Privacy Policy
1. Introduction
com1 ("we", "us", or "our") operates the com1.app platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. It is published in English and Bahasa Malaysia in accordance with section 7 of the Personal Data Protection Act 2010 (Malaysia). In the event of any inconsistency between the two language versions, the English version prevails.
com1 is operated from Malaysia and intended primarily for businesses and individuals located in Malaysia and Southeast Asia. We do not actively market our services to, or specifically target, residents of the European Economic Area, the United Kingdom, the United States, or other jurisdictions whose data-protection regimes would apply by virtue of such targeting. Where this notice contains region-specific addenda (see sections 11 and 12), they are provided as a courtesy to incidental users who reach com1 from those jurisdictions and not as an indication that com1 directs its services to those markets.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and password. We also store your language and theme preferences. If you subscribe to a paid plan, payment is processed by Paddle — we do not store your credit card details directly.
Team and Organization Data
We store your team name, locale, timezone, date and time format preferences, country, and subscription details (plan, trial dates, subscription status).
Business Data
We store the data you enter into com1, including but not limited to: projects, tickets, milestones, contacts, corporations, invoices, estimates, recurring invoices, payments, time logs, notes, comments, items, bank accounts, hourly rates, payment terms, and business cards. Where you enter information about other individuals (such as contacts, employees, or invoice parties) you confirm that you are authorised to provide that information to us for the purposes described in this notice.
File Uploads
Files you upload (attachments on invoices, estimates, tickets, and team logos) are stored in Amazon S3. Each file is scoped to your team and accessible only via time-limited signed URLs.
Hosting and Infrastructure Data
If you use our hosting features, we store metadata about servers, databases, deployments, SSL certificates, container configurations, environment variables, and backup schedules that you configure through com1. Servers and databases are provisioned in your own AWS account — we access them only through temporary, scoped IAM credentials (AssumeRole) to perform the operations you request.
AI Assistant Data
If you use the AI assistant feature, your messages and conversation history are sent to Anthropic (Claude) for processing. We also use Voyage AI to generate text embeddings for semantic search. We track token usage for billing purposes. AI features are optional and can be disabled in your privacy settings.
Audit Logs
We maintain audit logs of significant actions within your team (such as server provisioning, deployments, and configuration changes) for accountability and troubleshooting purposes.
Source of Data
Most personal data we hold is provided directly by you when you register, configure your team, or use the service. We may also receive personal data about you indirectly when you are invited to join an existing team by another user, or when a team owner enters your information as a contact, employee, or invoice party. For data received indirectly, the team owner is the source and is responsible for ensuring you have been informed of this notice.
Obligatory and Optional Information
Your name, email address, and password are obligatory in order to create an account and use the service — without these we cannot authenticate you, send you transactional notifications, or recover your account. Tax identifiers, business registration numbers, and addresses are obligatory only if you use invoicing or e-invoicing features (LHDN MyInvois requires them). AI assistant usage, hosting integrations, and optional third-party connections (Dropbox, AWS S3 backup) are entirely optional. Refusal to provide obligatory information will mean we cannot provide the relevant feature; refusal of optional information has no consequence beyond unavailability of that specific feature.
3. How We Use Your Information
We use your information to:
- Provide, maintain, and improve our services
- Process subscriptions and billing through Paddle
- Send transactional emails (confirmations, password resets, magic login links, invoice reminders, team invitations, and notification digests)
- Generate PDF invoices and estimates
- Submit e-invoices to MyInvois (LHDN) on your behalf when you use the Malaysian e-invoicing feature
- Perform scheduled database backups to your configured storage targets
- Power AI-assisted features using your conversation data, where you have enabled them
- Monitor and analyze aggregate usage trends to improve user experience
4. Data Storage and Security
Your data is stored on secure servers hosted by Amazon Web Services (AWS), using managed PostgreSQL databases (RDS). We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction, as required under the Security Principle (section 9) of the Personal Data Protection Act 2010.
Passwords are hashed using Argon2. Session tokens are cryptographically signed and hashed (SHA-256) before storage. Sensitive credentials (Dropbox tokens, backup storage keys, database passwords, MyInvois credentials) are encrypted at rest in our database.
File uploads are stored in Amazon S3 with private access controls. Downloads are served through time-limited signed URLs.
