Privacy Policy

1. PDPA Compliance Statement

We are fully committed to compliance with the Personal Data Protection Act 2010 and all seven PDPA principles. This Privacy Policy is designed to meet the requirements of the PDPA and provide you with transparent information about our data processing practices.

2. Personal Data We Collect

2.1 Account Registration Data

When you create an EzFlow account:

• Full name of the authorized representative
• Business name and SSM registration number (if applicable)
• Email address
• Malaysian mobile phone number
• Password (encrypted — never stored in plain text)

2.2 Business and Operational Data

When you use EzFlow to run your business:

• Appointment bookings and scheduling records
• Staff profiles, work schedules, and attendance records
• Customer names, contact numbers, and email addresses
• Invoice records and transaction history
• WhatsApp communication logs
• Google review data linked to your business

2.3 Payment and Billing Data

When you subscribe to a paid plan:

• Billing name and email address
• Subscription plan and payment history
• Note: All card and payment details are processed directly by Stripe. EzFlow never stores, processes, or has access to your payment card information.

2.4 Technical Data

Automatically collected when you use the Platform:

• IP address
• Browser type and version
• Device information and operating system
• Access times and pages visited
• Platform usage patterns and feature usage statistics

3. Legal Basis for Processing

We process your personal data based on:

• Consent: Provided when you create an account and agree to these policies
• Contractual Necessity: Required to deliver the Services you have subscribed to
• Legitimate Interests: For fraud prevention, platform security, and service improvement
• Legal Obligation: To comply with Malaysian law including LHDN requirements

4. How We Use Your Personal Data

4.1 Service Provision

• Creating and managing your account
• Delivering all subscribed features including bookings, invoicing, scheduling, and automations
• Processing subscription payments via Stripe
• Sending transactional notifications (booking confirmations, invoice receipts, OTP)

4.2 Platform Improvement

• Analyzing usage patterns to improve user experience
• Identifying and resolving technical issues
• Developing new features based on user needs and feedback

4.3 Communication

• Transactional emails (subscription confirmations, payment receipts, security alerts)
• Product updates and feature announcements
• Marketing communications — only with your explicit opt-in consent

4.4 What We Will NEVER Do

• Sell your personal data or your customers' data to any third party
• Share your business data with competitors
• Use your data for purposes beyond those stated in this Policy without fresh consent
• Access your customers' WhatsApp messages beyond what is necessary to deliver automation features

5. Your Customer Data

5.1 Your Responsibility

When you use EzFlow to manage your customer data (bookings, contacts, invoices), you are the data controller for that customer data. You are responsible for obtaining appropriate consent from your customers, complying with PDPA obligations, responding to your customers' data rights requests, and providing your customers with a privacy notice.

5.2 Our Role

EzFlow acts as a data processor for your customer data. We process it solely on your instructions to deliver the Services and will not use it for our own purposes.

6. Third-Party Data Sharing and Processors

We share your data only with trusted service providers who are contractually bound to protect it.

We do not sell, rent, or trade your personal data or your customers' personal data to any third party under any circumstances.

7. Data Storage and Security

7.1 Storage Infrastructure

All data is stored using Supabase hosted in Singapore with:

• Encryption in transit (TLS/SSL) and at rest
• Row-Level Security (RLS) ensuring Users can only access their own data
• Regular security audits and vulnerability assessments
• Access controls limiting data access to authorized personnel only

7.2 Password Security

Passwords are never stored in plain text. We use industry-standard cryptographic hashing via Supabase Auth.

7.3 Cross-Border Transfer

Your data is transferred from Malaysia to Singapore (Supabase infrastructure). Singapore maintains data protection standards comparable to Malaysia's PDPA. All transfers are encrypted and access-controlled.

8. Data Retention

8.1 Active Accounts

We retain your data for as long as your account is active to ensure continuity of service.

8.2 Post-Termination

After account termination, we retain your data for 30 days to allow data export. After this period, data is permanently deleted unless retention is required by Malaysian law.

8.3 Legal Retention Requirements

Certain records (e.g., invoices, transaction logs) may be retained for up to 7 years as required by Malaysian tax and accounting law, even after account termination.

9. Your Rights Under PDPA

You have the following rights under the Personal Data Protection Act 2010:

10. Cookies and Tracking Technologies

We currently use only essential session cookies required for Platform functionality (authentication, session management). These cannot be disabled.

When analytics tools are activated, we will provide a cookie consent banner and allow you to manage preferences. No analytics cookies are set without your consent.

11. Children's Privacy

EzFlow is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has registered, contact [email protected] immediately.

12. Data Breach Notification

In the event of a data breach affecting your personal data, we will:

• Notify the Personal Data Protection Commissioner as required by law
• Notify affected Users via email within 72 hours of becoming aware
• Provide details of the breach and steps taken to address it

13. Changes to This Privacy Policy

Material changes will be communicated via email at least 14 days before taking effect. Continued use of EzFlow constitutes acceptance of the updated Policy.

14. Contact Information

By using EzFlow, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your personal data as described in this Privacy Policy.