01
Introduction
ChatPilot (“we,” “our,” or “us”) operates an AI-powered unified messaging platform that enables businesses to communicate with their customers via WhatsApp, Instagram, Facebook Messenger, TikTok, Telegram, Gmail, and other messaging channels.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in compliance with the Personal Data Protection Act 2010 (PDPA) of Malaysia and its subsidiary regulations. By using our services, you consent to the practices described in this policy.
This policy applies to personal data processed in connection with commercial transactions. It covers:
- Business subscribers and account holders (“you”)
- End users and team members authorised by you
- Your customers whose data is processed through our platform
02
Personal data we collect
Under the PDPA, “personal data” means information that relates, directly or indirectly, to a data subject who is identifiable from that information. We collect the following categories:
Account and identity information
- Name, email address, and password
- Company name, business registration number, and contact details
- Billing information (processed securely through third-party payment processors)
- Messaging platform credentials you connect (WhatsApp Business, Instagram, Facebook Messenger, TikTok, Telegram, Gmail, etc.)
Message and communication data
Our platform processes messages exchanged between you and your customers across all connected channels. This includes:
- Message content and attachments
- Timestamps and delivery status
- Read receipts and message metadata
- Associated contact information (phone numbers, email addresses, social media handles)
- Conversation context and history
Usage and technical data
- Features used, pages visited, and actions taken within the platform
- Time spent in the application
- Device information (browser type, operating system, IP address)
- Log data (access times, errors encountered, performance metrics)
Sensitive personal data
Under the PDPA, “sensitive personal data” includes information relating to physical or mental health, political opinions, religious beliefs, the commission of offences, or other information prescribed by the Minister. We do not intentionally collect sensitive personal data. If any such data is incidentally present in messages processed through our platform, we will handle it with heightened care and will seek your express consent before processing it for any purpose beyond service delivery.
03
Notice & choice
In accordance with the Notice and Choice Principle under the PDPA, we inform you that your personal data is collected and processed for the following purposes:
- Service delivery: To provide, maintain, and improve ChatPilot's features and platform functionality
- AI processing: To power AI assistant features including message routing, automated responses, suggested replies, and analytics
- Customer support: To respond to your inquiries and provide technical assistance
- Security and fraud prevention: To detect, prevent, and address technical issues, unauthorised access, and fraudulent activity
- Analytics and improvements: To understand usage patterns and improve our services
- Billing and administration: To manage your subscription, process payments, and send invoices
- Communications: To send service-related notifications, updates, and — with your consent — marketing communications
- Legal compliance: To comply with applicable laws, regulations, and court orders
You have the right to choose whether to provide your personal data. However, certain data is necessary for the operation of our services. Where data is optional, we will indicate this clearly at the point of collection.
04
Legal basis for processing
We process your personal data on the following legal bases under the PDPA:
- Consent: Where you have given express consent, including for marketing communications and optional features
- Contractual necessity: Where processing is necessary to perform our agreement with you (e.g., service delivery, billing)
- Legal obligation: Where processing is required to comply with Malaysian law or court orders
- Legitimate interests: Where processing is necessary for our legitimate business interests (e.g., fraud prevention, security, platform improvements), provided these do not override your rights and interests
05
Disclosure of personal data
In accordance with the Disclosure Principle under the PDPA, we do not sell your personal data or your customers' personal data to third parties. We disclose data only in the following circumstances:
Service providers and processors
We share data with third-party service providers acting as data processors on our behalf, including:
- Meta (WhatsApp Business API, Instagram & Messenger APIs): For message delivery and platform integration
- TikTok, Telegram, Google: For respective platform integrations
- Cloud infrastructure providers: For secure hosting, storage, and content delivery
- Analytics services: To improve our platform and user experience
- Payment processors: For billing and subscription management
- AI model providers: To power AI-assisted features
All service providers are contractually bound to process data only on our instructions and to maintain appropriate security standards.
Legal requirements
We may disclose personal data when required by Malaysian law, a court order, or a lawful request from a governmental authority, including the Personal Data Protection Commissioner.
Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected parties and ensure the receiving party maintains equivalent data protection standards.
With your consent
We may share data with third parties when you have explicitly authorised us to do so.
