Privacy Policy
Last updated: February 2026
1. Introduction
iSewa ("we", "us", "our") is a property management platform operated in Malaysia. We operate the website isewa.com.my and the iSewa application (collectively, the "Platform"). This Privacy Policy explains in detail how we collect, use, store, disclose, and protect your personal information when you access or use our Platform.
We are committed to complying with the Malaysian Personal Data Protection Act 2010 ("PDPA") and all applicable data protection regulations. By using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.
This Privacy Policy applies to all users of the Platform, including property owners, tenants, property agents, contractors, lawyers, developers, buyers, delegates, and any other persons who access or use the Platform.
2. Data Controller
iSewa is the data controller responsible for your personal information collected through the Platform. If you have any questions or concerns regarding data protection, you may contact our Data Protection Officer (DPO):
- Data Protection Officer: dpo@isewa.com.my
- General Support: support@isewa.com.my
Our DPO is responsible for overseeing compliance with the PDPA and this Privacy Policy, and serves as the primary liaison with the Jabatan Perlindungan Data Peribadi (Personal Data Protection Department) of Malaysia.
3. Information We Collect
3.1 Personal Information You Provide
When you register for an account, use our services, or communicate with us, you may provide the following personal information:
- Identity Data: Full name, display name, profile photo, date of birth, and identification numbers (e.g., MyKad/IC number, passport number)
- Contact Data: Email address, phone number (mobile), and residential or business address
- Account Data: Username, password (stored in hashed form using bcrypt), two-factor authentication (2FA/TOTP) secrets, and recovery codes
- Organization Data: Company or organization name, registration number (SSM), and business details for property management companies, agencies, or contractor firms
- Property Data: Property addresses, ownership details, tenancy agreements, unit configurations, property photos, floor plans, and related documents
- Financial Data: Bank account details (encrypted using AES-256-GCM at the field level), invoice records, payment history, billing preferences, and tax-related information
- Communication Data: Messages sent through the Platform's messaging system, maintenance ticket descriptions, announcements, and comments
- Document Data: Files you upload to the Platform, including tenancy agreements, utility bills, receipts, legal documents, and other property-related documentation
3.2 Authentication Data
We support multiple authentication methods and collect associated data:
- Email/Password: Your email and a bcrypt-hashed password; we never store plaintext passwords
- Phone OTP: Your phone number for verification via one-time password (OTP) sent by SMS
- Social Login: When you authenticate via Google, Facebook, or Apple, we receive your name, email, and profile identifier from those services; we do not receive or store your social media passwords
- MyDigital ID: If you authenticate via Malaysia's MyDigital ID, we receive identity verification from the government identity provider
- Two-Factor Authentication: If enabled, we store an encrypted TOTP secret and one-time recovery codes
3.3 Automatically Collected Information
When you access the Platform, we automatically collect certain technical information:
- Device Information: Device type, operating system, browser type and version, screen resolution, and device identifiers
- Network Information: IP address, internet service provider, and approximate geolocation (country/city level)
- Usage Data: Pages visited, features used, timestamps, click patterns, session duration, referral URLs, and search queries within the Platform
- Performance Data: Page load times, error logs, and crash reports to help us improve the Platform's reliability
3.4 Information from Third Parties
We may receive information about you from:
- Property Managers or Owners: When they add you as a tenant, contractor, or other role on their property
- Invitation Links: When you accept an invitation to join a property or organization, we receive the referral context
- Utility Providers: If integrated, we may retrieve utility account information and billing data on your behalf with your consent
- Government Services: Through MyDigital ID or other Malaysian government digital identity services
4. Legal Basis for Processing
Under the PDPA 2010, we process your personal data based on the following lawful grounds:
- Consent (Section 6): When you register for the Platform, you provide explicit consent to process your personal data for the purposes described in this Privacy Policy. Your consent is recorded with a timestamp and version number (consentGivenAt, consentVersion) for auditability.
- Contractual Necessity: Processing necessary to provide you with the Platform's services as agreed in our Terms of Service, including property management, invoicing, maintenance tracking, and communication.
- Legitimate Interests: Processing for the purposes of fraud prevention, platform security, service improvement, and analytics, where such interests are not overridden by your data protection rights.
- Legal Obligations: Processing necessary to comply with Malaysian legal requirements, including financial record-keeping obligations, tax reporting, and court orders.
5. How We Use Your Information
We use your personal information for the following purposes:
5.1 Service Provision
- Creating and maintaining your account on the Platform
- Authenticating your identity and managing access permissions based on your roles
- Processing property management operations including invoicing, payment tracking, and billing
- Managing maintenance requests, work orders, and contractor assignments
- Storing and organizing property-related documents securely
- Enabling communication between Platform users (owners, tenants, agents, contractors, etc.)
