Privacy Policy

Last updated: 20 March 2026

1. Introduction

Incorpus ("we", "us", "our") operates the incorpus.app platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. This policy is governed by the Personal Data Protection Act 2010 (PDPA) of Malaysia.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials (managed through our identity provider, WorkOS). We do not store passwords directly.

2.2 Company Information

You provide business details including company name, registration number (SSM), tax identification number, registered address, fiscal year configuration, and bank account details necessary for the operation of the platform.

2.3 Financial Data

The platform processes invoices, bills, journal entries, bank transactions, tax records, and other financial documents you create or import. This data is stored in your company workspace and is not shared across companies.

2.4 Usage Data

We collect standard server logs, error reports (via Sentry), and aggregate usage metrics to maintain and improve the service. We do not track individual user behavior for advertising purposes.

3. How We Use Your Information

We use collected information to:

  • Provide and maintain the Incorpus platform
  • Process your financial documents and generate reports
  • Submit e-Invoices to LHDN MyInvois on your behalf (when configured)
  • Send transactional emails (invoices, reminders, payment confirmations)
  • Manage your subscription and billing
  • Provide customer support
  • Comply with legal obligations under Malaysian law

4. Data Storage & Security

Your data is stored on Supabase (PostgreSQL) infrastructure with row-level security (RLS) ensuring strict company-level tenant isolation. Document attachments are stored on Cloudflare R2 with server-side encryption (AES-256-GCM). Sessions use AES-256-GCM encrypted, HMAC-SHA256 signed cookies.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, as required by the PDPA.

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Service providers: WorkOS (authentication), Stripe (billing), Resend (email delivery), Cloudflare (storage and CDN), Sentry (error monitoring)
  • Government authorities: LHDN for e-Invoice submissions when you configure and initiate MyInvois integration
  • Legal requirements: when required by Malaysian law, regulation, or legal process

6. Data Retention

Your data is retained for the duration of your active subscription. Upon cancellation, we retain data for 120 days to allow for reactivation, after which it is permanently deleted. Financial records are retained in accordance with the 7-year retention requirements under the Companies Act 2016, Income Tax Act 1967, and LLP Act 2012 as applicable to your entity type.

7. Your Rights Under PDPA

Under the Personal Data Protection Act 2010, you have the right to:

  • Access your personal data held by us
  • Correct any inaccurate personal data
  • Withdraw consent for data processing (subject to contractual and legal obligations)
  • Request deletion of your personal data (subject to retention requirements)

To exercise these rights, contact us at privacy@incorpus.app.

8. Company Data Export

Company owners can export all company data at any time through the Company Data Export feature. This provides a complete, portable copy of all business records, documents, and configuration for the company.

9. Cookies

We use essential cookies only: encrypted session cookies for authentication and OAuth nonce cookies for login security. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active users of material changes via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact

For questions about this Privacy Policy or our data practices, contact us at privacy@incorpus.app.