Privacy Policy
Effective: 23 April 2026 · Last updated: 12 June 2026
This policy explains what data MyTaxMate collects, why, and how we protect it. It's written in plain language because we think you deserve to understand it without a law degree. If you're about to sign up, please read it first.
1. Who we are
MyTaxMate is a Malaysian personal income tax assistant. We're a small independent team operating the service at https://app.mytaxmate.my (the “Service”). If you have questions about this policy, email support@mytaxmate.my.
MyTaxMate is not a licensed tax advisor or accountant. We give you tools to organise your own tax filing — we don't file on your behalf or act as your agent with LHDN.
2. What we collect
Data you give us directly
- Account: email address, password (stored hashed by Supabase Auth — we never see the plaintext), full name.
- Profile: marital status, whether your spouse has income, whether your spouse is disabled, and whether you have a disability — the only personal details that change your tax computation. (We used to ask for MyKad, TIN, date of birth, gender, citizenship, address, phone, employer and bank details; we removed all of them in 2026 — see “Data we do NOT collect” below.)
- Dependents: for each child/parent/grandparent you add — name, relationship, date of birth, disability + study status, and, for a studying child, the education level, country, and institution that determine the relief.
- Tax data: income records, reliefs claimed, receipt metadata, business details for Form B (business name and registration number), per-year tax account settings, tax calendar reminders you create, and, for employment income, your employer's name and employer E number (typed in or read from EA forms you scan).
- Receipts: photos or PDFs of receipts you upload, stored in Supabase Storage.
- Tax assistant chats: the questions you ask Kira (our in-app tax assistant) and its replies, stored so you can revisit past conversations. Sharing your tax figures with Kira for personalised answers is optional and controlled in Settings; without it, Kira only sees your question.
- Feedback and surveys: ratings, feedback notes, and survey answers you choose to submit (for example, our pricing survey), stored with your account.
- Newsletter: if you leave your email on our landing page, we store it to send occasional product updates. Every email includes an unsubscribe link; unsubscribing removes you from the list.
- Preferences: language (EN or BM) selection.
Data collected automatically
- Session cookies issued by Supabase to keep you logged in between visits.
- Language cookie (locale) storing your EN/BM preference.
- Pageviews — which pages you visit (Vercel Analytics collects this without cookies or personal identifiers).
- Performance metrics — page load times, Core Web Vitals (Vercel Speed Insights).
- Error reports — if the app crashes, Sentry captures the error, stack trace, your IP address, and user-agent. Session Replay may capture 15 seconds of anonymised UI activity before the error.
Data we do NOT collect
- Plaintext passwords. Ever.
- Your MyKad / NRIC or Tax Identification Number (TIN). MyTaxMate doesn't e-file on your behalf, so we don't need them — you enter those directly on the official ezHASIL / MyTax portal when you submit.
- Your home address, phone number, or bank account details. We removed these fields in 2026 because none of them affect your tax computation.
- Third-party tracking / advertising identifiers (we don't use Meta Pixel, Google Ads, TikTok Pixel, or similar).
- Location beyond what's inferred from your IP address.
- Your bank balance, transaction history, or e-statements (you enter numbers manually — we don't connect to any bank).
Sensitive personal data
Some data you can choose to store is “sensitive personal data” under the PDPA: disability status (yours, your spouse's, or a dependent's), medical receipts (which can reveal health conditions), and zakat records (which can reveal religious belief). We process these only to compute the reliefs, rebates, and offsets you ask us to track, and never for anything else. By adding them, you give us your explicit consent to process them for that purpose. You can edit or remove them at any time, and they're deleted with your account.
3. Why we collect it
- Profile + tax data → to compute your tax payable and generate Form BE / Form B PDFs correctly.
- Receipts → to satisfy LHDN's 7-year receipt retention rule.
- Tax assistant chats → to answer your tax questions and let you revisit earlier conversations.
- Pageviews + performance → to understand which parts of the app are used and where we need to improve speed.
- Error reports → to find and fix bugs before they affect more users.
- Session cookies → so you don't have to log in on every page.
We do not sell your data. Ever. If our business model ever changes in a way that affects this, we will ask for your explicit consent first and you can refuse without losing access to the Service.
4. Who we share it with
We use the following third-party processors. Each only receives the data necessary to do its job.
| Vendor | Purpose | Data | Region |
|---|---|---|---|
| Supabase | Database, auth, storage | Everything in Section 2 “directly” | Singapore |
| Vercel | App hosting + DNS | All HTTP traffic | Global, SIN primary |
| Vercel Analytics | Anonymous pageview stats | URL, viewport size | Global |
| Vercel Speed Insights | Core Web Vitals | Timing measurements | Global |
| Sentry | Error monitoring | Stack traces, IP, user-agent, 15s replay | United States |
| Google (Gemini API) | Smart Scan receipt + EA form reading | Receipt and EA form images or PDFs you choose to scan, sent per scan. Where on-device text extraction succeeds, only the extracted text is sent. Not used to train Google's models per Google's paid-tier API terms. | United States |
| Anthropic | Kira in-app tax assistant | Your chat messages and, if you enable personalisation in Settings, your profile and current tax-year figures for context. Not retained for training. | United States |
| Resend | Transactional email (e.g. receipt audit-pack export) | Your email address and the file you asked us to send | United States |
| GitHub | Source code + deploys | No personal data | United States |
If we add or change a processor, we will update this list. For material changes, we will also post a notice at least 14 days before the change takes effect.
If MyTaxMate is ever acquired or merges into another company, your data may transfer to the new operator only under protections at least as strong as this policy. We'll notify you beforehand, and you'll have the chance to delete your account first.
5. International data transfers
Most of your data stays in Singapore (Supabase). Four categories of data are sent outside Singapore in the course of operating the Service:
- Error reports → Sentry in the United States, when the app crashes.
- Receipt and EA form images → Google (Gemini API) in the United States, each time Smart Scan reads a document to auto-extract its details (where on-device text extraction succeeds, only the extracted text is sent). Files are transmitted over HTTPS and are not used to train Google's models per Google's paid-tier API terms.
- Tax assistant chats → Anthropic in the United States, when you ask Kira a question. Your message is sent, together with a summary of your profile and current tax-year figures only if you have enabled personalisation in Settings; none of it is retained by Anthropic for training per their commercial API terms.
- Hosting traffic → Vercel's global edge network (primary region Singapore, but individual requests may be served from the nearest edge).
These transfers happen on two legal bases: your consent (you accept this policy at signup) and necessity (the Service can't work without them). Each vendor is bound by a data processing agreement and holds independent security certifications (SOC 2, ISO 27001).
6. How long we keep your data
- Receipts: 7 years after the year of assessment, per LHDN's retention requirement.
- Tax account + computation data: indefinitely while your account is active.
- Session and error data: 90 days in Sentry, shorter in Vercel Analytics.
- On account deletion: we soft-delete all your data within 24 hours and hard-delete from our live systems within 30 days (see Backups below), except data we're required to keep by law.
- Backups: we keep periodic backups of the database and uploaded files for disaster recovery. Backups are automatically purged on a rolling 90-day window, so data deleted from the live system also leaves backups within 90 days at most.
- Records supporting an actual filing: Malaysian law (Income Tax Act 1967, s.82) requires taxpayers to keep records supporting a filing for 7 years. Where records you stored with us supported a filing you actually made, we may retain a minimal, de-linked copy for that statutory window after account deletion, as explained on our Delete Account page.
7. How we protect your data
- All traffic is encrypted in transit (HTTPS with HSTS).
- Data at rest is encrypted by Supabase using AES-256.
- Supabase Row-Level Security enforces that you can only read your own rows, even if our app code has a bug.
- Receipts in Supabase Storage are only accessible via short-lived signed URLs scoped to your user ID.
- Access to production systems requires 2FA.
- We're a small team and we're honest about that: security is a constant practice, not a finished state. If you find a vulnerability, please email support@mytaxmate.my and we'll respond within 3 business days.
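For readers who want to see what the Row-Level Security control above actually looks like, here is an added illustration of the pattern. It is not MyTaxMate's own schema or code; the table name (receipts), its columns, and the policy names are assumptions chosen for the example. The point it demonstrates is that ownership is checked by the database against the signed-in user's identity (auth.uid(), taken from the session token), so a bug in application code that forgets a WHERE clause still cannot return another user's rows.

```sql
-- Added example of the Row-Level Security pattern described in Section 7.
-- Table and column names are assumed for illustration, not MyTaxMate's real schema.
create table if not exists receipts (
  id           uuid primary key default gen_random_uuid(),
  -- Owner is taken from the caller's session token, never from a client-supplied value.
  user_id      uuid not null default auth.uid() references auth.users (id) on delete cascade,
  storage_path text not null,
  amount_myr   numeric(12, 2),
  created_at   timestamptz not null default now()
);

-- Without this line no policy applies and any authenticated user could read every row.
alter table receipts enable row level security;
-- Also apply the policies to the table owner role, not just to other roles.
alter table receipts force row level security;

-- One policy per operation. USING filters rows the caller may see or touch;
-- WITH CHECK rejects writes that would create a row the caller does not own.
create policy "receipts: read own"
  on receipts for select
  to authenticated
  using (auth.uid() = user_id);

create policy "receipts: insert own"
  on receipts for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "receipts: update own"
  on receipts for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

create policy "receipts: delete own"
  on receipts for delete
  to authenticated
  using (auth.uid() = user_id);

-- Check: run as a signed-in user this returns only that user's rows,
-- even though the query itself has no WHERE clause; run as anon it returns nothing.
select id, storage_path, amount_myr from receipts;
```

Two caveats a practitioner would check: the service-role key bypasses RLS entirely, so it must stay server-side and never reach the browser; and a table with RLS enabled but no policy is locked for everyone, so each new table needs both the ALTER and at least one policy before it is useful.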
If a data breach happens: we follow Malaysia's mandatory breach notification rules. If a breach is likely to cause significant harm (for financial data like yours, it usually would), we will notify the Personal Data Protection Commissioner within 72 hours of becoming aware of it, and notify you directly without undue delay, telling you what happened, what data was involved, and what we're doing about it. We keep an internal register of all security incidents.
8. Your rights under PDPA
Under the Personal Data Protection Act 2010 (Malaysia), you have the right to:
- Access your personal data — email us, we'll send you a copy within 21 days.
- Correct inaccurate data — most you can fix yourself via the Profile and Dependents pages.
- Delete your data — email us; we'll confirm identity and delete per Section 6.
- Withdraw consent — close your account.
- Limit processing — ask us to stop processing your data for specific purposes.
- Object to processing that isn't justified.
- Portability — receive your data in a machine-readable format (JSON export; email us to request).
- Lodge a complaint with the Personal Data Protection Commissioner at pdp.gov.my.
All requests: support@mytaxmate.my. Reply time: 7 business days for acknowledgment; 21 days to complete.
9. Cookies
We set two kinds of cookies:
| Name | Purpose | Duration |
|---|---|---|
| sb-* | Supabase auth session | Session or up to 30 days |
| locale | EN/BM language preference | 1 year |
We do not use advertising cookies or third-party trackers. You can clear all of the above from your browser settings.
10. Children
MyTaxMate is intended for users aged 18 or older. We do not knowingly collect data from anyone under 18. If you believe we've collected data from a minor, email us and we'll delete it.
11. Changes to this policy
If we change this policy in a way that affects how we handle your data, we'll post the updated version here with a new “Last updated” date and email all registered users at least 14 days before material changes take effect. Non-material changes (clarifications, typos) may be made without notice.
12. Contact
Email: support@mytaxmate.my
Postal address available upon request for formal data requests.
This policy is provided in good faith and reflects our actual data practices as of the effective date. It is not legal advice; if your circumstances require legal certainty, please consult a Malaysian lawyer specialising in data protection.