KerjaPay is a simple, affordable payroll and HR software for SMEs in Singapore, Malaysia, Indonesia, the Philippines, and Thailand. It auto-calculates CPF, EPF, SOCSO, BPJS, SSS, and PhilHealth contributions from one dashboard.

How much does KerjaPay cost?

KerjaPay starts at SGD $8/month for up to 10 employees. Growth plan is SGD $16/month for 11-50 employees, and Enterprise is SGD $28/month for 51-200 employees. All plans include a 14-day free trial with no credit card required.

Does KerjaPay handle CPF calculations for Singapore?

Yes, KerjaPay automatically calculates CPF contributions (Ordinary, Special & Medisave accounts with age-based rates), SDL, SHG funds (CDAC, MBMF, SINDA, ECF), Foreign Worker Levy, and generates IRAS tax filing documents (IR8A, IR8S, Appendix 8A/8B).

Does KerjaPay handle EPF and SOCSO for Malaysia?

Yes, KerjaPay automatically calculates EPF, SOCSO, EIS, and PCB contributions for Malaysian employees. All statutory rates are auto-updated when regulations change.

Privacy Policy — KerjaPay

1. Introduction

KerjaPay (“KerjaPay”, “we”, “us”, or “our”) is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, store, and protect personal data in connection with our payroll and human resource management platform (the “Service”), accessible at kerja.nanocorp.app, including our website, SaaS applications, APIs, and mobile applications.

This policy applies to all individuals whose personal data we process, including our customers (“Customers”), their employees whose data is processed through the Service (“Employee Data Subjects”), website visitors, and prospective customers.

By using our Service, you consent to the collection, use, and disclosure of personal data as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.

2. Regulatory Framework

KerjaPay operates across multiple jurisdictions in Southeast Asia. We comply with the following data protection laws:

2.1 Singapore — Personal Data Protection Act 2012 (PDPA)

The Singapore PDPA is our primary governing framework. We adhere to all data protection obligations set out in the PDPA, including the nine main data protection obligations: Consent, Purpose Limitation, Notification, Access and Correction, Accuracy, Protection, Retention Limitation, Transfer Limitation, and Data Breach Notification obligations. We are registered with the Personal Data Protection Commission (PDPC) as required.

2.2 Malaysia — Personal Data Protection Act 2010 (PDPA)

For personal data processed in connection with our Malaysian operations, we comply with the Malaysian PDPA (Act 709), including the seven data protection principles: General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle, and Access Principle.

2.3 Indonesia — Undang-Undang Perlindungan Data Pribadi (UU PDP, Law 27 of 2022)

For personal data processed in connection with our planned Indonesian operations, we will comply with Indonesia's UU PDP, including the rights of data subjects, lawful bases for processing, cross-border transfer requirements, and data breach notification obligations as stipulated in the law.

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Customer Account Data

When you register for an Account and use the Service, we collect:

Full name and job title;
Business email address and phone number;
Company name, registration number, and business address;
Billing information and payment details (processed by Stripe; we do not store full payment card numbers);
Account credentials (passwords are hashed and never stored in plaintext); and
Communication preferences.

3.2 Employee Data (Processed on Behalf of Customers)

When Customers use our payroll and HRMS features, they may submit the following categories of employee personal data. KerjaPay acts as a data intermediary (under Singapore PDPA) or data processor for this data:

Identity Information: Full name, National Registration Identity Card (NRIC) number or FIN (Singapore), MyKad/MyPR number (Malaysia), NIK (Indonesia), date of birth, nationality, gender, and marital status;
Employment Information: Employee ID, job title, department, employment start/end dates, employment type (full-time, part-time, contract), work permit details, and reporting structure;
Compensation Data: Basic salary, allowances, bonuses, deductions, overtime, and historical payroll records;
Statutory Contribution Data: CPF contribution details (Singapore), EPF/SOCSO/EIS contribution details (Malaysia), BPJS details (Indonesia), tax identification numbers, and tax filing information;
Banking Information: Bank name, account number, and branch code for salary disbursement;
Leave Records: Leave balances, leave applications, medical certificates, and attendance records; and
Contact Information: Personal email address, phone number, residential address, and emergency contact details.

