Privacy Policy

Under the Personal Data Protection (Amendment) Act 2024, Xedar has appointed a Data Protection Officer accountable for compliance with this policy.

• Data Protection Officer: —
• Email: dpo@xedar.my

The DPO is the designated point of contact for the Personal Data Protection Commissioner of Malaysia and for all data subject enquiries.

We collect only what's needed to provide the service.

Account data: email, name (optional), hashed password, phone (optional), language preference.

Financial data you provide: transactions, receipt images, income sources, tax-relevant inputs, business data if you create a business entity.

Technical data: IP address, device type, pages visited, errors, login sessions.

What we do NOT collect: government ID numbers (unless you enter them for form pre-fill), bank login credentials, biometric data, third-party ad tracker data.

Three purposes only: provide the service, improve the product, stay compliant with law.

• Provide the service: calculate tax position, surface reliefs, pre-fill forms, process billing, send transactional emails, secure your account.
• Improve the product: anonymised usage analytics, bug diagnosis, anonymised A/B testing.
• Comply with law: respond to lawful authority requests, retain LHDN-mandated records (7 years), comply with PDPA + AML regulations.

We do not use your financial data, receipts, or personal information to train any artificial intelligence model. Where AI processing occurs (such as receipt OCR via Google Gemini), it is performed under commercial API terms which contractually prohibit the provider from using your data for model training.

The following sub-processors are engaged by Xedar to deliver the service. Each is contractually bound by a Data Processing Agreement. The current register is maintained at /legal/security and updated within 14 days of any change.

• Google LLC (Gemini API) — AI receipt OCR. US / Singapore. Standard Contractual Clauses + paid-API no-training terms.
• Our payment processor — subscription payment processing. Singapore. DPA + PCI DSS Level 1.
• Application hosting + database infrastructure — Malaysia. MY-domiciled.
• Transactional email delivery — vendor pending; DPA pending before launch.

We do NOT share data with advertisers, data brokers, other Xedar users (entities are isolated), or third-party marketing platforms.

PDPA gives Malaysian users specific rights over their data. Xedar honours all of them.

• Access: export everything as CSV, JSON, or PDF — anytime from your settings.
• Correction: edit data directly in your account.
• Deletion: delete your account from settings. Erased within 30 days from production, 90 days from backups.
• Withdrawal of consent: stop using Xedar at any time. Delete your account to revoke consent.
• Data portability: exports are in standard machine-readable formats.
• Complaints: email dpo@xedar.my. If unresolved, escalate to the Personal Data Protection Commissioner of Malaysia.

We use cookies sparingly. No third-party advertising trackers.

• Essential: login session, language preference, security tokens.
• Analytics: Google Analytics 4 (anonymised). You can opt out from the cookie consent banner.
• Marketing / advertising: none.

Xedar is built for adults filing their own taxes or running their own businesses. Generally that means 18+. If you're under 18, please involve a parent or guardian and contact us at hello@xedar.my.

• Active account data — kept while account exists.
• Production systems (after deletion) — purged within 30 days.
• Backups (after deletion) — purged within 90 days.
• Tax-relevant records — retained 7 years per LHDN regulations.
• Audit logs — 12 months, then deleted.

Primary data centres are in Malaysia. Certain processing involves cross-border transfer:

• AI receipt OCR via Google Gemini API (United States / Singapore)
• Subscription payment processing (provider to be confirmed)

Each transfer is governed by the sub-processor agreements summarised above and complies with the cross-border transfer framework under PDPA 2024 Section 129.

If we materially change how we handle your data, we'll notify you by email at least 30 days before the change takes effect. Continued use indicates acceptance. If you don't agree, you can delete your account.

For data protection enquiries, access requests, correction or deletion requests, or breach notifications, contact our DPO at dpo@xedar.my. For general enquiries, hello@xedar.my. We respond within 5 business days.