Replai
Home Terms

Privacy Policy

Last updated: 29 May 2026

This Privacy Policy explains how Replai Sdn. Bhd. ("Replai", "we", "us") collects, uses, discloses, and protects personal data when you use our website, sign up for our service, or interact over WhatsApp with a business that uses Replai. We handle personal data in accordance with Malaysia's Personal Data Protection Act 2010 ("PDPA").

1. Who we are and our two roles

Replai acts in two capacities:

  • As a data user (controller) for the personal data of the businesses and prospects who sign up directly with us (for example, through our waitlist or trial sign-up).
  • As a data processor when we process the WhatsApp conversations and related content of a customer's leads on that customer's behalf. In that case, the business using Replai is the data user, and we process the data only to provide the service to them.

2. Personal data we collect

2.1 Information you give us directly

  • Name and business name
  • WhatsApp number, phone number, and email address
  • Industry and business details you provide during sign-up or onboarding
  • Sample past conversations you choose to share so Replai can learn your tone of voice

2.2 Information we process through the WhatsApp Business Platform

When you connect your business to Replai, we receive and process messages sent to and from your WhatsApp Business number through Meta's WhatsApp Business Cloud API. This may include:

  • Message content (text), and the phone numbers and display names of the people messaging your business
  • Media shared in the conversation, such as photos, documents, and voice notes
  • Message timestamps, delivery status, and related metadata

2.3 Information collected automatically on our website

  • Basic usage and device data (for example, pages viewed and approximate region) via privacy-respecting analytics
  • Technical logs needed to keep the service secure and available

3. How and why we use personal data

PurposePDPA basis
Provide the service: read incoming enquiries and draft replies in the operator's voice for the operator to approve before sendingPerformance of a contract
Set up, secure, and support your accountPerformance of a contract
Improve reply quality and the operator's tone modelLegitimate interest / consent
Send service and onboarding communicationsConsent / legitimate interest
Meet legal, regulatory, and industry-compliance obligationsLegal obligation

Replai does not sell personal data, and we do not use the content of your WhatsApp conversations to train third-party foundation models. Messages are sent to AI providers only to generate the draft reply for that specific conversation.

4. AI processing and service providers (sub-processors)

To draft replies and run the service, message content and related data are processed by the following categories of providers. We share only what is needed for each provider's function:

ProviderPurpose
Meta Platforms (WhatsApp Business Cloud API)Sending and receiving WhatsApp messages
OpenRouterRouting requests to AI language models
Anthropic, OpenAI, Google, DeepSeekAI language models that generate draft replies, classify intent, and create embeddings
SupabaseDatabase hosting (Postgres)
UpstashMessage queue / Redis
Fly.ioApplication hosting (Singapore region)
CloudflareDNS, website hosting, and security
SentryError monitoring
DopplerSecrets management

These providers are bound by their own data-processing and security terms. The list may change as the service evolves; we will keep this page current.

5. International transfers

Some providers process data on servers outside Malaysia. Where personal data is transferred abroad, we take reasonable steps to ensure it remains protected to a standard consistent with the PDPA, including through the providers' contractual safeguards.

6. How long we keep data

  • Account and waitlist data: kept while your account is active and for a reasonable period afterward, unless you ask us to delete it sooner.
  • Conversation content: retained for as long as needed to provide the service to the business operating the account, then deleted or anonymised.
  • Logs and backups: kept for a limited period for security and reliability.

We delete or anonymise personal data when it is no longer needed for the purposes above or when required by law.

7. How we protect data

  • Encryption in transit (HTTPS/TLS) between systems
  • Access controls and secrets management (no credentials in code)
  • Data separated by business ("brand isolation") so one customer's data is not exposed to another
  • Monitoring and rapid rollback if a problem is detected

8. Your rights under the PDPA

Subject to the PDPA, you may:

  • Request access to the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Withdraw consent or limit how we process your data
  • Ask us to delete data where there is no ongoing lawful basis to keep it

If your data is processed by Replai on behalf of a business (for example, you messaged a company that uses Replai), please direct your request to that business; we will assist them in responding. To make a request to Replai directly, contact us using the details below.

9. Children

Replai is intended for businesses and is not directed at children. We do not knowingly collect personal data from anyone under 18. Where a service involves a minor (for example, a tuition enquiry), a parent or guardian is expected to be the point of contact.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the "Last updated" date above and, where appropriate, notify you of significant changes.

11. Contact us

For privacy questions or to exercise your rights, contact our Data Protection contact:

  • Email: privacy@replai.my
  • Entity: Replai Sdn. Bhd.
Replai · Built in Malaysia 🇲🇾
Home Privacy Terms Contact © 2026 Replai