
Privacy Policy

Last updated: 31 May 2026

Notice: This document is pending legal review and is provided for transparency purposes. For questions, contact hello@saffly.my.

[COMPANY NAME] ("Saffly", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have — in accordance with Malaysia's Personal Data Protection Act 2024 (PDPA 2024).

This Policy applies to all users of the Saffly mobile application ("App") and website at saffly.my. By using the Service, you consent to the collection and use of your data as described in this Policy.

We do not sell your personal data. We never have, and we never will.

1. Information We Collect

1.1 Information You Provide Directly

  • Phone number — Required for registration and OTP authentication. This is your primary account identifier.
  • Display name — Optional. Used to personalise your in-app experience and appear on your profile.
  • Email address — Optional. May be provided for receipt delivery or account recovery.

1.2 Transaction Information

  • Donation history — The institutions and campaigns you have donated to, amounts (in sen), dates, and payment references.
  • Payment status — Whether a donation was completed, pending, or failed. We do not store your bank account number or internet banking credentials — these remain with your bank and HerePay.
  • Digital receipts — Generated automatically for each completed donation and stored on your behalf.

1.3 Information Collected Automatically

  • Device information — Device model, operating system version, and App version. Used for debugging and compatibility.
  • Session data — Timestamps of App sessions and feature interactions. Used to understand how the App is used and to improve it.
  • Error and crash logs — Anonymised diagnostic data collected when the App encounters an error. Does not include personal data.

1.4 Information We Do Not Collect

  • Bank account numbers, internet banking credentials, or card details (handled entirely by HerePay);
  • Precise GPS location (we may offer general location-based filtering in future, with your explicit consent);
  • Contacts, camera, or microphone data;
  • Data from minors — see Section 7.

2. How We Use Your Information

We use the data we collect for the following purposes:

  • Account creation and authentication — To verify your identity via OTP and create your user account;
  • Donation processing — To initiate, record, and confirm payments via FPX through HerePay;
  • Receipt generation — To produce and store digital receipts for each completed donation;
  • Giving history — To display your personal donation history within the App;
  • Service communications — To send transactional notifications (e.g., donation confirmation, receipt availability);
  • Service improvement — To analyse usage patterns, diagnose technical issues, and improve App features;
  • Legal compliance — To meet our obligations under Malaysian law, including financial record-keeping and regulatory reporting where required.

We will not use your data for purposes other than those listed above without obtaining your explicit consent first.

3. Information Sharing and Disclosure

We do not sell, rent, or trade your personal data to any third party, for any purpose, ever.

We share data only with the following trusted service providers, strictly for the purposes listed:

3.1 HerePay

Our payment service provider, authorised under Malaysia's Payment Services Act 2019. HerePay receives the minimum data necessary to initiate and process FPX payments (amount, reference, redirect URLs). HerePay handles all sensitive payment data and is bound by its own regulatory obligations. We do not receive or store your banking credentials.

3.2 Supabase

Our authentication and database platform. Supabase stores your account data (phone number, display name, email), donation records, and app data on servers hosted on cloud infrastructure. Supabase processes data in accordance with its Data Processing Agreement and applicable data protection law.

3.3 Cloudflare

We use Cloudflare for infrastructure, DNS management, and serving our website and admin panel. Cloudflare may process network request metadata (IP addresses, request logs) for security and performance purposes. Cloudflare's privacy practices are governed by its privacy policy.

3.4 Twilio

We use Twilio (via Supabase Auth) to deliver one-time passwords (OTPs) via SMS. Twilio receives your phone number for the sole purpose of delivering the OTP message. Twilio does not retain this data beyond the delivery window.

3.5 Legal Disclosure

We may disclose your personal data if required to do so by a Malaysian court order, law enforcement authority, or regulatory body, or if we believe in good faith that such disclosure is necessary to protect the rights, safety, or property of Saffly, our users, or the public.

4. Data Security

We take the security of your personal data seriously and implement technical and organisational measures appropriate to the risks involved:

  • Encryption in transit — All data exchanged between the App and our servers is encrypted using TLS (HTTPS);
  • Secure token storage — Authentication tokens are stored in the device's secure storage (not in plain SharedPreferences or localStorage), reducing the risk of token theft;
  • Bank account encryption — Institution bank account details held by us are encrypted at rest using AES-256-GCM before being stored in the database;
  • Access controls — Access to personal data is restricted to authorised personnel with a legitimate operational need;
  • Regular reviews — We conduct periodic reviews of our security practices and update them as threats evolve.

No system is perfectly secure. In the event of a data breach that is likely to affect your rights, we will notify you as required under PDPA 2024 and take all reasonable steps to contain and remediate the breach.

5. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected:

  • Active account data (phone number, display name, email) — Retained for the lifetime of your account. If you delete your account, this data is permanently removed within 30 days, except where retention is required by law.
  • Donation records (amounts, references, institution, date, status, receipts) — Retained for 7 years from the date of the transaction. This period is required for financial compliance, audit obligations, and to allow disputes or investigations to be properly resolved.
  • Error and diagnostic logs — Retained for up to 90 days, after which they are automatically deleted. These logs do not contain personally identifiable information.

Upon account deletion, your personal profile data is removed and your donation history is anonymised — transaction records are retained but no longer linked to your identity.

6. Your Rights Under PDPA 2024

Under Malaysia's Personal Data Protection Act 2024, you have the following rights with respect to your personal data:

  • Right of Access — You may request a copy of the personal data we hold about you. We will provide this within a reasonable time.
  • Right to Correction — You may request that we correct any personal data that is inaccurate, incomplete, or outdated. You can update your display name and email directly in the App at any time.
  • Right to Withdraw Consent — You may withdraw your consent to our processing of your personal data at any time by requesting account deletion. Please note that withdrawal of consent may affect your ability to use the Service, and certain data may be retained as required by law.
  • Right to Limit Processing — In certain circumstances, you may request that we limit the processing of your data to storage only, pending resolution of a dispute or correction request.

To exercise any of these rights, contact us at hello@saffly.my with your registered phone number and a description of your request. We will respond within 14 business days.

7. Children's Privacy

The Saffly Service is not intended for, and should not be used by, individuals under the age of 18. We do not knowingly collect or solicit personal data from minors.

If we become aware that we have inadvertently collected personal data from a person under 18 years of age, we will take immediate steps to delete that data and terminate the associated account. If you believe a minor has registered an account on our platform, please notify us at hello@saffly.my.

8. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable Malaysian law. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page;
  • Notify you via an in-app notification or by email (if an email address is on file) at least 14 days before the changes take effect, where practicable.

Your continued use of the Service following any changes constitutes your acceptance of the revised Policy. If you do not agree with the updated Policy, you may request account deletion by contacting us.

9. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or the handling of your personal data, please contact us:

  • Email: hello@saffly.my
  • Website: saffly.my

We take all privacy enquiries seriously and aim to respond within 5 business days.

© 2026 Saffly. All rights reserved.