Legal

Privacy Policy

Effective date: 3 July 2026  ·  Version 1.0  ·  Mengira Holdings Sdn Bhd

Contents

  1. Who We Are
  2. Our Principles
  3. What We Collect and Why
  4. Third-Party Services
  5. Your Rights Under PDPA
  6. Data Retention
  7. Security
  8. What We Will Never Do
  9. Data Breach Response
  10. Changes to This Policy
  11. Contact Us

1. Who We Are

Kira is an AI-powered personal finance app developed by Mengira Holdings Sdn Bhd ("we", "us", "our"). Kira helps you track spending by scanning receipts and logging expenses automatically.

This Privacy Policy explains what personal data we collect, how we use it, and your rights under the Personal Data Protection Act 2010 (PDPA) of Malaysia.

By using Kira, you consent to the practices described in this policy.

2. Our Principles

Privacy by default. We collect the minimum data needed to deliver the feature. If a feature can work without a piece of data, we don't collect it.
No bank login, ever. Kira never asks for banking credentials and never integrates with Open Banking APIs to pull transaction data automatically.
Your data is not a product. Individual transaction data is never sold, shared with advertisers, or disclosed to any government body without a court order.
Transparency over convenience. We tell you exactly what is collected, where it goes, and how long it is kept — in plain language.

3. What We Collect and Why

Data Type | What Specifically | Why It's Used
Account data | Name, email address, hashed password | Authentication and account management
Payment method registry | Bank name, card nickname, last 4 digits, card type | Auto-tagging transactions from receipts. Last 4 digits only — never full card numbers.
Transaction records | Merchant name, amount, date, category, payment method, notes | Your spending history — the core product
Receipt images | Photos you take or upload | OCR processing to extract transaction data; linked to your transaction record
Spending limits | RM limits you set per category | Drives notification alerts
Notification preferences | Which alerts you enable | Delivering the right push notifications
Device push token | Your device's APNs / FCM token | Sending spending alerts to your phone
Session data | JWT access and refresh tokens | Keeping you logged in securely

What we explicitly do not collect

4. Third-Party Services

Kira uses the following external services to operate. Each receives limited data to perform its function.

Service | Data Shared | Notes
Supabase (database & auth) | Transactions, account info, spending limits | SOC 2 Type II certified. Hosted in Singapore (ap-southeast-1). Row-Level Security enforced.
Anthropic Claude API (OCR) | Receipt images sent as base64 for text extraction | Images are processed and not retained. US-based service — cross-border transfer disclosed here.
Apple APNs / Google FCM | Device push token; notification text | Notification content does not include transaction amounts.
Apple App Store / Google Play | App binary; anonymised crash reports (if you consent) | Standard platform terms apply.

Cross-border transfers: The Anthropic Claude API processes data on servers outside Malaysia. This is required for receipt scanning to function. By using the scan feature, you consent to this transfer.

5. Your Rights Under PDPA

Right | How Kira Delivers It
Right to access | Export all your transactions as PDF from Settings → Export PDF at any time.
Right to correct | Every transaction field is editable. Changes take effect immediately.
Right to withdraw consent | Delete your account from Settings → Account. All data is removed within 30 days.
Right to know | This Privacy Policy, written in plain language. No buried legalese.
Right to object | Anonymised aggregate analytics are opt-in only. Default is opted out.

6. Data Retention

We keep your data for as long as your account is active. When you delete your account:

7. Security

8. What We Will Never Do

9. Data Breach Response

If a data breach occurs that affects your personal data:

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make changes that reduce your rights, we will give you 30 days' notice by email and in-app notification, and you will have the option to delete your account before the changes take effect.

The effective date at the top of this page always shows when this version was last updated.

11. Contact Us

For any privacy questions, data access requests, or account deletion:

Email: privacy@mengira.com.my

Company: Mengira Holdings Sdn Bhd

We aim to respond to all privacy enquiries within 5 business days.