Privacy Policy
Last modified: September 30, 2025
Overview
At miu.ai, safeguarding your personal information is at the heart of what we do. We are dedicated to protecting your privacy and handling your data with care and transparency. This Privacy Policy explains how MIU AI SDN. BHD. (“miu.ai,” “we,” “us,” or “our”) collects, uses, discloses, secures, and retains personal data, as well as the choices and rights available to you.
Scope and applicability: This Policy applies to personal data processed when you: (a) visit or interact with our websites, web apps, mobile apps, chat widgets, or other online properties that link to this Policy; (b) use our chatbot and related services, APIs, SDKs, and integrations (collectively, the “Services”); (c) communicate with us (e.g., support, sales, marketing); or (d) are an end-user interacting with a chatbot deployed by one of our business customers. This Policy does not apply to third-party services you choose to integrate (e.g., Meta/WhatsApp, Facebook, Instagram, CRMs), which have their own privacy practices.
Roles: For personal data of website visitors, prospects, and our direct users (e.g., account admins and agents), miu.ai acts as a data controller (or “business” under some laws). For personal data of end users processed on behalf of a customer through a deployed chatbot, miu.ai acts as a data processor (or “service provider”). Where miu.ai acts as a processor, our Data Processing Addendum (“DPA”) governs in addition to this Policy.
Information we collect: Depending on how you interact with us, we may collect:
- Account and profile data: Name, email address, role, password or authentication tokens, organization details, billing contacts, and plan selections.
- Customer content and configuration: Prompts, knowledge base materials, training data you upload, chatbot configurations, tags, labels, and metadata.
- End-user conversation data: Messages, transcripts, attachments, forms, feedback, and conversation metadata (timestamps, channel, language, routing, sentiment signals).
- Usage and device data: IP address, device identifiers, browser type, operating system, pages viewed, referring/exit pages, date/time stamps, feature usage, and diagnostics.
- Integration and channel data: Identifiers or handles on connected platforms (e.g., WhatsApp, Facebook, Instagram), message metadata, and webhooks/APIs data necessary to enable integrations.
- Payment and transaction data: Payment method details (processed by our payment processors), billing address, purchase history, plan terms, and tax information. We do not store full credit card numbers.
- Support and communications: Content of support requests, emails, chat with our agents, feedback, surveys, and call recordings where allowed by law.
- Cookies and similar technologies: Session identifiers, authentication cookies, analytics cookies, and preferences (see Section 10).
1. Legal Basis for Processing
We process personal data only where we have a valid legal basis. Depending on your jurisdiction (e.g., EEA/UK), our legal bases include:
- Contract: To provide, operate, and support the Services you have requested, including account administration, authentication, and customer support.
- Legitimate interests: To secure and improve the Services, prevent fraud and abuse, analyze and understand usage, personalize experiences, and communicate service-related updates. We balance these interests against your rights and expectations.
- Consent: For certain analytics or marketing activities, placement of non-essential cookies, or where required by law. You may withdraw consent at any time.
- Legal obligations: To comply with applicable laws, regulations, audits, and lawful requests by public authorities.
- Vital interests/public interest (rare): To protect your or others’ vital interests or for tasks in the public interest, where applicable.
2. Data Minimization
We collect and process only the personal data that is relevant, adequate, and reasonably necessary for the purposes described in this Policy. Our practices include:
- Configurable data collection in widgets and forms to limit inputs to what is required.
- Limiting access to personal data to personnel with a need-to-know for the stated purposes.
- Regular reviews of data fields and retention periods to remove unnecessary data.
3. Purpose Limitation
We use personal data solely for the purposes for which it was collected, including to:
- Deliver, maintain, and support the Services (including authentication, conversation continuity, routing, and diagnostics).
- Personalize and optimize chatbot responses and user experiences within your workspace configuration.
- Provide analytics, dashboards, and insights to our customers about their chatbot interactions and performance.
