Privacy Policy

1. Introduction

Welcome to BALAM AI ("we", "us", "our", or "BALAM"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI-powered chat widget platform and related services (collectively, the "Services").

This Privacy Policy is designed to comply with the Malaysia Personal Data Protection Act 2010 (PDPA) and its 2024 amendments, as well as internationally recognized privacy principles. We are committed to protecting your personal data and being transparent about how we handle it.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use our Services.

2. Who We Are

BALAM AI is an AI-powered multi-tenant chat widget platform that enables businesses to embed intelligent conversational interfaces on their websites. Our Services include:

• Embeddable chat widget for websites
• AI-powered conversational assistants
• Voice input/output capabilities (speech-to-text and text-to-speech)
• Social media messaging integrations (WhatsApp, Facebook Messenger, Telegram)
• Analytics and reporting dashboard

2.1 Data Controller vs. Data Processor

Depending on the context:

• For Business Users (Dashboard Users): BALAM AI acts as the Data Controller for your account information.
• For End Users (Chat Widget Users): The business that embeds our widget on their website is the Data Controller, and BALAM AI acts as the Data Processor on their behalf.

3. Data We Collect

We collect different types of data depending on how you interact with our Services:

3.1 Business User Data (Dashboard Users)

When you register for a BALAM AI business account, we collect:

Data Type	Examples	Purpose
Identity Data	Full name, username, profile picture	Account creation and management
Contact Data	Email address	Account verification, notifications, support
Authentication Data	Hashed password, session tokens	Secure account access
Configuration Data	Assistant settings, widget customizations, API keys	Service delivery

3.2 End User Data (Chat Widget Users)

When end users interact with chat widgets embedded on websites, the following data may be collected:

Data Type	Examples	Purpose
Chat Messages	Text messages sent to and received from the AI assistant	Conversation continuity, service delivery
User Identifier	Anonymous unique identifier (signed, not personally identifiable)	Maintain conversation context across sessions
Voice Data	Audio recordings (when voice input is used)	Speech-to-text transcription
Device Information	Browser type, operating system, screen size, device type	Analytics, service optimization
Interaction Data	Widget opens, clicks, scroll depth, time spent	Analytics, user experience improvement
Location Data	Country, timezone (derived from IP, not precise location)	Language preferences, analytics
Referrer Data	Website URL where widget is embedded	Origin validation, analytics

3.3 Social Media Platform Data

When users communicate via integrated social media platforms:

• WhatsApp: Phone number, message content, delivery status
• Facebook Messenger: Page-scoped user ID, message content
• Telegram: Telegram user ID, username (if public), message content

3.4 Sensitive Personal Data

Under the Malaysia PDPA, "sensitive personal data" includes information about physical or mental health, political opinions, religious beliefs, criminal offenses, and other categories as defined by law.

We do not intentionally collect sensitive personal data. However, users may voluntarily include such information in chat messages. Business users are responsible for:

• Configuring their AI assistants to avoid requesting sensitive data
• Obtaining explicit consent if sensitive data collection is necessary
• Complying with additional PDPA requirements for sensitive data processing

4. How We Collect Data

4.1 Widget Embedding (Script Injection)

Our Services involve embedding JavaScript code on third-party websites. When a business user adds our widget code to their website:

1. The widget script loads from our servers
2. A chat interface is rendered on the page
3. Data is transmitted between the user's browser and our servers via secure WebSocket connections

The widget operates within an isolated Shadow DOM container to minimize interference with the host website and enhance security.

4.2 Voice Data Processing

When voice features are enabled:

• Speech-to-Text: Audio is captured from the user's microphone, transmitted to our servers, processed using OpenAI Whisper technology, and immediately deleted after transcription
• Text-to-Speech: AI responses are converted to audio using Kokoro (local) or ElevenLabs (cloud) services and streamed to the user

4.3 Analytics Collection

We automatically collect analytics data to improve our Services, including:

• Session duration and engagement metrics
• Message counts and response times
• Feature usage (voice, links clicked, file uploads)
• Error rates and technical performance data

5. Legal Basis for Processing (PDPA Compliance)

Under the Malaysia PDPA 2010, we process personal data based on the following principles:

5.1 Consent (Sections 6-7)

For general data processing, we rely on your consent, which is obtained:

• When you register for a BALAM AI account (explicit consent)
• When you use the chat widget after being presented with the embedded site's privacy notice (implicit consent)
• When you enable voice features and grant microphone permission (explicit consent)

5.2 Contractual Necessity

Processing is necessary to provide the Services you or your organization has requested.

5.3 Legitimate Interests

We may process data for legitimate business purposes such as fraud prevention, security, and service improvement, balanced against your privacy rights.

