Privacy Policy
Effective Date: 9 August 2025
1. Introduction & Scope
This Privacy Policy (“Policy”) explains how ACCELER TECHNOLOGY Sdn. Bhd. (SSM No.: 202403217687 / MA0320718-K), trading as Estate Boost Copilot or “EBC”, collects, uses, stores, discloses and protects personal data in connection with our EBC TA Stamping service and related websites, applications and tools (collectively, the “Services”). This Policy applies to all individuals who access or use the Services, including property agents and other users in Malaysia and elsewhere.
By registering for an account, submitting documents, or otherwise actively using the Services, you acknowledge that you have read and understood this Policy and you give your consent to the collection, use, and processing of your personal data as described herein. If you do not agree with this Policy, please do not access or use the Services.
2. Data Controller & DPO
Data Controller (Contact): ACCELER TECHNOLOGY
Address: Bandar Bukit Tinggi 2, Klang, 41200, Selangor, Malaysia.
Email: estateboostcopilot@gmail.com
Data Protection Officer (DPO): Data Protection Officer, ACCELER TECHNOLOGY
Email: estateboostcopilot@gmail.com
Phone: +60 11-6966 0178 (WhatsApp only)
Use the DPO contact to make data requests, complaints, or questions about privacy practices.
3. Quick Summary (Plain Language)
- We collect account/profile info (name, email, phone), uploaded tenancy docs (PDFs/photos), AI-extracted drafts and user-final versions, payment & transaction info (via Billplz/FPX), and technical logs (IP, browser).
- We use data to provide the LHDN tenancy agreement stamping automation, store your Sijil, let you download documents, support you, and improve services (including model improvement unless you request otherwise).
- We do not sell personal data. We will send marketing (including WhatsApp blasts) if you don’t opt out.
- Most user application data, Sijil and profile info are retained permanently unless you request deletion or special rules apply; unpaid-but-submitted applications are deleted after 30 days (with warning).
- You can request access, correction, deletion and other rights via our DPO.
4. What personal data we collect (detailed)
We collect and process the following categories of personal data:
A. Account & identity: name (first/last), email, password (hashed), phone number, country, position (default: property agent), optional profile picture (Google OAuth profile pic if used).
B. Application documents & content: tenancy agreement PDFs, photos/images (converted to PDF where applicable), scanned signatures, uploaded supporting docs, and the LHDN-issued Sijil PDFs.
C. AI-generated data: AI-extracted drafts, parsed JSON of extracted fields, version history (AI draft + user edits + final submission).
D. Payments & billing: payment status, transaction amount, payment references collected via Billplz/FPX (we do not store raw card credentials).
E. Technical & usage data: IP address, device/OS, browser type/version, user agent, screen resolution (if applicable), cookies, sessionId, userId, JWT tokens (authentication).
F. Communication records: support emails, chat messages (Socket.IO), WhatsApp messages (if enabled), email logs (SMTP via Nodemailer).
G. Logs & monitoring: API call logs, error logs, processing logs, audit trails used for troubleshooting and compliance.
We do not collect government-issued identity numbers (e.g., IC / MyKad) as part of normal onboarding.
5. How we collect personal data
- Directly from you: registration, profile edits, form entries, document uploads, payment flows, support interactions.
- Via third parties: Google OAuth (profile & email), Billplz (payment notifications), ConvertAPI (document conversion), LHDN (Sijil issuance), Vercel/Azure/Upstash as infrastructure.
- Automatically: cookies, server logs and telemetry capture IP, UA, session info and usage metrics.
5A. Consequences of Not Providing Personal Data
Providing your personal data to us is voluntary. However, if you do not provide the personal data required to complete your account registration and tenancy agreement stamping application, we will be unable to provide you with our Services or process your application with LHDN.
6. Purposes of processing & lawful bases (PDPA/GDPR-aware)
We process personal data for the following purposes and lawful bases (illustrative mapping for international audiences):
a. Performance of contract / provision of services
Processing tenancy-stamping applications, generating submissions to LHDN, storing Sijil, enabling downloads.
b. Legitimate interests
Fraud prevention, security, service improvement, operational logs and analytics, dispute investigation and abuse prevention.
c. Consent
We process data based on your consent for the following purposes:
- Cookies and Similar Technologies: As described in §8.
- Marketing Communications: As described in §9.
- AI Model Improvement: We may use de-identified or pseudonymized data derived from your documents and application history to train, validate, and improve our AI models. You provide your consent for this purpose when you agree to this Policy. You may object to this processing at any time by contacting our DPO (see §21), and we will cease using your data for future model improvement where feasible. Please note that a full opt-out may be limited by operational constraints.
d. Legal obligations
Tax/accounting record retention, regulatory responses, lawful requests by authorities.
