Privacy Policy
Last updated: 29 May 2026
This Privacy Policy explains how Replai Sdn. Bhd. ("Replai", "we", "us") collects, uses, discloses, and protects personal data when you use our website, sign up for our service, or interact over WhatsApp with a business that uses Replai. We handle personal data in accordance with Malaysia's Personal Data Protection Act 2010 ("PDPA").
1. Who we are and our two roles
Replai acts in two capacities:
- As a data user (controller) for the personal data of the businesses and prospects who sign up directly with us (for example, through our waitlist or trial sign-up).
- As a data processor when we process the WhatsApp conversations and related content of a customer's leads on that customer's behalf. In that case, the business using Replai is the data user, and we process the data only to provide the service to them.
2. Personal data we collect
2.1 Information you give us directly
- Name and business name
- WhatsApp number, phone number, and email address
- Industry and business details you provide during sign-up or onboarding
- Sample past conversations you choose to share so Replai can learn your tone of voice
2.2 Information we process through the WhatsApp Business Platform
When you connect your business to Replai, we receive and process messages sent to and from your WhatsApp Business number through Meta's WhatsApp Business Cloud API. This may include:
- Message content (text), and the phone numbers and display names of the people messaging your business
- Media shared in the conversation, such as photos, documents, and voice notes
- Message timestamps, delivery status, and related metadata
2.3 Information collected automatically on our website
- Basic usage and device data (for example, pages viewed and approximate region) via privacy-respecting analytics
- Technical logs needed to keep the service secure and available
3. How and why we use personal data
| Purpose | PDPA basis |
|---|---|
| Provide the service: read incoming enquiries and draft replies in the operator's voice for the operator to approve before sending | Performance of a contract |
| Set up, secure, and support your account | Performance of a contract |
| Improve reply quality and the operator's tone model | Legitimate interest / consent |
| Send service and onboarding communications | Consent / legitimate interest |
| Meet legal, regulatory, and industry-compliance obligations | Legal obligation |
Replai does not sell personal data, and we do not use the content of your WhatsApp conversations to train third-party foundation models. Messages are sent to AI providers only to generate the draft reply for that specific conversation.
4. AI processing and service providers (sub-processors)
To draft replies and run the service, message content and related data are processed by the following categories of providers. We share only what is needed for each provider's function:
| Provider | Purpose |
|---|---|
| Meta Platforms (WhatsApp Business Cloud API) | Sending and receiving WhatsApp messages |
| OpenRouter | Routing requests to AI language models |
| Anthropic, OpenAI, Google, DeepSeek | AI language models that generate draft replies, classify intent, and create embeddings |
| Supabase | Database hosting (Postgres) |
| Upstash | Message queue / Redis |
| Fly.io | Application hosting (Singapore region) |
| Cloudflare | DNS, website hosting, and security |
| Sentry | Error monitoring |
| Doppler | Secrets management |
These providers are bound by their own data-processing and security terms. The list may change as the service evolves; we will keep this page current.
5. International transfers
Some providers process data on servers outside Malaysia. Where personal data is transferred abroad, we take reasonable steps to ensure it remains protected to a standard consistent with the PDPA, including through the providers' contractual safeguards.
6. How long we keep data
- Account and waitlist data: kept while your account is active and for a reasonable period afterward, unless you ask us to delete it sooner.
- Conversation content: retained for as long as needed to provide the service to the business operating the account, then deleted or anonymised.
- Logs and backups: kept for a limited period for security and reliability.
We delete or anonymise personal data when it is no longer needed for the purposes above or when required by law.
7. How we protect data
- Encryption in transit (HTTPS/TLS) between systems
- Access controls and secrets management (no credentials in code)
- Data separated by business ("brand isolation") so one customer's data is not exposed to another
- Monitoring and rapid rollback if a problem is detected
8. Your rights under the PDPA
Subject to the PDPA, you may:
- Request access to the personal data we hold about you
- Request correction of inaccurate or incomplete data
- Withdraw consent or limit how we process your data
- Ask us to delete data where there is no ongoing lawful basis to keep it
If your data is processed by Replai on behalf of a business (for example, you messaged a company that uses Replai), please direct your request to that business; we will assist them in responding. To make a request to Replai directly, contact us using the details below.
9. Children
Replai is intended for businesses and is not directed at children. We do not knowingly collect personal data from anyone under 18. Where a service involves a minor (for example, a tuition enquiry), a parent or guardian is expected to be the point of contact.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will revise the "Last updated" date above and, where appropriate, notify you of significant changes.
11. Contact us
For privacy questions or to exercise your rights, contact our Data Protection contact:
- Email: privacy@replai.my
- Entity: Replai Sdn. Bhd.
