without verification of parental consent, it will take the necessary steps to remove all information relating to such Minor from digital storage facilities, servers and service providers.
11.4 If the User is a parent or guardian and is aware that his Minor has provided the Platform with any Personal Data, the User should contact us immediately.
12.1 The Platform may change this Privacy Policy from time to time to reflect changes to its privacy practices and advances in technology, to enhance user experience, or comply with relevant laws.
12.2 If the Platform decides to modify the purposes for which Personal Data is collected, used, or shared, or its practices relating to Personal Data, this Privacy Policy shall be updated accordingly -
12.2.1 It shall be the same link by which the User is accessing this Policy.
12.2.2 The “Last Updated” legend at the top of the Data Privacy Policy indicates when the Policy was last revised.
12.2.3 The updates shall be effective immediately upon being posted on the Website.
12.2.4 The User’s continued use of Platform after the posting of this updated Policy means that the User understands and agrees to such changes.
13.1 In accordance with Section 7(3) of the PDPA, this Policy will be posted on the Platform’s Website in both Bahasa Malaysia and English language.
13.2 In the event of any inconsistency between the Bahasa Malaysia version and the English version of this Policy, the English version shall prevail over the Bahasa Malaysia version.
Gambit Custody Sdn Bhd
A wholly owned subsidiary of Gambit Group Sdn Bhd
Address
J-39-01, Level 39, HCK Tower J, PJU 8, Jalan Damansara, Empire City, 47820 Petaling Jaya, Selangor Darul Ehsan, Malaysia
Operating Hours:
Mon - Fri | 9am to 6pm
Inquiries
hello@gambit.com.my
