Privacy Policy

Last updated: 9 March 2026

1. What We Collect

  • Account data: Email address used for sign-in (magic link or Google OAuth).
  • Bank statements: PDF files you upload for tax relief extraction.
  • Transaction data: Extracted transaction details (merchant, amount, date, category) stored in our database.
  • Payment data: Stripe processes your payment. We store a transaction reference — never your card number.

2. How We Process Your Data

  • Bank statement PDFs are converted to images and processed by Google Gemini AI to extract transaction data.
  • Extracted transactions are analysed by our classification engine to identify tax-deductible spending across 15 relief categories.
  • All processing occurs on secured servers. We do not share your financial data with third parties beyond the AI extraction step.

3. Payment Processing

Payments are handled by Stripe, a PCI DSS Level 1 certified payment processor. We never see, store, or have access to your full card details. We only store a reference to your Stripe payment session for order fulfilment.

4. Data Retention

  • Uploaded PDFs: Automatically deleted from storage within 30 days of upload.
  • Extracted transactions: Retained for as long as your account is active, to allow year-over-year comparison.
  • Account data: Retained until you request deletion.
  • Payment records: Retained for accounting and legal compliance purposes.

5. Your Rights (PDPA 2010)

Under Malaysia's Personal Data Protection Act 2010 (PDPA), you have the right to:

  • Access your personal data held by us.
  • Request correction of inaccurate data.
  • Request deletion of your data and account.
  • Withdraw consent for data processing.

6. Data Security

We use Supabase (hosted on AWS) with row-level security policies, encrypted storage, and HTTPS for all communications. Authentication is handled via Supabase Auth with industry-standard token management.

7. Third-Party Services

  • Supabase: Database, authentication, and file storage.
  • Google Gemini: AI-powered document extraction (no data retained by Google beyond processing).
  • Stripe: Payment processing.
  • Vercel: Web application hosting.

8. Contact

For privacy inquiries or data requests, contact us at: privacy@taxfind.my