Section 01

The Gatekeeper Principle: Data User vs. Data Processor

Under Malaysia's Personal Data Protection Act 2010 (PDPA 2010), roles in data handling are legally defined. These distinctions determine who holds accountability for what.

You are the Data User (Controller)

The User — the Auditor, SME owner, or business entity operating on GetZenta — is the "Data User" under PDPA 2010. You determine the purpose for which personal data is collected and processed. You hold primary legal accountability for the lawfulness of your data inputs and for obtaining all necessary consents from your own clients and data subjects before processing their information through the platform.

We are the Data Processor

Zenta Technologies Sdn. Bhd. is the "Data Processor". We process personal data only on your instruction and only for the purposes you have defined. We do not determine the purpose of processing. We do not sell, rent, trade, or commercially exploit user data for any purpose beyond platform delivery.

Your Warranty

By using GetZenta, you warrant that you have obtained all necessary consents from your clients, staff, and data subjects to process their documents through the platform. You acknowledge responsibility for the lawfulness of your data inputs under the Income Tax Act 1967 and PDPA 2010.

Section 02

What Data We Collect

GetZenta applies the principle of data minimisation — we collect only what is necessary to deliver the service you have requested. Nothing more.

Account & Identity Data

  • Full name, email address, and mobile number for account creation
  • Organisation name, registration number (if provided), and business type
  • Role assignment within the platform: Auditor, SME, or Staff
  • Authentication credentials — stored in hashed form. We never store plaintext passwords.

Receipt & Document Data

  • Images and files of receipts, invoices, and supporting documents you submit
  • AI-extracted fields: merchant name, transaction date, total amount, tax values, and transaction reference numbers
  • Confidence scores and risk signals generated during AI extraction
  • Business purpose notes and descriptions you add to records

Audit Trail & Review Data

  • Human review decisions, override reasons, and approval timestamps
  • Compliance state changes and exception routing history
  • Reviewer identity associated with each decision (organisation-scoped)

Usage & Technical Data

  • Session metadata, platform interaction logs, and feature usage patterns
  • Credit consumption records and subscription status
  • Device type, browser, and security metadata, including IP address where required for security monitoring
  • Error logs used to diagnose and resolve technical issues

We do not read, analyse, or store document content for any purpose beyond the extraction workflow you initiate. We do not collect data beyond what you submit.

Section 03

How We Use Your Data

Personal data is used exclusively for the following defined purposes. We do not use your data for advertising, third-party profiling, or any purpose outside this list.

Platform Delivery

To operate GetZenta, process receipts, generate evidence trails, manage your workspace, and deliver the features described in our Terms of Service.

Compliance Support

To support LHDN MyInvois workflows, ISA 230 and ISA 500 audit documentation, and PDPA 2010 data governance — as directed by you as the Data User.

Security & Integrity

To detect and respond to security incidents, prevent abuse, enforce access controls, and maintain the integrity of the tenant-isolation architecture.

Service Communications

To send transactional notices: account verification, password resets, credit usage alerts, and subscription status updates. We do not send marketing communications without your explicit consent.

Legal & Regulatory Obligations

To comply with applicable Malaysian law, respond to lawful regulatory requests, and maintain records required under the Income Tax Act 1967 and PDPA 2010.

ℹ️

We do not use your data to train AI models. Your receipt data and audit trail records are not used as training inputs for any machine learning system operated by Zenta Technologies or its sub-processors.

Section 04

AI & Automated Processing Disclosure

In compliance with the Notice and Choice Principle under PDPA 2010, we disclose that GetZenta uses authorised third-party AI services, including optical character recognition (OCR) and document-understanding processors, to extract structured data from the documents you submit.

