How we handle your data
Kilat (referred to as "we", "us", or "the Service") is operated for the benefit of Malaysian online sellers. This policy explains what data we collect, why, and what your rights are under Malaysia's Personal Data Protection Act 2010 (PDPA).
Last updated: 24 May 2026
1. What we collect
Account information
- Your name, email, and profile photo (received from Google when you sign in)
- Your Google account ID (so we can recognise you on return visits)
Photos you upload
- The original product photos you upload
- The AI-generated images we produce for you
Usage data
- How many photos you've processed (for plan quota tracking)
- Your current subscription plan and payment status
- Approximate technical info (browser type, language) — no precise location, no tracking cookies
2. How we use your data
We use your data only to operate the Service:
- To process your photos — sending them to our AI partners so they can generate the new image
- To remember your account — so you can come back and see your history
- To enforce plan limits — so we know how many photos you've used this month
- To take payment — through our payment processors when you subscribe
We will never sell your data, share it with advertisers, or use your product photos to train AI models.
3. Third parties that handle your data
To deliver the Service, we share specific data with the following processors. Each is bound by its own privacy obligations:
- Google (Firebase Authentication, Firestore, Storage) — stores your account info, photos, and history. Servers in Singapore.
- OpenAI — receives your uploaded photo to identify what it is. OpenAI's policy: they do not train on API data by default.
- Replicate / Black Forest Labs (Flux Kontext) — receives your uploaded photo to generate the new image.
- Netlify — hosts our app and routes traffic.
- Stripe and Billplz (when payments are active) — process your subscription payment. We never see your card number.
4. How long we keep your data
AI-generated photos: auto-deleted after 30 days
Account record: kept until you ask us to delete it
5. Your rights under PDPA 2010
As a Malaysian user (and we extend the same rights to non-Malaysian users), you have the right to:
- Ask what data we hold about you
- Correct any inaccurate data
- Withdraw consent and delete your account
- Object to specific uses of your data
To exercise any right, email support@kilat.studio and we'll respond within 7 days.
6. Children
Kilat is not directed at children under 13. If you become aware that a child has provided us with data, contact us and we will delete it.
7. Cookies and tracking
We use essential storage only — to keep you signed in and remember your language preference. We do not use advertising cookies or tracking pixels.
8. Changes to this policy
If we make material changes, we'll show a notice in the app before the change takes effect. The "Last updated" date at the top will always reflect the latest version.
9. Contact
Email: support@kilat.studio