Effective date: 3 July 2026 · Version 1.0 · Mengira Holdings Sdn Bhd
Kira is an AI-powered personal finance app developed by Mengira Holdings Sdn Bhd ("we", "us", "our"). Kira helps you track spending by scanning receipts and logging expenses automatically.
This Privacy Policy explains what personal data we collect, how we use it, and your rights under the Personal Data Protection Act 2010 (PDPA) of Malaysia.
By using Kira, you consent to the practices described in this policy.
| Data Type | What Specifically | Why It's Used |
|---|---|---|
| Account data | Name, email address, hashed password | Authentication and account management |
| Payment method registry | Bank name, card nickname, last 4 digits, card type | Auto-tagging transactions from receipts. Last 4 digits only — never full card numbers. |
| Transaction records | Merchant name, amount, date, category, payment method, notes | Your spending history — the core product |
| Receipt images | Photos you take or upload | OCR processing to extract transaction data; linked to your transaction record |
| Spending limits | RM limits you set per category | Drives notification alerts |
| Notification preferences | Which alerts you enable | Delivering the right push notifications |
| Device push token | Your device's APNs / FCM token | Sending spending alerts to your phone |
| Session data | JWT access and refresh tokens | Keeping you logged in securely |
Kira uses the following external services to operate. Each receives limited data to perform its function.
| Service | Data Shared | Notes |
|---|---|---|
| Supabase (database & auth) | Transactions, account info, spending limits | SOC 2 Type II certified. Hosted in Singapore (ap-southeast-1). Row-Level Security enforced. |
| Anthropic Claude API (OCR) | Receipt images sent as base64 for text extraction | Images are processed and not retained. US-based service — cross-border transfer disclosed here. |
| Apple APNs / Google FCM | Device push token; notification text | Notification content does not include transaction amounts. |
| Apple App Store / Google Play | App binary; anonymised crash reports (if you consent) | Standard platform terms apply. |
Cross-border transfers: The Anthropic Claude API processes data on servers outside Malaysia. This is required for receipt scanning to function. By using the scan feature, you consent to this transfer.
| Right | How Kira Delivers It |
|---|---|
| Right to access | Export all your transactions as PDF from Settings → Export PDF at any time. |
| Right to correct | Every transaction field is editable. Changes take effect immediately. |
| Right to withdraw consent | Delete your account from Settings → Account. All data is removed within 30 days. |
| Right to know | This Privacy Policy, written in plain language. No buried legalese. |
| Right to object | Anonymised aggregate analytics are opt-in only. Default is opted out. |
We keep your data for as long as your account is active. When you delete your account:
If a data breach occurs that affects your personal data:
We may update this Privacy Policy from time to time. If we make changes that reduce your rights, we will give you 30 days' notice by email and in-app notification, and you will have the option to delete your account before the changes take effect.
The effective date at the top of this page always shows when this version was last updated.
For any privacy questions, data access requests, or account deletion:
Email: privacy@mengira.com.my
Company: Mengira Holdings Sdn Bhd
We aim to respond to all privacy enquiries within 5 business days.