7. AI processing — special note
Our Service uses in-house AI to extract data from tenancy agreements and present pre-filled application forms. The AI output is assistive only — you must review & confirm everything in the final “Edit Form — Confirm — Submit” step. We retain both the AI-generated draft and the user-updated final version for audit, dispute resolution and quality improvement. If you request restriction from model training use, notify the DPO; we will respond and, where feasible, honor the request.
8. Cookies & similar technologies
We use cookies and similar technologies for authentication and functionality:
- Essential cookies: userId, sessionId, JWT or idToken/accessToken for OAuth.
- Functional cookies: UI preferences (e.g., dark mode).
- By checking the Terms & Conditions and this Privacy Policy during first use you consent to our use of cookies. You may disable cookies via your browser settings (some features may be degraded).
We currently do not use cookies for third-party marketing by default; if this changes we will update the Policy and obtain consent.
9. Marketing communications & opt-out
We will send service-related notifications (transaction status, application updates) as part of the service. You also consent to receive marketing/advertising messages (URLs/text) via WhatsApp blasts and other channels unless you opt out. To opt out:
- Click the unsubscribe link or follow instructions in the message; or
- Contact our DPO (estateboostcopilot@gmail.com). We will stop marketing messages within a reasonable timeframe after receiving your opt-out.
10. Data sharing — processors & third parties
We share personal data only as required to deliver the Service and with contractual safeguards:
Service providers / processors (non-exhaustive):
- Billplz (FPX) — payment processing & transaction notifications.
- Vercel — primary web hosting & Blob storage for uploaded files and Sijil PDFs.
- Microsoft Azure — compute, AI workloads, admin backend.
- Upstash (Redis) — sessions & cache.
- ConvertAPI / pdf-lib / Sharp — document conversion & image processing.
- Google — OAuth profile info (if used).
- LHDN — recipient of stamping applications and issuer of Sijil (government processing).
- Email & messaging providers — SMTP provider, WhatsApp API vendor.
We maintain Data Processing Agreements (DPAs) or similar contracts requiring processors to implement appropriate safeguards and to use data only to provide the contracted services.
We do not sell or trade personal data.
11. International transfers & safeguards
Because our infrastructure and some processors operate globally, your personal data may be transferred outside Malaysia (e.g., cloud providers’ data centers). Prior to transfers we will implement appropriate safeguards (DPAs, contractual clauses, or equivalents). If required by law, we will obtain consent for cross-border transfers or put in place additional protections. You may request details of any cross-border transfer and the safeguards used by contacting the DPO.
12. Data retention & deletion (detailed table)
| Data Category | Retention Period | Notes |
|---|---|---|
| Account profile (name, email, phone, profile pic) | Indefinite (until account deletion) | Unless user requests deletion and no legal retention is required. |
| Uploaded tenancy application PDFs & supporting docs | Indefinite | Available for download and audit; deletion upon user request unless legal hold applies. |
| LHDN Sijil PDFs (issued) | Indefinite | Business record. |
| Paid application transaction records (payment & ledger) | Indefinite | Required for accounting/tax compliance. |
| Paid application processing state & AI drafts (AI draft + final) | Indefinite | Retained for dispute resolution & model improvement; configurable on request. |
| Unpaid-but-submitted application data | 30 days | Warning issued; auto-delete after 30 days of non-payment. |
| Session data / cache | 14 days | Temporary session expiry. |
| Email verification URLs & tokens | 1 hour | One-time tokens expiry. |
| Server logs / error logs / API logs | (Configurable) Recommend: 1 year | For security and troubleshooting — confirm desired retention. |
Note: "Indefinite" retention means the data is retained for the entire lifecycle of your active account and for a period thereafter as required for our business purposes (such as dispute resolution, financial auditing) and legal obligations. All data subject to indefinite retention is eligible for deletion upon a verified request from you, provided that no overriding legal or regulatory requirements (e.g., tax laws) compel us to retain it.
13. Data access, correction, deletion, portability & objection
You may exercise the following rights by contacting the DPO:
- Access: request a copy of your personal data.
- Correction: request amendment of inaccurate/incomplete data.
- Deletion: request erasure (subject to legal/contractual retention obligations and the 30-day rule for unpaid apps).
- Portability: request export of your data in a structured, commonly used format where feasible (we currently support PDF downloads of uploaded documents and Sijil and can provide JSON export upon request).
- Restriction / objection: request to limit processing, object to direct marketing, or object to automated decision-making where applicable.
