PDPA notice

Last updated · 14 May 2026

This notice is provided under the Personal Data Protection Act 2010 (“PDPA”). It explains how Symprio Sdn Bhd (“we”) collects and processes personal data through the ZeroKey service.

Personal data we collect

• Account profile — name, business email, organisation name, role.
• Organisation profile — business registration number, LHDN TIN, address.
• Invoice content — buyer and supplier names, addresses, contact numbers, identification numbers, line items, amounts.
• Usage records — IP address, browser, actions taken, timestamps.

Purpose

We process personal data for these purposes: to provide the service you subscribed to, to communicate with you about your account, to comply with Malaysian tax and e-invoicing regulations, to investigate security incidents, and to improve the product. We do not use your invoice content for advertising.

Disclosure

We disclose personal data to: LHDN (for invoice submission, with your authorisation), our processing vendors (hosting, monitoring, payments) under written contracts, our professional advisors, and regulators where legally required.

Cross-border transfer

Your personal data is stored in a Malaysian data centre. We replicate to Singapore for disaster recovery only and apply equivalent protections in both locations.

Retention

We retain personal data while your account is active and for the period required by Malaysian tax law after closure (currently seven years for invoice records). After that period, we delete it.

Your rights

You have the right to:

• Request access to the personal data we hold about you.
• Request correction of inaccurate data.
• Withdraw consent for non-essential processing.
• Lodge a complaint with the Personal Data Protection Commissioner of Malaysia.

Contact

Email privacy@symprio.com for any PDPA matter. We respond within ten business days.

Note for launch. This notice is a working draft pending review by counsel for general availability.