Privacy Policy

Last updated: 11 May 2026

Xpensea ("we", "us", "our") is operated by Shard Lab Sdn Bhd (Malaysia) and Shard Lab (Thailand) Co., Ltd. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use the Xpensea platform ("Service").

We are committed to complying with the Malaysia Personal Data Protection Act 2010 (PDPA) and the Thailand Personal Data Protection Act B.E. 2562 (2019) (PDPA).

1. Data Controller

Depending on the country where your organization is registered, the Data Controller of your personal data is:

  • Malaysia: Shard Lab Sdn Bhd — Level 8, Tower A, Bangsar South, 59200 Kuala Lumpur, Malaysia.
  • Thailand: Shard Lab (Thailand) Co., Ltd. — Silom Complex, 11th Floor, Bangkok 10500, Thailand.

The third-party services listed in §6 below act as Data Processors on our behalf, bound by data processing agreements.

2. Data We Collect

Category     | Data                                                        | Purpose
Identity     | Name, email, phone number                                   | Account creation, authentication, communication
Organization | Company name, TIN, BRN, address, MSIC/TSIC code             | Company registration, e-Invoice preparation (Phase 2)
Financial    | Expense amounts, categories, merchant info, receipt images  | Expense management, reporting, tax compliance
Payment      | QR payment records, amounts, merchant details               | Payment processing, budget management
Technical    | IP address, browser type, login timestamps                  | Security, audit trail, service improvement

We do not knowingly collect sensitive personal data (race, religion, political opinions, health, biometric data) and ask that you do not upload such data via receipts, expense notes, or other fields.

3. Legal Bases for Processing

We process your personal data on the following legal bases. Where more than one basis applies, the most specific basis takes precedence:

  • Performance of a contract — to deliver the Service you or your organization has signed up for (account access, expense submission, payment processing, approvals, reporting).
  • Compliance with a legal obligation — to retain financial records under LHDN (Malaysia) and Revenue Department (Thailand) tax record-keeping rules, anti-money laundering laws, and e-Invoice obligations.
  • Legitimate interest — to secure the Service against fraud and abuse, maintain audit logs, and improve product functionality, provided this does not override your rights and freedoms.
  • Consent — for optional communications, marketing, or features that go beyond what is needed to deliver the Service. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. How We Use Your Data

  • Providing and maintaining the expense management and QR payment service
  • Processing payments through integrated payment gateways
  • Sending notifications (email, SMS, WhatsApp, Line) related to your expense approvals and account activity
  • Generating reports and analytics for your organization
  • Complying with legal obligations including tax reporting requirements
  • Preventing fraud and ensuring platform security

5. Cookies and Similar Technologies

We use cookies and similar browser storage strictly to operate the Service:

  • Strictly necessary: authentication session, CSRF tokens, security flags. These cannot be disabled.
  • Functional: language preference, theme (light/dark), last-viewed organization.

We do not currently use advertising cookies or third-party tracking pixels. If this changes, we will update this Policy and obtain consent where required.

6. Third-Party Data Processors

Provider         | Purpose                                              | Data Shared
Supabase (AWS)   | Database, authentication, file storage               | All account and transaction data
Xendit           | QR payment processing                                | Payment amounts, merchant IDs
Twilio           | SMS / WhatsApp delivery (invites, OTP, notifications) | Phone numbers, message content
Line Corporation | Line Messaging API (Thailand notifications)          | Line user ID, message content
Vercel           | Application hosting                                  | IP addresses, request logs
Google (Gemini)  | Receipt scan processing (OCR)                        | Receipt images (transient processing)

All third-party processors are bound by data processing agreements, maintain appropriate security certifications (ISO 27001, SOC 2 where applicable), and process data only on our documented instructions.

7. Automated Processing and AI

We use automated systems in two narrow areas:

  • Receipt OCR (Google Gemini): When you upload a receipt, the image is sent to Google's Gemini vision model to extract structured data (merchant, amount, date, tax). The extracted data is presented for your review and edit before submission. No automated decision is made about expense approval based solely on OCR output.
  • Fraud and policy flagging: Heuristic checks may flag unusual patterns (duplicate receipts, out-of-policy categories) for human review by an Administrator or Manager. These flags never auto-reject an expense — a human reviewer always makes the final decision.