5. Third-Party Services
We use the following third-party services to operate com1. Each processes only the data necessary for its function:
- Amazon Web Services (AWS) — cloud infrastructure, database hosting (RDS), file storage (S3), email delivery (SES), and server provisioning (EC2) for hosting features
- Paddle — subscription billing and payment processing
- Anthropic (Claude) — AI assistant conversations and responses
- Voyage AI — text embeddings for semantic search
- Sentry — error tracking and crash reporting (exception traces and request context)
- Cloudflare — DNS, DDoS protection, and content delivery
- MyInvois (LHDN) — Malaysian government e-invoicing submission, if you use this feature
- Microsoft Clarity — session-replay and interaction-heatmap analytics on public marketing pages only (never inside the authenticated app). Clarity runs in a limited, cookieless mode (no cookies set) until you accept our PDPA cookie banner, at which point it switches to full analytics with cookies
Optional Integrations You Connect
You may optionally connect the following services. We access only the data necessary to provide the requested functionality, using credentials you provide:
- Dropbox — used as a backup storage destination for your database backups. We authenticate via OAuth 2.0 and store encrypted access and refresh tokens. We upload backup files to your Dropbox account and automatically refresh tokens to maintain the connection.
- AWS S3 (your own account) — used as an alternative backup storage destination. We store your provided access credentials in encrypted form and use them solely to upload backups.
- AWS IAM (your own account) — if you use hosting features, you provide an IAM role ARN. We assume this role with temporary credentials to provision and manage servers, databases, and storage in your AWS account.
→ View the full sub-processor list with DPA status and review dates
Cross-Border Transfers
Your personal data is processed and stored on the following infrastructure: AWS compute (EC2/ECS), database (RDS), object storage (S3), and container registry (ECR) are hosted in **AWS Asia Pacific (Malaysia)** — the `ap-southeast-5` region in Kuala Lumpur. **AWS Simple Email Service (SES)** is the only AWS exception: it is hosted in **AWS Asia Pacific (Singapore)** — the `ap-southeast-1` region — because SES is not yet available in the Malaysia region; only outbound transactional email metadata (recipient address, subject, message body) transits Singapore for delivery. Anthropic, Voyage AI, and Sentry process data on infrastructure located in the **United States**; these are only engaged for accounts that have granted the optional `AI features` consent in Privacy Settings. **Microsoft Clarity** also processes data in the United States, but only for unauthenticated visitors to our public marketing pages who have acknowledged the cookie banner — it is never engaged inside the authenticated app and receives no account, team, or customer data. Cloudflare operates a global content delivery network for static assets and DDoS protection.
Under section 129 of the Personal Data Protection Act 2010 (as amended in 2024), we transfer your personal data outside Malaysia on the following bases: (a) the transfer is necessary for the performance of our contract with you; (b) for optional features (AI assistant), we rely on your express consent recorded in your privacy settings; and (c) we have assessed that the receiving jurisdictions provide a level of protection substantially similar to the Act, supported by data processing agreements with each processor that bind them to equivalent security and confidentiality obligations. You may request a copy of the cross-border transfer impact assessment by contacting our Data Protection Officer.
6. Data Retention
We retain your account data for as long as your account is active. Session tokens expire after 14 days. Magic login links expire after 15 minutes.
When you close your account we apply the following decision tree:
- (a) if you are the sole owner of a team that other members are still using, we will ask you to transfer ownership to another member before your account can be closed — without a transfer the remaining members would be locked out;
- (b) if you are the sole owner of a team that has no other members and no retained financial records, both your account and the team are deleted in full;
- (c) if you are the sole owner of a team that holds financial records still subject to the seven (7)-year statutory retention under the Income Tax Act 1967 and the Companies Act 2016 (notably invoices and payments), your account is anonymised in place — your name, email, and credentials are scrubbed and you can no longer log in, but the team and the retained records remain on file for the legal retention period;
- (d) in every other case (no owned teams, or you are merely a member of someone else's team), your account is deleted in full and your audit-log actor reference is replaced with the label "deleted user".
Database backups are retained according to the schedule and retention policy you configure. Backup files may be stored in our S3 bucket, your own S3 bucket, or your Dropbox account depending on your configuration.
7. Your Rights Under PDPA
Under the Personal Data Protection Act 2010 (Malaysia, as amended in 2024), you have the following rights with respect to your personal data:
- Right of access (section 30) — request a copy of the personal data we hold about you
- Right of correction (section 34) — request correction of inaccurate or incomplete data
- Right of deletion — request deletion of your account and associated personal data, subject to retention obligations described in section 6
- Right of data portability (section 43A) — receive your invoices, contacts, and other data you provided in a structured, commonly-used, machine-readable format
- Disconnect third-party integrations (Dropbox, AWS) at any time
- Right to withdraw consent (section 38) — withdraw your consent to processing where consent is the basis (e.g., AI features, optional integrations, marketing)
- Right to prevent direct marketing (section 43) — request that we cease using your personal data for direct marketing
To exercise any of these rights, use the controls in your in-app privacy settings (Settings → Privacy) or contact our Data Protection Officer at [email protected]. We will respond within twenty-one (21) days as required by the Act.
