Privacy Policy
Last updated: 2 April 2026
Xpensea ("we", "us", "our") is operated by Shard Lab Sdn Bhd (Malaysia) and Shard Lab (Thailand) Co., Ltd. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use the Xpensea platform ("Service").
We are committed to complying with the Malaysia Personal Data Protection Act 2010 (PDPA) and the Thailand Personal Data Protection Act B.E. 2562 (2019) (PDPA).
1. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Identity | Name, email, phone number | Account creation, authentication, communication |
| Organization | Company name, TIN, BRN, address, MSIC/TSIC code | Company registration, e-Invoice preparation (Phase 2) |
| Financial | Expense amounts, categories, merchant info, receipt images | Expense management, reporting, tax compliance |
| Payment | QR payment records, amounts, merchant details | Payment processing, budget management |
| Technical | IP address, browser type, login timestamps | Security, audit trail, service improvement |
2. How We Use Your Data
- Providing and maintaining the expense management and QR payment service
- Processing payments through integrated payment gateways
- Sending notifications (email, SMS) related to your expense approvals and account activity
- Generating reports and analytics for your organization
- Complying with legal obligations including tax reporting requirements
- Preventing fraud and ensuring platform security
3. Third-Party Data Processors
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | All account and transaction data |
| Xendit | QR payment processing | Payment amounts, merchant IDs |
| Twilio | SMS delivery (invites, OTP, notifications) | Phone numbers, message content |
| Vercel | Application hosting | IP addresses, request logs |
| Google (Gemini) | Receipt scan processing | Receipt images (transient processing) |
All third-party processors are bound by data processing agreements and maintain appropriate security certifications.
4. Data Retention
- Active account data: retained while your account is active
- Financial records (expenses, payments, receipts): retained for 7 years after creation, per LHDN (Malaysia) and Revenue Department (Thailand) tax record-keeping requirements
- Audit logs: retained for 7 years for legal compliance
- Deactivated accounts: personal data may be anonymized upon request, while financial records are retained per legal obligations
5. Your Rights
Under Malaysia PDPA 2010:
- Access: Request access to your personal data
- Correction: Request correction of inaccurate data
- Withdrawal: Withdraw consent for data processing (subject to legal retention obligations)
Under Thailand PDPA 2019:
- Access: Request access to your personal data
- Correction: Request correction of inaccurate data
- Erasure: Request deletion of personal data (subject to legal retention obligations)
- Portability: Request transfer of data in a machine-readable format
- Objection: Object to data processing in certain circumstances
- Withdrawal: Withdraw consent at any time
6. Data Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encryption at rest, role-based access controls, and regular security monitoring. Access to personal data is restricted to authorized personnel on a need-to-know basis.
7. Data Anonymization
Upon a valid erasure request, we anonymize personal identification data (name, email, phone) while retaining financial records in an anonymized form to meet legal obligations. This process is irreversible.
8. Cross-Border Data Transfers
Your data may be processed in countries where our service providers operate (including the United States and Singapore). We ensure adequate data protection measures are in place for all cross-border transfers.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.
10. Contact Us
For questions about this Privacy Policy, data access requests, or to exercise your rights under PDPA:
- Email: privacy@shardlab.io
- Shard Lab Sdn Bhd — Level 8, Tower A, Bangsar South, 59200 Kuala Lumpur, Malaysia
- Shard Lab (Thailand) Co., Ltd. — Silom Complex, 11th Floor, Bangkok 10500, Thailand