Privacy Policy
Last updated: January 21, 2026
Effective: January 21, 2026
Important: This Privacy Policy describes how MIU AI SDN. BHD. handles your personal data when you use our AI chatbot platform. Please read this policy carefully to understand our practices regarding your data.
1. Introduction & Data Controller
MIU AI SDN. BHD. (Company Registration No. 1482748-D) ("miu.ai," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you access or use our AI chatbot platform and related services (collectively, the "Services").
As the Data Controller, we are responsible for determining the purposes and means of processing personal data in relation to our platform operations, customer accounts, and direct interactions with users of our website and services.
Data Controller Information:
- Legal Entity: MIU AI SDN. BHD.
- Registration Number: 1482748-D
- Registered Address: No. 21, Jalan Sempilai, Taman Tenaga Off Jalan Cheras, 56000 Kuala Lumpur, Malaysia
- Email: [email protected]
- Phone: +60 11-1633 6320
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our data practices, please discontinue use of our Services immediately.
2. Scope & Applicability
This Privacy Policy applies to all individuals who interact with miu.ai, including:
- Website Visitors: Individuals who browse our website at miu.ai without creating an account
- Registered Users: Individuals who create accounts on our platform
- Customers: Businesses and individuals who subscribe to our paid services
- End Users: Individuals who interact with chatbots created by our Customers using our platform
- Integration Users: Individuals who interact with our Services through third-party platforms (WhatsApp, Facebook, Instagram, Telegram, LINE, etc.)
Important Distinction - Data Controller vs. Data Processor:
miu.ai as Data Controller: We act as the Data Controller for personal data we collect directly from you for our own purposes (account management, billing, platform improvement, marketing communications).
miu.ai as Data Processor: When our Customers use our platform to create chatbots that interact with End Users, we act as a Data Processor on behalf of the Customer. In these cases, the Customer is the Data Controller and is responsible for ensuring appropriate legal bases, consent, and notices for their End Users. We process End User data solely according to the Customer's instructions and our Data Processing Agreement.
3. Definitions
For the purposes of this Privacy Policy, the following terms have the meanings set forth below:
- "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, IP addresses, device identifiers, and online identifiers.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Subject" means the natural person to whom Personal Data relates.
- "Customer" means a business or individual who has registered for an account on miu.ai to create and manage chatbots.
- "End User" means an individual who interacts with a chatbot created by a Customer using the miu.ai platform.
- "Chatbot" means an AI-powered conversational agent created using our platform.
- "Credits" means the usage units that measure AI interactions, token consumption, and other platform features.
- "Training Data" means content provided by Customers to train their chatbots, including documents, Q&A pairs, website content, and other knowledge base materials.
- "Conversation Data" means the messages, media, and metadata exchanged between End Users and chatbots.
- "Third-Party Platforms" means external messaging services and social media platforms integrated with our Services, including WhatsApp, Facebook Messenger, Instagram, Telegram, and LINE.
4. Categories of Personal Data Collected
We collect various categories of personal data depending on how you interact with our Services:
4.1 Account & Registration Data
When you create an account or register for our Services, we collect:
- Full name and display name
- Email address
- Company or organization name
- Phone number
- Country and timezone
- Website URL
- Company logo and avatar images
- Bio and profile description
- Language and communication preferences
- Account credentials (securely hashed)
4.2 Billing & Payment Data
When you subscribe to our paid services, we collect:
- Stripe customer ID and payment method tokens (we do not store full credit card numbers)
- Subscription plan details and billing cycle
- Invoice history and payment records
- Credit balance and usage history
- Billing address (when provided)
- Tax identification numbers (where applicable)
4.3 Conversation & Message Data
When chatbots interact with End Users, the following data may be collected:
- Text messages and chat transcripts
- Images, photos, and visual media
- Videos and video messages
- Audio files and voice messages
- Documents and file attachments
- Location data (when shared by End Users)
- Contact information (when shared by End Users)
- Message metadata (timestamps, read receipts, delivery status)
- Platform-specific identifiers (WhatsApp ID, Telegram ID, etc.)
