Privacy Policy

MudahCukai ("we", "our", or "us") operates the MudahCukai mobile application and website at mudahcukai.com.my. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with the Personal Data Protection Act 2010 (PDPA 2010) of Malaysia.

By using MudahCukai, you consent to the practices described in this policy. If you do not agree, please discontinue use of the app and website.

We collect the minimum data necessary to provide the service:

• Email address — used as your primary login identity and to deliver OTP codes
• Phone number (optional) — if provided, used for WhatsApp or SMS OTP delivery
• Company / business name — for multi-company tax profile management
• Tax profile data — assessment year, income type, relief claims you enter manually
• Device identifiers — for session management and security (stored server-side as hashed tokens)

Receipt images are captured locally and synchronised securely to private cloud storage linked to your account. Text extraction from your receipt images runs entirely on-device and is never transmitted to our servers. Images are accessible only to you and authorised members of your company via time-limited signed links — there is no permanent public access to any receipt.

Your personal data is used solely to:

• Authenticate you via One-Time Password (OTP) sent to your email or phone
• Associate your tax profile and relief data with your account across devices
• Maintain session security using encrypted JWT tokens
• Send transactional communications (OTP codes, account notifications)
• Comply with applicable laws and regulations

We do not use your data for marketing, advertising, profiling, or sale to third parties.

When you log in or register, a 6-digit OTP code is sent to your email address. OTP codes expire in 5 minutes and are stored as a one-way secure hash on our servers — the original code is never retained after use.

Email delivery is powered by SendGrid. If you provide a phone number and elect to receive OTPs via WhatsApp or SMS, delivery may be routed through Twilio. Both providers process data in accordance with their respective privacy policies and are contractually bound to handle your data securely.

We enforce a rate limit of 3 OTP requests per email per 15 minutes to prevent abuse.

Account and tax profile data is stored on our VPS server located in Malaysia, in a PostgreSQL database with restricted access. We apply the following security measures:

• TLS/HTTPS encryption for all data in transit
• Secure encryption for sensitive data at rest on your device
• JWT access tokens with 15-minute expiry; refresh tokens with 7-day expiry
• HttpOnly cookies for web sessions to prevent XSS token theft
• Database credentials never stored in source code (environment variables only)
• OTP codes stored as one-way secure hashes — originals are never persisted

Despite our security measures, no method of transmission or storage is 100% secure. We encourage you to use a strong, unique email address and to log out of shared devices.

• OTP codes — deleted automatically after expiry (5 minutes)
• JWT refresh tokens — expire after 7 days; revoked on logout
• Account data — retained while your account is active
• Tax profile data — retained per assessment year, linked to your account

You may request deletion of your account and all associated data at any time by contacting us at hello@mudahcukai.com.my. We will process deletion requests within 14 business days.

MudahCukai uses the following third-party services. Each has its own privacy policy:

• SendGrid (Twilio) — email OTP delivery
• Twilio — WhatsApp / SMS OTP delivery (when phone number provided)
• Google Fonts — typography (loaded from Google CDN)
• Font Awesome — icons (loaded from Cloudflare CDN)

We do not share your personal data with any other third parties, except as required by law.

Under the Personal Data Protection Act 2010, you have the right to:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate or incomplete data
• Withdrawal of consent — withdraw consent to processing at any time
• Erasure — request deletion of your account and associated data
• Complaint — lodge a complaint with the Department of Personal Data Protection Malaysia

To exercise any of these rights, contact us at hello@mudahcukai.com.my. We will respond within 14 business days.

MudahCukai is intended for individuals who are required to file income tax in Malaysia. We do not knowingly collect personal data from individuals under 18 years of age. If you believe a minor has provided us with personal data, please contact us immediately.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via the app or email. Continued use of MudahCukai after changes constitutes acceptance of the updated policy.

The "Last updated" date at the top of this page reflects the most recent revision.

For privacy-related questions, data requests, or complaints:

• Email: hello@mudahcukai.com.my
• Website: mudahcukai.com.my