PDPA Notice · 个人数据保护通知
Privacy Policy · 隐私政策
Last updated · 最后更新: 17 June 2026
This notice is effective immediately upon publication. Review by qualified Malaysian counsel is recommended before large-scale commercial rollout.
本通知自发布之日起生效。建议在大规模商业推广前,由具资质的马来西亚法律顾问进行审阅。
1. Data We Collect
KunciPay collects and processes: company registration details, user account credentials, role and permission records, employee records, supplier and customer records, transaction and voucher data, PBM spend-control records, approval workflow logs, e-Invoice records submitted to LHDN MyInvois, inventory and stock movement records, payroll inputs and outputs, bank account details, API usage logs, device and session metadata, AI assistant conversation context, and support communications.
1. 我们收集的数据
KunciPay收集及处理以下数据:公司注册资料、用户账户凭证、角色与权限记录、员工档案、供应商与客户记录、交易及凭单数据、PBM支出管控记录、审批工作流日志、提交至LHDN MyInvois的电子发票记录、库存及库存移动记录、薪资输入与输出、银行账户资料、API使用日志、设备与会话元数据、AI助理会话内容以及客户支持通讯。
2. Purpose of Processing
We process data to: create and secure accounts; operate PBM payment controls, approval workflows, and audit trails; provide ERP/accounting records and reports; prepare e-Invoice readiness packs for LHDN MyInvois; process payments via Curlec; deliver AI assistant features powered by DeepSeek/Qwen; provide customer support; calculate billing and usage; detect fraud and unauthorised access; and meet Malaysian legal and regulatory obligations including PDPA 2010, LHDN e-Invoice requirements, and Anti-Money Laundering Act.
2. 处理目的
我们处理数据的目的包括:创建及保护账户安全;运行PBM支付管控、审批工作流及审计追踪;提供ERP/会计记录与报告;为LHDN MyInvois准备电子发票就绪包;通过Curlec处理付款;提供由DeepSeek/Qwen驱动的AI助理功能;提供客户支持;计算账单及使用量;检测欺诈及未授权访问;履行马来西亚法律及监管义务,包括2010年《个人数据保护法》、LHDN电子发票要求及《反洗钱法》。
3. PDPA Consent and Your Responsibilities
By registering or using KunciPay, you confirm that you are duly authorised to provide company, employee, supplier, and customer personal data to us, and you consent to our processing of that data under Malaysia's Personal Data Protection Act 2010 (PDPA 2010). You are responsible for giving any notices required by PDPA to your staff, suppliers, and customers before uploading or entering their personal data into KunciPay.
3. 个人数据保护法同意及您的责任
注册或使用KunciPay即表示您确认已获授权向我们提供公司、员工、供应商及客户的个人数据,并同意我们依据马来西亚2010年《个人数据保护法》(PDPA 2010)处理该数据。在将您员工、供应商及客户的个人数据上传或输入KunciPay之前,您有责任依据PDPA的规定向相关当事人发出所需通知。
4. Third-Party Processors
KunciPay uses the following third-party processors: (a) Railway.app — cloud hosting, PostgreSQL database, and Redis cache, physically located in Singapore (AWS ap-southeast-1); (b) Curlec (Razerpay Malaysia) — payment processing and FPX/e-mandate facilitation, holding BNM e-money licence; (c) LHDN MyInvois — Malaysian tax authority e-Invoice system for regulatory submission; (d) DeepSeek / Alibaba Qwen — AI assistant inference, data is processed according to their respective privacy policies and data processing agreements; (e) Sentry.io — error monitoring (optional, no personal data in stack traces); (f) email and communication providers for OTP and support. Provider-pending integrations (bank feeds, CTOS, Shopee/Lazada, official payroll filing) are not live until signed provider agreements and production tests are completed.