4.4 Training & Knowledge Base Data
When Customers train their chatbots, we process:
- Uploaded documents (PDF, DOCX, TXT files with OCR processing)
- Question and Answer (Q&A) pairs created by Customers
- Crawled website content from Customer-specified URLs
- Vector embeddings generated from training content
- Knowledge base configurations and settings
4.5 Analytics & Usage Data
We collect data about how you use our Services:
- AI interaction events and response metrics
- Flow builder usage and conversation flow history
- Token consumption and credit usage
- Chat metrics (response times, completion rates, handoff rates)
- Feature usage patterns
- Dashboard interactions and settings changes
4.6 Security & Audit Data
For security purposes, we collect:
- Login audit trail (timestamps, IP addresses, user agents)
- Session data and authentication tokens
- API key usage and access logs
- Failed authentication attempts
- Account activity logs
4.7 Third-Party Integration Data
When you connect third-party services, we may collect:
- Firebase Cloud Messaging (FCM) tokens for push notifications
- Google Calendar OAuth tokens and calendar metadata
- Zapier OAuth credentials and webhook configurations
- Monday.com integration credentials
- WhatsApp Business API credentials and phone number IDs
- Meta (Facebook/Instagram) page tokens and permissions
- Telegram bot tokens
- LINE channel credentials
4.8 Device & Technical Data
We automatically collect technical information:
- Mobile device identifiers (for mobile app users)
- Browser type, version, and settings
- Operating system and platform
- Network information and connection type
- Screen resolution and device characteristics
- Referring URLs and navigation paths
5. Legal Bases for Processing
Under the General Data Protection Regulation (GDPR) Article 6 and similar privacy laws, we process personal data based on the following legal grounds:
5.1 Contract Performance (Article 6(1)(b))
Processing necessary to fulfill our contractual obligations to you:
- Creating and managing your account
- Providing access to our platform and features
- Processing payments and managing subscriptions
- Delivering customer support
- Enabling chatbot creation, training, and deployment
5.2 Legitimate Interests (Article 6(1)(f))
Processing necessary for our legitimate business interests:
- Improving and optimizing our Services
- Ensuring platform security and preventing fraud
- Analyzing usage patterns to enhance user experience
- Administering business operations
- Marketing our services to existing customers (with opt-out)
5.3 Legal Obligation (Article 6(1)(c))
Processing required to comply with applicable laws:
- Maintaining financial and tax records
- Responding to lawful requests from authorities
- Complying with anti-money laundering regulations
- Meeting data retention requirements
5.4 Consent (Article 6(1)(a))
Processing based on your explicit consent:
- Receiving marketing communications and newsletters
- Participating in surveys and research
- Using optional features that require additional data collection
6. Purpose of Data Processing
We process your personal data for the following specific purposes:
- Platform Operation: Enabling core functionality including account management, chatbot creation, conversation handling, and team collaboration features
- AI Response Generation: Processing queries through our AI systems to generate chatbot responses using customer-specific knowledge bases
- Payment Processing: Managing subscriptions, processing payments through Stripe, tracking credit usage, and generating invoices
- Multi-Channel Messaging: Facilitating conversations across WhatsApp, Facebook Messenger, Instagram, Telegram, LINE, and web chat widgets
- Calendar Integration: Syncing appointments and events with Google Calendar when connected by users
- Push Notifications: Delivering real-time alerts and notifications through mobile apps and web browsers
- Analytics & Insights: Generating usage reports, performance metrics, and conversation analytics for Customers
- Security & Fraud Prevention: Detecting, preventing, and investigating security incidents, unauthorized access, and fraudulent activities
- Customer Support: Responding to inquiries, troubleshooting issues, and providing technical assistance
- Service Improvement: Analyzing usage patterns to enhance features, fix bugs, and optimize performance
- Legal Compliance: Meeting regulatory requirements and responding to lawful requests
7. AI & Machine Learning Data Usage
Important AI Disclaimer: AI-generated responses may contain inaccuracies, errors, or "hallucinations." miu.ai does not guarantee the accuracy, completeness, or reliability of any AI-generated content. Customers are solely responsible for reviewing and validating all AI outputs before relying on them for any purpose.
