Privacy Policy

CheqPls is a personal expense tracker built for Malaysians. You upload receipt photos, the app reads them using AI, and you get a clear picture of where your money goes. It also estimates which purchases may qualify for LHDN tax relief based on spending categories.

CheqPls is operated by an individual developer based in Malaysia.

When you use CheqPls, we collect and store:

• Account information — email address, display name, and authentication method (email/password or Google OAuth)
• Receipt data — photos you upload, and the extracted information (merchant name, amount, date, category, notes)
• Spending data — your categorised expenses, budget settings, and tax relief category totals
• Profile information — optional fields you may choose to fill in (occupation, state, income range, referral source, goals)
• App preferences — language, colour theme, and sound settings (stored locally on your device)
• Usage data — number of OCR scans performed (for rate limiting and cost tracking)
• Feedback — any bug reports or suggestions you submit through the app

• Receipt scanning — your receipt images are sent to Anthropic (a US-based AI company) for text extraction. Only the image is sent — no user identity, email, or account information is transmitted to Anthropic.
• Expense tracking — your spending data is used to generate your personal dashboard, charts, and insights
• Tax relief estimates — purchases are matched against LHDN relief categories based on spending category. These are estimates only and should be verified with your actual tax filing.
• Service improvement — aggregate, anonymised usage statistics (total receipts scanned, feature usage) help us improve the app. Individual spending data is never shared or used for marketing.

CheqPls uses the following third-party services to operate:

• Supabase (Singapore region) — database, authentication, and image storage. Your data is stored in Singapore.
• Anthropic (United States) — AI-powered receipt reading. Only receipt images are sent; no personal identity data is transmitted.
• Vercel (Singapore region) — web hosting and serverless functions
• Google — OAuth authentication (only if you choose to sign in with Google)

We do not sell, rent, or share your personal data with any other third parties.

Your data is primarily stored in Singapore (Supabase). Receipt images are temporarily transmitted to Anthropic in the United States for AI processing. This transfer is necessary to provide the receipt scanning feature. Anthropic processes the image and returns the extracted text — they do not store your images beyond the processing window.

• All data is transmitted over HTTPS (TLS encryption)
• Receipt images are stored in private Supabase Storage buckets accessible only via time-limited signed URLs
• Passwords are hashed by Supabase Auth (bcrypt) — we never see or store your plaintext password
• Uploaded files are validated for type (magic bytes) and size (10MB limit) before processing
• API endpoints are rate-limited to 30 scans per day per user
• Admin access is restricted by email address

• Active accounts — your data is kept for as long as your account is active. Receipt images are stored with 1-year signed URLs. This aligns with LHDN's recommendation to keep tax records.
• Deleted accounts — when you delete your account, all data is permanently removed: receipt records, images from storage, profile information, achievements, budgets, and API usage logs. This deletion is immediate and irreversible.
• Feedback — feedback messages are retained for service improvement but can be deleted on request.

Under Malaysia's Personal Data Protection Act 2010 (PDPA), you have the right to:

• Access — view all data associated with your account (visible in the app)
• Correction — edit your profile information, receipt details, and categories
• Export — download your receipt data as CSV from the Receipts page
• Deletion — permanently delete your account and all associated data from Settings
• Withdraw consent — you can stop using the service and delete your account at any time

To exercise any of these rights or make a data request, contact us at razzles92@gmail.com.

CheqPls uses:

• Authentication cookies — set by Supabase to maintain your login session
• Language preference cookie — stores your EN/MS language choice so server-rendered pages display in the correct language
• Local storage — stores your colour theme, sound preference, and onboarding status on your device. This data never leaves your browser.

We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.

CheqPls is not intended for children under 18. We do not knowingly collect data from minors. If you believe a child has created an account, contact us and we will delete it.

We may update this privacy policy from time to time. Changes will be posted on this page with an updated date. Continued use of CheqPls after changes constitutes acceptance of the updated policy.

In accordance with the PDPA 2024 amendments, the Data Protection Officer for CheqPls is:

Email: razzles92@gmail.com

For any questions about this privacy policy or your data, contact us at razzles92@gmail.com.