- Communicate with you about service updates, security alerts, billing, and administrative messages.
- Provide customer support and troubleshoot issues you report.
- Monitor, detect, and prevent security incidents, fraud, and misuse of the Services.
- Develop new features and improve functionality using aggregated and/or de-identified data.
- Comply with legal obligations and enforce our agreements.
We do not use Customer Data to train generalized models made available to other customers unless you have expressly opted in. We may use aggregated, de-identified signals to improve reliability, safety, and performance.
4. Data Security
Your data’s security is paramount to us. We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, accidental loss, and unlawful processing, including:
- Encryption in transit (HTTPS/TLS) and encryption at rest for supported data stores.
- Bearer Authentication for API access; role-based access controls and least-privilege principles.
- Audit logging, vulnerability management, and periodic security reviews.
- Network segmentation, key management, and secrets handling best practices.
- Employee access safeguards, confidentiality obligations, and security awareness training.
- Incident response procedures and breach notification processes aligned with legal requirements.
No security program can guarantee absolute protection. You are responsible for implementing reasonable security controls within your environment (e.g., managing user access, enabling MFA where available, protecting your devices and networks).
5. Third-Party Sharing
We do not sell personal data. We disclose personal data to third parties only as described below and with appropriate contractual protections:
- Service providers/Subprocessors: Cloud hosting, analytics (e.g., Google Analytics), email/SMS delivery, customer support, payment processing, logging/monitoring, and professional services providers. We remain responsible for their performance and require data protection commitments.
- Integrations and channels you choose: If you connect third-party platforms (e.g., WhatsApp, Facebook, Instagram, email providers, CRMs), we will share data necessary to enable the integration per your configuration. Your use of such platforms is governed by their privacy policies and terms.
- Business transfers: In connection with a merger, acquisition, financing, or sale of assets, personal data may be transferred to a successor, subject to this Policy’s protections.
- Legal and compliance: Where required by law, subpoena, court order, or to protect rights, safety, and property of miu.ai, our users, or others, consistent with applicable law.
You may request a current list of material Subprocessors. Where required by law or contract, we will provide notice of material changes to our Subprocessors.
6. User Rights
Subject to applicable law and our role (controller vs. processor), you may have the following rights:
- Access: Request confirmation of whether we process your personal data and obtain a copy.
- Correction: Request that we correct inaccurate or incomplete data.
- Deletion: Request deletion of personal data, subject to legal exceptions.
- Restriction/Objection: Request restriction of processing or object to processing based on legitimate interests or direct marketing.
- Portability: Receive personal data in a portable format and request transmission to another controller where technically feasible.
- Consent withdrawal: Withdraw consent at any time for processing based on consent.
EEA/UK/Switzerland: You have the rights listed above under GDPR/UK GDPR/FADP.
California (CPRA): You may have rights to know/access, correct, delete, and to opt out of “sale” or “sharing” for cross-context behavioral advertising. We do not sell or share your personal information as defined by CPRA. We do not use or disclose sensitive personal information for purposes other than those permitted by CPRA.
Other US states: Similar rights may apply in certain states; we will honor requests as required by law.
Exercising your rights: If we act as controller (e.g., for your account/website interactions), contact us at [email protected]. If we act as processor for a business customer, please direct your request to that customer (the data controller); we will assist them as required by our DPA. We may need to verify your identity and may deny requests where an exception applies. We will not discriminate against you for exercising your rights.
7. Data Retention
We retain personal data only for as long as necessary to provide the Services, fulfill the purposes outlined in this Policy, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention practices include:
- Account and profile data: Retained for the life of the account and a reasonable period thereafter (e.g., up to 90 days) unless a longer period is required by law.
- Conversation transcripts and end-user content: Retained while your account is active to maintain conversation continuity and as configured by your administrators. If no setting is chosen, retention may be indefinite while the account remains active.
- Operational and security logs: Retained for a limited period (e.g., 12–24 months) for troubleshooting, audit, and security purposes.
