Legal
Privacy Policy
Last updated: 14 July 2026
1. Who we are & scope
This Privacy Policy applies to ezychat.io ("we", "us", "ezychat"), a customer engagement and AI-powered omnichannel messaging platform. This policy explains how we collect, use, disclose, and safeguard your personal data in accordance with the Malaysian Personal Data Protection Act 2010 (as amended by the Personal Data Protection (Amendment) Act 2024) and the Singapore Personal Data Protection Act 2012 (as amended 2020), and other applicable laws.
This policy covers our marketing website (available at ezychat.io and its subdomains) and the ezychat platform, which allows organisations to manage customer conversations, route messages through AI, and maintain contact records across multiple communication channels (WhatsApp, Instagram, Messenger, email, web chat). It became effective on 14 July 2026 and governs all personal data we collect and process from that date forward.
If you are a customer's end user (e.g., a contact or customer messaging a business on WhatsApp via the ezychat platform), please know that the organisation you are messaging is the primary data controller for your conversations. They have instructed us to process your data as a processor. We encourage you to review their privacy policy and contact them directly with privacy questions about your relationship with them.
2. Our two roles
We operate in two distinct roles under data protection law, with different responsibilities for each:
| Role | Data & scope | Our obligation |
|---|---|---|
| Data Controller | Your account information (name, email, organisation, billing data) if you sign up as an agent/admin on our platform | We decide how and why we process your data, and we are directly responsible to you for your privacy rights |
| Data Processor | Conversations, contact details, and end-user messages processed on behalf of our customers (the organisations using ezychat) | We process data only as instructed by our customers; we provide them with technical and legal assistance to support their compliance; we do not sell or use this data for our own purposes |
If you are contacting a business via our platform and have questions about your personal data, please reach out to that organisation first — they control your data and can respond most quickly. We are happy to assist them with your requests; contact us at support@ezychat.io.
3. Data we collect
The personal data we collect depends on how you interact with us:
Site visitors: When you browse our marketing website, we collect minimal data. Google Analytics 4 (via Partytown, a privacy-focused loader) gathers aggregated, anonymised usage data (pages visited, session duration, device type). We also store a theme preference in your browser's local storage to remember your dark/light mode choice. Our contact form does not store your message — it submits directly to your email client via a mailto link, and we never receive the data.
Platform customers (agents/admins): To set up an account and use ezychat, we collect your name, email address, phone number, job title, organisation name, and billing details (payment method, billing address). We also log your login history, IP addresses during sessions, and audit events (who accessed which features, when). This data is necessary to deliver the service, enforce security, and meet legal and tax obligations.
End users (contacts/customers): Your customer's contacts can message them via channels connected to ezychat. We process their phone numbers, names, email addresses, conversation history, and message content. Your customer controls this data; they decide which end users' data is imported or synchronised into ezychat. We also process AI-derived attributes — inferred intent (e.g., "complaint", "inquiry"), sentiment scores (e.g., "positive", "negative"), and tags applied by the AI employee — which are flagged as derived data to help agents prioritise responses.
4. Purposes & legal bases
We process your data for the following purposes, under these legal bases:
Service delivery: To provide the ezychat platform, authenticate your login, route messages, store conversations, and generate AI-assisted responses, we rely on your consent (granted when you accept our Terms of Service) and contractual necessity (the service cannot operate without this data). In Singapore, we also rely on the deemed consent exception under PDPA s.16 for necessary processing of personal data for the purpose of providing the service.
Billing & payments: We process payment information (credit card details are handled by Stripe; we do not store them) and billing addresses to charge for subscriptions, calculate overage fees, and comply with tax law. Legal basis: contract and legal obligation.
Security & fraud prevention: We analyse login patterns, monitor for suspicious activity, and maintain audit logs to detect and prevent unauthorised access, fraud, and abuse. Legal basis: legitimate interest in protecting the platform and other users' data.
Legal compliance & regulatory obligations: We retain certain data (audit logs, user identities) to comply with data protection laws, tax laws, and law enforcement requests, and to enforce our Terms of Service. Legal basis: legal obligation and legitimate interest.
Support & customer service: When you contact us, we keep records of your inquiry and our response to help you and improve our service. Legal basis: contract and legitimate interest.
Analytics & product improvement: We analyse aggregated usage patterns (which features are used, where users drop off) to improve the platform and fix bugs. Legal basis: legitimate interest in providing a better service, and analytics are conducted on anonymised data where possible.