- Supporting delegation features (family members, property managers)
5.2 Communication
- Sending service notifications, such as invoice due dates, maintenance updates, and lease reminders
- Delivering security alerts, including login notifications, 2FA prompts, and suspicious activity warnings
- Providing platform announcements, feature updates, and important service changes
- Responding to your inquiries and support requests
5.3 Platform Improvement
- Analyzing usage patterns and trends to improve features and user experience
- Conducting internal research and development for new Platform features
- Monitoring Platform performance, debugging issues, and ensuring stability
- Generating anonymized, aggregated statistics for business reporting
5.4 Security and Compliance
- Detecting, preventing, and responding to fraud, security incidents, and abuse
- Enforcing our Terms of Service and acceptable use policies
- Maintaining audit trails for compliance and accountability
- Complying with Malaysian legal and regulatory requirements
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data to any third party for marketing purposes. We may share your information only in the following circumstances:
6.1 Between Platform Users
Property-related data is shared between connected users as necessary for property management operations. For example:
- Property owners can see tenant contact information and tenancy details
- Tenants can see relevant property details and owner/agent contact information
- Agents can access properties they are assigned to manage on behalf of owners
- Contractors can view maintenance ticket details for jobs assigned to them
- Delegates can access properties for which the owner has granted them permission
The scope of shared information is limited to what is necessary for each role and is controlled by the role-based permission system within the Platform.
6.2 Third-Party Service Providers
We engage trusted third-party service providers to support the Platform's operations. These providers are contractually required to process your data only on our instructions and in compliance with applicable data protection laws. Our categories of service providers include:
- Cloud Infrastructure: Hosting and storage providers for Platform data and file uploads
- Email Delivery: Services for sending transactional emails, notifications, and alerts
- SMS/OTP Delivery: Providers for sending phone verification codes and SMS notifications
- Payment Processing: Third-party payment gateways for processing subscription payments (Pro plan)
- Authentication Providers: Social login providers (Google, Facebook, Apple) and MyDigital ID for identity verification
- Analytics: Privacy-focused analytics services that help us understand Platform usage
6.3 Legal Requirements
We may disclose your personal information when we believe in good faith that disclosure is necessary to:
- Comply with applicable Malaysian law, regulation, or legal process (including court orders)
- Respond to lawful requests from government authorities, including the Jabatan Perlindungan Data Peribadi
- Protect the rights, property, or safety of iSewa, our users, or the public
- Investigate or prevent potential violations of our Terms of Service
6.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to this Privacy Policy resulting from such a transaction.
7. Data Security
We take the security of your personal data seriously and implement comprehensive security measures consistent with industry best practices and PDPA requirements:
7.1 Encryption
- Data in Transit: All communications between your device and our servers are encrypted using TLS (Transport Layer Security)
- Data at Rest: Sensitive personal data, including IC numbers and bank account details, is encrypted using AES-256-GCM field-level encryption
- Passwords: User passwords are hashed using bcrypt with appropriate salt rounds; we never store plaintext passwords
7.2 Authentication and Access Control
- Secure JWT (JSON Web Token) authentication with refresh token rotation to prevent token theft
- Optional two-factor authentication (2FA/TOTP) for enhanced account security
- Account lockout protection after multiple failed login attempts
- Recovery codes for account access in case of 2FA device loss
- Role-based access control (RBAC) ensuring users can only access data relevant to their role
7.3 Infrastructure Security
- HTTP security headers (Content Security Policy, X-Frame-Options, etc.) enforced via Helmet
- Rate limiting on API endpoints to prevent brute-force and denial-of-service attacks
- Input validation and sanitization to prevent injection attacks
- Regular security audits and vulnerability assessments
- Comprehensive audit logging of security-relevant events
7.4 Personnel Controls
Access to personal data by our staff is limited to personnel who require it for their job functions, and all staff with access are bound by confidentiality obligations.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Our specific retention periods are:
| Data Category | Retention Period | Basis |
|---|---|---|
| Active user accounts | Duration of account + 30 days after deletion request | PDPA Section 10; Contractual necessity |
| Invoices and financial records | 7 years from the date of the transaction | Malaysian financial record-keeping regulations |
| Audit logs | 2 years | ISO 27001 / SOC 2 compliance framework |
| Security events and incident logs | 1 year | Incident investigation and compliance |
| Login sessions | Until session expiry or logout | Operational necessity |
| Uploaded files and documents | Duration of account | User consent |
| Soft-deleted accounts | 30 days (grace period for recovery) | PDPA compliance; user convenience |
8.1 Automated Data Purge
We operate an automated data retention enforcement system:
- A daily automated process (running at 2:30 AM MYT) permanently deletes user accounts that have been in soft-deleted status for more than 30 days
- Expired login sessions are cleaned automatically on a daily basis
- All automated purge operations are recorded in our audit logs for compliance accountability
9. Your Rights Under the PDPA
Under the Malaysian Personal Data Protection Act 2010, you have the following rights regarding your personal data:
9.1 Right of Access
You have the right to request access to the personal data we hold about you. You may submit a Data Subject Access Request (DSAR) through the Platform or by emailing our DPO at dpo@isewa.com.my. We will respond to verified access requests within 21 days, as required by the PDPA.
