Privacy, in plain view.

This policy explains what Kanta collects, why we collect it, and what you can do about it. It applies to the Kanta mobile app and kanta.co. Kanta is operated by Staple Software Solutions (Business Reg. No. 202503317027), a sole proprietorship registered in Malaysia.

We follow the Malaysia Personal Data Protection Act 2010 (PDPA). If you're in the EU or UK, we honour GDPR rights on request even though we're not primarily based there.

Two categories of data, from two kinds of people:

From company administrators (the person who signs up their business):

• Name, email, phone number (optional), password (hashed, never stored in clear text)
• Company name and company code
• Payment information — never touched by us; handled entirely by Xendit

From employees using the app:

• Name, email, phone number, password (hashed)
• Check-in and check-out timestamps
• GPS coordinates only at the moment of check-in or check-out, to verify you're at the office. Never continuously tracked.
• The office location you scanned

• Background location when the app isn't open
• Keystrokes, screenshots, or device activity
• Biometric data
• Your browsing history outside Kanta
• Any data about non-employees

• To run Kanta — logging attendance, showing history, exporting reports
• To bill you — via Xendit, for monthly subscriptions
• To respond to you — when you email support
• To fix bugs — error logs may include email addresses

We do not sell your data. We do not use it to train AI models. We do not share it with advertisers.

Four processors, each with a specific job:

• Supabase — authentication, password storage, and database hosting. Data is stored in their cloud infrastructure.
• Xendit — payment processing for subscriptions. They receive your name, email, and payment method. They never send us raw card numbers.
• Vercel — hosts kanta.co. Access logs (IP address, user agent) are processed by them.
• Railway / our hosting provider — runs our backend servers.

We don't use third-party analytics tools that track users across sites. No Google Analytics, Facebook Pixel, Segment, Intercom — none of that.

Infrastructure for our providers (Supabase, Vercel, etc.) may be hosted outside Malaysia — typically in Singapore, the US, or the EU. By using Kanta, you consent to this cross-border transfer. We only work with providers that commit to industry- standard security practices.

• Active customer: we keep your data as long as your company is using Kanta.
• Cancelled employee (by admin): the employee account is deactivated; attendance records are preserved with the company.
• Deleted company: when an admin deletes their company, all associated data is permanently removed within 24 hours. There is no recovery.
• Billing records: we keep invoice records for 7 years to meet Malaysian tax law requirements, even after company deletion.

Under the PDPA you can:

• Ask what data we have about you (Right of Access)
• Correct incorrect data (Right of Correction)
• Ask us to stop processing it (Right to Withdraw Consent)
• Delete your account — employees from the mobile app, admins via company deletion

Email support@getkanta.app with "PDPA request" in the subject and we'll respond within 21 days.

We use HTTPS everywhere. Passwords are hashed by Supabase using bcrypt. Payment card data never touches our servers — it goes directly from your browser to Xendit. Access to production systems is limited to the two people who operate Kanta.

No system is unhackable. If we learn of a breach that affects your data, we will notify you via email within 72 hours.

Kanta is for workplaces. We don't knowingly collect data from anyone under 16. If you believe a child's data is in our system, email us and we'll remove it.

If we change this policy, we'll update the "last updated" date above and — for material changes — email active account holders. Continued use of Kanta after a change means you accept the new terms.

Privacy questions or PDPA requests: support@getkanta.app

Postal: Staple Software Solutions, Malaysia. Street address on request.