Marketing communications: If you have engaged with us (e.g., downloaded a resource, filled out the contact form), we may send you occasional updates about new features or special offers, but only if you have opted in. You can opt out at any time. Legal basis: consent.
5. AI processing disclosure
The ezychat platform includes AI employees — autonomous agents that read incoming messages, generate responses, and route conversations to the right human agent. This section explains how AI processing works and your rights.
What is sent to Anthropic: When an AI employee processes a message, the message text and relevant context (customer name, conversation history, organisation knowledge base excerpts) are sent to Anthropic's servers in the United States to generate a reply. Anthropic is our subprocessor for AI inference. We do not send passwords, payment details, internal notes not relevant to the reply, or other sensitive data beyond what is necessary to generate a helpful response.
No model training on customer data: Under Anthropic's commercial terms, they do not train their large language models on message text or data we submit via their API. Your conversations are used only for inference (generating a reply in real time) and are deleted after processing, subject to Anthropic's standard API data retention policies. Anthropic may use aggregated, anonymised usage statistics to improve their services.
AI-off mode: If your organisation requires that all conversation text remain in Malaysia or Singapore and not be sent to Anthropic's US servers, you can enable AI-off mode, which disables AI replies and routes all messages to human agents only. This mode is available on all plans.
AI outputs are machine-generated: Replies generated by the AI employee are automatically produced by a large language model. They are probabilistic — not deterministic — and may contain errors, hallucinations, outdated information, or tone mismatches. AI-generated text is always labelled as such in the inbox so agents can review it before sending to the customer. The organisation using ezychat is responsible for configuring the AI employee appropriately, reviewing all outbound messages before sending, and maintaining a human escalation path for sensitive issues.
Not professional advice: The AI employee is designed to handle routine customer service inquiries. It is not trained to provide medical, legal, financial, or other professional advice. Organisations in regulated industries (healthcare, finance, legal) must not rely on AI-generated replies for compliance-critical decisions. Human review is mandatory before any customer-facing communication.
Your customer (the organisation) controls whether the AI employee is enabled, what instructions it follows, and what it says. If you have concerns about AI-generated replies you receive, contact the organisation directly.
6. Disclosure & subprocessors
We do not sell, rent, trade, or lease personal data to third parties for marketing purposes. We share personal data only in the following limited circumstances:
Subprocessors: We engage carefully vetted third-party service providers (subprocessors) to deliver the service. All subprocessors are contractually bound to protect your data and process it only as instructed.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database storage, caching | Singapore (ap-southeast-1) |
| Anthropic | AI inference for message processing and reply generation | United States |
| Meta Platforms (WhatsApp Cloud API) | Message delivery and channel integration | United States & regional |
| Stripe | Payment processing and billing | United States |
| Google Analytics 4 (Google Ireland Limited) | Site analytics and aggregated usage tracking | Ireland / United States |
| Sentry | Error reporting and application monitoring | United States |
Disclosures required by law: We may disclose personal data if required by court order, subpoena, or legal process in Malaysia or Singapore. In such cases, we will (where legally permitted) notify you so you can seek protective measures.
Merger or asset sale: If ezychat.io is acquired or merged with another company, personal data may be transferred as part of that transaction. We will provide notice and allow you to opt out if our privacy practices materially change.
7. International transfers
Malaysia: Under the Personal Data Protection Act 2010 (as amended 2024), section 129 permits transfer of personal data to jurisdictions determined by the Minister to have substantially similar protections, or to other jurisdictions if we have implemented appropriate safeguards (contractual clauses, consent, or other mechanisms). We comply with this requirement by implementing Data Processing Agreements with all subprocessors that include standard contractual clauses approved under Malaysian law. We conduct transfer impact assessments to ensure data sent to Anthropic (US) and other subprocessors is adequately protected.
Singapore: Under the Personal Data Protection Act 2012, section 26 restricts transfer of personal data to countries without comparable data protection laws unless the individual consents or we implement comparable safeguards. We rely on contractual data processing agreements with our subprocessors and, where applicable, standard contractual clauses, to ensure comparable protection for data transferred to the United States and other jurisdictions.
By default, data is processed in Singapore (AWS ap-southeast-1).: Customer conversations and contact data are stored in AWS Singapore unless you enable AI-off mode or use a region-specific workspace. AI processing (via Anthropic) requires sending message text to the United States; you can disable this by using AI-off mode, which keeps all data in Singapore.
