REZKEY
Privacy Policy
Last updated: 28 February 2026
This Privacy Policy describes how Sarveka Labs Sdn. Bhd. ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the REZKEY mobile application ("REZKEY", "the App"). This policy is drafted in compliance with the Personal Data Protection Act 2010 (PDPA 2010) of Malaysia.
REZKEY is a business finance management application designed for freelancers, sole proprietors, and small business owners in Malaysia.
1. Information We Collect
We collect the following categories of personal data when you use REZKEY:
| Data Category | Examples |
| --- | --- |
| Account Information | Full name, email address, profile photo (via Google OAuth) |
| Business Information | Business name, business type, DuitNow ID |
| Transaction Data | Income and expense records, amounts, dates, categories, descriptions |
| Invoice Data | Client names, invoice amounts, due dates, payment status, notes |
| Receipt Images | Photographs of receipts uploaded via camera or gallery |
| Financial Reports | Borang B (LHDN Form B) mapping data generated from your transactions |
| Device Information | Device type, operating system, app version (for troubleshooting only) |
2. How We Collect Your Data
- Directly from you: When you create an account, enter transactions, upload receipts, create invoices, or edit your profile.
- Google OAuth: When you sign in with Google, we receive your email address and display name only. We do not access your Google contacts, calendar, or any other Google services unless you explicitly connect Google Drive (see Section 6).
- Bank CSV Import (Pro): When you import a bank statement CSV, the file is processed locally on your device. Only the parsed transaction data is stored.
3. How We Use Your Data
We use your personal data solely to provide and improve REZKEY's services:
- To provide bookkeeping, invoicing, and financial reporting features
- To generate Borang B (LHDN Form B) tax mapping summaries from your transaction categories
- To sync your data securely across your devices
- To display your business information on invoices you generate
- To process OCR receipt scanning (Pro feature) via Azure Cognitive Services
- To send subscription-related notifications (e.g., expiry reminders)
We do not use your data for advertising, profiling, or marketing purposes.
4. Data Storage and Security
Your data is stored on Supabase infrastructure hosted in the Singapore region. We implement the following security measures:
- Row-Level Security (RLS): Database policies ensure you can only access your own data. No user can view, modify, or delete another user's records.
- Encryption in transit: All data transmitted between REZKEY and our servers uses TLS/HTTPS encryption.
- Encryption at rest: Database storage and file storage are encrypted at rest.
- Authentication tokens: Session tokens are stored in Expo SecureStore (device keychain), not in plain text.
5. Receipt Storage
Receipt images are stored in private Supabase Storage buckets. Each receipt is accessible only by the authenticated user who uploaded it. Receipts are served via time-limited signed URLs that expire after a short period. We do not share, sell, or use receipt images for any purpose other than displaying them to you within the App.
6. Google Drive Integration (Optional, Pro Feature)
If you choose to connect Google Drive for backup:
- REZKEY requests the drive.file scope only. This means REZKEY can only create and access files and folders that REZKEY itself created.
- REZKEY cannot read, modify, or delete your other Google Drive files, folders, or shared drives.
- Backups are stored in a dedicated "REZKEY Backup" folder in your Drive.
- Your Google OAuth refresh token is encrypted and stored securely. You may disconnect Google Drive at any time from the Profile screen, which removes the stored token.
7. OCR Receipt Scanning (Pro Feature)
When you use the OCR receipt scanning feature, your receipt image is sent to Microsoft Azure Cognitive Services (Form Recognizer) for text extraction. The image is processed in real-time and is not retained by Azure after processing. Only the extracted text data (amount, date, vendor) is returned to the App.
8. LHDN / Borang B Data
REZKEY generates Borang B (Form B) category mappings based on your transaction categories. This data is:
- Generated and displayed only on your device and in your account
- Never transmitted to LHDN or any tax authority by REZKEY
- Provided as a convenience tool only — you are responsible for verifying all figures with a qualified accountant before filing
9. Third-Party Services
We use the following third-party services to operate REZKEY:
| Service | Purpose | Data Processed |
| --- | --- | --- |
| Supabase | Database, authentication, file storage | All user data |
| Google OAuth | Sign-in authentication | Email, display name |
| Google Drive API | Optional backup (Pro) | Backup files only |
| Microsoft Azure | OCR receipt scanning (Pro) | Receipt images (not retained) |
We do not use analytics tracking, advertising SDKs, or social media trackers in REZKEY.
10. Data Sharing
We do not sell, rent, trade, or share your personal data with third parties for their own purposes. Your data may be disclosed only in the following circumstances:
- To our infrastructure providers (listed above) solely to operate the service
- If required by law, regulation, or legal process under Malaysian law
- To protect the rights, safety, or property of Sarveka Labs Sdn. Bhd. or our users
11. Data Retention
Your data is retained as follows:
- Active accounts: Data is retained for as long as your account remains active.
- Financial records: Transaction and invoice data is retained for a minimum of 7 years from the date of creation, in compliance with LHDN record-keeping requirements under the Income Tax Act 1967.
- Account deletion: If you request account deletion, we will delete your personal data within 30 days, except for financial records that must be retained under law. Retained records will be anonymised where possible.
12. Your Rights Under PDPA 2010
Under Malaysia's Personal Data Protection Act 2010, you have the following rights:
- Right of Access: You may request a copy of your personal data held by us.
- Right of Correction: You may request correction of inaccurate or incomplete personal data.
- Right of Deletion: You may request deletion of your personal data, subject to legal retention requirements.
- Right to Withdraw Consent: You may withdraw your consent for data processing at any time by deleting your account.
- Right to Complain: You may lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) if you believe your data has been mishandled.
To exercise any of these rights, please contact us at saran@rezkey.my. We will respond within 21 days as required by law.
13. Children's Privacy
REZKEY is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data, we will take steps to delete such data.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app notification. Continued use of the App after changes are posted constitutes acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy or your personal data, please contact us:
Sarveka Labs Sdn. Bhd.
Email: saran@rezkey.my
Malaysia