Data Policy

1. Overview

Efficlog collects only the data necessary to provide our internship logbook service. We operate with a minimal data footprint — we do not track your behaviour outside the app, build advertising profiles, or sell data to any party.

Our primary data storage is in Malaysia and Singapore (cloud infrastructure). Some data is processed by third-party services based in the United States, as described in the Cross-Border Transfers section below.

2. Data Storage

Your data is stored across the following systems:

System	Data Stored	Purpose
Primary Database (MySQL)	User accounts, profiles, log entries, supervisor relationships, subscriptions, audit logs	Core application data
Cache (Redis)	Session tokens, rate limit counters, temporary AI analysis results, OTP codes	Performance and security
File Storage	Images attached to log entries	Log image hosting
Apple App Store / Google Play	Subscription status, billing history (via RevenueCat)	Payment processing

All databases are encrypted at rest. Cached data (Redis) is volatile and not persistently stored beyond its TTL (time-to-live) — OTP codes expire in 15 minutes, session data in hours.

3. Data Retention Periods

We retain your data only for as long as necessary:

Data Type	Retention Period	Reason
Account & profile data	Until account deletion	Required to provide service
Log entries & images	Until deleted by user or account deletion	User-controlled content
AI analysis results	Until associated log is deleted or account deleted	Linked to log entries
Security audit logs	90 days	Fraud detection and security monitoring
OTP codes	15 minutes	Authentication security
Access tokens (JWT)	15 minutes	Session security
Refresh tokens	7 days	Session continuity
Payment & billing records	7 years	Malaysian financial regulation requirement
Exported PDF files (cached)	1 hour (server cache only)	Performance optimisation

4. Security Measures

We implement multiple layers of security to protect your data:

• Encryption in transit — all communication between the app and our servers uses HTTPS/TLS
• Encryption at rest — database and file storage are encrypted at rest
• No password storage — we use OTP-only authentication; your password is never stored
• Short-lived tokens — access tokens expire in 15 minutes to limit exposure from token theft
• Rate limiting — OTP requests limited to 5 per 15 minutes; login attempts limited to 10 per hour per IP to prevent brute force
• Image validation — uploaded images are validated by MIME type and file signature (magic bytes) to prevent malicious uploads
• Filename sanitisation — filenames are sanitised to prevent path traversal attacks
• Security headers — HSTS, Content Security Policy, X-Frame-Options, and other headers are enforced
• Audit logging — all authentication events are logged with risk scoring for anomaly detection

5. Cross-Border Data Transfers

Efficlog is a Malaysian product and we store primary data in Southeast Asia. However, some data is processed by services with servers in other countries:

Service	Country	Data Transferred	Safeguard
Google Gemini	United States	Log entry text (for AI analysis only)	Google Cloud Data Processing Agreement
RevenueCat	United States	Subscription status, billing events	RevenueCat Data Processing Agreement

These transfers are made only where necessary to provide the features you request. Both Google and Stripe are certified under internationally recognised security and privacy frameworks. By using AI analysis or Pro subscription features, you consent to these transfers.

6. AI Data Processing

When you request an AI log analysis or readiness assessment, the text content of your log entry is sent to Google Gemini for processing. We want to be transparent about how this works:

• Only the text content of your log is sent — not your name, student ID, or other personal identifiers
• AI processing happens on-demand — we do not continuously stream your data to AI services
• Analysis results are cached in our database using a content hash — if you request analysis again for unchanged content, we return the cached result without calling the AI service again
• Google's data processing terms apply to content processed through Gemini — we recommend reviewing Google's privacy terms if you have concerns
• You can opt out of AI features entirely by simply not using them — log creation, submission, and PDF export work without any AI processing

7. Data Deletion

You can delete your data in two ways:

To request data deletion without deleting your account, or if you are unable to access the app, email hello@efficlog.com with the subject "Data Deletion Request". We will process your request within 30 days.

8. Data Breach Response

In the unlikely event of a data breach that affects your personal data, we will:

• Investigate and contain the breach within 24 hours of discovery
• Notify affected users via email within 72 hours
• Report to the Personal Data Protection Commissioner Malaysia as required by the PDPA
• Provide clear information about what data was affected and steps you can take

9. Your Data Controls

You have direct control over your data within the app:

• Edit profile — update your name, university, department, and internship dates at any time
• Delete logs — permanently delete any log entry and its associated images
• Manage notifications — control which notifications you receive in Settings
• Export your data — export your logs as PDF at any time
• Delete account — permanently remove your account and all data from Settings

For data requests not covered by in-app controls (e.g. a machine-readable copy of all your data), contact us at hello@efficlog.com.

10. Contact Us

For any data-related questions, access requests, or concerns:

• Email: hello@efficlog.com
• Subject line: "Data Request — [your registered email]"
• Company: Efficlog Technology
• Country: Malaysia

We aim to respond to all data requests within 5 business days, and to complete them within 30 days as required by the PDPA.