7.1 Training Data Isolation
We maintain strict isolation of Customer training data:
- Customer training data is used exclusively for that Customer's chatbot(s)
- Training data is NEVER shared across different Customer accounts
- Each Customer's knowledge base operates in a segregated environment
- Vector embeddings are stored separately for each Customer
7.2 Retrieval-Augmented Generation (RAG)
Our platform uses RAG technology to enhance AI responses:
- Chatbots retrieve information from Customer-specific knowledge bases
- Retrieved context is combined with AI models to generate responses
- No cross-contamination between different Customers' data occurs
7.3 AI Sub-processors
We use the following AI service providers as sub-processors:
- OpenAI: For natural language processing, response generation, and embeddings
- Google Gemini: For alternative AI model capabilities and multimodal processing
These providers process data in accordance with their respective privacy policies and our data processing agreements.
7.4 AI Output Disclaimers
Users and Customers acknowledge and agree that:
- AI responses may be inaccurate, incomplete, or contain factual errors
- AI systems may "hallucinate" or generate plausible-sounding but incorrect information
- AI outputs should not be relied upon without human verification
- miu.ai makes no representations or warranties regarding AI accuracy
- Customers are responsible for all content generated by their chatbots
8. Data Sharing with Third Parties
We do NOT sell your personal data. We may share data with the following categories of third parties:
8.1 Infrastructure Providers
Cloud hosting, content delivery networks, and database services that help us operate our platform securely and reliably.
8.2 Payment Processors
Stripe: We use Stripe to process payments. Stripe receives payment information necessary to complete transactions. See Stripe's Privacy Policy.
8.3 AI Service Providers
OpenAI and Google Gemini: Process conversation data and training content to generate AI responses. These providers operate under data processing agreements with appropriate safeguards.
8.4 Messaging Platforms
When you integrate with third-party messaging platforms, data is shared with:
- Meta Platforms (WhatsApp, Facebook, Instagram): Message content, user identifiers, and metadata
- Telegram: Message content and user identifiers
- LINE Corporation: Message content and user identifiers
8.5 Integration Partners
When you connect third-party integrations:
- Google (Calendar): Calendar event data for appointment scheduling
- Monday.com: Task and project data for workflow automation
- Zapier: Data specified in your automation workflows
8.6 Analytics Providers
We may use analytics services to understand platform usage and improve our Services. These providers receive aggregated and anonymized data where possible.
8.7 Legal Disclosures
We may disclose personal data when required by law or in response to:
- Valid legal processes (subpoenas, court orders, search warrants)
- Government or regulatory requests
- Protection of our legal rights or defense against claims
- Prevention of fraud, security threats, or illegal activities
- Protection of the safety of any person
9. International Data Transfers
Our Services operate globally, and your data may be transferred to and processed in countries other than your country of residence, including:
- Malaysia: Our primary place of business and data storage
- United States: Where some of our service providers (including AI providers and payment processors) are located
- European Union: For certain infrastructure and services
- Other jurisdictions: As necessary to provide our Services
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without an adequate level of data protection, we implement appropriate safeguards including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data processing agreements with appropriate security obligations
- Verification of adequate protection levels in recipient countries
10. Data Retention Policies
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Our specific retention periods are:
- Active Account Data: Retained for the duration of your account plus 30 days after account termination
- Conversation History: Retained according to Customer-configured settings (default: 90 days); Customers may adjust retention periods in their dashboard
- Training Data & Knowledge Base: Retained until removed by the Customer or account termination
- Billing & Payment Records: 7 years from the transaction date (as required for tax and legal compliance)
- Security & Audit Logs: 2 years from the date of the logged event
- Backups: Deleted within 30 days after primary data deletion
- Marketing Consent Records: Retained for 3 years after consent withdrawal
Upon account deletion request, we will delete your personal data within 30 days, except for data we are required to retain by law or for legitimate business purposes (e.g., billing records, legal claims).
11. Data Security Measures
We implement comprehensive technical and organizational measures to protect your personal data:
11.1 Encryption
- Data in Transit: All data transmitted between your browser/app and our servers is encrypted using TLS 1.2 or higher
- Data at Rest: Sensitive data is encrypted using industry-standard encryption algorithms
11.2 Authentication & Access Control
- Password Security: Passwords are hashed using bcrypt with appropriate work factors
- Role-Based Access Control (RBAC): Access to data and features is restricted based on user roles and permissions
- API Key Management: Secure generation, storage, and rotation of API keys
11.3 Infrastructure Security
- Secure cloud infrastructure with network isolation
- Regular security assessments and vulnerability scanning
- Intrusion detection and monitoring systems
- Regular backup and disaster recovery procedures
11.4 Incident Response
- Documented incident response procedures
- 24/7 security monitoring
- Regular security training for staff
12. User Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of Access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances ("right to be forgotten").