8. Cookies
We use four essential first-party cookies for the service itself:
- `_com1_key` — your encrypted session, set on every request; HttpOnly + SameSite=Lax
- `_csrf_token` — protects against cross-site request forgery on form submissions; HttpOnly + SameSite=Lax
- `_com1_web_user_remember_me` — a signed token that keeps you logged in across browser sessions when you tick "remember me" at sign-in; expires after 60 days; HttpOnly + SameSite=Lax
- `pdpa_acked_v3` — records that you have acknowledged the cookie banner so we don't show it again; expires after 1 year; SameSite=Lax
On our **public marketing pages only** (homepage, pricing, features, blog, case studies, privacy notice, public tools, and shareable business cards) we use Microsoft Clarity — a session-replay and interaction-heatmap analytics tool operated by Microsoft Corporation. Clarity loads in a **limited, cookieless mode by default**: before you accept the cookie banner it **sets no cookies**, assigns only a temporary per-page-view identifier, and we rely on our legitimate interest in understanding our marketing pages (see section 11.1). **When you click "Accept" on the cookie banner above**, Clarity switches to full analytics and only then sets the following cookies and storage keys:
- `_clck` — Clarity user ID, first-party
- `_clsk` — Clarity session ID, first-party
- `CLID` — cross-site Clarity ID, third-party, set by `clarity.ms`
- `MUID` — Microsoft user ID, third-party, set by `c.bing.com`; shared with Microsoft Advertising for analytics and ad-personalisation across all Microsoft sites
- `ANONCHK` — MUID-to-ANID transfer flag, always set to 0 because Clarity does not use ANID
- `MR` — MUID refresh flag, third-party
- `SM` — MUID synchronisation flag across Microsoft domains, third-party
In both modes Clarity processes session interaction events (clicks, scrolls, page URLs, your IP address, and user agent) — for EU/UK/Switzerland visitors the data importer is Microsoft Ireland Operations Limited (MIOL), with onward transfers to Microsoft Corporation in the United States covered by Standard Contractual Clauses and Microsoft's EU-US Data Privacy Framework certification, and these visitors are kept in cookieless mode until they provide consent. For visitors elsewhere, data is processed directly by Microsoft Corporation in the United States. Recordings are retained by Microsoft for 30 days; aggregated heatmap data is retained for 13 months (Microsoft's published data-retention policy). Clarity is **never loaded inside the authenticated app or on auth forms**, so no team, customer, invoice, or account data is ever sent to Microsoft. Clarity respects your browser's Do Not Track signal (`navigator.doNotTrack`). To withdraw consent and return Clarity to cookieless mode, clear the `pdpa_acked_v3` cookie in your browser; you will be prompted again on next visit. We do not embed any social-media share buttons that would set cookies on your device.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page, updating the version identifier, and where appropriate prompting you to acknowledge the new version on your next login. Previous versions remain accessible at /privacy/v/<version>.
10. Contact Us
For questions about this Privacy Policy or to exercise your rights under the Act, contact our Data Protection Officer at [email protected]. For general support inquiries, contact [email protected].
11. Additional Rights for EEA / UK Residents
If you are located in the European Economic Area, the United Kingdom, or Switzerland, the following additional disclosures apply alongside the rights described in section 7. Where the rights described in section 7 (Malaysian PDPA) and the rights described in this section overlap, you may exercise whichever provides the stronger protection.
11.1 Lawful basis for processing
We rely on the following lawful bases under Article 6 of the GDPR:
- Performance of a contract (Art. 6(1)(b)) — for account creation, authentication, billing, and core service delivery
- Legitimate interests (Art. 6(1)(f)) — for fraud prevention, service security, error tracking via Sentry, aggregate usage analytics, and limited cookieless marketing-funnel analytics via Microsoft Clarity on public pages before you accept the cookie banner (Clarity respects browser Do Not Track signals; for EU/UK/Switzerland visitors Clarity stays cookieless until consent). Where you accept the banner, the analytics cookies Clarity then sets rely on your **consent** instead (see below). You may object to processing based on legitimate interests at any time (see section 11.2)
- Your consent (Art. 6(1)(a)) — for AI assistant features and any optional integrations or marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal
- Compliance with legal obligation (Art. 6(1)(c)) — for retention of invoicing and payment records under applicable Malaysian tax and corporate law
We do not process special categories of personal data within the meaning of Article 9 of the GDPR in the ordinary course of providing the service.
