Privacy Policy

Last updated: 8 April 2026

1. Introduction

InvoisKit ("we", "us", or "our") is committed to protecting the privacy of our users ("you" or "your"). This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the Malaysian Personal Data Protection Act 2010 (PDPA).

By using InvoisKit, you consent to the collection and use of your data as described in this policy.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Information

  • Full name
  • Email address
  • Password (stored as a secure hash, never in plaintext)

2.2 Business Information

  • Business name
  • SSM registration number
  • Tax Identification Number (TIN) - encrypted at rest using AES-256 encryption
  • Business address
  • Phone number
  • Currency preference

2.3 Client Information

  • Client names, emails, phone numbers, and addresses
  • Client TINs - encrypted at rest using AES-256 encryption
  • Client company names and notes

2.4 Financial Data

  • Invoice details (amounts, line items, tax rates)
  • Proposal details (pricing, scope of work)
  • Bank account details (as entered by you for invoice display)
  • Payment status information

2.5 Usage Data

  • Feature usage counts (proposals and invoices created)
  • Subscription status and billing history
  • Consent records (timestamps of agreement acceptance)

3. How We Use Your Data

We use your data for the following purposes:

  • Service delivery: To provide proposal generation, invoice creation, client management, and PDF generation features
  • AI processing: Project descriptions are sent to OpenAI's API for proposal generation. No personally identifiable information (PII) such as TIN or SSM numbers is sent to AI services
  • Payment processing: Subscription payments are handled by Stripe. We do not store your credit card details
  • Communication: To send payment reminders, email notifications, and service-related updates
  • Service improvement: To understand usage patterns and improve the Service
  • Legal compliance: To comply with applicable laws and regulations

4. Data Security

We implement the following security measures to protect your data:

  • Encryption at rest: Sensitive data such as TINs is encrypted using AES-256-GCM before being stored in our database
  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS
  • Authentication: We use industry-standard authentication mechanisms provided by Supabase Auth
  • Row Level Security (RLS): Database-level access controls ensure users can only access their own data
  • Password hashing: Passwords are never stored in plaintext; they are hashed using secure algorithms
  • No plaintext TIN storage: TINs are always encrypted before being written to the database and are only decrypted in your browser session

5. Third-Party Services

We use the following third-party services that may process your data:

  • Supabase: Database hosting, authentication, and file storage (servers in Singapore)
  • Stripe: Payment processing for subscriptions. Stripe's privacy policy applies to payment data
  • OpenAI: AI proposal generation. Only project descriptions and non-sensitive context are sent. No TIN, SSM, or financial data is shared with OpenAI
  • Resend: Transactional email delivery for payment reminders and notifications
  • Vercel: Application hosting and deployment

6. Data Retention

6.1. Your data is retained for as long as your account is active.

6.2. Upon account deletion, your data will be permanently removed from our systems within 30 days, except where retention is required by law.

6.3. Backup copies may persist for up to 90 days before being permanently purged.

6.4. Consent records are retained for the duration of your account plus 7 years for legal compliance purposes.

7. Your Rights Under PDPA

Under the Malaysian Personal Data Protection Act 2010, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete personal data
  • Withdrawal of consent: Withdraw your consent for data processing (this may affect your ability to use certain features)
  • Data portability: Request an export of your data in a machine-readable format
  • Deletion: Request deletion of your account and associated data

To exercise any of these rights, contact us at support@invoiskit.it.com. We will respond to your request within 21 days as required by the PDPA.

8. Cookies and Local Storage

8.1. We use essential cookies for authentication and language preferences. These are strictly necessary for the Service to function.

8.2. We use local storage to store your theme preference (light/dark mode).

8.3. We do not use third-party tracking cookies or analytics trackers.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

10. International Data Transfers

Your data may be processed on servers located outside of Malaysia (including Singapore and the United States) through our third-party service providers. We ensure that appropriate safeguards are in place to protect your data in accordance with the PDPA.

11. Data Breach Notification

In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, in compliance with applicable regulations.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 14 days before they take effect. Your continued use of the Service after the changes take effect constitutes acceptance of the revised policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

Email: support@invoiskit.it.com
