Privacy Policy — GetPay
Last updated: 2026-05-13 Version: v1.1
This Privacy Policy explains how TELEBORT AI STUDIO PLT (LLP0046066-LGN) ("Telebort", "we", "us", "our") collects, uses, discloses, and protects personal data in connection with the GetPay service, accessible at https://getpay.cc (the "Service").
This Policy is issued pursuant to the Personal Data Protection Act 2010 ("PDPA") of Malaysia. Telebort is the data controller for personal data processed in connection with the Service.
1. Scope
1.1 This Policy applies to personal data we collect about: (a) users who register for and use the Service ("Customers"); (b) end users whose data Customers process through the Service (e.g., your customers, suppliers, employees — "Customer Data Subjects"); (c) visitors to https://getpay.cc.
1.2 Where you process personal data of Customer Data Subjects through the Service, you (the Customer) are the data controller and we act as a data processor on your behalf. The terms of that processing are described in our standard Data Processing Agreement.
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Account and Identity Data
- Full name, email address, phone number, business name, position
- Authentication credentials (hashed; we never see your password in plain text)
- Identity verification information (where required for compliance with anti-money-laundering law)
2.2 Billing and Payment Data
- Billing name and address
- Payment method details (processed by our payment processor; we do not store card numbers)
- Transaction history and invoice records
2.3 Service Usage Data
- IP address, browser type, device identifiers, operating system
- Pages viewed, features used, click streams, session duration
- Error logs, performance metrics
2.4 Customer-Uploaded Data
- Accounting records, invoices, bills, bank transactions, customer/supplier records, journal entries
- Documents you upload (receipts, PDFs, contracts)
- Any personal data of third parties (your customers, suppliers, employees) that you choose to enter into the Service — for which you are the data controller
2.5 Communication Data
- Support tickets, chat messages, emails to our team
- Survey responses, feedback
2.6 Cookies and Similar Technologies
- Strictly necessary cookies (session management, security)
- Analytics cookies (with your consent)
- See section 9 for details
3. Sources of Personal Data
3.1 Directly from you — when you register, configure your account, upload data, or contact support.
3.2 From your use of the Service — automatically collected usage data, device data, and cookies.
3.3 From third-party integrations you connect — e.g., bank transaction imports, MyInvois portal, payment gateway providers.
3.4 From third parties — identity verification providers, fraud-prevention services, business directories (where lawful).
4. Purposes and Legal Basis for Processing
We process personal data for the following purposes, with the indicated legal basis under the PDPA:
| Purpose | Legal basis (PDPA) |
|---|---|
| Provide, operate, and improve the Service | Contract performance; legitimate interest |
| Authenticate users and secure accounts | Contract performance; legitimate interest |
| Process payments and billing | Contract performance; legal obligation |
| Comply with tax, accounting, anti-money-laundering, and other legal obligations | Legal obligation |
| Communicate with you (transactional emails, support, service announcements) | Contract performance; legitimate interest |
| Send marketing communications | Consent (you may opt out at any time) |
| Detect, prevent, and respond to fraud, security incidents, and abuse | Legitimate interest; legal obligation |
| Develop and improve features, including AI/machine-learning models trained on aggregated or de-identified data | Legitimate interest (with safeguards) |
| Defend or assert legal claims | Legitimate interest; legal obligation |
5. How We Share Personal Data
We do not sell personal data. We may share personal data with the following categories of recipients:
5.1 Service Providers (Sub-processors)
We engage trusted third-party service providers to operate the Service. Current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States / Singapore |
| Vercel | Application hosting, edge compute | United States / global |
| Anthropic | AI processing (for AI-assisted features) | United States |
| Stripe (where applicable) | Payment processing | United States / Singapore |
| Email delivery providers | Transactional email | United States / EU |
A current list is available on request to studio.telebort@gmail.com. Each sub-processor is bound by confidentiality and data protection obligations.
AI sub-processor — no-training assurance. Under our agreement with Anthropic, Anthropic does not train its AI models on data we send through the AI features (per Anthropic's commercial terms). That sub-processor relationship is inference-only — i.e., real-time AI outputs returned to you. This is distinct from the "AI/machine-learning models trained on aggregated or de-identified data" line in clause 4 above, which refers to Telebort's own model-improvement activities and is governed by the safeguards described there.
5.2 Authorities and Law Enforcement
We may disclose personal data when required by law, subpoena, court order, or to protect legal rights, prevent fraud, or comply with anti-money-laundering / tax-reporting obligations (including LHDN submissions where you direct us to submit e-Invoices on your behalf).
5.3 Business Transfers
If we are involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction, subject to confidentiality.
5.4 With Your Consent
We may share personal data for purposes not listed above only with your consent.