Your data export will include: profile information, consent records and history, tenancy records and invoices, property and ownership records, uploaded document metadata, audit log entries, and security event records.
9.2 Right to Correction
You have the right to request correction of any inaccurate or incomplete personal data. You may update most of your information directly through your profile settings. For data that cannot be self-corrected, please contact our DPO.
9.3 Right to Withdraw Consent
You may withdraw your consent for the processing of your personal data at any time. You may do this through the Platform's settings or by contacting our DPO. Please note that withdrawing consent may affect your ability to use certain features of the Platform, and we will inform you of any consequences before processing your withdrawal.
Consent withdrawal does not affect the lawfulness of processing carried out before the withdrawal or processing that is based on other lawful grounds (e.g., legal obligations).
9.4 Right to Deletion
You may request deletion of your account and associated personal data at any time. Upon receiving a deletion request:
- Your account will be immediately soft-deleted (deactivated)
- You will have a 30-day grace period during which you may reactivate your account
- After 30 days, your personal data will be permanently and irreversibly deleted
- Certain data may be retained beyond this period where required by law (e.g., financial records for 7 years)
9.5 Right to Prevent Processing
You have the right to prevent the processing of your personal data for direct marketing purposes. We do not engage in direct marketing to users, but you may opt out of non-essential communications through your notification preferences in the Platform settings.
9.6 How to Exercise Your Rights
To exercise any of your rights, you may:
- Use the relevant self-service options within the Platform (profile settings, account deletion)
- Email our DPO at dpo@isewa.com.my
- Write to us at the address provided in the Contact section below
We may ask you to verify your identity before processing your request to ensure the security of your personal data.
10. Data Breach Notification
In the event of a personal data breach that is likely to cause significant harm to affected data subjects, we will:
- Notify the Jabatan Perlindungan Data Peribadi (PDPA Commissioner) within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay, providing details of the breach, the potential consequences, and the measures we have taken or propose to take
- Document the breach in our internal incident management system, including severity level, affected data categories, number of affected users, root cause analysis, and remediation steps
11. International Data Transfers
Your data is primarily stored and processed in Malaysia. In some cases, your data may be processed in other jurisdictions when using third-party cloud infrastructure or service providers. Where such transfers occur, we ensure that:
- Appropriate safeguards are in place, including contractual data protection terms with our service providers
- The receiving jurisdiction provides an adequate level of data protection, or appropriate contractual measures are implemented
- Transfers comply with the requirements of the PDPA 2010 (Section 129)
12. Cookies and Tracking Technologies
12.1 Essential Cookies
We use strictly necessary cookies for the following purposes:
- Authentication: Session cookies to maintain your logged-in state and manage secure access
- Security: CSRF (Cross-Site Request Forgery) protection tokens
- Preferences: Language and theme preference storage
These cookies are essential for the Platform to function and cannot be disabled.
12.2 Analytics Cookies
We may use privacy-focused analytics to understand how users interact with the Platform. These analytics are configured to:
- Not collect or store personally identifiable information
- Use anonymized or aggregated data only
- Not share data with advertising networks
12.3 Third-Party Cookies
We do not use advertising or remarketing cookies. We do not allow third-party advertising networks to place cookies on the Platform.
12.4 Managing Cookies
You can control and manage cookies through your browser settings. Please note that disabling essential cookies may prevent certain features of the Platform from functioning properly.
13. Automated Decision-Making
The Platform does not use automated decision-making or profiling that produces legal effects or similarly significantly affects you. Any automated processing (such as billing cycle predictions or maintenance priority suggestions) is used solely to assist users and does not replace human decision-making.
14. Children's Privacy
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete such data from our systems.
If you are a parent or guardian and believe your child has provided us with personal data, please contact our DPO at dpo@isewa.com.my so that we can take appropriate action.
15. Third-Party Links
The Platform may contain links to third-party websites, services, or resources that are not operated by us. We are not responsible for the privacy practices of these third parties and recommend that you review their privacy policies before providing any personal data.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform's features, or legal requirements. When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify registered users by email or through the Platform's notification system
- Where required by the PDPA, we will obtain fresh consent for material changes affecting how we process your personal data
- We maintain a version history of consent to ensure auditability
Your continued use of the Platform after any changes constitutes your acceptance of the updated Privacy Policy.
17. Complaints
If you believe that we have not handled your personal data in accordance with this Privacy Policy or the PDPA 2010, you may:
- Contact our DPO at dpo@isewa.com.my to raise your concern
- Lodge a complaint with the Jabatan Perlindungan Data Peribadi (Personal Data Protection Department of Malaysia) at www.pdp.gov.my
18. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us:
iSewa
- Data Protection Officer: dpo@isewa.com.my
- General Support: support@isewa.com.my