Your privacy is the foundation of our business — not a checkbox. MobileSuites exists to protect users. We collect only what is necessary to deliver protection and we never sell your data.
1. Who We Are
MobileSuites ("MobileSuites", "we", "our", "us") provides mobile threat protection services through MOBILEXEROZ (real-time DNS threat blocking) and MOBILEXTRACT (Android forensic scan and remediation workflow, iOS forensic investigation and guided selective reset assistance).
Contact our Data Protection Officer: privacy@mobilesuites.app
2. Data We Collect
2.1 Data Collected Automatically (Device)
- DNS query metadata — domain names queried, timestamp, threat verdict (blocked/allowed). We do NOT collect the content of web pages you visit.
- Device identifier — an anonymous UUID generated at first install. Not linked to your name, phone number, or NRIC.
- App package names (MOBILEXTRACT only) — scanned against a threat database to detect malicious apps. Not transmitted to any advertising platform.
- FCM token — Firebase Cloud Messaging token for push alerts. Rotates regularly. Not used for marketing.
- State-level location — derived from your SIM provider's network region (e.g., "Selangor"). Not GPS. Not street-level.
2.2 Data You Provide
- Email address — for account creation, receipts, and security alerts.
- Payment information — processed by our payment gateway (Billplz / iPay88). MobileSuites does not store card numbers or bank credentials.
- Phone number — only if provided via a Telco partner integration. Stored in masked form (e.g., 601X-XXX-1234).
2.3 Data We Do NOT Collect
- Content of your web browsing, messages, emails, or calls
- GPS or precise location coordinates
- Photos, contacts, or media
- NRIC, passport, or government ID numbers
- Biometric data
3. How We Use Your Data
- To block malicious DNS requests in real time
- To detect and alert you about malware on your device
- To improve our threat intelligence database (anonymised, aggregated)
- To send you security alerts (not marketing) via push notification or email
- To process payments and maintain subscription records
- To comply with Malaysian law and respond to lawful government requests
4. Telco Partner Data Sharing
If you subscribe via a Telco partner (Maxis, Celcom, Digi, U Mobile, TM, etc.):
- The Telco can see anonymised threat statistics for their subscriber base
- The Telco can see state-level (not GPS) deployment data
- The Telco cannot see your individual browsing activity or DNS queries
- The Telco can send you template-only notifications through our platform (e.g., service status) — they cannot send freeform messages
- The Telco can suspend your protection service if your account is in arrears — you will be notified before suspension
Your data is scoped to YOUR Telco only. No Telco can see data belonging to another operator's subscribers.
5. Data Retention
- DNS block events — 90 days, then aggregated and anonymised
- User override audit log — 12 months (for your protection; proves you made an informed decision)
- Account data — retained while the subscription is active, plus 6 months after cancellation
- Payment records — 7 years (Malaysian tax law requirement)
- Threat intelligence data — anonymised and retained indefinitely to improve protection
6. Your Rights Under PDPA 2010
Under Malaysia's Personal Data Protection Act 2010, you have the right to:
- Access — request a copy of personal data we hold about you
- Correction — request correction of inaccurate data
- Withdrawal of consent — withdraw consent to processing (this will terminate your subscription)
- Prevent processing — for direct marketing purposes (we do not engage in direct marketing)
- Data portability — receive your data in a common machine-readable format
To exercise any right: email privacy@mobilesuites.app. We respond within 21 days.
7. Security Measures
- All data transmitted using TLS 1.3 encryption
- Database encrypted at rest (Supabase / AWS infrastructure)
- API keys stored as one-way SHA-256 hashes — never in plaintext
- Sensitive source files protected with GPG encryption
- Access to production systems restricted to authorised personnel only
- Security audit logs maintained for 12 months
8. Third-Party Services
- Supabase — database hosting (AWS Singapore region — data stays in Southeast Asia)
- Vercel — API hosting (Edge network)
- Firebase (Google) — push notifications only. No analytics, no advertising.
- Billplz / iPay88 — payment processing. PCI-DSS compliant.
We do not use Google Analytics, Facebook Pixel, or any advertising tracking technology.
9. Children's Privacy
Our services are not directed at persons under 18. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us immediately.
10. Changes to This Policy
We will notify you of material changes via the app's push notification system and/or email at least 14 days before changes take effect. Continued use of the service after the effective date constitutes acceptance.
11. Contact
Data Protection Officer: privacy@mobilesuites.app
General enquiries: support@mobilesuites.app