Personal Data Protection Notice
This Personal Data Protection Notice ("Notice") is issued by Regacity Enterprise (operating eBil) in accordance with Section 7 of the Malaysian Personal Data Protection Act 2010 ("PDPA").
This Notice explains how we process your personal data and the rights available to you under the PDPA. Please read it carefully.
1. Data User
The data user under this Notice is:
Regacity Enterprise
(Operating the eBil service)
Email: hello@ebil.my
Website: ebil.my
2. Personal data we collect
We collect and process the following categories of personal data about you:
- Identification data — name, email address, phone number, business registration number (BRN), tax identification number (TIN).
- Contact data — business address, mailing address.
- Business data — business name, MSIC code, SST registration number.
- Financial data — bank account name and number (for referral payouts), Stripe customer reference (for subscribers).
- Transaction data — invoice records, buyer details, line items, amounts, payment status.
- Technical data — IP address, browser type, device information, login activity logs.
- Authentication data — encrypted password, account verification status.
We do not knowingly collect sensitive personal data (as defined under Section 4 of the PDPA — including data on health, religion, political opinion, or commission of offences). If you voluntarily submit such data through invoice content, we will treat it with additional care, but we recommend you avoid placing sensitive data in invoice fields.
3. Sources of personal data
Personal data is obtained from:
- Information you provide directly when registering and using eBil.
- Automatic collection through your interaction with the service (technical and usage data).
- Third-party processors acting on our behalf (Stripe for payment data, Firebase for authentication data).
- LHDN MyInvois responses, where you have enabled e-invoice submission.
4. Purposes of processing
Your personal data is processed for the following purposes:
- Creating and maintaining your eBil account.
- Providing the invoicing service and related features.
- Processing subscription payments and managing your billing.
- Submitting e-invoices to LHDN MyInvois on your behalf, where you enable this feature.
- Operating the referral and KOL program, including calculating and paying earnings.
- Communicating with you about your account, service updates, and support requests.
- Detecting fraud, abuse, and security incidents.
- Complying with our legal obligations under Malaysian law, including tax record retention.
- Improving our service through analysis of aggregated, non-identifying usage patterns.
5. Disclosure of personal data
We may disclose your personal data to the following classes of third parties, but only to the extent necessary for the purposes stated above:
- Cloud and infrastructure providers — Google (via Firebase), which hosts and processes data on our behalf.
- Payment processors — Stripe, for managing subscriptions and processing card payments.
- Government authorities — Lembaga Hasil Dalam Negeri (LHDN) for e-invoice submissions where you have enabled the integration; or any authority where required by law, court order, or valid legal process.
- AI service providers — Google (Gemini, via Firebase AI Logic) for AI-powered features you use.
- Professional advisors — our auditors, legal counsel, or accountants, where strictly necessary.
- Successors in interest — in the event of a business restructuring, merger, or acquisition, your data may be transferred to the successor entity, which will continue to be bound by this Notice.
We do not sell, rent, or trade your personal data to third parties for marketing purposes.
6. Cross-border transfer
Your personal data may be transferred to and stored in jurisdictions outside Malaysia, including the United States (where Google Cloud and Stripe primarily operate). We rely on the data protection safeguards maintained by these processors, which we believe to be substantially equivalent to those required under the PDPA. By using eBil, you consent to such cross-border transfer.
7. Whether providing data is obligatory
Providing certain personal data is necessary to use eBil. Specifically:
- Required — email address and password are required to create an account.
- Required for invoicing — your business name, TIN, and address are required to create LHDN-compliant invoices.
- Required for Pro — payment information is required to subscribe.
- Required for KOL — bank account details are required to receive referral payouts.
- Optional — logo, MSIC code, default tax settings, and other profile fields enhance the service but are not strictly required.
If you do not provide required information, we may not be able to provide some or all of the service to you.
8. Your rights under the PDPA
Under the PDPA, you have the following rights:
Right of access (Section 30)
You may request a copy of the personal data we hold about you. We may charge a prescribed fee for this, and we respond within 21 days.
Right to correct (Section 34)
You may request correction of inaccurate, incomplete, misleading, or outdated personal data. Most fields can be corrected directly through your account settings.
Right to withdraw consent (Section 38)
You may withdraw your consent to the processing of your personal data, subject to legal and contractual restrictions. Withdrawing consent may limit your ability to use parts of the service.
Right to limit processing for direct marketing (Section 43)
You may instruct us to stop processing your personal data for direct marketing purposes at any time. We do not currently send marketing communications, but if we do in future, you may opt out via the unsubscribe link or by contacting us.
Right to lodge a complaint
If you believe we have mishandled your personal data, you may lodge a complaint with the Personal Data Protection Department of Malaysia (Jabatan Perlindungan Data Peribadi).
9. Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Account data is retained while your account is active.
- Upon deletion request, personal identifying data is anonymized within 30 days.
- Invoice and tax records are retained for 7 years from the date of issuance, in accordance with Section 82 of the Income Tax Act 1967 and LHDN MyInvois retention requirements.
- After legal retention periods expire, data is securely purged.
10. Security of personal data
We take reasonable steps to protect your personal data against loss, misuse, unauthorised access, alteration, and disclosure, including:
- Encryption of data in transit (TLS) and at rest (Firebase default encryption).
- Application-layer encryption for highly sensitive credentials (LHDN secrets).
- Access controls limiting data access to authorised personnel.
- Security checks via Firebase App Check.
- Regular review of our security practices.
11. How to exercise your rights
To exercise any of the rights set out above, or for any questions about this Notice, please contact us:
Regacity Enterprise
Email: hello@ebil.my
Subject line: "PDPA Request"
We may need to verify your identity before processing certain requests. We aim to respond within 21 days.
12. Updates to this Notice
We may revise this Notice from time to time to reflect changes in our practices or in the law. The latest version will always be posted at ebil.my/pdpa, with the "Effective" date updated accordingly. Material changes will be notified by email and via an in-app banner.
13. Regulator
The regulator for personal data protection in Malaysia is:
Jabatan Perlindungan Data Peribadi (JPDP)
Personal Data Protection Department
Website: www.pdp.gov.my