We do not engage in profiling or fully automated decision-making that produces legal or similarly significant effects on you. You retain the right to request human review of any automated output.

8. Data Retention

  • Active account data: retained while your account is active.
  • Financial records (expenses, payments, receipts): retained for 7 years after creation, per LHDN (Malaysia) and Revenue Department (Thailand) tax record-keeping requirements.
  • Audit logs: retained for 7 years for legal compliance.
  • Deactivated accounts: personal data may be anonymized upon request, while financial records are retained per legal obligations.

9. Your Rights

Under Malaysia PDPA 2010:

  • Access: Request access to your personal data.
  • Correction: Request correction of inaccurate data.
  • Withdrawal: Withdraw consent for data processing (subject to legal retention obligations).
  • Limit processing: Request that we limit the processing of your personal data for direct marketing.

Under Thailand PDPA 2019:

  • Access: Request access to your personal data.
  • Correction: Request correction of inaccurate data.
  • Erasure: Request deletion of personal data (subject to legal retention obligations).
  • Portability: Request transfer of data in a machine-readable format.
  • Restriction: Request that processing be restricted in certain circumstances.
  • Objection: Object to processing based on legitimate interest.
  • Withdrawal: Withdraw consent at any time.
  • Complaint: Lodge a complaint with the Personal Data Protection Committee (PDPC) of Thailand.

To exercise any of these rights, contact us using the details in §16. We will respond within 30 days. There is no charge for reasonable requests.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, multi-factor authentication for administrative access, audit logging, and regular security monitoring. Access to personal data is restricted to authorized personnel on a need-to-know basis.

11. Data Breach Notification

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will:

  • Notify the Thailand PDPC within 72 hours of becoming aware, where the breach affects data subjects in Thailand, as required by §37(4) of the Thailand PDPA.
  • Notify the Malaysian Personal Data Protection Commissioner as required under prevailing PDPA Malaysia guidance.
  • Notify affected users directly, without undue delay, when the breach is likely to result in high risk to their rights.

12. Cross-Border Data Transfers

Your data may be processed outside Malaysia and Thailand by the sub-processors listed in §6. Primary destinations include the United States (Supabase/AWS, Vercel, Google, Twilio) and Singapore (regional infrastructure for Xendit and Line).

For cross-border transfers we rely on the following safeguards:

  • Data processing agreements that bind sub-processors to a level of protection equivalent to the originating jurisdiction.
  • For Thailand transfers: reliance on adequacy decisions of the PDPC where available, or appropriate safeguards (binding corporate rules, standard contractual clauses) under §28 of the Thailand PDPA.
  • For Malaysia transfers: reliance on §129 PDPA permissions (necessary for performance of contract, your consent, or transfers to places offering substantially similar protection).

13. Children's Data

Xpensea is a business product intended for employees and administrators of registered companies, who are typically adults. We do not intentionally collect data from individuals under 20 (Thailand) or under 18 (Malaysia). If we learn we have collected such data without appropriate consent, we will delete it.

14. Data Anonymization

Upon a valid erasure request, we anonymize personal identification data (name, email, phone) while retaining financial records in an anonymized form to meet legal obligations. This process is irreversible.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. Continued use of the Service after changes constitutes acceptance of the updated policy.

16. Contact Us

For privacy questions, data subject requests, or to contact our Data Protection Officer:

  • Data Protection Officer (DPO): cch726@shardlab.com
  • General privacy inquiries: info.xpensea@gmail.com
  • Malaysia: Shard Lab Sdn Bhd — Level 8, Tower A, Bangsar South, 59200 Kuala Lumpur, Malaysia.
  • Thailand: Shard Lab (Thailand) Co., Ltd. — Silom Complex, 11th Floor, Bangkok 10500, Thailand.