- Right to Restriction (Article 18): You have the right to request that we limit the processing of your personal data in certain situations.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests, including profiling, and to object to direct marketing at any time.
- Right to Withdraw Consent (Article 7): Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.
To exercise these rights, please contact us at [email protected]. We will respond to your request within 30 days. We may require verification of your identity before processing your request.
13. User Rights Under CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You have the right to know what personal information we collect, use, disclose, and sell about you.
- Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information. Note: We do not sell personal information.
- Right to Non-Discrimination: You have the right not to receive discriminatory treatment for exercising your CCPA rights.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.
Verification Procedures: To protect your privacy, we will verify your identity before responding to your request. You may be required to provide information that matches our records.
Authorized Agents: You may designate an authorized agent to submit requests on your behalf. We may require proof of authorization and verification of your identity.
14. User Rights Under PDPA Malaysia
If you are located in Malaysia, you have the following rights under the Personal Data Protection Act 2010 (PDPA):
- Right of Access (Section 30): You have the right to request access to your personal data that we hold and information about how it has been processed.
- Right to Correction (Section 34): You have the right to request correction of any personal data that is inaccurate, incomplete, misleading, or not up to date.
- Right to Withdraw Consent (Section 38): You may withdraw consent to the processing of your personal data at any time by giving notice in writing.
- Right to Prevent Direct Marketing (Section 43): You have the right to require us to cease processing your personal data for direct marketing purposes.
- Right to Stop Processing (Section 43): You may request that we cease processing your personal data where it is causing or likely to cause substantial damage or distress.
To exercise these rights, please submit a written request to [email protected]. A processing fee may apply for access requests as permitted under the PDPA.
15. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience:
15.1 Essential Cookies
Required for basic functionality:
- Session management and authentication
- Security features and fraud prevention
- User preferences and settings
- Load balancing and performance optimization
15.2 Analytics Cookies
Used to understand how visitors interact with our Services:
- Page views and navigation patterns
- Feature usage statistics
- Error and performance monitoring
15.3 Marketing Cookies
Used with your consent for marketing purposes:
- Personalized advertising
- Campaign effectiveness measurement
- Remarketing and retargeting
15.4 Managing Cookies
You can manage cookie preferences through:
- Your browser settings (blocking or deleting cookies)
- Our cookie consent banner when you first visit our site
- Contacting us to update your preferences
Note: Disabling certain cookies may affect the functionality of our Services.
16. Children's Privacy
Our Services are not intended for or directed at children:
- Users must be at least 18 years old or the age of majority in their jurisdiction
- For EEA users, the minimum age is 16 years (or lower if permitted by member state law)
- We do not knowingly collect personal data from children under these age thresholds
If we discover that we have collected personal data from a child without appropriate consent, we will take immediate steps to delete such information. If you believe a child has provided us with personal data, please contact us at [email protected].
17. Third-Party Platform Interactions
When you use miu.ai chatbots through third-party messaging platforms, please be aware:
17.1 Platform-Specific Processing
- WhatsApp: Messages are transmitted through WhatsApp's infrastructure. Meta's privacy policy applies to their processing.
- Facebook & Instagram: Interactions are subject to Meta's Platform Terms and Privacy Policy.
- Telegram: Subject to Telegram's Privacy Policy.
- LINE: Subject to LINE's Privacy Policy.
17.2 Disclaimer
miu.ai is not responsible for the data practices of third-party platforms. We encourage you to review their respective privacy policies. When you interact with a chatbot through these platforms, you are subject to both this Privacy Policy (regarding miu.ai's processing) and the platform's own privacy policy.
18. Customer Responsibilities as Data Controllers
When Customers use miu.ai to create chatbots that collect and process End User data, Customers act as Data Controllers. As Data Controllers, Customers are responsible for:
- Legal Basis: Ensuring a valid legal basis exists for collecting and processing End User data
- Privacy Notices: Providing appropriate privacy notices to End Users before data collection
- Consent: Obtaining necessary consent where required by applicable law
- Data Subject Rights: Responding to data subject access requests and other rights requests from End Users
- Data Protection Impact Assessments: Conducting assessments where required
- Compliance: Ensuring compliance with all applicable data protection laws in jurisdictions where they operate
miu.ai provides a Data Processing Agreement (DPA) for Customers who require one to meet their compliance obligations. Contact us at [email protected] to request a DPA.
