Privacy Policy

Key Points — read this first

We receive your WhatsApp number when you message us. It is stored encrypted (AES-256-CBC), not in plain text.
We use your message content only to process your scam report. We do not use it for advertising or profiling.
We do not sell your data. Ever. We share it only with the service providers named in this policy.
You can request access, correction, or deletion of your data at any time.
Questions: email hello@myspa.bot with subject Privacy Query

1. Who We Are

MySPA (Malaysia Scam Prevention Agent) is a community scam reporting service operating in Malaysia. MySPA is currently in the process of formal business registration in Malaysia (SSM). This policy will be updated with the registered entity name upon completion.

For data protection matters, see Section 12.

2. What "Anonymous" Actually Means

MySPA's tagline includes the word "Anonymous." This means:

No account creation or registration is required
We do not ask for your name, NRIC, or any identity document
Your reports are not publicly attributed to you
Other users cannot see who submitted a report

Important: "Anonymous" does not mean MySPA does not receive your phone number. WhatsApp requires a sender number for every message. When you message MySPA, we receive your WhatsApp phone number. It is stored encrypted — but it is personal data under PDPA Malaysia, and we are transparent about that here.

3. What Data We Collect

Data	How collected	Why	Kept for
Your WhatsApp phone number	Automatically via WhatsApp Cloud API when you message us	Process your report; prevent abuse and duplicate submissions	3 years from last activity
Message content (number, link, or text you send)	You send it to us	Run scam checks against the community database	3 years
Screenshots (Full Flag only)	You send them to us	OCR text extraction as evidence; original image is discarded after processing	Extracted text: 3 years. Original image: deleted immediately after OCR.
Full Flag narrative	You provide it in the conversation	Generate a structured case report	5 years
Case ID and report data	Generated by MySPA on case completion	Community database; future submission to authorities	5 years
Timestamps	Automatically recorded	Rate limiting, deduplication, audit trail	3 years

We do not collect: your real name, NRIC, banking credentials (unless you voluntarily include them in a Full Flag narrative), location data, device identifiers, browser cookies, or IP address.

4. How We Store and Protect Your Data

Phone numbers — AES-256-CBC encryption at rest. Your encrypted phone number is never passed to any AI model or returned in any API response.
Message content and reports — stored in PostgreSQL on Railway's infrastructure in the United States.
Screenshots — processed by Claude (Anthropic) for text extraction, then immediately discarded. Only the extracted text is stored.
In transit — all data is transmitted over TLS (HTTPS).

Encryption ≠ Anonymous: AES-256-CBC encryption means your phone number is not stored in plain text. However, under PDPA Malaysia, encrypted phone numbers remain personal data — MySPA holds the decryption keys and can decrypt them. "Encrypted" and "anonymous" are not the same thing.

5. Who We Share Your Data With

We share your data only with the following service providers who process it on our behalf. We do not sell your data to anyone.

Sub-processor	Location	Purpose
Meta Platforms Ireland Ltd	Ireland / Global	WhatsApp Cloud API — all messages you send pass through Meta's infrastructure before reaching MySPA
Railway Inc.	United States	Database and application server hosting
Vercel Inc.	United States	This website (myspa.bot) hosting
Anthropic PBC	United States	AI processing (Claude) — used for scam classification and screenshot OCR. Message content is sent to Anthropic's API for these purposes only.

We do not share your personal data with any government body, law enforcement agency, or advertiser. If a Malaysian court order requires disclosure, we will comply and notify you where we are legally permitted to do so.

6. Cross-Border Data Transfers

MySPA's backend infrastructure (Railway, Vercel, Anthropic) is hosted in the United States. Malaysia's PDPA requires us to disclose this. The United States does not have a data protection adequacy decision from Malaysia's Personal Data Protection Commissioner.

By using MySPA, you consent to the transfer of your personal data to the United States for the purposes described in this policy. We have contractual obligations with each sub-processor requiring them to protect your data to a standard consistent with PDPA Malaysia.

7. Your Rights Under PDPA Malaysia

Under the Personal Data Protection Act 2010 (as amended 2024), you have the right to:

Access — request a copy of the personal data we hold about you
Correction — request that inaccurate data be corrected
Deletion — request deletion of your data (subject to our legitimate retention obligations)
Withdrawal of consent — withdraw consent at any time; this will limit our ability to process future reports from you
Data portability — request your data in a common machine-readable format
Objection — object to specific processing activities

To exercise any right, email hello@myspa.bot (subject: Data Rights Request) with your WhatsApp number and the right you wish to exercise. We will respond within 21 days.

To lodge a complaint with the regulator: Personal Data Protection Department (JPDP) at pdp.gov.my.

8. Data Breach Notification

In the event of a data breach that is likely to cause significant harm to you, we will notify you within 7 days of becoming aware of it.

We will notify the Personal Data Protection Commissioner within 72 hours of becoming aware of any notifiable breach, as required by Section 12B of PDPA Malaysia (Amendment Act 2024).

9. WhatsApp and Meta

All messages sent to MySPA are transmitted through Meta's WhatsApp Cloud API. Meta Platforms Ireland Limited is a data sub-processor — they receive and transmit your messages as part of their infrastructure.

MySPA does not use message data for advertising, profiling, or any purpose unrelated to scam checking. We comply with WhatsApp's Business Policy.

Meta's own privacy policy: facebook.com/privacy/policy

10. Children

MySPA is not intended for users under 18 years of age. If you are under 18, please do not use this service. If we become aware that a user is under 18, we will delete their data.

11. Changes to This Policy

We will notify users of material changes via the MySPA WhatsApp channel at least 14 days before they take effect. The effective date at the top of this page will be updated. Continued use of MySPA after that date constitutes acceptance of the revised policy.

12. Contact

For any queries relating to this policy, email hello@myspa.bot. Please start your subject line with the nature of your request — e.g. Privacy Query, Data Rights Request, or Dispute — so we can respond appropriately.

Governing law: Laws of Malaysia. Disputes are subject to the exclusive jurisdiction of the courts of Kuala Lumpur, Malaysia.