06
Data security
In accordance with the Security Principle under the PDPA, we take practical steps to protect your personal data against loss, misuse, modification, unauthorised or accidental access, disclosure, alteration, and destruction. Our security measures include:
- Encryption of data in transit using TLS/HTTPS
- Encryption at rest for stored data
- Regular security audits and vulnerability assessments
- Strict access controls, role-based permissions, and multi-factor authentication
- Staff training on data protection obligations
- Incident response procedures for data breaches
No method of transmission over the Internet is 100% secure. While we implement robust safeguards, we cannot guarantee absolute security. In the event of a personal data breach, we will notify you and the relevant authorities as required under the PDPA.
07
Data retention
In accordance with the Retention Principle under the PDPA, we retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.
- Account data: Retained for the duration of your active subscription and for up to 7 years thereafter for legal and tax compliance purposes
- Message data: Retained according to your account settings, which you can configure, and applicable legal requirements
- Usage and log data: Retained for up to 12 months for security and analytics purposes
- Billing records: Retained for 7 years as required by Malaysian law
Upon account deletion, we will retain only what is legally required for compliance, dispute resolution, and fraud prevention. All other data will be permanently deleted within 30 days of your deletion request.
08
Data integrity
In accordance with the Data Integrity Principle under the PDPA, we take reasonable steps to ensure that the personal data we process is accurate, complete, not misleading, and kept up to date. You are responsible for ensuring the accuracy of the personal data you provide to us. We encourage you to update your account information promptly when changes occur.
09
Your rights under the PDPA
As a data subject under the PDPA, you have the following rights:
- Right of access (Section 30): Request access to the personal data we hold about you, including information about how it is being processed
- Right of correction (Section 34): Request correction of personal data that is inaccurate, incomplete, misleading, or not up to date
- Right to prevent processing causing damage or distress (Section 42): Request that we cease or not begin processing your personal data where such processing is causing or is likely to cause unwarranted damage or distress to you
- Right to prevent processing for direct marketing (Section 43): Opt out of the processing of your personal data for direct marketing purposes at any time
- Right to withdraw consent: Withdraw consent for processing activities based on consent at any time, without affecting the lawfulness of processing before withdrawal
To exercise any of these rights, please contact our Personal Data Officer at hello@runchatpilot.com. We will respond to your request within 21 days. In some cases, we may need to verify your identity before processing your request. We may charge a prescribed fee for access and correction requests as permitted under the PDPA.
We may decline requests where permitted by law (e.g., where complying would prejudice the prevention or detection of crime, or where the data must be retained for legal compliance). We will inform you of any such refusal and the reasons for it.
10
Cross-border data transfers
In accordance with Section 129 of the PDPA, we will not transfer your personal data outside of Malaysia unless the destination country provides a level of data protection substantially similar to that afforded under the PDPA, or unless one of the prescribed exceptions applies (e.g., your consent, contractual necessity, or legal proceedings).
Our services may involve transfers to countries including, but not limited to, the United States (for cloud infrastructure and AI processing), Singapore, and the European Union. Where required, we implement appropriate safeguards such as contractual protections to ensure your data receives adequate protection in these jurisdictions.
11
Cookies & tracking technologies
We use cookies and similar technologies to enhance your experience, analyse usage, and assist in our service operations. Cookies we use include:
- Essential cookies: Required for the platform to function (authentication, session management)
- Analytics cookies: Used to understand how our platform is used and to improve it
- Preference cookies: Used to remember your settings (e.g., theme preferences)
You can control cookie preferences through your browser settings. Note that disabling essential cookies may prevent the service from functioning correctly. For non-essential cookies, we will obtain your consent where required.
12
Children's privacy
ChatPilot is a business-to-business service not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected personal data from a minor, please contact us immediately at hello@runchatpilot.com and we will take prompt steps to delete such data.
13
Third-party links
Our service may contain links to third-party websites or services. We are not responsible for the personal data practices of these external sites. We encourage you to review their privacy policies before providing any personal data.
14
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date, and where required, by direct notification. Your continued use of ChatPilot after the effective date of changes constitutes your acceptance of the updated policy.
15
Personal Data Officer
In accordance with the PDPA, we have designated a Personal Data Officer responsible for ensuring our compliance with the Act. If you have any questions, concerns, or requests regarding this Privacy Policy or our personal data practices, please contact:
If you are not satisfied with how we handle your personal data or your request, you may lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) at www.pdp.gov.my.