- Billing and transaction records: Retained as required for tax, accounting, and compliance (e.g., 7 years or as mandated by law).
- Backups: Stored for a limited time per our backup schedules and then securely purged.
Upon verified request or following account termination, we will delete or return personal data within a commercially reasonable period, except where retention is required by law or stored in backups for a limited time. Aggregated or de-identified data may be retained indefinitely.
8. Protection of Minors’ Data
Our Services are not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child under 16 has provided personal data to us, contact us at [email protected] and we will take appropriate steps to delete such data. If you are a customer deploying our widgets on properties directed at children or likely to be accessed by children, you must not enable collection of children’s data without our prior written agreement and appropriate safeguards.
9. International Data Transfers
We may transfer personal data to countries where we or our Subprocessors operate. Where required, we implement appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and other lawful transfer mechanisms. We also assess transfers for adequacy and risk and implement supplementary measures where necessary.
10. Cookie Use for Logging In
We use cookies and similar technologies to operate and secure the Services. Categories include:
- Strictly necessary and authentication cookies: Enable login, maintain sessions for admins/agents, route requests, and ensure security (e.g., CSRF protection). These cannot be switched off in our systems and are essential for service operation.
- Functional cookies: Remember preferences (e.g., language, UI settings) to enhance your experience.
- Analytics cookies: Help us understand usage and performance (e.g., Google Analytics). Where required by law, we obtain consent for these cookies. You can opt out of Google Analytics via your browser or the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout.
Managing cookies: You can manage cookie preferences via browser settings and, where provided, our site’s cookie banner or preference center. Blocking certain cookies may impact functionality.
For any questions or concerns regarding our data privacy practices, please contact us at [email protected]. Our team is here to assist you with privacy-related inquiries.
11. Feedback and Complaints
We value your feedback and will work to resolve complaints. Please contact us at [email protected] with “Privacy” in the subject line. If you are in the EEA/UK/Switzerland and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority. Individuals in other regions may have similar rights to contact their supervisory authority or regulator.
12. Policy Updates
We regularly review and update this Policy to reflect changes in our practices, technologies, and legal requirements. We will post updates on this page and, where changes are material, notify registered users via email and/or in-product notifications. The “Last modified” date at the top indicates when the Policy was last updated. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
Additional Information
Automated decision-making and profiling: Our Services use AI to generate conversational outputs and automate workflows. We do not use automated decision-making to make legal or similarly significant decisions about individuals without human involvement. You may request human review of decisions that produce legal effects about you where required by law.
Your responsibilities as a customer (controller): If you deploy our widgets or process end-user data via the Services, you are responsible for providing appropriate privacy notices, obtaining and managing consents (including for cookies and messaging), configuring retention settings, honoring user rights requests, and ensuring legality of content you upload.
Do Not Track and global privacy controls: Our Services do not currently respond to Do Not Track signals. Where required, we will honor applicable legally recognized browser-based opt-out signals for specific activities (e.g., CPRA opt-out for “sale”/“sharing” if applicable; we do not sell/share personal information).
Contact details: MIU AI SDN. BHD., email: [email protected]. For security reports or urgent incidents, include “Security” in the subject and avoid sending sensitive information in your initial message.
Relationship to the DPA: For business customers, our DPA (including standard contractual clauses where applicable) supplements this Policy and governs processing of personal data where miu.ai acts as a processor/service provider.
Summary of key commitments
- We process personal data on lawful bases, with data minimization and purpose limitation.
- We employ encryption and other administrative/technical safeguards to secure data.
- We do not sell personal data; we share it only with vetted service providers and when you enable integrations.
- We provide meaningful rights of access, correction, deletion, restriction/objection, and portability, as required by law.
- We retain data only as long as needed for the purposes described, with configurable options where available.
- We restrict processing of minors’ data and honor international data transfer requirements via appropriate safeguards.
- We use cookies for login/session management and, with consent where required, analytics.