4. 第三方数据处理方
KunciPay使用以下第三方数据处理方:(a) Railway.app — 云托管、PostgreSQL数据库及Redis缓存,物理位于新加坡(AWS ap-southeast-1);(b) Curlec(Razerpay Malaysia)— 支付处理及FPX/电子授权,持有BNM电子货币牌照;(c) LHDN MyInvois — 马来西亚税务局电子发票系统,用于监管申报;(d) DeepSeek / 阿里云通义千问 — AI助理推理,数据依据各自隐私政策及数据处理协议处理;(e) Sentry.io — 错误监控(可选,错误日志中不包含个人数据);(f) 电邮及通讯服务提供商,用于OTP及客户支持。待接入的集成(银行数据流、CTOS、Shopee/Lazada、正式薪资申报)在签署服务提供商协议并完成生产测试前尚未上线。
5. Data Retention
Operational records are retained for the duration of your active account. Following account closure, core accounting, audit, and transaction records are retained for seven (7) years to comply with Malaysian tax record-keeping requirements under the Income Tax Act 1967 and LHDN guidelines. Audit logs, approval records, and e-Invoice data submitted to LHDN are retained for the period required by law. Backup data may be retained for up to 90 days beyond the live retention period.
5. 数据保留期限
运营记录在您的账户有效期间保留。账户关闭后,核心会计、审计及交易记录将保留七(7)年,以符合马来西亚1967年《所得税法》及LHDN指引的税务记录保留要求。提交至LHDN的审计日志、审批记录及电子发票数据依法律规定期限保留。备份数据可在正式保留期结束后额外保留最多90天。
6. Data Storage and Security
All data is stored in Railway-managed PostgreSQL (Singapore region). Data is encrypted at rest using AES-256 and in transit via TLS 1.2+. We implement access controls, role-based permissions, rate limiting, idempotency keys, CSRF protection, session timeouts, and audit logging. Voucher tokens are encrypted using Fernet symmetric encryption. Strong secrets are enforced at application startup. No security measure eliminates all risk; customers should manage user roles carefully and report suspected breaches promptly.
6. 数据存储与安全
所有数据存储于Railway托管的PostgreSQL(新加坡地区)。静态数据采用AES-256加密,传输数据采用TLS 1.2+加密。我们实施访问控制、基于角色的权限管理、速率限制、幂等性密钥、CSRF保护、会话超时及审计日志。凭单令牌采用Fernet对称加密。应用程序启动时强制要求强密码密钥。任何安全措施均无法完全消除风险;客户应谨慎管理用户角色,并及时报告任何疑似安全漏洞。
7. Your Rights Under PDPA
Under PDPA 2010, you have the right to: (a) access personal data we hold about you; (b) correct inaccurate personal data; (c) request deletion of personal data, subject to legal retention obligations; (d) withdraw consent to processing (which may affect service availability); (e) request a copy of data in a portable format; (f) lodge a complaint with the Personal Data Protection Commissioner. To exercise these rights, email [email protected] with your company name, account email, and the nature of your request. We will respond within 21 days.
7. 您在个人数据保护法下的权利
根据2010年《个人数据保护法》,您有权:(a) 访问我们持有的您的个人数据;(b) 更正不准确的个人数据;(c) 在法律保留义务允许的范围内请求删除个人数据;(d) 撤回数据处理同意(这可能影响服务可用性);(e) 以可携式格式请求数据副本;(f) 向个人数据保护专员提出投诉。如需行使上述权利,请发送电子邮件至 [email protected],并注明您的公司名称、账户电邮及请求性质。我们将在21天内回复。
8. Contact
General support: [email protected] | Data Protection Officer: [email protected] | Registered address: Malaysia. For urgent data breach notifications, email [email protected] with subject "DATA BREACH". We aim to acknowledge within 24 hours and notify the PDPC within 72 hours of a confirmed breach as required by law.
8. 联系方式
一般支持:[email protected] | 数据保护官:[email protected] | 注册地址:马来西亚。如需紧急数据泄露通知,请发送电子邮件至 [email protected],主题注明"DATA BREACH"。我们承诺在24小时内确认,并在确认泄露后72小时内依法通知个人数据保护专员委员会。