What AI Does in GetZenta

  • Reads receipt and invoice images to extract structured fields
  • Generates confidence scores to indicate extraction reliability
  • Identifies risk signals such as high-value transactions or unclear merchants
  • Routes low-confidence or high-risk records to a human review queue

What AI Does Not Do

  • AI does not make final compliance determinations or grant LHDN submission readiness status
  • AI does not certify audit evidence, issue professional opinions, or replace auditor judgment
  • AI does not approve high-risk records — these are always escalated to human review
  • AI output is never presented as legally binding without human review and sign-off

Human-in-the-Loop Architecture

GetZenta is architecturally designed to prevent solely automated decision-making on compliance-critical matters. Every extracted record requires a Human Override or Approval by the User before it is treated as certified evidence. This is a structural guarantee built into the platform, not a policy preference.

AI Sub-Processors

AI processing is performed through third-party cloud AI services. We do not name specific model versions in this policy as our technical stack may be updated without notice — naming a specific version would create a misleading disclosure lock. Our active AI sub-processors are maintained in the Data Processing Policy, which is updated whenever a material change occurs.

Where we have control over AI processing configuration, we minimise data retention by the AI provider beyond the scope of the immediate processing request.

⚠️

AI outputs are evidence signals, not professional advice. For all tax, audit, or compliance decisions, consult a qualified Malaysian tax agent or MIA-registered auditor.

Section 05

Payment & Credit Data

GetZenta operates on a credit-based subscription model. Users purchase Evidence Credits to consume platform services. All monetary transactions are processed through third-party payment gateways. GetZenta does not store card numbers, bank credentials, or full payment instrument details of any kind.

What GetZenta Receives from Payment Processors

  • Transaction reference number and payment status (succeeded / failed / refunded)
  • Amount charged, currency, and timestamp
  • Account identifier used for credit allocation
  • Subscription tier and renewal status confirmation

What GetZenta Never Stores

  • Card numbers or CVV codes
  • Card expiry dates
  • Bank account numbers
  • Online banking credentials
  • FPX transaction PIN or OTP
  • e-Wallet login credentials

Payment Processor

Card and banking data is handled exclusively by an authorised payment processor under its own PCI-DSS compliance framework. GetZenta receives payment confirmation, not payment credentials.

Processor: Authorised Payment Processor
Purpose: Card payments and subscription billing
Jurisdiction: Global infrastructure
Compliance Standard: PCI-DSS compliant payment processing

Additional local payment methods (FPX, e-wallet) may be added in future. This section will be updated before any new gateway is activated.

Credit Balance Data

Your Evidence Credit balance, top-up history, and consumption records are stored within GetZenta's platform database under the same RLS and access control framework as all other user data. Credits are non-transferable between organisations and expire six months from the date of purchase unless otherwise agreed in writing.

🛡️

If you believe an unauthorised transaction has been charged to your account, contact us immediately at info@zentatechnologies.com. We will investigate and liaise with the authorised payment processor where required.

Section 06

Seven Security Principles

As your Data Processor, we fulfil our obligations under the Security Principle of PDPA 2010 through the following layers of technical and organisational control. These describe the architecture in active deployment.

01  Data Minimisation

We extract only the fields required for the defined LHDN MyInvois and audit evidence workflow. No additional fields are extracted, stored, or retained beyond what the User submits for processing.

02  Encryption at Rest & in Transit

All data is encrypted at rest and in transit using industry-standard security controls. Encryption is applied at the infrastructure layer — not relying solely on application-level configuration.

03  Database-Enforced Tenant Isolation

GetZenta enforces tenant isolation at the database layer. Every user action is scoped to the authenticated user's organisation context and membership role. Organisation A cannot access Organisation B's records by design — not by policy.

04  Role-Based Access Control

Platform access is governed by three role tiers — Auditor, SME, and Staff — each with distinct permission scopes. Administrative infrastructure access is limited to authorised Zenta Technologies personnel, protected by multi-factor authentication.

05  Security-Assessed Infrastructure

Primary infrastructure runs on managed, security-assessed platform services in a Southeast Asia regional environment. Sub-processors including authorised cloud AI services and payment processors are assessed for security compliance before engagement.

