The short version
- We collect what's needed to run the platform. Mostly contact info (name, email, phone), workspace data (orgs, products, leads, rewards), and basic usage logs.
- We never sell personal data. Period.
- We share data only with sub-processors that help us deliver the service — Supabase, Vercel, Resend — listed in §5 below.
- You can export, correct, or delete your data at any time from /app/settings/privacy or by emailing privacy@advocatto.com.
- Your customers' data belongs to your workspace, not us. We're a data processor for the leads you upload; you're the controller.
1. Who we are
Advocato (the “Service”) is operated by VIGOR Digital Solution Sdn. Bhd. (“we,” “us,” “our”), a private limited company incorporated in Malaysia. Our principal domain is advocatto.com. The product is marketed as Advocato (single “t”); the domain uses double “t”. Both refer to the same Service.
This Policy explains what personal data we collect, how we use it, who we share it with, and how to exercise your rights under the Personal Data Protection Act 2010 of Malaysia (Act 709) (“PDPA”) and equivalent international regimes (including the EU General Data Protection Regulation where applicable).
2. Controller and processor
Advocato plays two roles depending on the data:
- Controller — for the personal data of account holders (i.e., the user who signs up, their name, email, sign-in metadata, workspace settings, billing details).
- Processor — for personal data that account holders upload into the Service about their leads, referrers, customers, and contacts. In those cases the account holder is the data controller and Advocato processes the data on their instructions to deliver the Service.
Business customers can request a Data Processing Addendum (DPA) by emailing privacy@advocatto.com.
3. What we collect
3.1 Information you give us
- Account info: name, email address, password (stored salted & hashed; we never see the plaintext), profile photo, and the workspace(s) you create or join.
- Workspace content: products and services you list, pipeline stages, referral links, leads and customer contacts you import or capture, deal outcomes, reward configuration, appointment times, and any notes you write.
- Communications: messages you send us via email or in-app support.
3.2 Information collected automatically
- Session data: a single authentication cookie issued by our identity provider (Supabase) — name pattern `sb-<project-ref>-auth-token`, set with `HttpOnly` and `Secure` flags so it's not accessible to JavaScript and only travels over HTTPS.
- Operational logs: IP address, user agent, request paths, status codes, and timestamps — retained for 30 days for security, debugging, and abuse detection.
- Referral telemetry: when a customer opens a referral link (`/r/<code>`) we record an aggregate visit count and the channel / UTM parameters you set on the link. We do not set cross-site trackers, advertising pixels, or third-party analytics.
3.3 We do not collect
- Payment card data — payment processing is not currently offered through the Service.
- Sensitive personal data (health, religion, political, biometric) — please don't upload it.
- Data about children under 16 — see §11.
4. How we use it
We process personal data for these specific, legitimate purposes:
- Service delivery: authentication, running the CRM, attributing referrals to referrers, calculating rewards, sending transactional email (booking confirmations, magic-link sign-in, password resets, lead notifications).
- Security & abuse prevention: rate limiting, detecting account takeover, blocking fraudulent referrals.
- Service improvement: understanding which features are used, fixing bugs. We use aggregate, non-identifying counts.
- Legal compliance: responding to lawful regulator or court requests, enforcing our Terms, defending claims.
- Communications: account notifications and important product changes. Marketing email is opt-in only.
We process under your consent (which you give by signing up), under our contractual obligation to deliver the Service, and under our legitimate interest in keeping the Service safe and improving it.
5. Who we share data with (sub-processors)
We use the following infrastructure providers. Each one processes only the data required to perform their function.
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Supabase Inc. | Postgres database, authentication, file storage, real-time | Singapore (ap-southeast-1) |
| Vercel Inc. | Application hosting and serverless compute | Singapore (sin1), with global CDN edges |
| Resend Inc. | Transactional email delivery | Tokyo (ap-northeast-1), built on AWS SES |
| Google LLC | Internal workspace (email, docs, shared drives) — staff access only | United States & multi-region |
We do not sell, rent, or otherwise share personal data with third parties for their own marketing or advertising.
