Privacy Notice
Effective: 21 April 2026
Layak is a hackathon submission to the MyAI Future Hackathon. This notice describes what we collect, what we do with it, and the rights you keep under Malaysia's Personal Data Protection Act 2010 (PDPA).
1. What we collect
- Google account profile when you sign in: email, display name, profile photo, and the Firebase user identifier.
- Documents you upload to run an evaluation — typically a MyKad, a payslip or income screenshot, and a utility bill.
- Evaluation history: the structured profile we extracted from your documents and the schemes you matched against, persisted in Firestore so you can see your past runs.
- Consent timestamp recorded when you tick the PDPA checkbox on sign-up.
2. What we do not store
- Your full MyKad number, and any IC tail. The persisted profile carries no IC information of any kind; the manual-entry path doesn't even ask for it.
- The original bytes of your uploaded files. Extraction runs in-memory inside a single request, and the raw files are discarded once the structured profile is produced.
- IC numbers, authentication tokens, or document content in any log line.
3. Why we collect it
- To match you against 20 tracked Malaysian scheme entries using deterministic rules with source-backed citations.
- To generate your draft application packets, every page watermarked "DRAFT — NOT SUBMITTED."
- To show you a history of your past evaluations on the dashboard.
- To enforce per-user fair-use rate limits on the free tier.
4. Where it lives
All processing and storage happen in Google Cloud, in the asia-southeast1 region. The Cloud Run services and the Firestore database are owned by the Layak team. Authentication is handled by Firebase Authentication, also under our project.
5. How long we keep it
- Free-tier evaluations are deleted after 30 days by an automated nightly job.
- Pro-tier evaluations persist until you delete them.
- You can request immediate deletion of your account and all linked records at any time from the Settings page.
6. Your PDPA rights
- Access — download a JSON export of your profile and full evaluation history.
- Deletion — remove your account, your Firestore records, and your Firebase Auth identity in one action.
- Withdrawal — revoke consent by deleting your account. Further sign-in attempts will require fresh consent.
7. What we never do
- We never submit anything on your behalf to LHDN, JPN, JKM, or any government portal. Every output is a draft packet you submit manually.
- We never share your data with third parties for advertising.
- We do not sell your data.
8. Demo and hackathon scope
Layak is a non-production hackathon project. Use synthetic documents wherever possible during the demo period. Do not upload another person's MyKad or financial documents without their explicit consent.
9. Contact
Reach the team via the project's GitHub repository. For PDPA-specific queries, open an issue tagged pdpa.