Privacy Policy
What we collect, what we don't, and your rights.
Last updated: 2026-05-06
This Privacy Policy explains how MyShieldra (“we”, “us”, or “our”) collects, uses, and protects your information when you use the MyShieldra app, website, and related services (the “Service”). MyShieldra is operated from Malaysia. This policy is intended to comply with the Malaysia Personal Data Protection Act 2010, as amended (PDPA), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), where those laws apply.
1. Introduction
MyShieldra is a caller ID and spam reporting app designed to show community reports for unknown numbers while collecting as little personal information as possible. This policy is effective from the date listed at the top and applies to all users of the Service worldwide.
2. Information we collect
We collect only the information necessary to operate the Service:
| Category | Source | Purpose | Retention |
|---|---|---|---|
| Account information, such as email, name, and sign-in provider ID | Your sign-in provider | Create and manage your account, authenticate requests, and provide support | Until account deletion, plus up to 30 days for backups and abuse prevention |
| Device push token | Your device | Send service and phone-list update notifications | While your device is active; inactive tokens are pruned |
| Spam reports or flags you submit, including phone number, category, and optional comment | You | Build and maintain the community spam list shown to users | Retained while useful for the spam list; anonymized on account deletion |
| App integrity verification data | Your device and app integrity provider | Verify that requests come from a genuine app instance and reduce abuse | Processed as needed for verification |
| Server and website logs, such as IP address, request time, basic device/browser metadata, and error data | Your app, browser, and our service providers | Security, debugging, abuse prevention, and reliability | Usually 30 days, unless needed for security investigation |
3. Information we explicitly do NOT collect
The following data is never collected by the Service:
- Call history or call logs. We have no API or capability to read which calls you made or received.
- Caller lookup query subjects. Our caller lookup uses Private Information Retrieval (PIR) cryptography. Our server returns answers without learning which number you queried. This is a mathematical guarantee, not a policy promise.
- Contacts or address book. Never accessed, never uploaded.
- Location data. Never collected.
- Microphone or camera. Never accessed.
- Advertising identifiers (IDFA, etc.). Not used. The Service contains no advertising.
4. How we use your information
We use the information in Section 2 only to:
- Provide and maintain the Service (account, sign-in, push delivery)
- Maintain the community spam list (your reports and flags help other users understand unknown calls)
- Detect and prevent abuse, fraud, and false reports
- Comply with legal obligations
- Communicate with you about service updates when necessary
We do not use your data for advertising, cross-context behavioral advertising, profiling, or sale to third parties.
5. Third-party services
We use trusted service providers to operate the Service:
- Google Firebase for authentication, app integrity checks, and push notifications. See https://firebase.google.com/support/privacy.
- Cloudflare for DNS, CDN, security, and DDoS protection for our website and API endpoints. See https://www.cloudflare.com/privacypolicy/.
- Infrastructure providers for hosting our backend, database, and private caller ID services.
These providers may process personal data only as needed to provide their services to us, such as account sign-in data, device push tokens, app integrity verification data, IP addresses, request metadata, and security logs. We do not allow them to use your personal data for advertising on our behalf.
6. Data sharing and disclosure
We do not sell your personal data, rent it, or share it for cross-context behavioral advertising. We may disclose information only:
- To the third-party processors listed above, strictly to operate the Service
- When required by law or valid legal process
- To protect the rights, property, or safety of MyShieldra, our users, or the public
- In connection with a merger, acquisition, or sale of assets, with notice to you
The community spam list (phone numbers and categories) is shared with all users of the Service by design - that is how the Service works. Reports and labels shown to other users do not reveal the identity of the person who submitted them.
7. Data retention
- Account data: retained until account deletion plus up to 30 days for backup, audit, and abuse-prevention purposes.
- Submitted reports: retained while useful for the community spam list. Upon account deletion, reports are anonymized - your user ID is replaced with NULL. Optional comments may be deleted or stripped from retained reports where reasonably possible.
- FCM tokens: retained while your device is active. Tokens inactive for more than 90 days are automatically pruned.
- Server logs: retained for 30 days, then deleted, unless a longer period is reasonably necessary to investigate abuse, fraud, or security incidents.
8. Your rights
You may exercise the following rights at any time by using in-app controls where available or by emailing support@myshieldra.com:
- Access: request a copy of all data tied to your account.
- Correction: edit your account information via the app or by contacting support.
- Deletion: delete your account through the in-app account deletion flow. This permanently deletes account data and anonymizes your reports.
- Portability: export your account data as JSON.
- Withdraw consent: stop using the Service at any time.
We may need to verify your identity before acting on a request. We respond to requests within 30 days unless a longer period is permitted by applicable law, and we will explain if we cannot fulfill a request because of legal, security, or technical reasons.
9. International data transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States and other locations where Firebase, Cloudflare, or infrastructure providers operate. When we transfer personal data outside Malaysia or another protected jurisdiction, we rely on appropriate safeguards such as contractual protections, standard contractual clauses where applicable, and technical controls that limit access to the data.
10. Children’s privacy
The Service is rated 4+ on the App Store but our Terms of Service require account holders to be at least 13 years old. Users aged 13 to 17 must have parental consent. We do not knowingly collect data from children under 13. If we learn that we have collected such data, we will delete the account and associated information promptly. Parents who believe their child has provided us with personal data may contact us at support@myshieldra.com.
11. Security
We protect your data with industry-standard measures, including:
- TLS encryption for all network traffic
- Firebase App Check to block requests from unverified app instances
- Generic error responses to avoid information disclosure
- Server-side input validation
- Restricted, role-based access to production systems
No system is perfectly secure. If we become aware of a personal data breach that requires notification under applicable law, we will notify the relevant authority and/or affected users as required. If you believe your account has been compromised, contact us immediately.
12. Regional privacy rights
Different privacy laws may give you additional rights depending on where you live. These sections are grouped by region to keep this policy readable. You can exercise any applicable right by contacting support@myshieldra.com. If you are a data subject under the Malaysia Personal Data Protection Act 2010, as amended (PDPA), you may have the right to: If the PDPA requires us to appoint a Data Protection Officer or publish additional contact details for the Service, we will update this policy accordingly. If you are located in the EEA, UK, or Switzerland, you may have rights under GDPR or similar laws, including: Our lawful bases for processing may include consent, performance of a contract to provide the Service, legitimate interests for fraud prevention, security, and Service operation, and legal obligations where we are required to retain or disclose information. If we are required to appoint an EU or UK representative before offering the Service in those markets, we will publish the representative's contact details in this policy. California residents may have rights under the CCPA/CPRA, including the right to: We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We do not intentionally collect sensitive personal information beyond what is necessary to provide and secure the Service. Authorized agents may submit requests where permitted by law, but we may require proof of authorization and identity verification.Malaysia PDPA
EEA, UK, and Switzerland
California
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post any changes on this page and update the “Last updated” date. Material changes will be communicated via the app or by email when feasible. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact us
For any privacy questions, requests, or complaints, contact:
MyShieldra
Operator/controller: MyShieldra, Malaysia
Email: support@myshieldra.com
If you need to send a formal legal or privacy notice by post, contact us by email first so we can provide the appropriate mailing address for your request.