19. Broadcast & Marketing Campaign Data
Our platform enables Customers to send broadcast messages and marketing campaigns. Regarding this data:
- Campaign Data: We store campaign content, recipient lists, scheduling information, and delivery metrics
- Customer Responsibility: Customers are solely responsible for ensuring they have proper consent and legal basis to send marketing communications to recipients
- Opt-Out Mechanisms: Customers must provide and honor opt-out mechanisms for marketing recipients
- Anti-Spam Compliance: Customers must comply with applicable anti-spam laws (CAN-SPAM, GDPR, CASL, etc.)
20. Mobile Application Data
When you use our mobile applications, we may collect additional data:
- Device Information: Device type, operating system, unique device identifiers
- Push Notification Tokens: Firebase Cloud Messaging (FCM) tokens for delivering notifications
- App Usage Data: Features used, session duration, interaction patterns
- Camera/Microphone: Only when explicitly granted permission for specific features (sending media, voice messages)
- Location: Only when explicitly granted permission and required for specific features
You can manage app permissions through your device settings at any time.
21. Internal AI Assistant Data
Our platform includes internal AI assistant features for team use. Regarding this data:
- Internal AI assistant queries and responses are processed separately from customer-facing chatbots
- Data is used only to provide the AI assistant service and improve its functionality
- Internal AI data is not shared with external parties except AI sub-processors (OpenAI, Google Gemini)
- Customers can configure data retention settings for internal AI interactions
22. Data Breach Notification
In the event of a personal data breach:
22.1 Regulatory Notification
- For breaches affecting EEA data subjects, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible and required under GDPR)
- For breaches affecting Malaysian data subjects, we will comply with notification requirements under the PDPA
22.2 Customer Notification
- We will notify affected Customers without undue delay
- Notifications will include the nature of the breach, data affected, and recommended actions
- Customers are responsible for notifying their End Users as required by applicable law
22.3 Individual Notification
Where required by law and the breach is likely to result in high risk to individuals' rights and freedoms, we will notify affected individuals directly.
23. Changes to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.
- Material Changes: For significant changes affecting your rights, we will provide prominent notice via email and/or in-app notification at least 30 days before the changes take effect
- Minor Changes: For minor updates (e.g., clarifications, formatting), we will update the "Last updated" date
- Continued Use: Your continued use of our Services after the effective date of changes constitutes acceptance of the updated Privacy Policy
We encourage you to periodically review this Privacy Policy for the latest information on our privacy practices.
24. Data Protection Contact
For privacy-related inquiries, to exercise your data subject rights, or to raise concerns about our data practices, please contact us:
MIU AI SDN. BHD.
Attn: Data Protection
No. 21, Jalan Sempilai, Taman Tenaga Off Jalan Cheras, 56000 Kuala Lumpur, Malaysia
Email: [email protected]
Phone: +60 11-1633 6320
Response Commitment:
- We will acknowledge receipt of your request within 5 business days
- We will respond to data subject rights requests within 30 days (or as required by applicable law)
- Complex requests may require additional time; we will inform you of any extension
25. Governing Law
This Privacy Policy shall be governed by and construed in accordance with the laws of Malaysia, without regard to its conflict of law provisions.
For users in the European Union, European Economic Area, or United Kingdom: Nothing in this Privacy Policy limits your rights under the GDPR or local data protection laws. You have the right to lodge a complaint with your local supervisory authority. The GDPR and applicable member state laws will govern any conflicts with this Privacy Policy.
For users in California: Nothing in this Privacy Policy limits your rights under the CCPA/CPRA.
For users in Malaysia: The Personal Data Protection Act 2010 (PDPA) applies to processing of your personal data.
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
MIU AI SDN. BHD. (Company Registration No. 1482748-D)
No. 21, Jalan Sempilai, Taman Tenaga Off Jalan Cheras, 56000 Kuala Lumpur, Malaysia
Email: [email protected]
Phone/WhatsApp: +60 11-1633 6320