Privacy Policy

Account information — your name, email address, and profile photo provided when you sign up (via Google or email/password).

Receipt images — photos or scanned images you upload via the camera scan feature, stored securely in our cloud infrastructure.

Email content — emails forwarded to your unique r3sit.ai inbound address. The raw email (including any PDF attachments) is stored securely for processing and audit trail.

Touch 'n Go phone number— if you use the Touch 'n Go eWallet statement import feature, you may provide your TNG-registered phone number so we can decrypt your password-protected statement PDF. This number is stored encrypted at rest and is used solely for PDF decryption.

Extracted receipt data — structured information our AI reads from your receipts: merchant name, date, line items, quantities, prices, and totals. Stored in our database.

Semantic embeddings — numerical vector representations of your receipt data, used to power natural language search.

Usage data — logs of actions taken within the app (e.g., pages visited, features used), used to improve the service. No third-party analytics scripts are loaded on the client side.

Receipt extraction — images and email content are processed by AI services to extract structured receipt data. Where sub-processors are involved (see §4), they are contractually bound to process your data only on our instructions and for no other purpose.

Semantic search— extracted data is converted into embeddings to power natural language queries like “how much did I spend on groceries last month?”

AI chat — your receipt history is used as context for answering conversational queries about your spending.

Tax relief categorization — for Pro subscribers, extracted items are matched against LHDN relief categories to help estimate claimable amounts. This is informational only — not professional tax advice.

Service communications — we may send transactional emails (e.g., receipt processed, account alerts). We do not send marketing emails without explicit opt-in.

All data is stored within Amazon Web Services (AWS) in the ap-southeast-1 (Singapore) region. Receipt images and raw emails are stored in cloud object storage. Structured data is stored in a managed relational database. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

Cross-border transfer: By storing data in Singapore, your personal data is transferred outside Malaysia. Singapore is recognised as providing an adequate level of data protection comparable to the PDPA 2010, and AWS is bound by standard contractual data protection obligations. We take all reasonable steps to ensure your data receives equivalent protection.

Access to your data is restricted to you alone. We enforce row-level isolation in our database — no user can access another user's receipts.

Authentication is handled by Auth0, a trusted third-party identity provider. We do not store passwords ourselves.

Data breach notification: In the event of a personal data breach that is likely to result in a risk to your rights or interests, we will notify you and the relevant authorities within 72 hours of becoming aware of the breach, where reasonably practicable.

We share your personal data with the following sub-processors solely to provide the Service. Each is bound by data processing agreements that restrict use of your data to our instructions:

• Auth0 (Okta) — authentication and user management
• Amazon Web Services (AWS) — cloud infrastructure, storage, and AI processing (including AWS Bedrock for receipt extraction and natural language features)
• Stripe — payment processing for Pro subscriptions
• Axiom — application logging and observability (receives anonymised usage logs and error traces)

We do not sell, rent, or share your personal data with any other third parties for marketing or advertising purposes. We do not use your receipt data to train AI models.

Your receipt data is retained for as long as your account is active. You can delete individual receipts at any time from the dashboard.

When you delete your account, all personal data — including receipt images, extracted data, embeddings, and email content — is permanently deleted within 30 days.

Raw email files are retained for 90 days after processing and then automatically deleted, unless you request earlier removal.

Under the Personal Data Protection Act 2010 (Malaysia), you have the following statutory rights:

• Access (s.30) — request a copy of the personal data we hold about you
• Correction (s.34) — request that inaccurate or incomplete data be corrected
• Withdraw consent (s.38) — withdraw your consent to processing at any time (this may limit your ability to use the service)
• Prevention of harmful processing (s.42) — request that we cease or restrict processing that is causing or is likely to cause you damage or distress

In addition, as a contractual right under our Terms and Conditions, you may delete your account at any time, which will result in permanent deletion of all your personal data within 30 days.

To exercise any of these rights, contact us at support@r3sit.ai. We will respond within 14 days.

We use session cookies for authentication. We do not use tracking or advertising cookies. You can disable cookies in your browser, but this will prevent you from logging in.

r3sit.ai is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with their data, please contact us immediately.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or an in-app notice at least 14 days before taking effect. The effective date at the top of this page reflects the most recent revision.

If you have any questions about this Privacy Policy or how we handle your data:

• Email: support@r3sit.ai
• Company: Jeveloper Tech (202403328793 / AS0488378-U)
• Address: 8, Lorong Pengkalan Machang 3, Taman Pengkalan Machang, Sungai Dua, 13800 Butterworth, Pulau Pinang, Malaysia