We will acknowledge requests and respond within applicable legal timeframes (typically 30 days for ordinary requests — we will notify you if an extension is necessary). We may require identity verification before fulfilling sensitive requests.
14. Security measures & incident response
We apply commercially reasonable security controls:
- Transport security (HTTPS/TLS) for all data in transit.
- Password hashing with bcrypt.
- Authentication via JWT / OAuth for sessions.
- Role-based access control for internal systems.
- Secure storage of files in Vercel Blob / Azure with provider-enforced encryption at rest.
- Rate limiting, logging, and monitoring to detect abuse.
Breach response: If a personal data breach becomes notifiable under Malaysian PDPA or applicable law, we will follow PDPC guidelines and notify the PDPC and affected data subjects where required. Notifications will contain the information mandated by law (circumstances, likely consequences, remedial actions). Contact the DPO for incident reports.
Important: you told us you currently do not maintain separate offline backups; data exists in live DB/Redis/Blob. This heightens the importance of robust infrastructure-level redundancy and monitoring. We strongly recommend implementing a documented backup and disaster recovery plan.
15. Children & age
You requested no minimum age restriction and no age-verification flow. Accordingly:
- We do not impose a minimum age to access the Services.
- If you are below the age of legal capacity in your jurisdiction, you represent that you have obtained parental or guardian consent to use the Services and provide personal data.
- If a parent/guardian believes a child’s data is present and wants it removed, contact the DPO and we will investigate and take appropriate action consistent with applicable law.
Recommendation: Although you prefer no age gate, many jurisdictions require parental consent for children — consider publishing guidance for parents and adding an age flag in the future.
16. Cookies consent & how consent is captured
Users consent to our cookies and tracking by checking the Terms & Conditions and this Privacy Policy on first use (the checkbox constitutes affirmative consent). You can also manage cookies through your browser settings. We plan to provide a cookie preference center in the future.
17. Marketing & third-party advertising
We will send marketing messages including WhatsApp blasts and direct messages containing URLs and text. You may opt out anytime via the unsubscribe mechanism in messages or by contacting the DPO.
18. Third-party links & embedded content
Our Services may contain links to third-party sites. This Policy does not cover third-party practices. We encourage you to review their privacy policies before sharing personal data.
19. Changes to this Policy
We may revise this Policy periodically. Material changes will be published with an updated “Effective Date”. For significant changes we will endeavor to notify account holders by email or in-app notice.
20. Governing law & enforcement
This Policy and our processing activities are governed by the laws applicable to ACCELER TECHNOLOGY (Malaysia). For disputes relating to privacy or data processing, please contact the DPO first. You may also lodge a complaint with Malaysia’s Personal Data Protection Commissioner (PDPC) or other supervisory authority in your jurisdiction.
21. How to contact us
Data Protection Officer (DPO)
ACCELER TECHNOLOGY Sdn. Bhd.
Email: estateboostcopilot@gmail.com
Phone: +60 11-6966 0178 (WhatsApp only)
Address: Bandar Bukit Tinggi 2, Klang, 41200, Selangor, Malaysia
22. Appendix — Practical user notes & policies (operational)
- Downloads: Users can download their uploaded application PDFs and the issued Sijil PDF at any time (no expiry) via their account.
- Unpaid applications: Unpaid submissions will receive a warning; if payment is not completed within 30 days the application data will be deleted automatically.
- Data for model improvement: By default we may use de-identified data for model improvement; to opt out, contact the DPO. Full opt-out may be subject to operational limitations.
- Collection of Identity Numbers: We do not require your national identity number (e.g., NRIC / MyKad) during the standard account registration process. If a specific LHDN workflow or legal requirement necessitates the collection of such information in the future, we will provide a separate, specific notice and request your consent at that time.
- Data Backup and Recovery: You acknowledge that your data is stored in our active cloud infrastructure (database, cache, and blob storage). We rely on the high-availability and redundancy measures provided by our cloud partners (Vercel, Azure). We are actively working on implementing a formal, independent backup and disaster recovery plan to further enhance data resilience.
23. Legal & compliance recommendation (required)
This Policy is drafted to reflect your operations and international best practices (PDPA, GDPR-aware and CCPA-notes). It is strongly recommended you obtain a legal review by a qualified Malaysian data protection lawyer to:
1. Confirm PDPA-specific wording, mandatory notices, and cross-border transfer mechanics;
2. Review retention times for compliance with tax/accounting and LHDN obligations;
3. Validate breach-notification procedures in line with PDPC guidance.
Acceler Technology
2025