Privacy Policy
This Privacy Policy explains how Regacity Enterprise (operating eBil at ebil.my) collects, uses, shares, and protects your personal data when you use our service. We refer to ourselves as "we", "us", or "eBil"; we refer to you as "you" or "the user".
This policy is written to comply with the Malaysian Personal Data Protection Act 2010 (PDPA) and reflects our genuine practices. If anything here is unclear, contact us at hello@ebil.my.
1. Who we are
eBil is a digital invoicing service for Malaysian micro and solo businesses, operated by Regacity Enterprise, a sole proprietorship registered in Malaysia. We are the data controller for personal data collected through eBil.
2. Personal data we collect
We collect only the data needed to provide the service. Specifically:
| Category | What we collect |
|---|---|
| Account | Email address, display name, password (hashed by Firebase Authentication — we never see your plaintext password) |
| Business profile | Business name, TIN, BRN, MSIC code, SST registration number, business address, phone, default tax settings, bank account details (for payouts), uploaded business logo |
| Invoice data | Buyer details (name, TIN/BRN, address, contact), line items, amounts, taxes, payment status, notes, and any LHDN MyInvois validation data (UUID, QR code, status) |
| Payment | For paid subscribers: card details are collected and stored by Stripe, our payment processor — we do not see or store your full card number. We retain the Stripe customer ID and subscription status only. |
| LHDN credentials | For users who enable MyInvois integration: the LHDN Client ID and Client Secret you provide. These are encrypted at rest. |
| Referral / KOL data | If you join the referral program: promo code, bank account name and number for payouts, claim history. |
| Technical | IP address, browser type, device type, timestamps of activity, and error logs — collected automatically by Firebase to operate and secure the service. |
| AI usage | If you use AI-powered features, the prompts you submit and the responses generated are processed in real time. We track aggregate usage counts per month for fair-use enforcement. |
We do not knowingly collect data from children under 13. We do not collect biometric data, location beyond approximate IP-based region, or sensitive categories like health, religion, or political opinion.
3. How we use your data
- To provide the service — creating, storing, and displaying your invoices; submitting them to LHDN MyInvois on your behalf when you enable that feature.
- To process payments — for Pro subscribers, Stripe handles billing on our behalf.
- To operate the referral program — tracking referrals, calculating earnings, processing claim payouts.
- To communicate with you — service announcements, billing notices, security alerts, and replies to your support messages.
- To improve and secure eBil — debugging, fraud detection, capacity planning, and abuse prevention.
- To meet legal obligations — including Malaysian tax record retention requirements.
We do not sell your data. We do not share your data with advertisers. We do not use your invoice content to train AI models.
4. Who we share data with
We use third-party processors to operate eBil. We share only the data necessary for each processor's function. Each processor is bound by its own privacy and security commitments.
| Processor | Purpose |
|---|---|
| Google (Firebase) | Authentication, database (Firestore), serverless functions, file storage, App Check security. Data stored in Google Cloud regions (typically us-central1). |
| Stripe | Subscription billing, card processing, promo code management. Stripe is PCI-DSS Level 1 certified. |
| LHDN MyInvois | For users who enable e-invoice submission: invoice data is transmitted to LHDN as required by Malaysian e-invoicing regulations. |
| Google (Gemini, via Firebase AI Logic) | AI-powered features process your prompt input through Google's Gemini models. Subject to Google's AI processing terms; not used for training. |
We may also disclose data when required by law or a valid court order, or to protect the rights, property, or safety of eBil, our users, or the public.
5. Where your data is stored
Your data is hosted in Google Cloud data centres, primarily in the United States (Iowa region, us-central1). By using eBil you consent to this cross-border transfer. Google maintains certifications including ISO 27001 and SOC 2, and adheres to data protection standards equivalent to those required under Malaysian law.
Stripe processes payment data primarily in the United States and may transfer it to other regions where Stripe operates. LHDN data remains within Malaysia.
6. How long we keep your data
We retain your data only for as long as necessary:
- While your account is active — all data is retained.
- After you request deletion — personal identifying data (name, email, phone, address) is anonymized within 30 days.
- Invoice and tax records — retained for 7 years from the date of issuance, as required by the Malaysian Income Tax Act 1967 (Section 82) and LHDN MyInvois retention rules. This obligation overrides your deletion request for invoice records specifically.
- After 7 years — all remaining records are permanently purged.
- Inactive accounts — accounts with no login activity for 24 consecutive months may be deleted after a 30-day notice email.
7. Your rights
Under the Malaysian PDPA and our internal practices, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correct — update inaccurate or outdated information. Most fields are editable directly from your account settings.
- Delete — request deletion of your account and personal data, subject to the 7-year invoice retention exception above.
- Withdraw consent — revoke consent for optional processing (e.g., LHDN integration). This may limit your ability to use parts of the service.
- Limit processing — object to specific uses of your data.
- Lodge a complaint — with the Malaysian Personal Data Protection Commissioner if you believe we have mishandled your data.
To exercise any of these rights, email hello@ebil.my. We respond within 21 days. We may need to verify your identity before processing certain requests.
8. Cookies and tracking
eBil uses essential cookies and similar technologies to keep you logged in, remember your preferences, and operate security features (e.g., reCAPTCHA via Firebase App Check). We do not use advertising cookies or third-party tracking pixels.
If we add analytics in the future (e.g., Google Analytics or a privacy-focused alternative), we will update this policy and provide opt-out where applicable.
9. Security
We use industry-standard safeguards, including:
- Encryption in transit (TLS 1.2+) and at rest (Firebase default encryption).
- Application-layer encryption for sensitive credentials (LHDN secrets).
- Firebase App Check to block unauthorized client requests.
- Server-side authorization checks for all sensitive operations.
- Strict role-based access — only authorized administrators can access aggregated data.
No system is perfectly secure. If we discover a data breach affecting your personal data, we will notify you and the relevant authorities as required by law.
10. Children
eBil is intended for business users aged 18 and above. We do not knowingly collect data from children under 18. If you believe a child has registered, contact us and we will delete the account.
11. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email and via an in-app banner at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision. Your continued use of eBil after the effective date constitutes acceptance.
12. Contact us
For privacy questions, data access requests, or any concerns about how we handle your data:
Regacity Enterprise (operating eBil)
Email: hello@ebil.my
Website: ebil.my
For complaints not resolved by us, you may contact the Malaysian Personal Data Protection Department (Jabatan Perlindungan Data Peribadi):