11.2 Your additional rights
In addition to the rights described in section 7, the GDPR grants you:
- Right to restriction of processing (Art. 18) — request that we limit processing of your personal data while we verify accuracy or assess the lawfulness of processing. To exercise, contact our Data Protection Officer at [email protected].
- Right to object (Art. 21) — object to processing based on legitimate interests, including direct marketing. For specific processing purposes, use the controls in your privacy settings (Settings → Privacy); for any objection not covered there, contact our Data Protection Officer at [email protected].
We will respond to all rights requests within one (1) month of authenticated receipt, extendable by two (2) further months for complex or numerous requests with notice to you (Art. 12(3)).
11.3 Right to lodge a complaint with a supervisory authority
Under Article 77 of the GDPR you have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, where you work, or where the alleged infringement took place. Without an EU establishment, com1 does not have a single lead supervisory authority — each EU data protection authority has competence under Article 56(2). For UK residents, the relevant authority is the Information Commissioner's Office (ICO).
11.4 EU representative
Article 27 of the GDPR requires non-EU controllers offering services to EU data subjects to designate a representative in the Union. com1 will appoint an Article 27 representative when we begin marketing to or onboarding EU customers; until then this obligation is not engaged. Contact details for our representative will be inserted in this section once the appointment is made.
11.5 Automated decision-making
com1 does not engage in automated decision-making producing legal or similarly significant effects on you within the meaning of Article 22 of the GDPR.
11.6 International transfers
For transfers of your personal data outside the EEA / UK to a country that does not benefit from an adequacy decision, com1 relies on Standard Contractual Clauses (SCCs) approved by the European Commission. The applicable SCCs are auto-incorporated into each sub-processor's data processing agreement (see section 5 and the sub-processor list). Copies of the SCCs and our transfer impact assessments are available from our Data Protection Officer on request.
12. Additional Rights for Virginia Residents
If you are a natural person residing in Virginia and use com1 in an individual or household context, the following disclosures apply alongside the rights described in section 7. The Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.) does not apply to commercial or employment-context use of com1.
12.1 Categories of personal data and purposes
The categories of personal data we process and the purposes for which we process them are described in sections 2 and 3 of this notice.
12.2 Categories shared with third parties
The categories of third parties with whom we share personal data are described in section 5 of this notice. We do not sell your personal data, do not engage in targeted advertising, and do not engage in profiling that produces legal or similarly significant effects (see section 12.5).
12.3 Your rights under the Virginia CDPA
In addition to the rights described in section 7, the Virginia CDPA grants you:
- Right to confirm processing and access (§ 59.1-577(A)(1) and (2)) — exercised via the data export feature in your privacy settings
- Right to correct (§ 59.1-577(A)(3)) — exercised via your profile settings
- Right to delete (§ 59.1-577(A)(4)) — exercised via the account closure flow in your privacy settings
- Right to portability (§ 59.1-577(A)(5)) — included in the data export
- Right to opt out (§ 59.1-577(A)(6)) — see section 12.5 below; com1 does not engage in any of the processing activities that trigger this right
We will respond to all rights requests within forty-five (45) days of authenticated receipt, extendable by another forty-five (45) days for complex requests with notice to you.
12.4 Right to appeal
If we deny a rights request, you have the right to appeal that decision (§ 59.1-577(C)). To appeal, email [email protected] with the subject line "VA CDPA appeal" and include the original request reference. We will respond to your appeal within sixty (60) days. If the appeal is denied, you may submit a complaint to the Office of the Virginia Attorney General at https://www.oag.state.va.us/.
12.5 Sale of personal data, targeted advertising, and profiling
com1 does not engage in the sale of personal data, targeted advertising, or profiling that produces legal or similarly significant effects on consumers within the meaning of the Virginia Consumer Data Protection Act. No opt-out mechanism is required because none of these processing activities occur. If this changes in the future, we will update this notice and provide opt-out controls before any such processing begins.
12.6 Sensitive data
com1 does not knowingly collect or process "sensitive data" within the meaning of § 59.1-571 of the Virginia Code (racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, precise geolocation, or personal data of a known child). If you become aware that any such data has been collected by com1 in error, please contact our Data Protection Officer at [email protected].
Document version: 2026-06-02-v4