Privacy Policy
Your privacy matters. This policy explains how we handle your data in compliance with the Malaysia Personal Data Protection Act 2010 (PDPA).
Last updated: March 2026
1. Introduction
TwentyCore Sdn Bhd (Registration No. 1670365P), a company incorporated in Malaysia with its principal place of business in Selangor (“TwentyCore”, “we”, “us”, or “our”), is committed to protecting the privacy and personal data of our users in accordance with the Personal Data Protection Act 2010 (Act 709) (“PDPA”).
This Privacy Policy describes how we collect, use, disclose, and protect personal data when you use our platform at app.twentycore.ai and our website at twentycore.ai (together, the “Service”).
2. Data We Collect
2.1 Account Information. When you register, we collect your name, email address, phone number, company name, company registration number, and job title.
2.2 Business Data. Data you enter into the Service in the course of using our ERP modules, including but not limited to customer records, financial transactions, inventory data, employee records (for HR/Payroll), production data, and quality records (“Customer Data”). You are the data controller for Customer Data; we process it on your behalf.
2.3 Payment Information. Payment card details are collected and processed directly by our payment processor, Stripe, Inc. We receive only a tokenised reference and the last four digits of your card. We do not store full card numbers on our servers.
2.4 Usage Data. We automatically collect technical information when you use the Service, including IP address, browser type, device information, pages visited, features used, timestamps, and error logs.
2.5 Communication Data. Records of support requests, emails, and feedback you send to us.
3. How We Use Your Data
We process personal data for the following purposes:
- Service Delivery: To provide, operate, and maintain the TwentyCore platform and its features.
- Account Management: To manage your account, process subscriptions, and handle billing.
- Support: To respond to your enquiries, provide technical support, and communicate service updates.
- Security: To detect, prevent, and address fraud, abuse, security incidents, and technical issues.
- Improvement: To analyse usage patterns and improve the Service, including through aggregated and anonymised analytics.
- Compliance: To comply with legal obligations, including Malaysian statutory requirements.
- Communication: To send you important notices about the Service, security alerts, and (with your consent) product updates or newsletters. You may opt out of marketing communications at any time.
4. Legal Basis for Processing (PDPA)
Under the PDPA, we process your personal data based on the following grounds:
- Consent: By using the Service and providing your data, you consent to its processing as described in this policy. You may withdraw consent at any time, though this may affect our ability to provide the Service.
- Contractual Necessity: Processing required to perform our obligations under the Terms of Service.
- Legal Obligation: Processing required to comply with applicable laws (e.g., tax records, employment records, LHDN e-Invoice requirements).
- Legitimate Interest: Processing for security, fraud prevention, and service improvement where such interests are not overridden by your data protection rights.
5. Data Sharing & Third Parties
We do not sell your personal data. We share data only with the following categories of third parties, and only to the extent necessary:
| Provider | Purpose | Data Shared |
|---|---|---|
| DigitalOcean (Singapore) | Cloud infrastructure & database hosting | All Service data (encrypted at rest) |
| Stripe, Inc. | Payment processing | Billing details, payment card info |
| Sentry | Error monitoring & performance | Error logs, stack traces, device info (no Customer Data) |
| Vercel | Website & frontend hosting | IP address, browser info (access logs) |
| LHDN (MyInvois) | Malaysian e-Invoice submission | Invoice data as required by law |
We may also disclose personal data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of TwentyCore, our users, or the public.
6. Cross-Border Data Transfers
Your data is primarily stored on DigitalOcean servers in the Singapore region, which provides low latency for Malaysian users. Some data may be processed in other jurisdictions through our third-party service providers (e.g., Stripe in the United States, Sentry in the United States).
In accordance with Section 129 of the PDPA, we ensure that any transfer of personal data outside Malaysia is made only to jurisdictions that provide an adequate level of data protection, or with appropriate safeguards including contractual obligations on the receiving party.
