UntungLah — Privacy Policy

Last updated: 20 March 2026 | Effective: 1 April 2026

        Summary (plain language): Your business data belongs to you. We store it securely in Google Firebase servers. We do not sell your data. We use it only to provide the Service to you. Our AI features send document images to Google Gemini for processing — no data is retained by Google for training without your consent. You can request deletion of all your data at any time.
    

Introduction and Scope
Data Controller
What Personal Data We Collect
How We Collect Your Data
How We Use Your Data
Legal Basis for Processing
Third-Party Services and Data Processors
AI Processing and Google Gemini
Data Storage and Security
Data Retention
Your Rights Under PDPA 2010
Cookies
Children's Privacy
Changes to This Policy
Contact and Complaints

1. Introduction and Scope

ES Dot Net Enterprise ("we", "us", "our") is committed to protecting and respecting your privacy in accordance with the Personal Data Protection Act 2010 (PDPA 2010) of Malaysia and other applicable laws.

This Privacy Policy explains how we collect, use, store, and share personal data when you use the UntungLah web application and related services (the "Service"). By using the Service, you consent to the processing of your personal data as described in this Policy.

This Policy applies to all users of UntungLah, including sole proprietors, their authorised representatives, and visitors to our website.

2. Data Controller

The data controller for your personal data is:

ES Dot Net Enterprise (SSM 001391879-W)
2-01-37, D'Alamanda, Pudu Impian IV, Jalan Pudu Impian, Taman Pudu Ulu, 56100 Kuala Lumpur, Malaysia
hello@untunglah.com.my

3. What Personal Data We Collect

We collect the following categories of personal data:

Category	Data Collected	Purpose
Identity Data	Full name, display name, profile photo (from Google)	Account identification and display
Contact Data	Email address, phone number, business address	Account communication, invoicing
Business Data	SSM registration number, company name, industry, TIN number	Service eligibility, tax reports, invoice generation
Financial Data	Transaction records, invoice data, sales and expense figures, customer and supplier names	Core Service functionality — bookkeeping and reporting
Document Data	Receipt images, POS reports, and other uploaded documents	AI-powered data extraction features
Payment Data	Payment reference codes, credit top-up history	Credit management, transaction verification
Usage Data	Login timestamps, features used, credit consumption logs	Service improvement, billing, fraud prevention
Technical Data	Browser type, device type, IP address (via Firebase)	Security, authentication, service delivery

We do not collect sensitive personal data as defined under PDPA 2010 (such as health data, religious beliefs, or biometric data) unless you voluntarily provide it in document uploads, in which case it is processed solely for the purpose of the AI extraction feature and is not retained beyond what is necessary.

4. How We Collect Your Data

We collect your data through the following means:

Direct input: When you register an account, update your profile, record transactions, create invoices, or use any feature of the Service;
Google Sign-In: When you authenticate using your Google account, we receive your name, email address, and profile photo from Google;
Document uploads: When you upload receipts, POS reports, or other documents for AI processing;
Automated collection: Usage data and technical data are collected automatically through Firebase Analytics and Firestore as you use the Service.

5. How We Use Your Data

We use your personal data for the following purposes:

Service delivery: To provide, maintain, and improve the bookkeeping, invoicing, reporting, and AI features of UntungLah;
Account management: To manage your account, verify your identity, and handle your credit balance;
Payment verification: To verify manual bank transfer payments and add credits to your account;
Communications: To send you service-related notifications, security alerts, and updates to our Terms or this Policy;
Tax reporting assistance: To generate Borang B pre-fill summaries and other tax-related reports based on your transaction data;
Fraud prevention and security: To detect and prevent unauthorised access, abuse, or fraudulent activity;
Legal compliance: To comply with applicable Malaysian laws and regulatory requirements;
Service improvement: To analyse aggregated, anonymised usage patterns to improve the Service. We do not use your individually identifiable financial data for this purpose.

We will not use your personal data for direct marketing, advertising, or to create profiles for sale to third parties.

6. Legal Basis for Processing

Under PDPA 2010, we process your personal data on the following lawful bases:

Consent: You have given explicit consent at registration and through your continued use of the Service;
Contract performance: Processing is necessary to provide the Service to you under our Terms and Conditions;
Legal obligation: Where processing is required to comply with applicable Malaysian law;
Legitimate interests: For fraud prevention, security, and service improvement purposes, where these interests are not overridden by your privacy rights.

