Legal and compliance
Privacy Policy
Last updated: July 8, 2026
I.S.A.A.C is a CSV analytics application that helps users upload, inspect, edit, visualize, save, and ask questions about their own data. This policy explains what data the app handles, why it is used, and the controls we expect to maintain before public launch. This policy should be reviewed by qualified counsel before a production release.
Data we process
We may process account identifiers, email addresses, organization membership, subscription status, uploaded CSV content, generated analytics, chart metadata, AI prompts, AI answers, API token metadata, usage counts, audit logs, payment receipt metadata, and technical security logs. We process this information to provide the service, enforce plan limits, protect the platform, debug failures, and comply with payment and accounting obligations.
Onboarding and consent data
During first-time setup, we ask about profession, company size, industry, primary CSV goal, and how the user discovered I.S.A.A.C. This helps tune examples, product analytics, support, pricing, and future onboarding. The app records policy acceptance timestamps and policy versions so access is only granted after consent.
Malaysia PDPA-oriented notice
For Malaysia users, personal data should be processed for lawful commercial purposes, limited to what is reasonably necessary, protected with appropriate safeguards, retained only as needed, and made available for access or correction requests where legally required. Users may withdraw consent where applicable, but doing so can limit or end access to features that require processing.
CSV files and saved datasets
Uploaded CSV data is parsed to create dashboards, filters, summaries, editable CSV sheet views, and AI context. Unsaved uploads are handled in the active browser session. Saved workspaces store dataset rows and metadata in the authenticated organization database so users can reload them later. Users should not upload data unless they have permission to process it in I.S.A.A.C and with the configured AI provider.
AI processing
When AI is enabled, a compact summary of the uploaded CSV, selected sample rows, and the user question may be sent to Groq through a server-side API route. API keys are never intentionally exposed to the browser. AI output can be incomplete or incorrect, so users must verify important decisions against the underlying data.
Payments and billing data
Card subscriptions are designed to be processed by Stripe. Local Malaysian one-time monthly access payments are designed to be processed by a gateway such as HitPay. I.S.A.A.C should store payment provider customer IDs, subscription status, invoice IDs, receipt links, amounts, currencies, and status metadata. It should not store raw card numbers, bank passwords, or e-wallet credentials.
Service providers
Production may use Supabase or Neon for database/auth, Groq or another AI provider for language model responses, Stripe for card subscriptions, HitPay or another Malaysian gateway for FPX, DuitNow, and e-wallet payments, analytics/error monitoring providers, email providers, and hosting/CDN providers. The final provider list should be published before public launch and updated when providers change.
Security controls
Server-side secrets are stored in environment variables. Sessions use signed HTTP-only cookies. Protected APIs require authentication or hashed agent API tokens. Security headers, input limits, same-origin checks, payment webhook signature verification, and usage rate limits are part of the current control set.
Retention and deletion
Users can request account and data deletion through the Delete Account page. Production launch still needs a formal retention schedule for saved CSV rows, logs, invoices, backups, and deleted-account records. Payment and tax records may need to be retained for legally required periods.
International transfers
AI, hosting, database, error tracking, and payment providers may process data outside Malaysia depending on the services selected for production. The production operator should publish the final provider list before public launch.
User choices
Users can log out, avoid saving temporary uploads, revoke agent API tokens, export edited CSV files, and request account deletion. Business users should maintain their own backup copies of important CSV files.
Access, correction, deletion, and consent withdrawal
Users should be able to request a copy of account information, correct inaccurate profile details, delete saved datasets, revoke API tokens, request account deletion, or withdraw optional marketing consent. Some billing, tax, security, and fraud-prevention records may need to be retained for lawful business purposes.
Children and restricted users
I.S.A.A.C is intended for business, professional, and authorized educational use. Users who are not allowed to enter contracts or process uploaded data under their local law should not create an account without proper authorization.
Contact
For privacy questions, contact the operator listed on the Support page. Replace placeholder emails with the official company contact before production or app store submission.