Privacy Policy

Last updated: 7 May 2026 · Compliant with the Malaysian Personal Data Protection Act (PDPA) 2010

1. Introduction

RS Automation Solutions (SSM: 202603043461) ("we", "our", "us") operates PintarRPH at pintarrph.com. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the Malaysian Personal Data Protection Act 2010 (PDPA).

2. Data We Collect

2.1 Account Information

• Name and email address (during registration)
• School name and state (optional, for analytics)
• License key and activation status

2.2 Usage Data

• Number of RPH and RPT generated (for fair usage and analytics)
• Subjects and year levels selected
• Timestamps of generation activity
• Application version and platform type

2.3 Payment Data

• Transaction references from ToyyibPay (FPX)
• We do NOT store bank account numbers, card numbers, or FPX credentials. All payment processing is handled by ToyyibPay.

2.4 Data We Do NOT Collect

• IC numbers or MyKad numbers
• Student data or student names
• Location data or GPS coordinates
• Microphone, camera, or contacts access

3. How We Use Your Data

• License management: To validate your license and provide access to the Service.
• Service improvement: Aggregated, anonymized usage statistics help us improve content quality and subject coverage.
• Support: To respond to your support requests and resolve technical issues.
• Communication: To notify you of important updates, new features, or license expiry.

4. AI Processing

• Lesson plan generation uses Google Gemini AI. Your subject and topic selections are sent to Google's API to generate content.
• No personally identifiable information (name, email, IC) is sent to AI providers.
• Google's data usage policies apply to AI processing. We use the API mode which does not retain prompts for training.

5. Data Storage and Security

• Data is stored on our secured servers hosted in Malaysia, with encrypted connections (HTTPS/TLS).
• License data and analytics are stored on the Activation Server with encrypted connections.
• We use industry-standard security measures including JWT authentication, HMAC integrity verification, and Fernet encryption (AES-128 + HMAC-SHA256) for sensitive credentials.

6. Data Sharing

We do NOT sell, rent, or share your personal data with third parties, except:

• Payment processor: ToyyibPay processes your FPX payments.
• AI provider: Google Gemini processes lesson plan generation requests (no personal data included).
• Google Drive (only if you opt in): See section 7 below.
• Legal requirements: If required by Malaysian law or court order.

7. Google Drive Integration (Optional)

PintarRPH offers an optional integration to sync your generated weekly RPH (Rancangan Pengajaran Harian) workbooks to your personal Google Drive account. This integration is only activated if you explicitly connect a Google account via Settings → Google Drive → Connect.

7.1 OAuth scope and access

• We request only the https://www.googleapis.com/auth/drive.file OAuth scope, the most restricted Drive scope available.
• This scope grants us permission ONLY to create, read, and modify files that PintarRPH itself creates.
• We cannot access, view, or modify any files that already exist in your Google Drive prior to using PintarRPH.
• We cannot browse or list your Drive contents.
• We do not request access to Gmail, Calendar, Contacts, or any other Google service.

7.2 What we store on your Google Drive

• A single PintarRPH/<year>/ folder created on your Drive root.
• Weekly XLSX workbooks named RPH_M<week>_<year>.xlsx (e.g. RPH_M11_2026.xlsx).
• Each file is automatically converted to native Google Sheets format upon upload.
• All content stored on your Drive is your own RPH content — generated lesson plans, weekly schedules, and curriculum data you produced through PintarRPH. No analytics or telemetry is uploaded to your Drive.

7.3 What we store on our servers

• Your Google account email (the verified Delima account you authenticated with).
• An encrypted OAuth refresh token, used only to make subsequent uploads on your behalf.
• A mapping table of (week → Drive file ID) so re-syncs can update the existing file rather than creating duplicates.
• Refresh tokens are encrypted at rest using Fernet (AES-128 + HMAC-SHA256). The encryption key is stored in server environment variables, separate from the database.

7.4 Delima account requirement

• The Drive integration is restricted to verified Delima Google Workspace accounts (email ending in @moe-dl.edu.my).
• This restriction is enforced at the OAuth callback. If you authenticate with a non-Delima account (such as personal Gmail), we will reject the connection and not store any tokens.
• This ensures your school RPH stays within the official KPM cloud infrastructure (Delima).

7.5 Disconnecting the Drive integration

• You can disconnect at any time via PintarRPH Settings → Google Drive → Disconnect.
• Disconnection revokes our refresh token at Google and clears our stored credentials immediately.
• Files we previously created on your Drive remain in your Drive — they are yours to keep, edit, or delete.
• You can also revoke our access independently via your Google Account: myaccount.google.com/permissions.

7.6 Compliance with Google API Services User Data Policy

PintarRPH's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

8. Data Retention

• Account data is retained for the duration of your active license plus 12 months.
• Anonymized analytics data may be retained indefinitely for service improvement.
• Encrypted Google Drive refresh tokens are deleted immediately upon disconnect.
• You may request deletion of your account and personal data at any time.

9. Your Rights (Under PDPA 2010)

You have the right to:

• Access your personal data held by us.
• Correct inaccurate personal data.
• Withdraw consent for data processing (which may affect Service availability).
• Request deletion of your personal data.

10. Cookies

The web application uses essential session cookies for authentication. We do not use tracking cookies or third-party analytics cookies.

11. Children's Privacy

PintarRPH is designed for educators, not students. We do not knowingly collect data from children under 18. If you believe a minor has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated date. Continued use of the Service constitutes acceptance of the updated policy.

13. Contact

For privacy-related inquiries or to exercise your PDPA rights, contact us at:

• Company: RS Automation Solutions (SSM: 202603043461)
• Email: [email protected]
• Website: pintarrph.com