8. Retention
We retain personal data only for as long as necessary. Here are our retention periods by data type:
| Data type | Retention period | Notes |
|---|---|---|
| Agent/admin account data (name, email, password hash) | Duration of membership + 7 years | Required for audit and tax compliance; after account deletion, anonymised records are retained for legal hold |
| Conversations & messages | Configurable by your organisation (default: 2 years) | Your organisation sets the retention policy via the admin portal; we delete conversations older than the policy date automatically |
| Contact records (name, phone, email) | Configurable by your organisation (default: 2 years) | Follows the same org policy as conversations; deletion severs the link between the contact and their conversations (which remain anonymised in the audit trail) |
| Audit events & logs (login history, feature access, changes) | 7 years | Retained for regulatory compliance and internal investigations; personal references are removed when the underlying data is deleted |
| Billing records & invoices | 7 years | Required by Malaysian and Singapore tax law |
| Site analytics (GA4) | 14 months (Google's default) | Aggregated, anonymised data; no individual profiles retained |
Deletion & erasure: When you request deletion of your account or contact data, we permanently erase personally identifiable information from active systems. Conversations and messages are anonymised (the contact link is removed, but the content may be retained for audit purposes with no association to you). Backup systems may retain data briefly for disaster recovery, but it will be purged within 30 days of the deletion request. We do not restore deleted data except as required to comply with legal holds or law enforcement requests.
9. Security
We implement comprehensive technical and organisational measures to protect personal data against unauthorised access, alteration, and loss:
Encryption in transit: All data transmitted between your browser, mobile app, and our servers is encrypted using TLS 1.2 or higher. This prevents eavesdropping on your messages and credentials.
Encryption at rest: Data stored in our database is encrypted using AES-256-GCM encryption with keys managed by AWS Key Management Service (KMS). Channel credentials (WhatsApp, Instagram tokens) are further protected with envelope encryption, so even compromised database backups cannot reveal active credentials without access to the key store.
Password security: Agent and admin passwords are hashed using industry-standard algorithms and are never stored in plaintext. Even our system administrators cannot see your password.
Network isolation: Our database and cache servers are isolated within a private virtual cloud (VPC) and are not accessible directly from the internet. All access is routed through application servers via authenticated connections only.
Access controls: We implement role-based access control (RBAC) so team members access only the data necessary for their role. All access is logged and monitored.
Regular security audits: We conduct regular security testing and code reviews to identify and patch vulnerabilities. We also maintain error-tracking and performance-monitoring systems that help us detect anomalies quickly.
No guarantee: While we have taken comprehensive steps to protect your data, no security system is perfect. We cannot guarantee that your data will never be compromised. If a breach occurs, we will notify affected individuals and regulatory authorities as required by law (see section 11 below).
10. Your rights
You have the following rights under Malaysian and Singapore data protection law:
Right to access: You have the right to request a copy of the personal data we hold about you. We will provide this in a structured, machine-readable format (where applicable) within 21 days of your request.
Right to correction: If your personal data is inaccurate or incomplete, you can request that we correct it. We will update your data and notify relevant recipients of the correction.
Right to withdraw consent: If we are processing your data based on your consent (e.g., marketing communications), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
Right to limit processing: Under the Malaysian PDPA, you can request that we restrict how we use your personal data (e.g., limiting it to storage only while you contest its accuracy). Under the Singapore PDPA, you can request that we stop processing your data if it is no longer necessary for the stated purpose.
Right to erasure ("right to be forgotten"): You can request deletion of your personal data, subject to legal and contractual exceptions (e.g., we may retain data to comply with tax law or defend legal claims). If you are an end user and your organisation is the data controller, contact your organisation first to request erasure.
Right to data portability: You can request that we provide your personal data in a machine-readable format so you can transfer it to another service.
Right to lodge a complaint: You have the right to lodge a complaint with the Personal Data Protection Commissioner (Malaysia) or the Personal Data Protection Commission (Singapore) if you believe we have violated your rights.
How to exercise your rights: To exercise any of these rights, email us at support@ezychat.io with details of your request. Please include your name, email address, and account ID (if applicable) so we can verify your identity. We will respond within 21 days of your request (or provide a timeline for more complex requests). We may ask for additional information to confirm your identity and locate your data. For end users whose data is controlled by an organisation: if you submit a request to us, we will forward it to the organisation (as required by the Data Processing Agreement), and they will respond directly to you.