3.3 Website Usage Data

When you visit our website, we automatically collect:

IP address and approximate geographic location;
Browser type, version, and language;
Device type, operating system, and screen resolution;
Pages visited, time spent on pages, and navigation paths;
Referring URL; and
Cookies and similar tracking technologies (see Section 11).

3.4 Communications Data

When you contact us for support or inquiries, we collect the content of your communications, including emails, chat messages, and feedback submitted through our platform.

4. Purposes of Processing

In accordance with the Purpose Limitation Obligation under the Singapore PDPA (Section 18), we collect, use, and disclose personal data only for the following purposes:

4.1 Service Delivery

Processing payroll calculations and generating payslips;
Calculating and reporting statutory contributions (CPF, SDL, EPF, SOCSO, EIS, PCB, BPJS, PPh 21);
Managing leave applications and attendance records;
Maintaining employee databases and HR records;
Generating compliance reports and analytics;
Providing the employee self-service portal; and
Processing payments and managing subscriptions.

4.2 Service Improvement

Analysing usage patterns to improve features and user experience;
Conducting internal research and development;
Debugging and troubleshooting technical issues; and
Generating aggregated, anonymised analytics (which do not constitute personal data).

4.3 Communication

Sending service-related notifications (e.g., payroll processing confirmations, system alerts);
Responding to support requests and inquiries;
Sending product updates and feature announcements; and
Marketing communications (only with your express consent; you may opt out at any time).

4.4 Legal and Regulatory Compliance

Complying with applicable laws, regulations, and government requests;
Enforcing our Terms of Service;
Preventing fraud, security threats, and illegal activities; and
Responding to legal processes (e.g., court orders, subpoenas).

5. Consent

5.1 Customer Consent

By creating an Account and using the Service, you provide your consent to the collection, use, and disclosure of your personal data as described in this Privacy Policy. In accordance with Section 14 of the Singapore PDPA, we will notify you of the purposes for which your data is collected at or before the time of collection.

5.2 Employee Consent

As a Customer, you are the data controller (or “organisation” under the PDPA) with respect to your employees' personal data. You are responsible for:

Obtaining valid consent from your employees before submitting their personal data to the Service, in accordance with Sections 13 and 14 of the Singapore PDPA;
Informing your employees of the purposes for which their personal data will be collected, used, and disclosed through the Service;
Providing your employees with access to this Privacy Policy; and
Complying with all applicable data protection laws in relation to your employees' personal data.

5.3 Withdrawal of Consent

You may withdraw your consent for the collection, use, or disclosure of your personal data at any time by contacting us at privacy@kerja.nanocorp.app. Please note that withdrawal of consent may affect our ability to provide the Service to you. We will inform you of the likely consequences of withdrawing consent before processing your request, as required by Section 16 of the Singapore PDPA.

Under the Malaysian PDPA, you may exercise your right to withdraw consent under the Notice and Choice Principle (Section 7). Under Indonesia's UU PDP, withdrawal of consent is a right of the data subject under Article 8.

6. Disclosure of Personal Data

We may disclose your personal data to the following categories of recipients:

6.1 Service Providers

We engage trusted third-party service providers who process personal data on our behalf, including:

Cloud Infrastructure: Vercel and PostgreSQL hosting providers for application hosting and data storage;
Payment Processing: Stripe for processing subscription payments (Stripe's privacy policy applies to payment data);
Analytics: Website analytics providers for understanding usage patterns; and
Communication: Email service providers for sending transactional and marketing communications.

All service providers are contractually bound to process personal data only for the purposes specified by us and to implement appropriate security measures.

6.2 Statutory Authorities

In the course of providing payroll services, we may be required to process or generate data for submission to statutory authorities, including the Central Provident Fund Board (CPF Board), Inland Revenue Authority of Singapore (IRAS), Employees Provident Fund (EPF/KWSP), Social Security Organisation (SOCSO/PERKESO), and equivalent bodies in other jurisdictions. Such disclosures are made by the Customer through the Service, and KerjaPay acts as a facilitator in generating the required reports.

6.3 Legal Requirements

We may disclose personal data where required by law, regulation, legal process, or governmental request, including to comply with a court order, subpoena, or direction from the Personal Data Protection Commission (PDPC) of Singapore or equivalent authorities.

