Last updated: 6 June 2026
Faktur.my (“we”, “our”, “us”) operates the Faktur.my web application at faktur.myand the FakturMY iOS application (collectively, the “Service”). This Privacy Policy explains how we collect, use, and protect your personal data. By using the Service, you agree to this policy.
This policy is compliant with Malaysia’s Personal Data Protection Act 2010 (PDPA).
We collect only what is necessary to provide the Service:
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, password (hashed) | Authentication & account management |
| Profile | Full name, company name, phone, address, business registration number, tax number, logo | Displayed on your documents (invoices, quotes, payslips) |
| Business data | Invoices, quotations, customers, employees, payslips | Core Service functionality |
| Usage | App interactions (errors, crashes) | Improving reliability |
We do not collect payment card details. iOS in-app purchases are processed entirely by Apple via StoreKit — we receive only a confirmation of entitlement, not payment data.
We do not use your data for advertising, profiling, or sell it to any third party.
We use the following sub-processors to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | All user data (stored securely) |
| Resend | Transactional email delivery | Recipient email, document content |
| Apple (iOS) | In-app purchase processing (StoreKit) | Purchase confirmation only — no payment data shared with us |
| Vercel | Web app hosting | Request logs (IP, user agent) |
We retain your data for as long as your account is active. When you delete your account (via Settings → Account → Delete Account), all your data is permanently deleted — including your profile, invoices, quotes, customers, employees, and payslips. This deletion is irreversible.
Under Malaysia’s PDPA 2010, you have the right to:
To exercise any right or submit a data request, email us at support@faktur.my.
All data is encrypted in transit (HTTPS/TLS). Passwords are hashed and never stored in plain text. Database access is protected by Row-Level Security (RLS) — each user can only access their own data. We do not store any payment credentials.
The Service is intended for business use by adults (18 years and above). We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us immediately.
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The “Last updated” date at the top of this page will always reflect the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.
For privacy-related questions, data requests, or complaints: