Privacy Policy

Effective: 23 April 2026 · Last updated: 23 April 2026

This policy explains what data MyTaxMate collects, why, and how we protect it. It's written in plain language because we think you deserve to understand it without a law degree. If you're about to sign up, please read it first.

1. Who we are

MyTaxMate is a Malaysian personal income tax assistant. We're a small independent team operating the service at https://app.mytaxmate.my (the “Service”). If you have questions about this policy, email limyuehyih@gmail.com.

MyTaxMate is not a licensed tax advisor or accountant. We give you tools to organise your own tax filing — we don't file on your behalf or act as your agent with LHDN.

2. What we collect

Data you give us directly

  • Account: email address, password (stored hashed by Supabase Auth — we never see the plaintext), full name.
  • Profile: MyKad number, TIN, date of birth, gender, marital status, citizenship, disability status, phone number, address, bank name and account number, employer name and E-number.
  • Dependents: for each child/parent/grandparent you add — name, MyKad, date of birth, relationship, disability + study status.
  • Tax data: income records, reliefs claimed, receipt metadata, per-year tax account settings, tax calendar reminders you create.
  • Receipts: photos or PDFs of receipts you upload, stored in Supabase Storage.
  • Preferences: language (EN or BM) selection.

Data collected automatically

  • Session cookies issued by Supabase to keep you logged in between visits.
  • Language cookie (locale) storing your EN/BM preference.
  • Pageviews — which pages you visit (Vercel Analytics collects this without cookies or personal identifiers).
  • Performance metrics — page load times, Core Web Vitals (Vercel Speed Insights).
  • Error reports — if the app crashes, Sentry captures the error, stack trace, your IP address, and user-agent. Session Replay may capture 15 seconds of anonymised UI activity before the error.

Data we do NOT collect

  • Plaintext passwords. Ever.
  • Third-party tracking / advertising identifiers (we don't use Meta Pixel, Google Ads, TikTok Pixel, or similar).
  • Location beyond what's inferred from your IP address.
  • Your bank balance, transaction history, or e-statements (you enter numbers manually — we don't connect to any bank).

3. Why we collect it

  • Profile + tax data → to compute your tax payable and generate Form BE / Form B PDFs correctly.
  • Receipts → to satisfy LHDN's 7-year receipt retention rule.
  • Pageviews + performance → to understand which parts of the app are used and where we need to improve speed.
  • Error reports → to find and fix bugs before they affect more users.
  • Session cookies → so you don't have to log in on every page.

We do not sell your data. Ever. If our business model ever changes in a way that affects this, we will ask for your explicit consent first and you can refuse without losing access to the Service.

4. Who we share it with

We use the following third-party processors. Each only receives the data necessary to do its job.

Vendor | Purpose | Data | Region
Supabase | Database, auth, storage | Everything in Section 2 “directly” | Singapore
Vercel | App hosting + DNS | All HTTP traffic | Global, SIN primary
Vercel Analytics | Anonymous pageview stats | URL, viewport size | Global
Vercel Speed Insights | Core Web Vitals | Timing measurements | Global
Sentry | Error monitoring | Stack traces, IP, user-agent, 15s replay | United States
Anthropic | SmartScan receipt OCR | Receipt image (per scan). Not retained for training. | United States
GitHub | Source code + deploys | No personal data | United States

If we add or change a processor, we will update this list and, for material changes, post a notice at least 14 days before the change takes effect.

5. International data transfers

Most of your data stays in Singapore (Supabase). Three categories of data are sent outside Singapore in the course of operating the Service:

  • Error reports → Sentry in the United States, when the app crashes.
  • Receipt images → Anthropic in the United States, each time you use SmartScan to auto-extract receipt details. Images are transmitted base64-encoded over HTTPS and are not retained by Anthropic for training per their commercial API terms.
  • Hosting traffic → Vercel's global edge network (primary region Singapore, but individual requests may be served from the nearest edge).

These transfers are necessary to operate the Service and are protected by the vendors' respective security certifications (SOC 2, ISO 27001).

6. How long we keep your data

  • Receipts: 7 years after the year of assessment, per LHDN's retention requirement.
  • Tax account + computation data: indefinitely while your account is active.
  • Session and error data: 90 days in Sentry, shorter in Vercel Analytics.
  • On account deletion: we soft-delete all your data within 24 hours and hard-delete from Supabase within 30 days, except data we're required to keep by law.

7. How we protect your data

  • All traffic is encrypted in transit (HTTPS with HSTS).
  • Data at rest is encrypted by Supabase using AES-256.
  • Supabase Row-Level Security enforces that you can only read your own rows, even if our app code has a bug.
  • Receipts in Supabase Storage are only accessible via short-lived signed URLs scoped to your user ID.
  • Access to production systems requires 2FA.
  • We're a small team and we're honest about that: security is a constant practice, not a finished state. If you find a vulnerability, please email limyuehyih@gmail.com and we'll respond within 3 business days.

8. Your rights under PDPA

Under the Personal Data Protection Act 2010 (Malaysia), you have the right to:

  • Access your personal data — email us, we'll send you a copy within 21 days.
  • Correct inaccurate data — most you can fix yourself via the Profile and Dependents pages.
  • Delete your data — email us; we'll confirm identity and delete per Section 6.
  • Withdraw consent — close your account.
  • Limit processing — ask us to stop processing your data for specific purposes.
  • Object to processing that isn't justified.
  • Portability — receive your data in a machine-readable format (JSON export; email us to request).
  • Lodge a complaint with the Personal Data Protection Commissioner at pdp.gov.my.

All requests: limyuehyih@gmail.com. Reply time: 7 business days for acknowledgment; 21 days to complete.

9. Cookies

We set three cookies:

Name | Purpose | Duration
sb-* | Supabase auth session | Session or up to 30 days
locale | EN/BM language preference | 1 year

We do not use advertising cookies or third-party trackers. You can clear all of the above from your browser settings.

10. Children

MyTaxMate is intended for users aged 18 or older. We do not knowingly collect data from anyone under 18. If you believe we've collected data from a minor, email us and we'll delete it.

11. Changes to this policy

If we change this policy in a way that affects how we handle your data, we'll post the updated version here with a new “Last updated” date and email all registered users at least 14 days before material changes take effect. Non-material changes (clarifications, typos) may be made without notice.

12. Contact

Email: limyuehyih@gmail.com

Postal address available upon request for formal data requests.

This policy is provided in good faith and reflects our actual data practices as of the effective date. It is not legal advice; if your circumstances require legal certainty, please consult a Malaysian lawyer specialising in data protection.