6. How We Use Your Data

We use collected data for the following purposes:

Purpose	Data Used	Legal Basis
Provide AI chat services	Chat messages, user identifier	Contract, Consent
Maintain conversation history	Chat messages, timestamps	Contract, Consent
Voice transcription and synthesis	Audio data (temporary), text output	Consent
Analytics and reporting	Interaction data, device info	Legitimate Interest
Account management	Identity, contact, authentication data	Contract
Security and fraud prevention	IP addresses, usage patterns	Legitimate Interest
Service improvement	Aggregated analytics	Legitimate Interest
Legal compliance	As required	Legal Obligation

7. Data Sharing and Disclosure

7.1 Business Users

Chat data from widgets is accessible to the business user who created the assistant. They can view conversation history, analytics, and user interactions through their dashboard.

7.2 Service Providers

We may share data with trusted third-party service providers who assist in delivering our Services:

• Cloud Infrastructure: Server hosting and data storage
• AI Processing: Ollama (local LLM), LangSmith (observability)
• Voice Services: ElevenLabs (text-to-speech, if enabled)
• Social Media Platforms: Meta (WhatsApp, Messenger), Telegram

7.3 Legal Requirements

We may disclose data when required by law, court order, or government request, or to protect our rights, safety, or property.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the business assets, with appropriate notice provided.

8. Cross-Border Data Transfers

Under Section 129 of the Malaysia PDPA, personal data may only be transferred outside Malaysia to places that provide adequate protection.

Our Services may involve data transfers to:

• Cloud servers located in various regions
• Third-party services (e.g., ElevenLabs) that may process data internationally

We ensure adequate protection through:

• Selecting providers with strong privacy commitments
• Contractual data protection clauses
• Encryption in transit and at rest

9. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy:

Data Category	Retention Period
Chat messages	Until deleted by business user or account closure
Voice recordings (raw audio)	Deleted immediately after transcription
Analytics data	24 months from collection
Account information	Duration of account + 30 days
Session data	14 days
Cached data (Redis)	5 minutes to 24 hours depending on type

10. Your Rights Under PDPA

Under the Malaysia Personal Data Protection Act 2010, you have the following rights:

10.1 Right of Access (Section 30)

You may request access to your personal data held by us. We will provide the information within 21 days of receiving your request.

10.2 Right of Correction (Section 34)

You may request correction of inaccurate, incomplete, misleading, or outdated personal data.

10.3 Right to Withdraw Consent (Section 38)

You may withdraw your consent for data processing at any time. This will not affect the lawfulness of processing conducted before withdrawal.

10.4 Right to Prevent Processing (Section 42)

You may request that we cease processing your personal data in certain circumstances.

10.5 Right to Data Portability

You may request your data in a structured, commonly used format.

10.6 Exercising Your Rights

To exercise any of these rights, please contact us at:

• Email: admin@ibalam.ai
• Response Time: Within 21 days as required by PDPA

We may request verification of your identity before processing requests.

11. Data Security

We implement comprehensive security measures to protect your personal data:

11.1 Technical Measures

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Authentication: JWT tokens with rotation, PBKDF2 password hashing
• Access Control: Role-based permissions, API key authentication
• Network Security: Firewalls, DDoS protection, rate limiting

11.2 Organizational Measures

• Employee security training
• Access logging and monitoring
• Regular security assessments
• Incident response procedures

11.3 Data Breach Notification

In compliance with the PDPA 2024 amendments, we will notify the Personal Data Protection Commissioner and affected individuals as soon as practicable upon becoming aware of a data breach that poses a risk of significant harm.

12. Children's Privacy

Our Services are not directed to children under 18 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us immediately.

13. Cookies and Tracking

Our dashboard uses cookies for:

• Essential cookies: Session management, CSRF protection
• Preference cookies: UI settings (e.g., sidebar state)

The embeddable chat widget does NOT use cookies. User identification is handled through signed tokens stored in browser localStorage with the user's consent.

14. Third-Party Links

Our Services may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. For significant changes, we will provide notice through our Services or via email to registered business users.

Continued use of our Services after changes constitutes acceptance of the updated policy.

16. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us:

• Email: admin@ibalam.ai
• General Support: admin@ibalam.ai

16.1 Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with the Personal Data Protection Commissioner of Malaysia:

• Website: www.pdp.gov.my
• Hotline: 03-8000 8000

17. Governing Law

This Privacy Policy is governed by the laws of Malaysia, including the Personal Data Protection Act 2010 and its amendments. Any disputes shall be subject to the exclusive jurisdiction of the Malaysian courts.