Privacy Notice
Last updated: 13 June 2026
This Privacy Notice explains how BCISM Sdn Bhd (Company No. 1333873-P) (“Caprix”, “we”, “us”, or “our”) collects, uses, discloses, stores, and protects your personal data when you access or use the Caprix website, applications, and services (collectively, the “Service”). We are committed to handling your personal data in accordance with the Malaysian Personal Data Protection Act 2010 (“PDPA”) and, where applicable, other data protection laws including the EU/UK General Data Protection Regulation (“GDPR”).
By using the Service, you acknowledge that you have read and understood this Notice. Please read it together with our Terms of Use.
1. Who we are
The Service is operated by BCISM Sdn Bhd (Company No. 1333873-P), a company incorporated in Malaysia with its registered address at:
No. 64 & 66, Level 1, Bangunan Juruukur,
Jalan 52/4, 46200 Petaling Jaya,
Selangor, Malaysia.
We act as the data controller (or “data user” under the PDPA) of your personal data. For all privacy-related enquiries, you can reach us at support@caprix.bcism.org.my.
2. Scope of this notice
This Notice applies to personal data we process about visitors, registered users, and customers of the Service. It does not apply to third-party websites, products, or services that we do not own or control, even where they are linked from the Service.
3. Personal data we collect
(a) Information you provide to us
- Account data — your name, email address, and password. Passwords are managed by our authentication provider in hashed form; we do not have access to your plaintext password.
- Profile & subscription data — your selected plan, subscription status, and credit balance.
- Payment data — when you purchase a subscription or credits, payments are processed by Stripe. We do not collect or store your full card number; we receive limited billing details and transaction metadata (e.g. amount, currency, status, customer/subscription identifiers).
- User content — the prompts, questions, project details, quantities, pricing, Bill of Quantities (BOQ) entries, and other information you input into the Service.
- Communications — information you provide when you contact us for support or otherwise correspond with us.
(b) Information we collect automatically
- Usage data — chat sessions and messages, credits consumed, features used, and timestamps.
- Device & technical data — IP address, browser type, device and operating system information, and log data such as access times and error logs.
- Local storage — limited data stored in your browser (see Section 4).
(c) Information from third parties
- Our payment processor (Stripe) provides us with the transaction status and identifiers needed to activate your plan or credits.
- Our authentication and infrastructure providers process sign-in events on our behalf.
5. How we use your data
We process personal data to:
- create and manage your account and authenticate you;
- provide, operate, and maintain the Service, including generating AI responses, estimates, and BOQ documents;
- process payments, manage subscriptions, allocate and reset credits, and prevent duplicate or fraudulent transactions;
- send transactional and service emails (e.g. welcome, payment receipts, payment-failure and cancellation notices, low-credit warnings, and account/security notifications);
- provide customer support and respond to your enquiries;
- maintain the security, integrity, and reliability of the Service, and detect, prevent, and address abuse, fraud, or technical issues;
- improve and develop the Service, including troubleshooting and analytics on an aggregated basis;
- comply with legal and regulatory obligations and enforce our Terms.
We send transactional emails because they are necessary to provide the Service. We will only send non-essential or marketing communications where permitted, and you may opt out of those at any time.
6. Legal basis for processing
Under the PDPA, we process your personal data on the basis of your consent and as necessary for the performance of a contract with you (the provision of the Service). Where the GDPR applies to you, we rely on one or more of the following legal bases: (i) performance of a contract; (ii) our legitimate interests in operating, securing, and improving the Service, provided these are not overridden by your rights; (iii) your consent; and (iv) compliance with a legal obligation.
7. AI processing of your content
The Service uses third-party large language model (AI) providers to generate responses. When you submit a prompt or content, the relevant input is transmitted to our AI provider (currently Anthropic, which provides the Claude models) for the sole purpose of generating a response back to you. Such input may be processed on servers located outside Malaysia (see Section 9).
We do not sell your content, and we do not use your content to train our own models. Our AI provider processes the data as our service provider under its applicable terms. Please do not submit sensitive personal data, confidential third-party information, or anything you are not authorised to share through the Service.
8. Disclosure & third-party service providers
We do not sell your personal data. We disclose personal data only to the following categories of recipients, who process it on our behalf or as required:
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Database, authentication, and backend hosting | Account, profile, subscription, credits, and user content |
| Stripe | Payment processing & subscription billing | Billing details, transaction and customer identifiers |
| Anthropic (Claude) | AI generation of responses | The prompts/content you submit |
| Web & email hosting (cPanel host) | Website hosting and outbound email delivery | Server logs, email address, message content |
We may also disclose personal data: (i) to comply with applicable law, regulation, legal process, or a lawful governmental request; (ii) to enforce our Terms or protect the rights, property, or safety of Caprix, our users, or others; and (iii) in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honour this Notice.
9. International data transfers
Some of our service providers store or process data on servers located outside Malaysia. Where we transfer personal data across borders, we take reasonable steps to ensure it receives an adequate level of protection, including through the contractual and security commitments of our providers. By using the Service, you consent to such transfers where consent is the applicable basis.
10. Data retention
We retain personal data for as long as your account is active or as needed to provide the Service, and thereafter only as necessary to: comply with our legal obligations (such as tax and accounting requirements), resolve disputes, prevent fraud and abuse, and enforce our agreements. When data is no longer required, we will delete or anonymise it. You may request deletion of your account as described in Section 12.
11. Security
We implement reasonable technical and organisational measures designed to protect personal data, including encryption in transit (HTTPS), access controls, row-level security on our database, and restricted handling of secrets and credentials. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying us promptly of any unauthorised use.
12. Your rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- correct or update inaccurate or incomplete data;
- withdraw consent to processing (this may limit your ability to use the Service);
- limit or object to the processing of your data in certain circumstances;
- request deletion of your account and associated personal data; and
- where the GDPR applies, request data portability and lodge a complaint with a supervisory authority.
To exercise any of these rights, email us at support@caprix.bcism.org.my. We may need to verify your identity before responding, and we will respond within the timeframes required by applicable law. Some data may be retained where we have a legal basis or obligation to do so.
13. Children
The Service is intended for users who are at least 18 years old and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.
14. Third-party links
The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies before providing them with any personal data.
15. Changes to this notice
We may update this Notice from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will revise the “Last updated” date above and, where changes are material, we may provide additional notice. Your continued use of the Service after the changes take effect constitutes your acknowledgement of the updated Notice.
16. Contact & complaints
If you have questions, requests, or complaints regarding this Notice or our handling of your personal data, please contact:
BCISM Sdn Bhd (Company No. 1333873-P)
No. 64 & 66, Level 1, Bangunan Juruukur, Jalan 52/4, 46200 Petaling Jaya, Selangor, Malaysia
Email: support@caprix.bcism.org.my
If you are not satisfied with our response, you may lodge a complaint with the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi) of Malaysia, or, where applicable, with your local data protection supervisory authority.