Privacy Policy
Version 1.0 · Effective 1 June 2026 · PDPA Act 709 (Malaysia) compliant · Maverick Intelligence Sdn Bhd
Plain-language summary: We keep what you tell MavWise on secure servers, use it only to power the app for you, never sell it, and let you delete it any time. You have rights under the Personal Data Protection Act 2010 (Act 709) — see Section 9 below.
1. Who we are (the "Data User")
This Privacy Policy is issued by Maverick Intelligence Sdn Bhd ("we", "us"), a private limited company incorporated in Malaysia, in our capacity as the data user under Section 4 of the Personal Data Protection Act 2010 (Act 709) ("PDPA").
Data Protection Officer (DPO): dpo@mavwise.com
2. Personal data we collect
- Identification: username, email address, optional Telegram user-id when you pair your account.
- Financial inputs: transactions you log (amount, category, merchant, item, currency, date), budgets, debts and their balances, savings goals — all entered by you voluntarily.
- Receipt images: photos or PDFs you upload for AI scanning. Both the raw file and a hash of it are stored for as long as the linked transaction exists.
- Telegram metadata: when paired, your Telegram display name and chat-id, used to deliver push notifications.
- Usage data: minimal — login timestamp, XP/streak counters, AI-coach output cache for retrieval.
- Technical data: standard server logs (IP address, request path, HTTP status, user-agent) retained 30 days for abuse prevention.
We do not knowingly collect data from anyone under 18.
3. Purposes of processing (PDPA Section 6)
- To provide and operate the MavWise Service (budgeting, AI coach, payoff plans, gamification, notifications).
- To compute personalised insights using the language model (see Section 5 — cross-border transfer).
- To deliver push notifications you opted into (Settings → Notifications).
- To prevent abuse, fraud, duplicate transactions and reward farming.
- To comply with Malaysian law and respond to lawful requests by regulators (e.g. Bank Negara Malaysia, Inland Revenue Board, JPDP).
4. Legal basis (PDPA Sections 6 & 7)
We process your data on the following bases:
- Your consent — given when you ticked the consent box at signup, recorded with a timestamp in our database.
- Performance of a contract — to provide the Service you signed up for.
- Compliance with legal obligation — where required by Malaysian law.
5. Cross-border transfer (PDPA Section 129)
To deliver AI insights we send a minimised text summary of your financial data (no PII fields, no raw receipt content) to OpenAI's API servers, which may be located outside Malaysia (typically the United States). OpenAI is contractually obliged not to use API content for model training. You consent to this cross-border transfer when you accept this Privacy Policy.
Database hosting is on Railway Inc. (US-based PaaS) in Postgres, encrypted at rest and in transit. By accepting this policy you consent to processing on Railway infrastructure.
6. Disclosure (PDPA Section 8)
We do not sell your personal data. We disclose data only to:
- Sub-processors strictly necessary to operate the Service (OpenAI for AI inference, Telegram Bot API for notifications, Railway for hosting, OpenAI Vision for receipt OCR);
- Law enforcement or regulators if compelled by valid Malaysian legal process;
- A successor entity in the event of merger, acquisition or corporate restructuring (with the same privacy commitments).
7. Retention (PDPA Section 10)
- Account + transactional data — retained while your account is active.
- Receipt image files — retained while the linked transaction exists.
- Server logs — retained 30 days.
- Backups — retained 30 days then rotated.
- On account deletion — all personal data purged within 90 days, except where retention is required by tax law (Section 82 of the Income Tax Act 1967, max 7 years for financial records).
8. Security (PDPA Section 9)
- HTTPS / TLS 1.2+ in transit for all dashboard and API traffic.
- Passwords stored only as salted hashes via Werkzeug PBKDF2.
- Per-tenant data isolation enforced at the query layer (every read / write is scoped by the linked Telegram user id of the signed-in account).
- Random pairing codes (15-min expiry) for Telegram linking.
- Server-side input validation and parameterised SQL (no string-concat queries).
- Daily idempotency caps on XP and tokens to prevent abuse.
9. Your rights (PDPA Sections 30–34)
- Right of access (Section 30) — request a copy of your personal data.
- Right to correct (Section 34) — request correction of inaccurate data.
- Right to withdraw consent (Section 38) — at any time, by emailing the DPO.
- Right to prevent processing for direct marketing (Section 43) — toggle off notifications in Settings.
- Right to data portability — request your data in a machine-readable format.
- Right to deletion — request full erasure subject to legal retention obligations.
To exercise any of these rights, contact dpo@mavwise.com.
We will respond within 21 days as required by PDPA Section 30(7).
10. Children's data
MavWise is not intended for users under 18. If we discover we have collected data from a minor without verifiable parental consent, we will delete it promptly.
11. Cookies & local storage
The dashboard uses one essential session cookie to keep you logged in, and your browser's localStorage for non-personal UI preferences (font size, theme, language, last-picked sub-tab). No third-party analytics or ad-tracking cookies are used.
12. Data breach notification
In the event of a personal-data breach posing significant risk to affected users, we will notify the Personal Data Protection Department (JPDP) and affected users within 72 hours of becoming aware, in line with the upcoming mandatory-breach-notification requirements of the PDPA 2024 amendments.
13. Updates to this policy
We may update this policy from time to time. Material changes will bump the version number above and prompt you to re-consent at next login. Minor wording changes will be published without re-prompting but recorded in our change log.
14. Complaints
If you are not satisfied with our handling of your data, you may lodge a complaint with the Personal Data Protection Department, Ministry of Digital Malaysia (www.pdp.gov.my).
Drafted in line with Personal Data Protection Act 2010 (Act 709) and the 2024 amendments. Provided as a working draft — review by qualified legal counsel is recommended before public release.