Our commitment: We collect only what we need to provide the Services. We do not sell your data. We do not use your conversation data to train AI models. Your customers' messages stay yours.
1 Who We Are
relai ("we", "us", "our") is operated by RELAI SOLUTIONS (Registration No. 202603138146 / IP0625990-V), a company registered in Malaysia. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our Services.
relai operates under Malaysian law and complies with the Personal Data Protection Act 2010 (PDPA). For the purposes of PDPA, relai is the data processor for your customers' data, and you (our subscriber) are the data user.
2 Information We Collect
We collect information in three categories:
Account & billing data — information you provide when you sign up:
- Name, email address, and password (hashed)
- Business name and contact details
- Payment method details (processed by our payment provider — we do not store raw card numbers)
Platform data — generated through your use of the Services:
- Conversation messages between your account and your customers
- Contact information synced from connected messaging platforms (names, phone numbers, profile metadata)
- AI provider API keys you choose to store (encrypted at rest)
- Calendar integration data (booking events, availability)
- Dashboard activity logs (who replied, bot toggle actions, etc.)
Technical data — collected automatically:
- IP addresses and browser/device information (for security and abuse prevention)
- Session tokens (stored in secure, httpOnly cookies)
- Service logs for debugging and uptime monitoring
| Data Type | Purpose | Retention |
| --- | --- | --- |
| Account credentials | Authentication & account management | Until account deleted |
| Conversation messages | Dashboard display & AI context | Per plan (30–90 days or custom) |
| API keys | AI model & integration authentication | Until removed by user |
| Session logs | Security & fraud prevention | 30 days |
| Billing records | Financial compliance | 7 years (Malaysian law) |
3 How We Use Your Information
We use your data strictly to:
- Provide the Services — routing messages, generating AI responses, displaying the dashboard
- Maintain your account — authentication, billing, and subscription management
- Improve reliability — monitoring uptime, diagnosing errors, and resolving bugs
- Communicate with you — service notifications, billing alerts, and updates (you can opt out of marketing emails)
- Comply with legal obligations — responding to lawful requests from Malaysian authorities
We do not use your conversation data to train AI models. Messages sent to third-party AI providers (Anthropic, OpenAI, Google) are subject to their respective data usage policies. We recommend reviewing those policies, particularly if you handle sensitive customer data.
4 Data Sharing & Third Parties
We do not sell, rent, or trade your personal data. We share data only in these circumstances:
Service providers (data processors acting on our behalf):
- Cloud infrastructure — AWS (Amazon Web Services) for server hosting in Singapore (ap-southeast-1)
- AI providers — Anthropic, OpenAI, or Google, depending on the model you select. Message content is sent to these providers to generate AI responses
- Payment processing — our payment gateway provider (details disclosed at checkout)
Platform integrations (at your direction):
- Meta (WhatsApp, Instagram, Facebook Messenger) — messages are transmitted through Meta's APIs per their Platform Terms
- Google Calendar — appointment and booking data shared when you enable the Calendar integration
Legal disclosure: We may disclose data if required by a court order, regulatory authority, or applicable Malaysian law. We will notify you of such requests where legally permitted.
Data stays in Southeast Asia: Our primary servers are located in AWS Singapore (ap-southeast-1). AI API calls are routed to the respective provider's global endpoints — this means message content may be processed outside Malaysia when AI models are used.
5 Data Storage & Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data is transmitted over HTTPS/TLS. WebSocket connections use WSS.
- Encryption at rest: API keys and sensitive credentials are encrypted using AES-256 before being stored in the database.
- Access controls: Production database access is restricted to application services. No direct public access is permitted.
- Password security: User passwords are hashed using bcrypt — we cannot recover plaintext passwords.
- Backups: Daily encrypted database backups are retained for 30 days.
While we take reasonable precautions, no system is 100% secure. In the event of a data breach that may affect your rights, we will notify you within 72 hours of becoming aware, as required by applicable law.
6 Data Retention
We retain your data for as long as your account is active or as needed to provide the Services. Specific retention periods:
- Conversation history: Retained per your subscription plan (30 days for Starter, 90 days for Growth, custom for Agency). You can delete individual conversations at any time from the dashboard.
- Account data: Retained until you delete your account. Upon deletion, account data is removed within 30 days.
- Billing records: Retained for 7 years as required under Malaysian financial regulations.
- Security logs: Retained for 30 days for abuse prevention, then automatically purged.
After account deletion, we may retain anonymised, aggregated data (e.g., usage statistics) that cannot identify you.
7 Your Rights (PDPA)
Under the Malaysian Personal Data Protection Act 2010, you have the right to:
- Access — request a copy of personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Withdrawal of consent — withdraw consent for processing where consent is the basis; note this may affect your ability to use the Services
- Prevent processing for direct marketing — opt out of marketing communications at any time via the unsubscribe link in emails or by contacting us
- Erasure / Data deletion — request deletion of your personal data. We will remove your account and associated data within 30 days of a verified request. To request deletion, email admin@relai.my with the subject line "Data Deletion Request" and include the email address associated with your account.
To exercise these rights, email us at admin@relai.my. We will respond within 21 days as required under PDPA.
As a subscriber, you are also the data user for your customers' data processed through our platform. You are responsible for ensuring your customers' PDPA rights are upheld and for providing them with your own privacy notice.
8 Cookies & Analytics
Our web dashboard uses cookies for the following purposes:
- Session cookies: Strictly necessary — keep you logged in during your session. Cannot be disabled without breaking authentication.
- Preference cookies: Remember your UI settings (theme, sidebar state) across sessions.
We do not currently use third-party analytics cookies or advertising cookies on the dashboard. The marketing landing page (relai) may use minimal analytics to measure page visits; this data is anonymised and not linked to your account.
9 Children's Privacy
The Services are intended for business use and are not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us immediately at admin@relai.my and we will delete it promptly.
10 Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will notify you of material changes by email or by a prominent notice in the dashboard at least 14 days before they take effect.
The "Last updated" date at the top of this page indicates when the policy was last revised.
11 Contact Us
For privacy-related enquiries, data access requests, or to report a concern:
- Email: admin@relai.my
- Company: RELAI SOLUTIONS (202603138146 / IP0625990-V), Malaysia
We take privacy concerns seriously and aim to respond within 5 business days for general enquiries, and within 21 days for formal PDPA requests.