ZeroKey
Privacy

Privacy policy

How ZeroKey collects, uses, and protects your information.

Last updated · 14 May 2026

ZeroKey is a product of Symprio Sdn Bhd. This policy explains what personal data we collect, why we collect it, how we use it, and the choices you have. We follow the Malaysian Personal Data Protection Act 2010 (PDPA) and apply the same standards regardless of where in the region you sign up from.

What we collect

We collect three kinds of information.

  • Account information: your name, email, organisation name, business registration number, LHDN TIN, and the role you choose when you sign in.
  • Invoice content you upload or send to us: PDFs, images, spreadsheets, structured payloads, and the data we extract from them — buyers, suppliers, items, amounts.
  • Usage and security signals: IP address, browser, device type, the actions you take in the product, and the timestamps. Used for security and audit only.

How we use it

We use the data to deliver the service, to talk to you about your account, to keep your account secure, to meet our regulatory obligations under PDPA and LHDN MyInvois rules, and to improve the product. We do not sell your data. We do not use your invoice content for advertising or for training general-purpose models.

Where it lives

Your data is stored in a Malaysian data centre. We replicate to Singapore for disaster recovery only — failover, not regular operation. We do not move customer data outside the region without explicit consent.

Who we share with

We share data with vendors that help us operate (hosting, monitoring, AI extraction, payments) and only the minimum needed. We list our sub-processors publicly and notify customers before adding new ones materially involved in handling personal data.

Retention

We keep your data while your account is active. After cancellation, we retain it for the period required by Malaysian tax law (currently seven years for invoice records) and then delete it. You can export everything we have on you at any time from the dashboard.

Your rights

Under PDPA, you can:

  • Access the personal data we hold about you.
  • Correct anything that is wrong.
  • Withdraw consent for non-essential processing.
  • Request deletion (subject to legal retention obligations).

Email privacy@symprio.com to exercise any of the above. We respond within ten business days.

Changes to this policy

We update this page when the practice changes. The “last updated” date at the top reflects the most recent change. Material changes that affect your rights are notified by email.

Note for launch. This policy is a working draft pending review by counsel for general availability. If you are evaluating ZeroKey for a regulated deployment, ask for the GA version before signing.