6. International Data Transfers
6.1 Your personal data may be transferred to and processed in countries outside Malaysia, including the United States, Singapore, and the European Union, where some of our sub-processors operate.
6.2 We rely on contractual safeguards (data processing agreements, standard contractual clauses, or equivalent) to protect personal data transferred outside Malaysia, in accordance with Section 129 of the PDPA.
7. Data Retention
7.1 We retain personal data only as long as necessary to fulfil the purposes set out in this Policy, comply with legal obligations, resolve disputes, and enforce agreements.
7.2 General retention guidelines:
| Data category | Retention period |
|---|---|
| Account and identity data | Duration of subscription + 7 years (to meet Malaysian tax-record retention under Section 82 of the Income Tax Act 1967) |
| Customer-uploaded accounting records | Duration of subscription + 7 years, or as you instruct upon termination |
| Billing and payment records | 7 years from the date of the transaction |
| Service usage logs | 13 months (rolling) |
| Communication records | 3 years from the date of the communication |
| Marketing consent records | Until withdrawn + 3 years |
7.3 Upon termination of your account, we will retain Customer-uploaded data for thirty (30) days in exportable form, after which we may delete it (subject to legal retention obligations in clause 7.2).
8. Security
8.1 We implement reasonable technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest (where applicable)
- Access controls and authentication (including multi-factor authentication options)
- Regular security testing and code review
- Segregation of duties and least-privilege access for our team
- Logging and monitoring of administrative actions
- Incident response procedures
8.2 No system is perfectly secure. In the event of a personal data breach likely to cause harm, we will notify affected data subjects and the Personal Data Protection Commissioner as required under applicable law.
8.3 You are responsible for protecting your account credentials and notifying us promptly of any unauthorized access.
9. Cookies and Similar Technologies
9.1 We use cookies and similar technologies for the following purposes:
| Category | Purpose | Consent required? |
|---|---|---|
| Strictly necessary | Session management, security, load balancing | No |
| Functional | Remembering preferences (language, theme) | Implied consent |
| Analytics | Aggregated usage statistics | Yes (opt-in) |
| Marketing | None currently | N/A |
9.2 You may manage cookie preferences via your browser settings. Disabling strictly necessary cookies will impair the Service.
10. Your Rights Under the PDPA
If you are a data subject whose personal data we process, you have the following rights under the Personal Data Protection Act 2010:
- Right of Access (Section 30) — Request access to your personal data and a description of the processing.
- Right of Correction (Section 34) — Request correction of inaccurate, incomplete, misleading, or outdated data.
- Right to Withdraw Consent (Section 38) — Withdraw consent at any time. We will cease processing within a reasonable period.
- Right to Prevent Processing Likely to Cause Damage or Distress (Section 42) — Require us to cease processing for purposes likely to cause substantial damage or distress.
- Right to Prevent Processing for Direct Marketing (Section 43) — Require us to cease processing for direct marketing.
Submitting Requests
To exercise these rights, contact studio.telebort@gmail.com. We will respond within twenty-one (21) days of receipt of a complete request, as required by Section 31 of the PDPA. A prescribed fee may apply for access requests.
Right to Lodge a Complaint
If you are dissatisfied with our handling of your personal data, you may lodge a complaint with the Personal Data Protection Commissioner Malaysia at https://www.pdp.gov.my.
11. Children's Data
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child, we will delete it promptly.
12. Customer Data Subjects (Data Processing on Your Behalf)
12.1 Where you (the Customer) upload personal data about third parties (your customers, suppliers, employees) into the Service, you are the data controller for that data and we act as your data processor.
12.2 Our processing on your behalf is governed by our standard Data Processing Agreement (available on request). In summary, we will:
- Process Customer Data only on your documented instructions
- Implement appropriate security measures
- Engage sub-processors subject to equivalent data protection obligations
- Assist you in responding to data subject requests
- Notify you of personal data breaches without undue delay
- Return or delete Customer Data on termination
13. Changes to This Policy
13.1 We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent revision.
13.2 For material changes, we will provide notice via email or in-Service notification at least thirty (30) days before the effective date. Continued use of the Service after the effective date constitutes acceptance.
14. Contact
For privacy questions, requests, or complaints:
TELEBORT AI STUDIO PLT (LLP0046066-LGN) Data Protection Contact: studio.telebort@gmail.com Address: George Town, Pulau Pinang, Malaysia
Version log
- v1.0 — 2026-05-11 — Initial draft (Claude Code, studio/legal/ kit launch)
- v1.1 — 2026-05-13 — Add AI sub-processor no-training assurance after §5.1 sub-processor table (per Anthropic Commercial Terms Section B)