6.4 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to the successor entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

7. Cross-Border Transfer of Personal Data

As a multi-country payroll platform, personal data may be transferred across national borders. We ensure that all cross-border transfers comply with the applicable data protection laws:

7.1 Singapore PDPA — Transfer Limitation Obligation

In accordance with Section 26 of the Singapore PDPA, we will not transfer personal data outside of Singapore unless we have taken appropriate steps to ensure that the recipient provides a standard of protection comparable to the PDPA. Such steps include:

Entering into legally binding agreements with recipients that provide a comparable standard of protection;
Ensuring the recipient is subject to enforceable data protection laws or binding corporate rules that provide comparable protection; or
Obtaining your consent to the transfer after informing you that the recipient may not provide an equivalent level of protection.

7.2 Malaysia PDPA — Cross-Border Transfer

Under the Malaysian PDPA (Section 129), personal data shall not be transferred outside Malaysia unless to a country specified by the Minister or where the data subject has given consent. We comply with these requirements for all Malaysian data.

7.3 Indonesia UU PDP — International Transfer

Under Indonesia's UU PDP (Article 56), cross-border transfers of personal data are permitted where the receiving country provides an equivalent level of data protection, there are adequate and binding safeguards, or the data subject has given explicit consent. We will comply with these requirements for all Indonesian data.

8. Data Retention

In accordance with the Retention Limitation Obligation under Section 25 of the Singapore PDPA, we retain personal data only for as long as it is necessary to fulfil the purposes for which it was collected or as required by applicable laws and regulations.

8.1 Retention Periods

Data Category	Retention Period	Basis
Customer Account Data	Duration of Account + 1 year	Contractual necessity; post-termination transition
Payroll Records	Duration of Account + 5 years	Singapore Employment Act (Section 95A) — employers must retain records for at least 2 years; tax filing requirements of up to 5 years
Statutory Contribution Records	Duration of Account + 7 years	CPF Act; IRAS requirements; EPF Act 1991 (Malaysia)
Employee Personal Data	Duration of Account + 2 years	Employment-related legal obligations; limitation period for employment claims
Website Usage Data	13 months	Analytics purposes
Support Communications	Duration of Account + 1 year	Service improvement and dispute resolution

8.2 Deletion

Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised such that it can no longer be associated with an identified or identifiable individual. Data stored in backups will be overwritten in accordance with our backup rotation schedule (no longer than 90 days after deletion from production systems).

9. Data Security

In accordance with the Protection Obligation under Section 24 of the Singapore PDPA and the Security Principle under the Malaysian PDPA (Section 9), we implement reasonable security arrangements to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

9.1 Technical Measures

Encryption in Transit: All data transmitted between your browser/application and our servers is encrypted using TLS 1.2 or higher;
Encryption at Rest: Personal data is encrypted at rest using AES-256 encryption;
Access Controls: Role-based access controls (RBAC) ensure that only authorised personnel can access personal data;
Authentication: Multi-factor authentication (MFA) is supported for Account access;
Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning; and
Secure Infrastructure: Our Service is hosted on enterprise-grade cloud infrastructure with SOC 2 compliance.

9.2 Organisational Measures

Staff training on data protection and security practices;
Data protection impact assessments for new features and processes;
Incident response procedures for data breaches;
Regular security audits and penetration testing; and
Contractual obligations on service providers to maintain appropriate security.

10. Your Rights

10.1 Rights Under Singapore PDPA

Under the Singapore PDPA, you have the right to:

Access (Section 21): Request access to your personal data held by us and information about how it has been used or disclosed in the past year;
Correction (Section 22): Request correction of any error or omission in your personal data;
Withdrawal of Consent (Section 16): Withdraw consent for the collection, use, or disclosure of your personal data;
Data Portability (Section 26H): Request that your personal data be transmitted to another organisation in a commonly used machine-readable format, where applicable; and
Do Not Call (DNC): If your Singapore telephone number is registered on the DNC Registry, we will not send marketing messages to that number unless you have given us clear and unambiguous consent.

10.2 Rights Under Malaysia PDPA

Under the Malaysian PDPA, you have the right to:

Access your personal data (Access Principle, Section 12);
Request correction of inaccurate personal data (Section 34);
Withdraw consent (Notice and Choice Principle, Section 7);
Prevent processing likely to cause damage or distress; and
Make a complaint to the Commissioner (Department of Personal Data Protection).

