
Privacy Policy

How we collect, use, store and protect your personal data — and the rights you have under Malaysia's Personal Data Protection Act 2010 (PDPA) and its 2024 amendments. Available in English and Bahasa Malaysia.

Last updated 9 June 2026 | Version 1.0

1. Who we are

BukuCloud Sdn Bhd (“BukuCloud”, “we”, “us”), company registration 202401234567 (1234567-X), operates the BukuCloud cloud-accounting platform. This policy explains what personal data we collect when you use the platform (the website at bukucloud.com and the application), how we use it, and your rights under Malaysia's Personal Data Protection Act 2010 (PDPA) and its 2024 amendments.

Registered office: Wisma KFC, Jln Sultan Ismail, 50250 Kuala Lumpur, Malaysia.

2. Data we collect

  • Account data: name, email, phone number, role, password (hashed only — we never see your plain-text password).
  • Company data: business name, SSM / TIN / SST registration numbers, address, banking details for invoice display.
  • Customer and supplier records you create: names, emails, phone numbers, addresses, financial transactions you choose to record.
  • Receipts and invoices: images and PDFs you upload and the OCR line-items extracted from them.
  • Payment data: processed by ToyyibPay. We store the bill ID, last 4 digits of the card, and the receipt — never your full card number or CVV.
  • Usage telemetry: IP address, user-agent, login timestamps, audit log of actions taken inside your tenant.
  • Support communications: emails, chat messages and any attachments you send when asking for help.

3. How we use it

  • To provide the accounting software you signed up for.
  • To send invoices, statements and reminders on your behalf to your customers.
  • To run optical character recognition on receipts you upload — default is on-device Tesseract; Google Gemini is used only if your tenant explicitly enables it in settings.
  • To process subscription payments through ToyyibPay and issue you a tax invoice.
  • To submit e-Invoices to LHDN MyInvois on your behalf, when you enable that feature.
  • To meet legal record-keeping obligations under the Income Tax Act 1967 (7 years for financial records).
  • To investigate suspected security incidents, fraud, or abuse.
  • To improve the product — aggregate, de-identified usage analytics only.

We do not sell your personal data, and we do not use your accounting data to train any third-party machine-learning model.

4. Lawful basis

Under PDPA, we process your personal data on the following bases: your consent (collected at sign-up via a checkbox and stored with timestamp + version); the performance of a contract (the subscription you bought); compliance with Malaysian law (Income Tax Act, MyInvois rules); and our legitimate interest in keeping the platform secure and improving it. You can withdraw consent at any time by contacting our DPO at dpo@bukucloud.com.

5. Sub-processors

We share the minimum data necessary with these vendors. Each sub-processor is bound by a written agreement with confidentiality and security obligations no weaker than this policy.

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Application hosting, encrypted storage and backups | Asia Pacific (Singapore) |
| ToyyibPay | Subscription billing — FPX, credit card, e-wallets | Malaysia |
| Google (Gemini) | Optional OCR for receipt capture — only when tenant explicitly enables Gemini in settings; default is on-device Tesseract | Asia Pacific |
| Postmark | Transactional email (invoice delivery, password resets) | United States |
| LHDN MyInvois | e-Invoice submission — only for tenants with MyInvois enabled (Corporate / Enterprise, when feature ships) | Malaysia |

6. Where it's stored

All accounting data is stored in AWS Asia Pacific (Singapore region). Each tenant gets its own logically isolated database. Data in transit uses TLS 1.2+. Data at rest is encrypted with AES-256. Daily encrypted backups are retained for 30 days.

7. Retention

  • Active account data — kept for as long as your account is active.
  • Financial records (invoices, bills, journal entries) — kept for 7 years after account closure to satisfy the Income Tax Act 1967, with personally identifying fields (customer / supplier names, contacts) redacted on erasure.
  • Audit logs — 18 months.
  • Failed payment attempts — 30 days.
  • Receipt files — follow your tenant's retention policy (configurable per tenant).
  • Aggregated, de-identified analytics — may be retained indefinitely.

8. Your rights (PDPA)

You have the following rights under PDPA:

  • Access — download a full copy of your data from Settings → Data export. You can request one export every 24 hours.
  • Correction — edit your profile and company information at any time inside the app.
  • Erasure — request account deletion from Settings → Delete account. There is a 30-day cooling-off period before hard deletion.
  • Withdraw consent — email dpo@bukucloud.com.
  • Restrict / object to processing — email the DPO with the specific processing activity you want paused.
  • Lodge a complaint — with the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, Malaysia).

We respond to all data-subject requests within 21 days, the statutory PDPA window.

9. Security

Data is transmitted over TLS, stored in encrypted-at-rest databases (AES-256) and isolated per tenant (each company gets its own database — Stancl Tenancy). Passwords are hashed using bcrypt. Receipt files are stored on private S3 with tenant-prefixed paths and short-lived signed URLs. Two-factor authentication (TOTP) is available on every plan; tenant administrators can require it for all staff. Logs are scrubbed of sensitive fields before being written. Suspected breaches are reported to the PDPC within 72 hours where required.

10. International transfers

Some of our sub-processors are based outside Malaysia (e.g. Postmark in the United States). Where we transfer your personal data to a country whose laws do not provide protection comparable to PDPA, we rely on Section 129(2) PDPA exemptions (consent, performance of a contract, or our legitimate interest with appropriate safeguards). The current list and locations are in section 5.

11. Children

BukuCloud is a business product. We do not knowingly collect data from children under 13. If you believe we have, contact dpo@bukucloud.com and we will delete it.

12. Changes to this policy

We will publish material changes here and bump the version number at the top of this page. If a change affects how we process your data, we will email you and prompt you to re-accept on your next login.

13. Contact / DPO

Data Protection Officer: dpo@bukucloud.com. General privacy enquiries: privacy@bukucloud.com.

Postal address: BukuCloud Sdn Bhd, Wisma KFC, Jln Sultan Ismail, 50250 Kuala Lumpur, Malaysia.

You also have the right to lodge a complaint with the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi), Ministry of Communications, Malaysia.