We may disclose data when legally compelled by a Malaysian or other competent authority, but we will give you notice unless we are legally prohibited from doing so.
6. Cross-border transfers
Personal data is primarily stored and processed in Singapore (Supabase and Vercel) and Japan (Resend). Both jurisdictions maintain data protection regimes considered substantially similar to Malaysia's PDPA. Where data may transit other jurisdictions (e.g., Vercel's global CDN edges) we rely on the consent you provide on sign-up under PDPA s.129 and on standard contractual clauses with the relevant sub-processor where required.
EU/UK customers: we transfer data to Singapore and Japan in reliance on the EU's adequacy decisions for those jurisdictions where applicable, or on the EU Standard Contractual Clauses (Module Two) with our sub-processors.
7. Retention
| Category | Retention |
|---|---|
| Account profile + workspace content | For the life of your account, then 30 days after account deletion (grace period for recovery), then permanently destroyed. |
| Workspace content after workspace deletion | 30 days, then permanently destroyed. |
| Operational logs (IP, user agent, requests) | 30 days. |
| Backups | Encrypted backups overwritten on a rolling 35-day cycle. |
| Tax/accounting records (Malaysia) | 7 years from end of the financial year, per the Income Tax Act 1967. |
| Records of consent & data-subject requests | 3 years after the request closes, for audit defensibility. |
8. Your rights
Under PDPA and equivalent regimes, you have the right to:
- Access the personal data we hold about you. Use Privacy & data → Download my data for an instant JSON export, or email us for a formatted response within 21 days (PDPA s.30(2)).
- Correct or update your data — edit on your profile / settings pages, or email us.
- Delete your account — use Privacy & data → Delete my account. We soft-delete immediately, then permanently destroy after a 30-day grace window.
- Object to or limit certain processing — email privacy@advocatto.com.
- Withdraw consent — at any time, by deleting your account or emailing us.
- Lodge a complaint with the Department of Personal Data Protection (Jabatan Perlindungan Data Peribadi), Malaysia, or your local data-protection authority.
Where you are a data subject whose details a workspace customer has uploaded (e.g., a lead), the controller is that workspace, not Advocato. We will forward your request to them within 7 days. You can also contact us directly and we will assist.
9. How we secure data
- TLS 1.2+ on every connection; HSTS enforced for 6 months.
- Postgres row-level security in addition to application-layer authorization checks.
- Authentication cookies are `HttpOnly`, `Secure`, and `SameSite=Lax`.
- Service-role credentials live only in server-side environment variables, never shipped to the browser.
- Encrypted backups; password storage uses industry-standard salted hashing.
- Production changes ship via reviewed code and an end-to-end smoke test on each release.
No system is perfectly secure. If we detect a personal-data breach materially likely to affect you, we will notify you and, where required, the Malaysian Commissioner within 72 hours of becoming aware.
10. Cookies
We use one functional cookie: sb-<ref>-auth-token, which keeps you signed in. It carries no advertising or tracking purpose. We do not run third-party analytics, advertising, or social-plugin cookies. Because we don't use non-essential cookies, we don't present a consent banner.
11. Children
The Service is intended for use by businesses and adults. We don't knowingly collect personal data from anyone under 16. If you believe a child has provided data to us, email us and we'll delete it.
12. Changes to this policy
We'll update this page when our practices change. The “Last updated” date at the top reflects the latest revision. Material changes will be announced via in-app notification or email at least 14 days before they take effect, so you can choose to stop using the Service if you don't agree.
13. Contact
For privacy questions, data-subject requests, or to receive a DPA, email us at privacy@advocatto.com. Postal correspondence: VIGOR Digital Solution Sdn. Bhd., Malaysia. The registered office address will be added here before paid launch.