By using the Service, you consent to such cross-border transfers as described in this policy.
7. Data Retention
We retain your data as follows:
- Account Data: Retained for the duration of your active subscription, plus 30 days after account closure to allow for data export.
- Customer Data: Retained for the duration of your active subscription. Permanently deleted 30 days after account closure.
- Financial Records: Retained for 7 years as required by Malaysian tax and corporate law (Companies Act 2016, Income Tax Act 1967).
- Usage & Log Data: Retained for up to 12 months for security and analytical purposes, then anonymised or deleted.
- Support Records: Retained for 3 years after resolution.
8. Cookies & Tracking
We use the following types of cookies:
- Essential Cookies: Required for authentication, session management, and security (e.g., JWT tokens, CSRF protection). These cannot be disabled.
- Functional Cookies: Remember your preferences such as language, timezone, and interface settings.
- Analytics Cookies: Help us understand how the Service is used so we can improve it. These are anonymised and do not track you across other websites.
We do not use third-party advertising cookies or cross-site tracking technologies. You can manage cookie preferences through your browser settings, though disabling essential cookies may prevent the Service from functioning correctly.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Multi-tenant row-level security ensuring strict data isolation between tenants.
- Regular security assessments and vulnerability scanning.
- Two-factor authentication (TOTP) available for all user accounts.
- Role-based access control (RBAC) limiting data access to authorised personnel.
- Automated backups with point-in-time recovery capability.
- Structured audit logging of all data access and modifications.
While we use commercially reasonable measures to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
10. Your Rights Under the PDPA
Under the Personal Data Protection Act 2010, you have the following rights regarding your personal data:
- Right of Access (Sections 12 and 30): You may request access to the personal data we hold about you and obtain a copy.
- Right of Correction (Section 34): You may request correction of any inaccurate or incomplete personal data.
- Right to Withdraw Consent (Section 38): You may withdraw your consent to the processing of your personal data at any time by contacting us. This does not affect the lawfulness of processing carried out before withdrawal.
- Right to Prevent Processing (Sections 42 and 43): You may require us to cease processing your personal data where that processing is likely to cause damage or distress, or where it is for direct marketing purposes.
- Right to Data Portability: You may export your Customer Data at any time through the Service’s built-in export functions.
To exercise any of these rights, please contact us at hello@twentycore.ai. We will respond to your request within 21 days as required by the PDPA.
11. Employee & HR Data
If you use our HR & Payroll module, you may store employee personal data including identification numbers (IC/passport), bank account details, salary information, and statutory contribution records (EPF, SOCSO, EIS, PCB). As the employer, you are the data controller for this data, and you are responsible for:
- Obtaining appropriate consent from your employees for the processing of their personal data.
- Providing your employees with a privacy notice regarding their data.
- Ensuring accuracy and completeness of employee records.
- Complying with the PDPA and Employment Act 1955 with respect to employee data.
We process employee data on your behalf and in accordance with your instructions, subject to the security measures described in this policy.
12. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes at least 14 days before they take effect by email or through the Service. The “Last updated” date at the top of this policy indicates when it was last revised.
14. Complaints
If you believe that we have not handled your personal data in accordance with the PDPA, you may lodge a complaint with the Jabatan Perlindungan Data Peribadi (Department of Personal Data Protection):
Jabatan Perlindungan Data Peribadi (JPDP)
Aras 6, Kompleks Kementerian Komunikasi dan Digital
Lot 4G9, Persiaran Perdana, Presint 4
62100 Putrajaya, Malaysia
Website: www.pdp.gov.my
We encourage you to contact us first at hello@twentycore.ai so that we can try to resolve your concern directly.
15. Contact Us
For any questions or requests regarding this Privacy Policy or your personal data, please contact us:
TwentyCore Sdn Bhd
Registration No. 1670365P
Selangor, Malaysia
Email: hello@twentycore.ai
Website: twentycore.ai