7. Third-Party Services and Data Processors

We use the following third-party services to operate UntungLah. These services process your data on our behalf as data processors:

Service Provider	Purpose	Data Shared	Location
Google Firebase (Alphabet Inc.)	Authentication, database, file storage, hosting	All user and business data	Singapore (asia-southeast1)
Google Gemini AI (Alphabet Inc.)	AI receipt and document processing	Uploaded document images only	Processed via Google Cloud
Google Fonts (Alphabet Inc.)	Typography	IP address only	Global CDN

We do not sell, rent, or share your personal data with any other third parties for commercial purposes. We may disclose your personal data where required by Malaysian law, court order, or regulatory authority, and we will notify you where permitted to do so.

8. AI Processing and Google Gemini

When you use AI-powered features (receipt scanning, PDF import, photo import), the document or image you upload is transmitted to Google's Gemini AI API for processing. You should be aware that:

Document images are sent to Google's servers for AI analysis. We use Google's API under terms that restrict Google from using your data to train AI models without your consent;
We do not permanently store the raw document images unless you explicitly save the associated transaction — images used only for processing are not retained beyond the session;
If your documents contain sensitive personal data (such as identity card numbers, medical information, or information about third parties), you should consider redacting such information before uploading;
We cannot guarantee the confidentiality of data in transit to Google's servers, though transmission is encrypted via HTTPS.

By using AI features, you consent to the transmission of your documents to Google Gemini for processing as described above. You may choose not to use AI features without affecting your access to other parts of the Service.

9. Data Storage and Security

Your data is stored on Google Firebase servers located in Singapore. By using the Service, you consent to your data being transferred to and stored in Singapore.

We implement the following security measures:

All data transmission is encrypted using TLS/SSL;
Firebase Security Rules restrict data access so that each user can only access their own data;
Authentication is handled by Google Sign-In with industry-standard OAuth 2.0 protocols;
Admin access to user data is restricted to authorised personnel with a verified administrator email address;
We do not store payment card details — all credit top-ups are via manual bank transfer.

While we take reasonable technical precautions, no system is completely secure. We will notify you as soon as reasonably practicable if we become aware of a data breach that affects your personal data.

10. Data Retention

We retain your personal and business data for as long as your account is active. Upon account deletion:

Your data will be deleted from our active database within 30 days of your deletion request;
Anonymised usage statistics may be retained for service improvement purposes;
We may retain records of your account for up to 7 years where required by Malaysian law (e.g. Income Tax Act 1967) or for fraud prevention purposes.

You are independently responsible under Section 82 of the Income Tax Act 1967 to maintain business records for a minimum of 7 years. We encourage you to export your data before requesting account deletion.

11. Your Rights Under PDPA 2010

Under the Personal Data Protection Act 2010 (Malaysia), you have the following rights regarding your personal data:

Right of access: You may request a copy of the personal data we hold about you;
Right of correction: You may request correction of any inaccurate or incomplete personal data;
Right to withdraw consent: You may withdraw consent to the processing of your personal data at any time. Note that withdrawal may mean we can no longer provide the Service to you;
Right to prevent processing for direct marketing: You may request that we cease using your data for any direct marketing purposes (we do not currently engage in direct marketing);
Right to data portability: You may request an export of your transaction data in a standard format (CSV) through the Service's built-in export function;
Right to erasure: You may request deletion of your account and personal data, subject to our legal retention obligations.

To exercise any of these rights, please contact us at hello@untunglah.com.my. We will respond within 21 days. We may request proof of identity before processing your request.

12. Cookies

UntungLah uses localStorage and sessionStorage in your browser (not traditional cookies) to remember your language preference and maintain your login session. These are stored locally on your device and are not transmitted to us.

Firebase may set cookies for authentication and analytics purposes. You may configure your browser to block cookies, but this may affect the functionality of the Service, including your ability to remain logged in.

We do not use advertising cookies or cross-site tracking technologies.

13. Children's Privacy

The Service is not directed at persons under the age of 18. We do not knowingly collect personal data from children under 18. If you believe a minor has registered an account, please contact us at hello@untunglah.com.my and we will promptly delete the account.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes via your registered email address or through a notice within the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the Policy was last revised.

Your continued use of the Service following notification of changes constitutes your acceptance of the updated Policy.

15. Contact and Complaints

For privacy-related enquiries, requests, or complaints:

Email: hello@untunglah.com.my
Business: ES Dot Net Enterprise (SSM 001391879-W)
Address: 2-01-37, D'Alamanda, Pudu Impian IV, Jalan Pudu Impian, Taman Pudu Ulu, 56100 Kuala Lumpur, Malaysia

If you are not satisfied with our response to a privacy complaint, you may lodge a complaint with the Department of Personal Data Protection Malaysia at www.pdp.gov.my.

This Privacy Policy was prepared with reference to the Personal Data Protection Act 2010 (Malaysia) and Google Firebase's Data Processing and Security Terms.

Privacy Policy

Contents