10.3 Rights Under Indonesia UU PDP

Under Indonesia's UU PDP, you have the right to:

Be informed about the processing of your personal data (Article 5);
Access your personal data (Article 6);
Request correction, updating, or supplementation of inaccurate data (Article 7);
Withdraw consent (Article 8);
Request deletion of personal data (Article 9);
Object to automated decision-making (Article 10);
Restrict or suspend the processing of personal data (Article 11); and
Data portability — receive personal data in a commonly used format (Article 13).

10.4 Exercising Your Rights

To exercise any of the above rights, please contact our Data Protection Officer at privacy@kerja.nanocorp.app. We will respond to your request within 30 days, as required by the Singapore PDPA. A reasonable fee may be charged for manifestly unfounded or excessive requests (in accordance with Section 28 of the Singapore PDPA).

If you are an Employee Data Subject and wish to exercise your rights, please first contact your employer (our Customer). If your employer is unable to assist, you may contact us directly.

11. Cookies and Tracking Technologies

We use the following types of cookies and tracking technologies:

Type	Purpose	Duration
Strictly Necessary	Authentication, security, session management. Required for the Service to function.	Session / up to 30 days
Analytics	Understanding how visitors interact with our website, including page views and navigation patterns.	Up to 13 months
Functional	Remembering user preferences such as language and region settings.	Up to 12 months

We do not use advertising or third-party tracking cookies. You can manage cookie preferences through your browser settings. Please note that disabling strictly necessary cookies may impair the functionality of the Service.

12. Data Breach Notification

12.1 Singapore PDPA — Notifiable Data Breaches

In accordance with Part VIA of the Singapore PDPA (Sections 26A–26E), in the event of a data breach that is likely to result in significant harm to affected individuals, or is of a significant scale (affecting 500 or more individuals), we will:

Notify the Personal Data Protection Commission (PDPC) within 3 calendar days of assessing that the breach is notifiable;
Notify affected individuals as soon as practicable; and
Take reasonable steps to mitigate the effects of the breach.

12.2 Malaysia and Indonesia

For data breaches affecting personal data subject to the Malaysian PDPA, we will notify the Commissioner and affected data subjects in accordance with applicable regulations. For data subject to Indonesia's UU PDP, we will notify the supervisory authority and data subjects within 3 x 24 hours of becoming aware of a data breach, as required by Article 46 of the UU PDP.

12.3 Customer Notification

We will notify affected Customers of any data breach involving their Customer Data without undue delay, providing details of the nature of the breach, the data affected, the measures taken to address the breach, and recommended actions for the Customer.

13. Children's Data

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without parental consent, we will take steps to delete such data promptly.

14. Do Not Call Registry (Singapore)

In compliance with the Do Not Call (DNC) provisions of the Singapore PDPA (Part IX), we will not send marketing messages (including voice calls, text messages, or fax messages) to Singapore telephone numbers registered on the DNC Registry unless you have given us clear and unambiguous consent to do so. You may register your number on the DNC Registry at www.dnc.gov.sg.

15. Data Protection Officer

In accordance with the Singapore PDPA Accountability obligation, we have appointed a Data Protection Officer (DPO) responsible for ensuring our compliance with data protection laws. You may contact our DPO for any inquiries or concerns regarding the processing of your personal data:

Data Protection Officer
KerjaPay
Email: privacy@kerja.nanocorp.app

16. Third-Party Links

Our website and Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you interact with.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will provide notice of material changes at least 30 days before they take effect through email notification or prominent notice within the Service. The “Last Updated” date at the top of this policy indicates when the most recent revisions were made.

Your continued use of the Service after the effective date of any modifications constitutes your acknowledgement and acceptance of the updated Privacy Policy.

18. Complaints

If you are dissatisfied with the way we handle your personal data, you may first contact our Data Protection Officer at privacy@kerja.nanocorp.app. We will investigate and respond to your complaint within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority:

Singapore: Personal Data Protection Commission (PDPC) — www.pdpc.gov.sg
Malaysia: Department of Personal Data Protection (JPDP) — www.pdp.gov.my
Indonesia: The supervisory authority as established under the UU PDP

19. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

KerjaPay
General Inquiries: kerja@nanocorp.app
Data Protection Officer: privacy@kerja.nanocorp.app
Website: kerja.nanocorp.app