Privacy Policy

Last updated: 9 May 2026

1. Who We Are

Incorpus is operated by S Rank Sdn. Bhd. (Company No. 202501046409 (1647817-H)) ("Incorpus", "we", "us", or "our"). This Privacy Policy explains how we collect, use, disclose, store, protect, retain, and delete personal data and business records when you use incorpus.app and related Incorpus services.

This policy is intended to support compliance with the Personal Data Protection Act 2010 [Act 709] of Malaysia, as amended from time to time. It does not replace any privacy notice, employment notice, customer notice, professional engagement letter, or statutory obligation that your business may need to issue separately.

2. Your Workspace Data

Incorpus provides software for company workspaces. You control the business records, documents, accounting entries, tax support workpapers, user access decisions, and professional handoff exports that you place inside your workspace. You are responsible for ensuring that you have the right to upload, process, retain, submit, and share that information.

We process workspace data to provide the service, keep the platform secure, maintain audit trails, support billing and support workflows, and carry out instructions initiated by authorised users, such as document exports or MyInvois submissions.

3. Information We Collect

3.1 Account and Identity Data

We collect information such as your name, email address, authentication status, workspace membership, roles, permissions, invitation records, and login metadata. Authentication is handled through WorkOS; we do not store your password directly.

3.2 Company and Statutory Profile Data

You may provide company names, SSM registration numbers, tax identification numbers, SST details, addresses, entity type, fiscal year settings, document numbering settings, bank account details, and other information needed to run a Malaysian business workspace.

3.3 Business and Financial Records

Incorpus processes records that you create, import, upload, or generate, including invoices, bills, quotations, purchase orders, receipts, payments, journal entries, bank transactions, attachments, statutory records, compliance tasks, reports, and export packs.

3.4 Integration and Submission Data

If you configure integrations, we may process the data needed for those integrations, including MyInvois credentials, certificates, submission payloads, validation responses, email delivery metadata, and payment-link metadata.

3.5 Billing, Support, and Technical Data

We collect subscription status, plan, invoice and payment status, support messages, server logs, IP address, browser/device metadata, error reports, audit logs, and security events. Payment card and FPX processing are handled by Stripe; Incorpus does not store full card numbers.

4. How We Use Information

We use information to:

  • Provide, operate, secure, monitor, and improve Incorpus
  • Authenticate users and enforce workspace roles, permissions, and tenant isolation
  • Generate documents, reports, ledgers, workpapers, reminders, and export packs
  • Submit MyInvois data to LHDN when an authorised user configures and initiates that workflow
  • Send transactional emails, document emails, invitations, billing notices, and service updates
  • Process subscriptions, invoices, renewals, cancellations, and usage limits
  • Investigate errors, security incidents, suspected abuse, and support requests
  • Comply with laws, regulations, court orders, government requests, and accounting requirements

5. Service Providers and Disclosure

We do not sell your personal data or workspace data. We disclose information only where needed to:

  • Operate the platform: infrastructure, database, storage, authentication, email, billing, observability, logging, and support providers such as Supabase, Cloudflare, WorkOS, Stripe, Resend, Sentry, and hosting infrastructure providers
  • Complete authorised workflows: LHDN MyInvois submissions, transactional emails, payment links, file downloads, exports, and workspace invitations
  • Support workspace collaboration: users, accountants, company secretaries, auditors, employees, or advisers that a workspace owner or administrator invites or permits
  • Meet legal requirements: where disclosure is required by Malaysian law, regulation, legal process, or a valid government request

6. Cross-Border Processing

Some service providers may process or store information outside Malaysia. Where this happens, we take reasonable steps to use providers and contractual arrangements that support confidentiality, security, and lawful processing of the data.

7. Security

Incorpus uses technical and organisational controls designed to protect data against unauthorised access, disclosure, alteration, and loss. These include role-based access, functional permissions, row-level security for tenant isolation, encrypted and signed session cookies, audit logs, period locks, upload controls, and encrypted document storage support where configured.

No internet service can guarantee perfect security. You remain responsible for choosing trustworthy workspace users, protecting your devices and email accounts, reviewing permissions, and exporting or backing up records that your business must retain.

8. Retention, Cancellation, and Deletion

We retain active workspace data for as long as your subscription or authorised trial remains active. After cancellation, workspace data is normally retained for 120 days so that you can reactivate or export records. After that period, data is scheduled for deletion unless we are required or permitted to retain specific records for legal, billing, security, dispute, or compliance reasons.

Malaysian businesses may have statutory record-retention obligations. Incorpus helps you store and export records, but you are responsible for exporting and retaining any records your business, tax agent, accountant, company secretary, or auditor requires after your Incorpus subscription ends.

9. Exports and Portability

Workspace owners can request full company data exports and professional handoff exports such as the Accounting Pack, Audit Support Pack, Tax Pack, and Compliance Archive. These exports are intended to help you preserve records and provide evidence to accountants, tax agents, company secretaries, auditors, or other authorised advisers.

10. Your Rights

Subject to applicable law, you may request access to personal data we hold about you, correction of inaccurate personal data, withdrawal of consent where processing is based on consent, deletion where available, or information about how your personal data is processed. Some requests may be limited by contractual, security, legal, accounting, tax, audit, or fraud-prevention obligations.

To make a request, contact us at privacy@incorpus.app. We may need to verify your identity and workspace authority before acting on a request.

11. Cookies

We use essential cookies for authentication, session security, and OAuth login flows. We do not use third-party advertising cookies. If analytics or additional tracking technologies are introduced later, this policy will be updated accordingly.

12. Changes to This Policy

We may update this Privacy Policy as the product, law, infrastructure, or service providers change. Material changes will be communicated through the service, email, or another reasonable method. The updated date above shows when this page was last revised.

13. Contact

For questions about this Privacy Policy or our data practices, contact privacy@incorpus.app.