06  Immutable Evidence Decisions

Once an evidence record is locked, the decision trail — AI extraction output, reviewer identity, override reason, and timestamp — cannot be altered without generating a visible audit event. This supports PDPA accountability and ISA 230 documentation requirements.

07  Human-in-the-Loop Review Gate

High-risk, high-value, or low-confidence records are routed to human review before any compliance determination is made. This architectural safeguard prevents automated decision-making on matters with material compliance consequences.

Section 07

Data Retention & the 7-Year Rule

Retention at GetZenta is governed by two intersecting obligations: the PDPA 2010 principle that data should not be kept longer than necessary, and the requirement under the Income Tax Act 1967 that tax-related records be retained for seven years.

Active Subscription

Zenta Technologies maintains your certified evidence records, audit trail data, and account information for the full duration of your active subscription. All records remain accessible to you during this period.

Post-Termination

Upon account closure, you are responsible for exporting your compliance records before deactivation. GetZenta retains your data for 90 days following account closure to allow for data export, after which records are securely deleted or anonymised unless:

  • An extended retention arrangement has been separately agreed in writing
  • A legal hold or regulatory requirement prevents deletion
  • Anonymised aggregate data (no personal identifiers) is retained for internal service improvement

The 7-Year Compliance Window

GetZenta's default 90-day post-closure window is intentionally shorter than the 7-year statutory requirement under the Income Tax Act 1967. You, as the Data User, hold legal responsibility for maintaining your 7-year archive. Export your records before closing your account, or contact us to discuss an extended retention arrangement prior to termination.

⚠️

Export your data before closing your account. GetZenta's 90-day post-closure window does not satisfy the 7-year retention requirement under Malaysian tax law. Maintaining a compliant archive is your responsibility as Data User.

Section 08

Cross-Border Data Transfers

GetZenta's primary infrastructure is hosted in a Southeast Asia regional environment, supporting regional data processing for Malaysian compliance workflows. However, some platform functions involve transient cross-border data processing.

Where Your Data May Travel

  • AI processing: Receipt images and extracted fields are transmitted to cloud AI services for OCR processing. These services may operate on infrastructure outside Malaysia and Singapore.
  • Payment processing: Transaction data is processed by authorised payment processors under their own jurisdictional framework and PCI-DSS compliance programme.

Our Safeguards

By using GetZenta, you consent to the processing of data via our cloud partners as described above. We ensure all material sub-processors provide a level of data protection equivalent to PDPA 2010 requirements through contractual arrangements and compliance certifications — including recognised security and payment-processing standards.

Where we control AI processing configuration, we minimise data retention by the AI provider beyond the scope of the immediate request.

A full sub-processor list with jurisdictions and compliance standards is maintained in the Data Processing Policy.

Section 09

Your Rights Under PDPA 2010 (Section 30)

Under Section 30 of the Personal Data Protection Act 2010, you have the following rights in relation to personal data Zenta Technologies holds about you. These rights apply to your own personal data — not to the personal data of your clients, which you control as the Data User.

  • Right of Access (S.30(1)(a)): Request a copy of the personal data we hold about you and information about how it is being processed.
  • Right of Correction (S.30(1)(b)): Request correction of inaccurate, incomplete, misleading, or outdated personal data we hold.
  • Withdraw Consent (S.38): Withdraw consent to processing of your personal data at any time, subject to any legal or contractual obligations requiring continued retention.
  • Prevent Processing (S.42): Request that we cease or not begin processing your personal data for purposes likely to cause substantial damage or distress.
  • Data Portability (Platform): Export your evidence records, audit trail, and account data in standard formats (CSV / JSON) via the platform's export function.
  • Right to Complain (PDPC): Lodge a complaint with the Personal Data Protection Commissioner of Malaysia if you believe your rights have been violated.

How to Exercise Your Rights

Submit a written request to our Data Protection Officer at dpo@getzenta.com.my. We acknowledge within 3 business days and respond substantively within 21 days, in accordance with PDPA 2010 timelines. We may verify your identity before processing access or correction requests to protect your data from unauthorised access.