11. Data breach notification
Malaysia: Under the Personal Data Protection (Amendment) Act 2024, if a personal data breach is likely to cause significant harm to affected individuals, we will notify the Personal Data Protection Commissioner (JPDP) and affected individuals without undue delay (as soon as practicable, generally within 72 hours of discovery). "Significant harm" includes but is not limited to financial loss, identity theft, discrimination, or injury to reputation.
Singapore: Under PDPA Part 6A (2020 amendments), we will notify the Personal Data Protection Commission (PDPC) and affected individuals of a notifiable breach if the breach is likely to result in significant harm to the individuals and affects 500 or more individuals, or if the breach involves sensitive personal data (e.g., financial or health information). Notification must be made without undue delay.
Our commitment: We maintain an incident response plan to detect, investigate, and contain any breach as quickly as possible. We will:
- Immediately investigate any suspicious activity or report of unauthorized access
- Determine the scope of the breach (which data, which individuals, when it occurred)
- Notify affected individuals and regulators as required by law
- Provide details of the breach, the likely consequences, and measures we are taking to remedy it and prevent recurrence
- Cooperate with regulatory authorities' investigations
If your organisation uses ezychat and we suffer a data breach affecting your customers' conversations or contact data, we will notify your organisation's administrators immediately so they can notify their end users. You (the organisation) will be responsible for notifying your end users in compliance with your own privacy obligations.
12. Data Protection Officer
Appointment: We have appointed a Data Protection Officer (DPO) in accordance with the Personal Data Protection (Amendment) Act 2024 (Malaysia) and the Personal Data Protection Act 2012 s.11(3) (Singapore), as applicable. The DPO is responsible for monitoring our compliance with data protection law, handling data subject requests, and serving as the contact point for regulatory authorities.
Contact the DPO: You can reach our Data Protection Officer at support@ezychat.io. The DPO will investigate your request and coordinate a response, or forward it to the appropriate team member.
14. Marketing communications
If you have engaged with us (e.g., by attending a webinar, downloading a resource, or filling out the contact form), we may send you occasional marketing emails about new features, case studies, or special offers. All marketing emails include an unsubscribe link at the bottom — click it to opt out at any time.
Singapore Do Not Call (DNC) Registry: We comply with Singapore's Do Not Call registry and similar regulations in other jurisdictions. We do not engage in telemarketing (voice calls, SMS, fax) to individuals who have registered with the DNC registry. If you receive unsolicited marketing calls or SMS from us or our partners, you can lodge a complaint with the Personal Data Protection Commission (Singapore).
Opt-out: You can opt out of marketing communications at any time by clicking the unsubscribe link in our emails or by emailing us at support@ezychat.io with "unsubscribe" in the subject line. We will honour your opt-out request within 10 business days.
15. Children
The ezychat platform is intended for business use by organisations and adults (18 years and older). We do not intentionally collect personal data from individuals under 18 years of age. If we become aware that we have collected data from a minor, we will delete it promptly. Parents or guardians who believe their child's data has been collected can contact us at support@ezychat.io.
If your organisation uses ezychat to communicate with minors (e.g., a school or family business using WhatsApp), you are responsible for obtaining appropriate parental consent and complying with laws that protect children's privacy. We cannot be responsible for your organisation's legal obligations to minors.
16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes (e.g., broadening the scope of data collection, introducing new subprocessors, or changing retention periods), we will notify you by email or by posting a prominent notice on our website. The "Last updated" date at the top of this policy will always reflect the most recent revision.
Your continued use of the ezychat platform or website after such changes means you accept the updated policy. If you do not agree with a material change, you can terminate your account and stop using the service.
17. Contact & complaints
Questions about this policy: If you have questions or concerns about this Privacy Policy, your personal data, or our privacy practices, please contact us at support@ezychat.io. We will respond within 21 days.
Complaints to regulators: If you believe we have violated your data protection rights, you have the right to lodge a complaint with the supervisory authority in your jurisdiction:
- Malaysia: Personal Data Protection Commissioner (JPDP), Level 3, Tower 1 Plaza Sentrum, Jalan Rakyat, 50150 Kuala Lumpur. Phone: +60 3 2615 1800. Email: enquiry@pdpc.gov.my
- Singapore: Personal Data Protection Commission (PDPC), 6 Raffles Quay, #05-21 Singapore 048580. Email: info@pdpc.gov.sg
Lodging a complaint with a regulator does not prevent you from pursuing other remedies (e.g., legal action) under applicable law.
Other relevant links: For more information on data protection and your rights, visit: