1 · What We Collect
When you use KICU, we collect:
- Account information — email address for sign-in. If you sign in with Apple or Google, we receive your email and display name.
- Receipt data — photos, amounts, categories, merchants, and dates you enter into the app.
- Tax profile data — your IC number, income figures, and dependent information, if you choose to enter them.
- Usage data — anonymous analytics events and crash reports. No personal identifying information is included in these events.
2 · How We Use Your Data
- To provide the app's features (tracking tax relief claims, generating filing-ready summaries).
- To send filing reminders, if you enable them.
- To fix crashes and improve the app experience.
We do NOT sell your data. We do NOT share it with third parties for marketing.
3 · Where Data Is Stored
- Your receipt data, tax profile, and contribution data are stored on your device only.
- Your sign-in details (email, display name) are stored with Firebase (Google Cloud).
- Crash reports and anonymous analytics are stored with Firebase.
- Cloud sync for receipt data is currently paused while we complete additional safety checks. We will let you know inside the app before we enable it.
4 · Third-Party Services We Use
To run KICU, we share limited data with the following providers. Each one is named below so you know exactly who sees what.
- Firebase (by Google Cloud). Provides sign-in, account management, crash reporting, and anonymous analytics. Firebase receives your email address, display name, Firebase user ID, and device diagnostic information.
- Google Gemini (Google LLC). Provides the AI model that reads your receipt photos, EA Forms, and CP58 forms to auto-extract the relevant fields (merchant + amount + date + category for receipts; gross income + EPF + SOCSO + employer name for EA Forms; payer + commission + 2% withholding for CP58). Photos, PDFs, and any extracted text are sent to Google Cloud servers in the United States for processing. Google does not retain the input or use it for model training under the Gemini API terms.
- Apple Sign-In. If you sign in with Apple, Apple receives your sign-in request and returns your email (or a private relay email, if you choose) and your name.
- Google Sign-In. If you sign in with Google, Google receives your sign-in request and returns your email, name, and profile picture.
5 · Data Transferred Outside Malaysia
Some of these services are hosted outside Malaysia. By using KICU, you consent to the following cross-border data transfers:
- Google (via the Gemini API) receives your receipt photos, EA Forms, and CP58 forms (as photos or PDFs) in the United States for OCR processing.
- Firebase stores your account data on Google Cloud servers, which may be hosted outside Malaysia.
- Apple Sign-In and Google Sign-In involve servers that may be hosted outside Malaysia.
6 · Your Rights Under PDPA
Under the Personal Data Protection Act 2010 (Malaysia), you have the right to:
- Access your data. View everything KICU has about you in the app.
- Correct your data. Edit any field in-app.
- Withdraw consent. Delete your account and all your data.
- Request a copy. Export as PDF or CSV.
- Lodge a complaint with the Personal Data Protection Commissioner of Malaysia (Jabatan Perlindungan Data Peribadi).
To delete your account and all your data, open Settings then Delete My Data in the app. We will remove your data from your device, from Firebase, and permanently close your account.
7 · Data Security
We use industry-standard security:
- Encrypted connections (HTTPS) for all data we send or receive.
- Secure authentication managed by Firebase Auth.
- No plain-text passwords are stored.
- Account deletion requires password re-authentication, even if you signed in with Apple or Google.
8 · Children's Privacy
KICU is not intended for children under 18. We do not knowingly collect data from minors.
9 · Changes to This Policy
We may update this policy. We will notify you of significant changes via the app.
10 · Contact Us
Privacy questions · learnestlab@outlook.com
To lodge a complaint with the Malaysian data protection regulator:
Personal Data Protection Commissioner (Jabatan Perlindungan Data Peribadi), Ministry of Communications and Multimedia Malaysia · pdp.gov.my