ℹ️

These rights apply to your own personal data held by Zenta Technologies. If you are an Auditor or SME managing your clients' data, those obligations are governed by your role as Data User.

Section 10

Cookies & Analytics

GetZenta's web presence at getzenta.com.my uses a minimal set of cookies necessary for the site to function. We do not use cookies for advertising targeting or cross-site tracking.

Essential Cookies

Required for the platform to function. Cannot be disabled without breaking core features:

  • Session cookies — maintain your authenticated session within the platform
  • Security cookies — support CSRF protection and platform security mechanisms
  • Preference cookies — remember your display preferences within the interface

Analytics

We may use privacy-respecting analytics tools to understand aggregate usage patterns — which features are most used and where users encounter friction. Where analytics are deployed, tools are configured to anonymise IP addresses and are not connected to advertising networks. You may opt out via your browser settings or a tracking-blocker extension.

No Advertising Cookies

GetZenta does not use advertising cookies, remarketing pixels, or third-party tracking for commercial targeting. We do not sell advertising space on the platform or on getzenta.com.my.

ℹ️

Questions about specific cookies active on getzenta.com.my: info@zentatechnologies.com

Section 11

Breach Notification

In the event of a suspected or confirmed personal data breach, Zenta Technologies follows a structured notification process designed to protect affected individuals and meet obligations under PDPA 2010 as amended.

Our 24-Hour Internal Commitment

In the event of a suspected breach affecting your organisation's data, Zenta Technologies will notify the affected User(s) within twenty-four (24) hours of internal confirmation. This lead time allows you, as the Data User, to fulfil your own notification obligations to the PDPA Commissioner within the statutory 72-hour window.

What a Breach Notification Will Include

  • Nature of the breach and categories of data affected
  • Approximate number of records or individuals affected, where known
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details of our Data Protection Officer for further enquiries

Scope of Our Liability

Our notification obligation covers the security of the GetZenta platform and data under our control as Data Processor. We are not liable for breaches originating from:

  • The User's own hardware, devices, or local network
  • Compromised login credentials caused by the User's own security practices
  • Unencrypted transmission of data by the User outside of the platform
  • Third-party services accessed independently by the User

🔐

If you suspect unauthorised access to your account: Change your password immediately, revoke active sessions, and contact dpo@getzenta.com.my or info@zentatechnologies.com.

Section 12

Data Protection Officer

In compliance with the 2025 PDPA Guidelines on Data Protection Officers, Zenta Technologies Sdn. Bhd. has appointed a Data Protection Officer to oversee data governance, handle access and correction requests, and serve as the primary point of contact for PDPA-related matters.

Contact the Data Protection Officer

📧 Primary DPO contact: dpo@getzenta.com.my
📧 General enquiries: info@zentatechnologies.com
📞 Privacy and security matters are handled through verified email channels only
📍 Kuala Lumpur, Malaysia
Acknowledgement within 3 business days  ·  Substantive response within 21 days

DPO Responsibilities

  • Handling Section 30 data access and correction requests
  • Managing consent withdrawal requests under Section 38
  • Coordinating breach notification and incident response
  • Liaising with the Personal Data Protection Commissioner of Malaysia
  • Overseeing sub-processor due diligence and Data Processing Agreements

Filing a Complaint with the PDPC

If you are dissatisfied with our response to a data-related concern, you have the right to file a complaint directly with the Personal Data Protection Commissioner of Malaysia:

www.pdp.gov.my  ·  pdp@kkmm.gov.my

This Privacy Policy reflects GetZenta's data governance practices as of the effective date stated below. It does not constitute legal advice. Zenta Technologies reserves the right to update this policy to reflect changes in law, technology, or business practice. Material changes will be communicated to registered Users via email or in-platform notice with a minimum of 14 days' prior notice.

Questions: dpo@getzenta.com.my  ·  Effective 31 March 2026