Privacy Policy

Last updated: 20 May 2026

This Privacy Policy describes how Xavier K., an independent developer (“I”, “me”, or “my”), collects, uses, and protects your personal data when you use KiraKiraLah (“the Service”). It is written to comply with Malaysia's Personal Data Protection Act 2010 (PDPA).

1. Data We Collect

Account & Identity Data

  • Full name and email address (provided on sign-up or via Google OAuth)
  • Profile picture (imported from Google if you sign in with Google)
  • Account role (user or admin)

Authentication Data

  • Hashed passwords — I use bcrypt; your plain-text password is never stored
  • OAuth tokens issued by Google (used only to verify your identity)
  • Session tokens (database-backed, valid for 30 days)

Financial & Expense Records

  • Expense entries: title, amount, category, date, notes
  • Income entries: source, amount, date, notes
  • Recurring expense and income configurations
  • Any files or images you upload as receipts or attachments

Payment Data

  • Subscription status and plan tier (free, basic, pro, early_bird) — stored in my database
  • Stripe customer ID and subscription ID (for Malaysian users) — references to records held by Stripe; I do not store card numbers or banking credentials
  • Polar customer ID and subscription ID (for non-Malaysian users)

Technical & Device Data

  • IP address (used for geo-routing payment providers and security logging)
  • Browser type and User-Agent string
  • Country derived from IP (used to route Malaysian users to Stripe)

Usage & Activity Data

  • Activity logs (actions performed in the app, timestamps)
  • Error and crash reports sent to Sentry for debugging

2. Legal Bases for Processing

Every use of your data is grounded in at least one lawful basis under the PDPA.

Purpose                                                        PDPA basis
Provide and operate the Service                                Contractual necessity
Authenticate your identity and secure your account             Contractual necessity / Legitimate interest
Process subscription payments and manage billing               Contractual necessity
Send transactional emails (welcome, receipts, notifications)   Contractual necessity / Consent
Monitor for errors and fix bugs                                Legitimate interest
Comply with legal obligations                                  Legal obligation
Detect and prevent fraud or abuse                              Legitimate interest

3. How Long I Keep Your Data

  • Account and financial records — retained for as long as your account is active. Deleted within 30 days of a verified deletion request.
  • Session tokens — expire automatically after 30 days of inactivity.
  • Activity logs — retained for up to 12 months for security and audit purposes, then permanently deleted.
  • Error reports (Sentry) — retained for 90 days per Sentry's default policy.
  • Payment records — Stripe and Polar retain transaction records as required by their own policies and applicable financial regulations. I retain subscription status references until your account is deleted.

4. Third-Party Services (Data Processors)

I share your data with the following processors only to the extent necessary to operate the Service. Each processor is bound by a data processing agreement and may not use your data for their own purposes.

Service           Purpose                                     Location
Google OAuth      Social sign-in                              USA
Stripe            Payment processing (Malaysian users)        USA
Polar.sh          Payment processing (non-Malaysian users)    USA
Resend            Transactional email delivery                USA
Neon DB           PostgreSQL database hosting (production)    USA
Vercel            Application hosting and CDN (production)    USA / Global
Hetzner Online    Staging server and database                 Finland, EU
Sentry            Error monitoring and crash reporting        USA

5. Cross-Border Data Transfers

The production environment (Vercel, Neon DB) and several processors (Stripe, Polar, Resend, Google, Sentry) are based in the United States. The staging environment runs on Hetzner Online servers in Helsinki, Finland (within the EEA); data processed there does not leave the EEA.

For users in Malaysia (PDPA)

By using the Service, you acknowledge the transfer of your personal data to the United States for production services. Each transfer is subject to appropriate contractual safeguards (data processing agreements) consistent with the PDPA.

6. Cookies & Tracking

The Service uses only strictly necessary cookies.

  • Session cookie (better-auth.session_token) — essential to keep you logged in. Expires after 30 days.
  • Theme preference — your light/dark mode choice, kept in browser local storage rather than a cookie. Contains no personal data.

I do not use advertising cookies, third-party tracking pixels, or analytics scripts.

7. Your Rights

To exercise any of the rights below, email [email protected]. I will respond within 21 days as required by the PDPA.

Your rights under the PDPA

  • Access — request a copy of the personal data I hold about you.
  • Correction / Rectification — request that inaccurate or incomplete data be corrected. Most profile data can be updated directly in account settings.
  • Deletion / Erasure — request that your account and associated personal data be deleted. Processed within 30 days. Some data may be retained where required by law or for legitimate security purposes.
  • Restrict processing — request that I pause processing your data in certain circumstances.
  • Withdraw consent — where processing is based on consent, you may withdraw at any time without affecting prior processing.

8. Data Security

  • All data in transit between your browser and the Service is encrypted with HTTPS (TLS).
  • Passwords are hashed using bcrypt before storage — never stored in plain text.
  • Database access is restricted to the application server only; no direct public access is permitted.
  • Payment card data is never handled or stored by me — it is entered directly into Stripe or Polar's hosted checkout pages.
  • Sessions automatically expire after 30 days of inactivity.

9. Children's Privacy

The Service is not directed at individuals under the age of 18. I do not knowingly collect personal data from children. If you believe a child has provided data without parental consent, please contact me and I will delete it promptly.

10. Changes to This Policy

I may update this Privacy Policy from time to time. When I do, I will revise the “Last updated” date at the top of this page. For material changes, I will notify you by email or by a prominent notice in the app at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

11. Contact

For any questions, concerns, or data subject requests regarding this Privacy Policy, please contact:

Xavier K.

Email: [email protected]