XportStack

Last updated: May 2026

Privacy Policy

How we handle your data, in plain English. No lawyer-speak. Same legal substance.

1. Who we are

Hi. XportStack is built and run by Doluvo Sdn Bhd, a Malaysian company based in Shah Alam, Selangor. If anything in this policy is unclear or you have a question we did not cover, write to privacy@xportstack.com. A real person will reply.

2. What we collect

Here is everything we collect when you use XportStack. Nothing more, nothing hidden.

  • Account data: your name, email, company name, and country. We need this to create your account.
  • Business data: the export data you put into XportStack. Distributor records, product information, quote details, shipment records, certifications. This data belongs to you, not us.
  • Usage data: how you use XportStack. Which pages you visit, which features you use, what actions you take. We use this to figure out what is working and what is broken.
  • Communication data: messages you send us through email or any contact form on the site.
  • Payment data: we never store your card details. Payments are processed by Stripe, our payment provider. We only see and store the transaction record and billing info needed for our accounts.

3. What we do with it

We use the data we collect for four things, and only four:

  • Run the platform: making XportStack actually work for you.
  • Billing and support: invoices, product updates, replies when you write to us.
  • Improve the product: understanding which features help and which fall flat.
  • Comply with Malaysian law: meeting our obligations under the Personal Data Protection Act 2010.

Three things we will never do: sell your data, share your business data with other XportStack customers, or use your business data to train any AI model. These are not just promises. They are clauses in our Terms of Service.

4. Why we are allowed to process your data

Different pieces of data are processed for different reasons. Here is what justifies each one under Malaysian PDPA and GDPR-style frameworks:

  • Contract: we have to process some data to actually deliver the XportStack service you subscribed to.
  • Legitimate interests: we use anonymised usage data to improve the product and protect the platform from abuse.
  • Legal obligation: we process some data because Malaysian law requires us to.
  • Consent: for any marketing emails, we send only with your explicit consent. You can withdraw consent any time, either by clicking unsubscribe in any email or by writing to privacy@xportstack.com.

5. Where your data lives and how we protect it

Your data sits on servers run by Supabase. Everything is encrypted at rest and in transit. Database-level row security makes it architecturally impossible for one XportStack customer to see another customer's data, even by accident.

Our own team does not have routine access to your business data. If we ever need to look at it, we only do so with your permission, and every access is logged with who looked, when, and why.

We hold your data for as long as your account is active. If you cancel your subscription, your data stays accessible for 30 days so you can export everything you need. After that, we permanently delete it on request. You can ask for deletion any time at privacy@xportstack.com.

6. When your data leaves Malaysia

XportStack is operated from Malaysia and most of your data is processed in Malaysia. But some of the services we use to run the platform may process data in other countries. Supabase may store data on servers outside Malaysia. Stripe processes billing data outside Malaysia.

When personal data is transferred outside Malaysia, we make sure appropriate safeguards are in place. This follows the requirements of the Personal Data Protection Act 2010 and the Cross-Border Personal Data Transfer framework introduced by the 2024 PDPA amendments.

If you are an XportStack customer whose distributors or team members are located in the European Union or United Kingdom, please note that personal data about those individuals may be processed through XportStack's infrastructure. As the data controller, you are responsible for making sure your use of XportStack complies with your obligations under the EU GDPR or UK GDPR. Our Data Processing Agreement at xportstack.com/dpa is built to support that compliance.

Questions about cross-border transfers? Write to privacy@xportstack.com.

7. Your rights

Under the Personal Data Protection Act 2010 (and similar rights under GDPR-style frameworks), you have the right to:

  • Access the personal data we hold about you.
  • Correct anything we have wrong.
  • Withdraw consent to marketing communications at any time.
  • Request deletion of your personal data, subject to our legal obligations.

To exercise any of these rights, write to privacy@xportstack.com. We reply within 21 days, usually much sooner.

8. Taking your data with you

Your data belongs to you. Always. You can export everything from your XportStack account in under 60 seconds using the Export All Data button in Settings. The export comes out as CSV, which opens in Excel, Google Sheets, or any spreadsheet tool. This works whether your subscription is active, paused, or cancelled.

9. The services we rely on

XportStack uses these third-party services to run the platform. Each one has its own privacy policy and we have data processing agreements in place with them where required:

  • Supabase for database hosting and authentication.
  • Vercel for application hosting.
  • Stripe for subscription billing.
  • Loops for product and account email.

We do not sell your data to any of them. They process it only to provide their service to us.

10. Cookies

We use only the cookies XportStack needs to work. Mostly that means keeping you logged in. No advertising cookies. No tracking cookies. No third-party analytics that follow you around the web. If we ever add analytics, we will update this page and ask for your consent first.

11. When this policy changes

If we change this policy in any meaningful way, we will email you and update the Last updated date at the top of this page. Small fixes like correcting typos do not count. If you keep using XportStack after a meaningful change, that means you agreed to the new version. If you do not agree, you can cancel your subscription and export your data.

12. Talk to us

Questions about this policy or how we handle your data? Write to privacy@xportstack.com. If our reply does not satisfy you, you have the right to contact the Department of Personal Data Protection Malaysia.