Last updated: 16 July 2026. This policy is issued by ECAVA Sdn. Bhd. (200501009701) ("ECAVA", "we"), the operator of the Bilvx platform ("the Service").
What we collect
The Service stores the data you enter to run e-Invoicing and accounting for your companies:
Account data — your name, email address and, where you set one, a password (never stored in readable form). Google sign-in shares your Google account identifier and email with us.
Business data — company profiles (including tax identification numbers), customers, suppliers, invoices, bills, payments, journal entries and reports you create.
Captured documents — images or PDFs you upload to AI Document Capture, together with the values extracted from them and your confirmations or corrections.
Operational records — records of submissions to LHDN, of emails the Service sends you, and of AI capture usage.
Cookies — a single session cookie that keeps you signed in. The Service sets no advertising or cross-site tracking cookies.
Who your data is shared with
We do not sell personal data. The Service transmits data to third parties only to do what you asked it to do:
LHDN (Lembaga Hasil Dalam Negeri Malaysia) — invoice data you submit is transmitted to the MyInvois system as required for e-Invoicing.
An AI extraction service — when you upload a document to AI Document Capture, the document is sent to an AI service so it can be read.
An email delivery service — transactional emails (such as verification and password-set messages) are delivered through a mail provider.
Retention
Invoices, accounting records and their audit trails are kept while your account is active. The Service is not a backup or archival system: this section describes our practice, not a guarantee against loss — keep your own copies of the records the law requires you to keep (see the Terms of Service).
Captured document originals may be removed beyond your plan's retained-document limit; that removal does not extend to the document's details, extracted values or your confirmations.
Operational records are working data and are cleared periodically.
Your rights (Personal Data Protection Act 2010)
Under the Malaysian Personal Data Protection Act 2010 you may request access to, and correction of, personal data the Service holds about you. Most business data is directly viewable and editable in the application; for anything else, or to request account deletion, contact us at the support address published on the Service. Requests must be made in writing and we will verify your identity before providing any data; the Act permits a prescribed fee for access requests, which may be charged; and requests the Act allows to be refused — including those that are repeated or substantially similar to one recently dealt with, or that would require disproportionate effort — may be refused. We will respond within the timeframes the Act requires.
Security
Your data is kept separate per company, and what you can see and do is governed by your role. Sessions expire after inactivity. No system is perfectly secure; if you suspect a problem with your account, report it to us immediately.
Changes to this policy
We may update this policy as the Service evolves. The "Last updated" date above changes when we do, and material changes will be announced in the application.