Privacy Policy

Last Updated: 13 February 2026

1. Introduction & Roles

Xantec Solutions Sdn Bhd ("we", "us", or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal data in compliance with the Personal Data Protection Act 2010 ("PDPA") of Malaysia.

Data Controller vs Data Processor: For the purposes of the PDPA, the Customer is the Data User (Controller) who determines the purposes and means of processing personal data. Xantec Solutions Sdn Bhd acts as the Data Processor. We process personal data solely on the instructions of the Customer and do not determine the purposes of such processing.

2. Customer Warranties & Authority

By using our services and providing data (including third-party personal data such as employee or vendor details) for e-Invoicing submission, the Customer warrants that:

• They have obtained all necessary lawful authority and consents required under the PDPA to share such data with Xantec for processing.
• The data provided is accurate, complete, and legally compliant for submission to the Lembaga Hasil Dalam Negeri (LHDN).
• The Customer is solely responsible for the legality of the data provided to the middleware.

3. Data We Collect

We may collect and process various types of personal and business data, including but not limited to:

• Contact Information: Name, email address, telephone number, and office address.
• Business Identification: Company name, Business Registration Number (BRN), and Tax Identification Number (TIN).
• Integration Data: API keys, ERP/POS system metadata, and transaction headers required for LHDN MyInvois submission.
• Usage Data: Application logs, IP addresses, and browser information for system monitoring and security auditing.

4. Purpose of Processing

In accordance with the Notice and Choice Principle of the PDPA, we collect data for the following purposes:

• To facilitate the submission of e-invoices to the LHDN MyInvois portal on your behalf.
• To provide technical support and system maintenance for the middleware.
• To comply with statutory and regulatory requirements imposed by the LHDN and other Malaysian authorities.
• To maintain temporary operational logs required for system troubleshooting and security.

5. Disclosure of Personal Data

We do not sell or rent your personal data to third parties. However, we may disclose your data to:

• The Lembaga Hasil Dalam Negeri (LHDN) for the fulfillment of e-invoicing requirements.
• Authorized Sub-processors (e.g., cloud hosting partners like AWS, Microsoft Azure, or Google Cloud) who assist in operating our services under strict confidentiality agreements.
• Law enforcement or government agencies when required by law or legal process.

6. Cross-Border Data Transfer

Your personal and business data may be processed or stored outside of Malaysia (for example, on cloud servers located in Singapore or other global regions). We ensure that any such transfers are conducted under equivalent data protection safeguards as required by the PDPA.

7. Data Security & Breach Notification

We implement industry-standard technical and organizational measures to protect your data, including:

• Industry-standard encryption for data in transit and at rest.
• Role-Based Access Control (RBAC) to limit data access.
• Regular security monitoring and commercially reasonable vulnerability assessments.

Data Breach Notification: In the event of a suspected data breach, Xantec will take reasonable steps to notify affected Customers. Any such notification is provided as a courtesy and does not constitute an admission of liability or fault by Xantec. We do not guarantee real-time or immediate notice.

8. Retention of Data

Xantec retains data only for as long as operationally necessary to fulfill the transmission of e-invoices and for technical troubleshooting.

Consistency with Terms of Service: While Malaysian Law requires businesses to maintain a 7-year audit trail, Xantec is a processing tool, not a perpetual storage vault. The legal obligation for statutory 7-year retention rests solely with the Customer. We strongly advise regular manual backups and data exports.

9. Your Rights & No Automated Decisions

Under the PDPA, you have the right to access and correct your data. Furthermore:

• No Automated Decision-Making: Xantec does not use automated algorithms to make decisions that have legal or significant effects on the Customer or their data subjects.
• Withdrawal of consent may result in the inability to use Xantec's middleware services.

10. Not Legal or Tax Advice

The information provided on this website and within our documentation does not constitute legal, tax, or regulatory advice. Customers must consult with their own professional advisors to ensure their business practices comply with Malaysian law.

11. Changes to This Policy

Xantec reserves the right to update this Privacy Policy at any time. We will make reasonable efforts to notify customers of any material changes via email or system notifications; however, your continued use of the service constitutes acceptance of the latest version of this Policy.

12. Contact Our Data Protection Officer

For inquiries regarding the PDPA or your personal data, please contact our Data Protection Officer: