Balam AI - AI Chat Widget Platform

Privacy Policy

Your privacy matters to us. This policy explains how BALAM AI collects, uses, and protects your data.

Effective: January 30, 2026
Last Updated: January 30, 2026

Contents

  1. Introduction
  2. Who We Are
  3. Data We Collect
  4. Data We Do NOT Collect
  5. How We Collect Data
  6. AI and Automated Processing
  7. Legal Basis for Processing
  8. How We Use Your Data
  9. Data Sharing and Sub-Processors
  10. Cross-Border Data Transfers
  11. Data Retention
  12. Your Rights
  13. Your Choices and Controls
  14. Data Security
  15. Data Breach Notification
  16. Children's Privacy
  17. Cookies and Tracking
  18. Do Not Sell or Share
  19. Third-Party Links
  20. Privacy by Design and Data Protection
  21. Changes to This Policy
  22. Contact Us and Data Protection Officer
  23. Governing Law
  24. Jurisdiction-Specific Disclosures
  25. Version History

1. Introduction

Welcome to BALAM AI ("we", "us", "our", or "BALAM"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI-powered chat widget platform and related services (collectively, the "Services").

This Privacy Policy is designed to comply with the Malaysia Personal Data Protection Act 2010 (PDPA) and its 2024 amendments (effective in phases from January to June 2025), as well as internationally recognised privacy standards including the EU General Data Protection Regulation (GDPR), the EU AI Act (Regulation 2024/1689), the California Consumer Privacy Act (CCPA/CPRA), Brazil's LGPD, South Africa's POPIA, China's PIPL, Singapore's PDPA, Thailand's PDPA, Australia's Privacy Act 1988, the UK Data Protection Act 2018 / UK GDPR, and the Illinois Biometric Information Privacy Act (BIPA).

Bahasa Malaysia: This Privacy Policy is also available in Bahasa Malaysia upon request. Please contact us for a translated copy. Our Personal Data Protection Notice is provided in both Bahasa Malaysia and English as required by the PDPA.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use our Services.

1.1 Scope

This Privacy Policy applies to:

  • Business Users who access our dashboard and configure AI assistants
  • End Users who interact with AI chat widgets embedded on third-party websites
  • Social Media Users who communicate with AI assistants via WhatsApp, Messenger, Telegram, Instagram, or TikTok
  • Email Users who receive AI-assisted email responses
  • Phone Users who interact with AI assistants via VoIP/SIP calls
  • Website Visitors who access our public-facing pages

1.2 Relationship to Terms of Service

This Privacy Policy forms part of, and should be read together with, our Terms of Service. In the event of any conflict between this Privacy Policy and the Terms of Service on matters of data protection, this Privacy Policy prevails.

2. Who We Are

BALAM AI is an AI-powered multi-tenant chat widget platform that enables businesses to embed intelligent conversational interfaces on their websites. Our Services include:

  • Embeddable chat widget for websites
  • AI-powered conversational assistants using large language models
  • Voice input/output capabilities (speech-to-text and text-to-speech)
  • Social media messaging integrations (WhatsApp, Facebook Messenger, Telegram, Instagram, TikTok)
  • Email integration (Gmail, Outlook, IMAP, POP3)
  • VoIP/SIP phone call handling
  • Analytics and reporting dashboard
  • Document upload and retrieval-augmented generation (RAG)
  • External tool and API integrations (MCP/OpenAPI)

2.1 Data Controller vs. Data Processor

Depending on the context:

  • For Business Users (Dashboard Users): BALAM AI acts as the Data Controller for your account information. We determine the purposes and means of processing your registration data, authentication data, and account configuration data.
  • For End Users (Chat Widget Users): The business that embeds our widget on their website is the Data Controller, and BALAM AI acts as the Data Processor on their behalf. The Business User determines the purposes of processing End User data; we process it according to their instructions and our Terms of Service.
  • For Social Media and Email Users: The Business User who configured the integration is the Data Controller; BALAM AI acts as the Data Processor.

Where we act as a Data Processor, we process personal data only on documented instructions from the Data Controller (the Business User), in accordance with GDPR Article 28 and the Malaysia PDPA.

2.2 Data Protection Officer

In compliance with the PDPA 2024 amendments (effective June 2025) and GDPR Article 37, we have appointed a Data Protection Officer (DPO). Our DPO can be contacted at:

  • Title: Data Protection Officer, BALAM AI
  • Email: admin@ibalam.ai
  • Response Time: Within 21 days as required by the PDPA

2.3 EU Representative

If you are located in the EU/EEA and wish to exercise your rights under GDPR, or if a supervisory authority wishes to contact us, our designated EU representative under GDPR Article 27 can be reached at:

  • Email: admin@ibalam.ai

2.4 UK Representative

If you are located in the United Kingdom, our designated UK representative under UK GDPR Article 27 can be reached at:

  • Email: admin@ibalam.ai

3. Data We Collect

We collect different types of data depending on how you interact with our Services. This section provides a comprehensive overview of all categories of data we collect, organised by user type.

3.1 Business User Data (Dashboard Users)

When you register for a BALAM AI business account, we collect:

| Data Type | Examples | Purpose | Lawful Basis |
|---|---|---|---|
| Identity Data | Full name, username, profile picture | Account creation and management | Contract, Consent |
| Contact Data | Email address | Account verification, notifications, support | Contract, Consent |
| Authentication Data | Hashed password (PBKDF2), JWT session tokens, API keys (hashed) | Secure account access | Contract, Security |
| Configuration Data | Assistant settings, widget customisations, integration credentials (Fernet encrypted) | Service delivery | Contract |
| Payment Data | Stripe Customer ID, subscription details, billing history (no card numbers stored) | Billing and subscription management | Contract, Legal Obligation |
| OAuth Tokens | Google/Microsoft OAuth tokens (Fernet encrypted) | Email and social media integration | Consent |
| Uploaded Content | Documents (PDF, DOCX, PPTX, XLSX, TXT) uploaded for knowledge bases | RAG knowledge retrieval | Contract, Consent |

3.2 End User Data (Chat Widget Users)

When end users interact with chat widgets embedded on websites, the following data may be collected:

| Data Type | Examples | Purpose | Lawful Basis |
|---|---|---|---|
| Chat Messages | Text messages sent to and received from the AI assistant | Conversation continuity, service delivery | Contract, Consent |
| User Identifier | Anonymous unique identifier (HMAC-SHA256 signed, not personally identifiable) | Maintain conversation context across sessions | Legitimate Interest |
| Voice Data (Biometric) | Audio recordings (when voice input is used) — temporary only | Speech-to-text transcription | Explicit Consent |
| Device Information | Browser type, operating system, screen size, device type | Analytics, service optimisation | Legitimate Interest |
| Interaction Data | Widget opens, clicks, scroll depth, time spent, message counts, response times | Analytics, user experience improvement | Legitimate Interest |
| Location Data | Country, timezone (derived from IP, not precise geolocation) | Language preferences, analytics | Legitimate Interest |
| Referrer Data | Website URL where widget is embedded | Origin validation, analytics | Legitimate Interest, Security |

3.3 Social Media Platform Data

When users communicate via integrated social media platforms:

  • WhatsApp: Phone number, message content, delivery status
  • Facebook Messenger: Page-scoped user ID, message content
  • Telegram: Telegram user ID, username (if public), message content
  • Instagram: Instagram user ID, message content
  • TikTok: Business ID, message content (available in supported regions only; not available in US, EEA, or UK)

Important: Messages sent via social media platforms are also subject to the respective platform's privacy policy (Meta, Telegram, TikTok). We recommend reviewing their policies. Social media platform credentials are stored using Fernet encryption (AES-128-CBC + HMAC-SHA256).

3.4 Email Data

When Business Users connect email accounts through our email integration:

  • Email message content, subject lines, and metadata (sender, recipient, timestamps)
  • Thread information and conversation context
  • OAuth tokens (Fernet encrypted) for Gmail and Outlook
  • IMAP/POP3 credentials (Fernet encrypted) for other providers

Email data is accessed solely through authorised OAuth protocols or configured connections and processed only for the purpose of providing AI assistant services.

3.4.1 Google API Data — Limited Use Compliance

Data obtained through Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  1. We only use Google user data to provide and improve user-facing features of our Services
  2. We do not transfer Google user data to third parties except as necessary to provide the Services, as required by law, or with explicit user consent
  3. We do not use Google user data for advertising or to serve advertisements
  4. We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, it is necessary to comply with law, or the data is aggregated and anonymised
  5. Our use of Google user data complies with the Google API Services User Data Policy

3.5 Sensitive Personal Data

Under the Malaysia PDPA (as amended in 2024), "sensitive personal data" includes information about physical or mental health, political opinions, religious beliefs, criminal offences, biometric data (including voice data), and other categories as defined by law.

We do not intentionally collect sensitive personal data, except for:

  • Voice Data: When you use our voice features, we temporarily process your voice data which constitutes biometric data classified as sensitive personal data under the PDPA. This includes speech-to-text conversion and text-to-speech generation. Your explicit consent is required before any voice data is collected or processed. Voice recordings are processed in real-time and temporary files are automatically deleted.

3.5.1 Illinois BIPA Disclosure (Voice Biometric Data)

If you are located in Illinois, the following additional disclosures apply under the Illinois Biometric Information Privacy Act (740 ILCS 14):

  • Biometric data collected: Voice recordings submitted through the voice input feature
  • Purpose: Speech-to-text transcription to facilitate AI chat interactions
  • Storage: Voice recordings are NOT stored permanently. Audio is processed in real-time for transcription and immediately deleted. No biometric templates or voiceprints are created or retained.
  • Retention schedule: Temporary voice files are deleted immediately after transcription; residual TTS output files are cleaned up hourly. No biometric data is retained beyond the processing session.
  • Destruction protocol: Automatic file deletion upon transcription completion; hourly cleanup task for residual files with file-level locking
  • No sale or disclosure: We do not sell, lease, trade, or otherwise profit from biometric data. Biometric data is not disclosed to third parties except as required for transcription processing.
  • Consent: Your explicit, informed written consent is obtained before any voice data collection through the microphone permission prompt and our pre-collection disclosure

Users may voluntarily include other sensitive information in chat messages. Business Users are responsible for:

  • Configuring their AI assistants to avoid requesting sensitive data
  • Obtaining explicit consent if sensitive data collection is necessary
  • Complying with additional PDPA requirements for sensitive data processing

3.6 Data Received from Third Parties

In accordance with GDPR Article 14, we may receive personal data from the following third-party sources:

  • OAuth Providers (Google, Microsoft): Name, email address, and profile picture when you sign in using OAuth2
  • Social Media Platforms (Meta, Telegram, TikTok): Platform user IDs, usernames, and message content when users contact your AI assistant through these platforms
  • Stripe: Payment status, subscription events, and billing metadata (no card numbers)
  • Business User Uploads: Documents containing personal data that Business Users upload to knowledge bases

Where we receive your data from a third party, we will provide you with notice of this processing within one month of receipt, or at the time of first communication if the data is used to contact you.

4. Data We Do NOT Collect

For transparency, we explicitly confirm that BALAM AI does NOT collect, process, or store the following categories of data:

  • Payment card numbers or bank account details: All payment processing is handled entirely by Stripe. We never receive, process, or store your credit card numbers, debit card numbers, CVV codes, or bank account details.
  • Government-issued identity documents: We do not collect passport numbers, national identity card numbers, driving licence numbers, or Social Security numbers.
  • Precise geolocation: We derive approximate location (country, timezone) from IP addresses but do NOT collect GPS coordinates or precise geolocation data.
  • Biometric templates or voiceprints: While we temporarily process voice audio for transcription, we do NOT create, store, or retain biometric templates, voiceprints, or facial recognition data.
  • Health or medical data: We do not intentionally collect health, medical, or genetic information.
  • Political, religious, or philosophical beliefs: We do not intentionally collect data about political opinions, religious beliefs, or philosophical affiliations.
  • Racial or ethnic origin: We do not collect data about race or ethnicity.
  • Sexual orientation or sex life: We do not collect data about sexual orientation or sex life.
  • Trade union membership: We do not collect data about trade union membership.
  • Criminal conviction data: We do not collect data about criminal convictions or offences.
  • Browsing history on third-party sites: Our widget does not track user browsing activity outside of the host website where the widget is embedded.
  • Keystrokes or screen recordings: We do not log keystrokes, capture screenshots, or record screen activity.
  • Contact lists or address books: We do not access or import users' contact lists or address books.

Voluntary Disclosure: While we do not intentionally collect the above categories, users may voluntarily include such information in chat messages. We cannot control what users type into chat conversations. Business Users should configure their AI assistants with appropriate guardrails to discourage submission of sensitive information.

5. How We Collect Data

5.1 Widget Embedding (Script Injection)

Our Services involve embedding JavaScript code on third-party websites. When a business user adds our widget code to their website:

  1. The widget script loads from our servers
  2. A chat interface is rendered on the page within an isolated Shadow DOM container
  3. Data is transmitted between the user's browser and our servers via secure WebSocket connections (WSS)
  4. Analytics data is collected through the widget (session metrics, device information, interaction data)

The widget operates within an isolated Shadow DOM container to minimise interference with the host website and provide CSS isolation. However, the Shadow DOM does not constitute a security sandbox; JavaScript within the widget has access to the host page's network context.

5.2 Voice Data Processing

When voice features are enabled:

  • Speech-to-Text (STT): Audio is captured from the user's microphone (with explicit consent), transmitted to our servers via encrypted WebSocket connections, processed using our STT engines (NVIDIA Parakeet, faster-whisper, or OpenAI Whisper), and immediately deleted after transcription. Audio is not stored as permanent voiceprint biometric templates.
  • Text-to-Speech (TTS): AI responses are converted to synthetic audio using Kokoro (local) or ElevenLabs (cloud) services and streamed to the user. Synthetic voice outputs are artificially generated and do not use or replicate any individual's biometric voice data.

Voice Data Retention: Raw audio recordings are processed in real-time and are NOT stored permanently. Only the text transcription is retained as part of the conversation history. Temporary TTS audio files are automatically cleaned up hourly with file-level locking to prevent deletion of active files.

5.3 Analytics Collection

We automatically collect analytics data to improve our Services, including:

  • Session duration and engagement metrics
  • Message counts and response times
  • Feature usage (voice, links clicked, file uploads)
  • Error rates and technical performance data
  • Device and browser information
  • Widget interaction patterns (opens, scrolls, clicks)

Analytics data is collected via WebSocket connections, NOT through cookies or third-party tracking pixels. We do not use Google Analytics, Facebook Pixel, or similar third-party analytics services for widget interactions.

5.4 Email Processing

When email integration is enabled:

  • Emails are polled at regular intervals from connected accounts
  • Incoming emails are filtered (spam, automated messages, and promotions are excluded)
  • Email content is processed through AI assistants to generate responses
  • OAuth tokens are automatically refreshed; IMAP/POP3 credentials are stored encrypted
  • Processed email records are maintained for deduplication purposes

5.5 VoIP/SIP Processing

When phone call features are enabled:

  • Phone calls are handled through VoIP/SIP technology
  • Callers are notified that calls may be processed by AI before proceeding
  • Voice audio from calls is processed by STT engines for transcription
  • AI-generated responses may be delivered via TTS during calls
  • Call recordings (if applicable) are encrypted and stored securely

5.6 External Tool and API Processing

When Business Users configure external tools and API integrations:

  • User queries may be analysed to determine if an external tool invocation is appropriate
  • Data necessary for tool execution (query parameters, identifiers) may be transmitted to third-party API endpoints configured by the Business User
  • Tool responses are processed and incorporated into AI assistant responses
  • All tool invocations are logged for audit purposes

Business Users are responsible for ensuring that any external tools they configure comply with applicable data protection laws and that appropriate data processing agreements are in place with the tool providers.

6. AI and Automated Processing

6.1 How We Use AI

In compliance with the EU AI Act (Regulation 2024/1689) Article 50, Malaysia's National Guidelines on AI Governance and Ethics (AIGE), the California AI Transparency Act (SB 942), and the Colorado AI Act (SB 205), we disclose the following about our AI processing:

When you interact with our AI assistants, your data is processed as follows:

  1. Input Analysis: Your text message or transcribed speech is analysed to understand intent
  2. Knowledge Retrieval (RAG): Relevant information is retrieved from configured knowledge bases using vector similarity search (all-MiniLM-L6-v2 embeddings, 384 dimensions)
  3. Response Generation: A large language model generates a response based on your input, retrieved context, and system instructions
  4. Quality Assessment: If enabled, a reflection system evaluates the response on multiple dimensions (accuracy, completeness, clarity, relevance, tone, engagement, actionability) and may generate an improved response
  5. Delivery: The response is streamed to you via WebSocket; for voice, it is converted to synthetic speech

6.2 AI Model Identification and Transparency

In compliance with the EU AI Act Article 50 and the California AI Transparency Act (SB 942), we identify the AI models used in our Services:

  • Primary Language Model: Qwen3 (4B parameter, quantised) — developed by Alibaba Cloud, licensed under Apache 2.0
  • Fallback Language Model: LLaMA 3.1 (8B parameter) — developed by Meta, licensed under Llama Community License Agreement
  • Embedding Model: all-MiniLM-L6-v2 (384-dimensional) — open-source sentence-transformers model
  • STT Engines: NVIDIA Parakeet TDT, faster-whisper (large-v3-turbo), OpenAI Whisper — all run locally on our infrastructure
  • TTS Engines: Kokoro (local, open-source) and ElevenLabs (cloud service for multilingual voices)

All primary AI models run locally on our infrastructure in Malaysia. No user data is sent to external AI model providers for inference, except where ElevenLabs cloud TTS is explicitly selected for multilingual voice synthesis.

6.3 No Training on User Data

We do NOT use your data to train AI models. Your chat messages, voice data, documents, and other content are NEVER used to train, fine-tune, or improve any artificial intelligence or machine learning models. Our AI models are pre-trained open-source models that operate in inference-only mode. Your data is used solely to generate responses during your conversations and to provide the Services.

6.4 AI Transparency and Limitations

  • All interactions are with AI, not humans. Our assistants are powered by artificial intelligence language models.
  • Hallucination Risk: AI-generated responses may contain errors, inaccuracies, fabricated information ("hallucinations"), or incomplete information. Responses should not be relied upon as the sole source of truth for critical decisions.
  • Responses are generated by open-source large language models and are not pre-written by humans
  • Synthetic voice outputs are artificially generated, not recordings of natural persons
  • AI-generated content is identified as such in our systems
  • We implement guardrails to constrain AI assistant behaviour, but no guardrail system is infallible

6.5 Automated Decision-Making and Profiling

Our AI assistants provide automated responses for informational and customer service purposes. In accordance with GDPR Article 22, POPIA Section 71, PIPL Article 24, and the PDPA's forthcoming Automated Decision-Making guidelines:

  • Our AI assistants do not make decisions with legal effects or similarly significant impact on individuals
  • AI responses are informational and are not intended to be legally binding determinations
  • We do not engage in profiling that produces legal effects. Analytics data is used only in aggregate form for service improvement.
  • You have the right to request human review of any AI-generated response that significantly affects your rights or interests
  • You have the right to express your point of view and contest any automated determination
  • You have the right to receive an explanation of how the AI generated its response

6.5.1 Legitimate Interest Balancing Test

Where we rely on legitimate interests as a legal basis for processing, we have conducted a legitimate interest assessment (balancing test) considering:

  • The purpose of processing and whether it is proportionate
  • The nature of the data and the impact on data subjects
  • Whether data subjects would reasonably expect the processing
  • Available safeguards to mitigate impact

You have the right to object to processing based on legitimate interests. To do so, contact our DPO at admin@ibalam.ai.

To exercise these rights, contact our Data Protection Officer at admin@ibalam.ai.

6.6 AI-Generated Outputs as Personal Information

In accordance with the Australian OAIC guidance on AI, AI-generated outputs (including inferences and summaries) about identifiable individuals are treated as personal information and handled under applicable data protection laws.

6.7 EU AI Act Risk Classification

Under the EU AI Act (Regulation 2024/1689), our AI systems are classified as follows:

  • Chat Widget AI Assistants: Classified as Limited Risk (Article 50 transparency obligations apply). Users are informed they are interacting with AI. We comply with transparency requirements including disclosure of AI involvement and content labelling.
  • Reflection/Quality Assessment System: Internal quality control that does not directly interact with end users. Not separately classified.
  • RAG Retrieval System: Information retrieval component that assists the AI response generation. Not separately classified.

None of our AI systems fall within the High-Risk category (Annex III) or involve prohibited practices (Article 5). Our AI assistants do not perform biometric identification, social scoring, emotional recognition in workplaces, or manipulation of vulnerable persons.

6.8 AI Bias Monitoring

We are committed to fairness and non-discrimination in our AI systems. Our approach includes:

  • Using open-source AI models with publicly documented training methodologies
  • Implementing configurable guardrails that Business Users can customise to prevent biased outputs
  • Monitoring AI response quality through our reflection system
  • Providing mechanisms for users to flag inappropriate or biased AI responses

6.9 Opt-Out of AI Processing

You have the right to opt out of AI-automated processing:

  • End Users: You may choose not to interact with the AI chat widget. Where available, you may request to speak with a human representative instead.
  • Business Users: You may disable AI features for specific assistants or platforms through the dashboard.
  • Voice Processing: You may decline microphone access to prevent voice data processing.
  • Email Processing: Business Users may disconnect email integrations at any time through the dashboard.

7. Legal Basis for Processing

7.1 Malaysia PDPA Compliance

Under the Malaysia PDPA 2010 (as amended in 2024), we process personal data in accordance with the seven data protection principles:

  1. General Principle: Personal data is processed only with the consent of the data subject, unless an exemption applies.
  2. Notice and Choice Principle: We provide this Privacy Policy as notice of our data practices and offer choices regarding processing.
  3. Disclosure Principle: Personal data is disclosed only for the purposes for which it was collected or directly related purposes.
  4. Security Principle: We implement appropriate technical and organisational measures to protect personal data.
  5. Retention Principle: Personal data is retained only as long as necessary for the stated purposes.
  6. Data Integrity Principle: We take reasonable steps to ensure personal data is accurate, complete, and up to date.
  7. Access Principle: Data subjects may request access to and correction of their personal data.

7.2 Consent (PDPA Sections 6-7)

For general data processing, we rely on your consent, which is obtained:

  • When you register for a BALAM AI account (explicit consent)
  • When you use the chat widget after being presented with the embedded site's privacy notice (implied consent)
  • When you enable voice features and grant microphone permission (explicit consent required for biometric/sensitive data)
  • When you connect email accounts via OAuth (explicit consent)
  • When you initiate or continue a VoIP call after notification (explicit consent)

7.3 Contractual Necessity

Processing is necessary to provide the Services you or your organisation has requested, including account management, service delivery, billing, and support.

7.4 Legitimate Interests

We may process data for legitimate business purposes such as fraud prevention, security, analytics, and service improvement, balanced against your privacy rights. See Section 6.5.1 for our balancing test approach.

7.5 Legal Obligation

We process data where required by law, including tax compliance (Malaysian Income Tax Act 1967, 7-year retention), anti-money laundering regulations, regulatory reporting, and compliance with court orders.

7.6 GDPR Lawful Bases (Article 6)

For processing of EU/EEA residents' data, we rely on:

  • Consent (Art. 6(1)(a)): For voice data, optional analytics, and marketing communications
  • Contract (Art. 6(1)(b)): For providing the Services
  • Legitimate Interest (Art. 6(1)(f)): For security, fraud prevention, and service improvement
  • Legal Obligation (Art. 6(1)(c)): For tax and regulatory compliance

8. How We Use Your Data

We use collected data for the following purposes:

| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide AI chat services | Chat messages, user identifier, knowledge base data | Contract, Consent |
| Maintain conversation history | Chat messages, timestamps | Contract, Consent |
| Voice transcription and synthesis | Audio data (temporary), text output | Explicit Consent |
| Email processing and AI responses | Email content, metadata, thread information | Consent, Contract |
| Social media messaging | Platform user IDs, message content | Consent, Contract |
| VoIP/phone call processing | Voice audio (temporary), call metadata | Explicit Consent |
| External tool and API execution | Query data, tool parameters, execution logs | Contract, Consent |
| Analytics and reporting | Interaction data, device info, session metrics | Legitimate Interest |
| Account management | Identity, contact, authentication data | Contract |
| Billing and payments | Payment data (via Stripe), credit usage | Contract, Legal Obligation |
| Security and fraud prevention | IP addresses, usage patterns, rate limiting data | Legitimate Interest, Security |
| Service improvement | Aggregated and anonymised analytics | Legitimate Interest |
| Legal compliance | As required by applicable law | Legal Obligation |

9. Data Sharing and Sub-Processors

9.1 Business Users

Chat data from widgets is accessible to the Business User who created the assistant. They can view conversation history, analytics, and user interactions through their dashboard.

9.2 Sub-Processors

We use the following categories of third-party service providers (sub-processors) who assist in delivering our Services:

| Category | Provider(s) | Purpose | Data Transferred | Location |
|---|---|---|---|---|
| Cloud Infrastructure | Server hosting provider | Server hosting and data storage | All platform data | Malaysia |
| AI Processing | Ollama (local) | LLM inference (on-premises) | Chat messages, knowledge context | Malaysia (local) |
| Observability | LangSmith (optional) | AI tracing and monitoring | AI interaction traces (if enabled) | USA |
| Voice Services | ElevenLabs (cloud TTS) | Text-to-speech generation | Text content for speech synthesis | USA |
| Payment Processing | Stripe | Payment handling, billing | Payment information, Stripe Customer IDs | USA |
| Social Media | Meta (WhatsApp, Messenger, Instagram) | Messaging integration | Message content, platform user IDs | Various (Meta infrastructure) |
| Social Media | Telegram | Messaging integration | Message content, Telegram user IDs | Various (Telegram infrastructure) |
| Social Media | TikTok | Messaging integration | Message content, business IDs | Various (TikTok infrastructure) |
| Email | Google (Gmail), Microsoft (Outlook) | Email integration via OAuth | Email content, OAuth tokens | USA |

9.3 Sub-Processor Obligations

We require all sub-processors to:

  • Enter into data processing agreements that comply with GDPR Article 28 and the Malaysia PDPA
  • Implement appropriate technical and organisational security measures
  • Process data only on our documented instructions
  • Assist with data subject rights requests
  • Notify us of any data breaches without undue delay
  • Delete or return personal data upon termination of the sub-processing relationship

We will notify Business Users of any material changes to our sub-processor list at least thirty (30) days in advance, providing an opportunity to object.

9.4 Legal Requirements

We may disclose data when required by law, court order, or government request, including but not limited to requests from the Personal Data Protection Commissioner, MCMC, the National Cyber Security Agency (NACSA), law enforcement agencies, or tax authorities. We will notify you of such requests where legally permitted.

9.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of the business assets, with appropriate notice provided to affected data subjects at least thirty (30) days before the transfer.

9.6 No Sale to Data Brokers

We do NOT sell, rent, lease, or trade personal data to data brokers, advertisers, or any third party for their own commercial purposes.

10. Cross-Border Data Transfers

10.1 PDPA Section 129 Compliance

Under Section 129 of the Malaysia PDPA (as amended in 2024), personal data may be transferred outside Malaysia subject to appropriate safeguards. The previous whitelist approach has been replaced with a risk-based framework.

Our Services involve data transfers to the following jurisdictions:

Service | Destination | Transfer Mechanism
ElevenLabs (Cloud TTS) | USA | Transfer Impact Assessment + Consent / SCCs
Stripe (Payments) | USA | Transfer Impact Assessment + Contractual Necessity
Google OAuth / Gmail | USA | Transfer Impact Assessment + Consent
Microsoft OAuth / Outlook | USA | Transfer Impact Assessment + Consent
LangSmith (optional) | USA | Transfer Impact Assessment + Consent / SCCs
Meta (WhatsApp, Messenger, Instagram) | Various | Transfer Impact Assessment + Consent
Telegram | Various | Transfer Impact Assessment + Consent

10.2 Transfer Safeguards

We ensure adequate protection for cross-border transfers through:

  • Transfer Impact Assessments (TIA): Conducted for all recipient jurisdictions, reviewed every 3 years or upon legal changes
  • Standard Contractual Clauses (SCCs): EU GDPR SCCs (Commission Implementing Decision (EU) 2021/914) and ASEAN Model Contractual Clauses where applicable
  • UK International Data Transfer Agreement (IDTA): For transfers of UK personal data
  • Contractual Data Protection Clauses: With all sub-processors
  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (Fernet encryption / AES)
  • Explicit Consent: Obtained before cross-border processing where required
  • Ongoing Monitoring: We monitor changes in recipient jurisdiction laws

10.3 Data Residency

Our primary data processing and storage infrastructure is located in Malaysia. All AI model inference (LLM, STT, embedding) is performed locally on our Malaysian infrastructure. Data leaves Malaysia only when explicitly required by the services listed in Section 10.1 above.

10.4 GDPR Transfer Mechanisms

For transfers of EU/EEA personal data, we rely on EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and conduct supplementary Transfer Impact Assessments.

10.5 Brazil LGPD Transfer Mechanisms

For transfers of Brazilian personal data, we comply with ANPD Resolution CD/ANPD No. 19/2024 and adopt Brazilian Standard Contractual Clauses where applicable.

11. Data Retention

We retain personal data only as long as necessary for the purposes outlined in this policy, in compliance with the PDPA Retention Principle (Section 10):

Data Category | Retention Period | Basis
Chat messages | Until deleted by Business User or account closure | Service delivery
Voice recordings (raw audio) | Deleted immediately after transcription; TTS files cleaned hourly | Data minimisation
Email messages | Until deleted by Business User or account closure | Service delivery
Analytics data | 24 months from collection | Service improvement
Account information | Duration of account + 30 days | Legal, contractual
Session data (Redis) | 7 days | Authentication
Cached data (Redis) | 5 minutes to 24 hours depending on type | Performance
Payment/billing records | 7 years (Malaysian tax requirements) | Legal Obligation
Social media deduplication records | 7 days | Service delivery
Data breach records | Minimum 2 years (PDPA requirement) | Legal Obligation
Processed email deduplication records | Daily cleanup | Service delivery
Tool invocation audit logs | 12 months | Security, compliance
RAG vector embeddings | Until source document deleted or assistant removed | Service delivery

11.1 Data Deletion and Destruction

Upon account termination, we will delete or return your personal data within 30 days, except where retention is required by law (e.g., 7-year tax records). Our deletion process includes:

  • Database records: Hard deletion from PostgreSQL databases
  • Vector embeddings: Deletion of associated Qdrant collections
  • Cached data: Automatic expiry from Redis caches
  • Files: Secure deletion of uploaded documents and generated files
  • Backups: Removal from backup systems within the next backup rotation cycle

Anonymised and aggregated data that does not identify individuals may be retained indefinitely for statistical purposes.

11.2 Data Deletion Verification

Upon request, we can provide written confirmation that your personal data has been deleted from our active systems. Backup system deletion is completed within 90 days of the deletion request.

12. Your Rights

12.1 Rights Under Malaysia PDPA

Under the Malaysia Personal Data Protection Act 2010 (as amended 2024), you have the following rights:

Right | PDPA Section | Response Time | Description
Right of Access | Sections 30-33 | 21 days (extendable by 14 days) | Request access to your personal data held by us
Right of Correction | Section 34 | Reasonable time | Request correction of inaccurate, incomplete, misleading, or outdated data
Right to Withdraw Consent | Section 38 | Reasonable time | Withdraw consent for data processing at any time (does not affect prior lawful processing)
Right to Prevent Processing | Section 42 | Reasonable time | Request cessation of processing where it causes unwarranted substantial damage or distress
Right to Prevent Direct Marketing | Section 43 | Reasonable time | Absolute right to opt out of direct marketing communications
Right to Data Portability | Section 43A (new) | Prescribed period | Request your data in a structured, commonly used format (effective June 2025)

12.2 Additional Rights Under GDPR (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you additionally have:

  • Right to Erasure (Art. 17): Request deletion of your personal data (within 30 days)
  • Right to Restriction (Art. 18): Request restriction of processing in certain circumstances
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Data Portability (Art. 20): Receive your data in a machine-readable format (JSON or CSV)
  • Right Regarding Automated Decisions (Art. 22): Not be subject to solely automated decisions with legal effects; right to human intervention
  • Right to Lodge Complaint: With your local data protection supervisory authority

12.3 Additional Rights Under UK GDPR (United Kingdom Residents)

If you are located in the United Kingdom, you have equivalent rights to those listed in Section 12.2 under the UK GDPR / Data Protection Act 2018. You may lodge complaints with the Information Commissioner's Office (ICO).

12.4 Additional Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you additionally have:

  • Right to Know: What personal information we collect, use, disclose, and sell (within 45 days)
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information
  • Right to Limit: Limit use of sensitive personal information
  • Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
  • Right Regarding ADMT: Right to opt out of automated decision-making technology (effective January 2027)

12.5 Additional Rights Under Other Jurisdictions

  • Brazil (LGPD): Right to anonymisation, blocking, or deletion; right to information about sharing; right to review of automated decisions (Article 20)
  • South Africa (POPIA): Right to challenge automated decisions (Section 71); right to lodge complaint with the Information Regulator
  • China (PIPL): Right to request explanation of automated decisions (Article 24); right to refuse decisions made solely through automated means
  • Singapore PDPA: Right of access, correction, and to withdraw consent
  • Thailand PDPA: Right of access, rectification, erasure, restriction, portability, and objection
  • Australia Privacy Act: Right of access (APP 12) and correction (APP 13); disclosure of automated decision-making (effective December 2026)

12.6 Exercising Your Rights

To exercise any of your rights, please contact our Data Protection Officer:

  • Email: admin@ibalam.ai
  • Subject Line: "Data Subject Request — [Your Right]"
  • Response Time: Within 21 days (PDPA), 30 days (GDPR/UK GDPR), or 45 days (CCPA) as applicable

We may request verification of your identity before processing requests. We will not charge a fee for processing rights requests unless requests are manifestly unfounded or excessive. If we cannot fulfil a request, we will explain the reasons and inform you of your right to complain to the relevant supervisory authority.

13. Your Choices and Controls

We believe in giving you meaningful control over your data. Here are the choices available to you:

13.1 Account Controls (Business Users)

  • Profile Management: Update or delete your profile information through the dashboard at any time
  • Assistant Configuration: Control what data your AI assistants collect and how they respond
  • Integration Management: Connect or disconnect social media, email, and tool integrations at any time
  • Data Export: Export your data in machine-readable format (JSON/CSV) through the dashboard or by contacting our DPO
  • Account Deletion: Request complete account deletion through the dashboard or by contacting us
  • Chat History: View, search, and delete conversation histories through the dashboard

13.2 End User Controls

  • Voice Features: Decline microphone access to prevent voice data collection
  • Chat Participation: Choose not to interact with the chat widget
  • Data Deletion: Request deletion of your chat data through the Business User or by contacting us directly

13.3 Communication Preferences

  • Marketing Communications: Opt out at any time using the unsubscribe link in emails or by contacting us
  • Service Notifications: Essential service notifications (security alerts, billing issues, Terms changes) cannot be opted out of while maintaining an active account

13.4 Browser and Device Controls

  • Cookies: Manage cookie preferences through your browser settings
  • Do Not Track / GPC: We honour the Global Privacy Control (GPC) signal as required by the CCPA/CPRA
  • LocalStorage: Clear browser localStorage to remove widget session data

14. Data Security

We implement comprehensive security measures to protect your personal data, following industry best practices and applicable regulatory requirements.

14.1 Technical Measures

  • Encryption at Rest: Fernet encryption (AES-128-CBC + HMAC-SHA256) for sensitive data including social media tokens, email credentials, and API keys. Double-encryption prevention with "enc::" prefix detection.
  • Encryption in Transit: TLS for all HTTP connections; WSS (WebSocket Secure) for real-time communications
  • Authentication: JWT tokens with rotation and blacklisting, single-session enforcement (only latest JTI valid), PBKDF2 password hashing with SHA256, HMAC-SHA256 user ID signing
  • Access Control: Role-based permissions, API key authentication with O(1) prefix lookup, principle of least privilege
  • Network Security: HSTS (1 year), secure cookies, CSRF middleware, rate limiting (6 classes with IP and user-based controls), SSRF protection (private IP blocking)
  • Input Validation: XSS prevention (bleach sanitisation, Shadow DOM isolation), input validation at all API boundaries, parameterised database queries
  • Webhook Security: Platform-specific HMAC signature verification, two-tier deduplication (Redis cache + DB atomic operations)
  • DDoS Protection: Multi-tier rate limiting (per-endpoint, per-user, per-IP), WebSocket connection limits, request throttling

14.2 Organisational Measures

  • Employee security awareness training
  • Access logging and monitoring with correlation IDs (django-guid)
  • Regular security assessments and code reviews
  • Incident response procedures with defined escalation paths
  • Principle of least privilege for system access
  • Background checks for personnel with access to personal data

14.3 Security Incident Classification

We classify security incidents using the following severity levels:

  • Critical (P1): Active data breach, unauthorised data exfiltration, complete service compromise — immediate response
  • High (P2): Potential data exposure, partial system compromise, vulnerability exploitation — response within 4 hours
  • Medium (P3): Suspicious activity, failed intrusion attempts, policy violations — response within 24 hours
  • Low (P4): Minor policy deviations, informational alerts — response within 72 hours

14.4 Vulnerability Disclosure

If you discover a security vulnerability in our Services, we encourage responsible disclosure. Please report vulnerabilities to:

  • Email: admin@ibalam.ai
  • Subject Line: "Security Vulnerability Report"

We commit to acknowledging receipt within 48 hours and providing an initial assessment within 7 days. We will not take legal action against security researchers who act in good faith and follow responsible disclosure practices.

14.5 Business Continuity and Disaster Recovery

We maintain business continuity and disaster recovery procedures to protect against data loss:

  • Regular automated database backups
  • Infrastructure monitoring and alerting (PM2 process management, Flower task monitoring)
  • Defined recovery procedures for each critical system component
  • Redis persistence for cache and session data

14.6 Compliance Certifications

We are committed to achieving and maintaining the following security certifications:

  • Current: Compliance with Malaysia PDPA, GDPR, CCPA/CPRA, and applicable data protection frameworks
  • Roadmap: We are working towards SOC 2 Type II and ISO 27001 certification. Please contact us for the latest status on our certification journey.

15. Data Breach Notification

In compliance with the PDPA 2024 amendments (Section 12B, effective June 2025) and the Malaysia Cybersecurity Act 2024:

15.1 Notification to Authorities

  • Malaysia PDPA: We will notify the Personal Data Protection Commissioner within 72 hours of becoming aware of a data breach that poses a risk of significant harm
  • Malaysia Cybersecurity Act 2024 (NCII): For breaches involving National Critical Information Infrastructure, we will notify the National Cyber Security Agency (NACSA) within 6 hours as required by law
  • GDPR: We will notify the relevant EU supervisory authority within 72 hours (Article 33)
  • UK GDPR: We will notify the Information Commissioner's Office (ICO) within 72 hours
  • Singapore PDPA: We will notify the PDPC if the breach is likely to result in significant harm and affects 500+ individuals, within 3 calendar days
  • Thailand PDPA: We will notify the PDPC within 72 hours
  • Brazil LGPD: We will notify the ANPD within a reasonable time
  • Australia Notifiable Data Breaches: We will notify the OAIC and affected individuals as soon as practicable for eligible data breaches under the Privacy Act 1988
  • South Africa POPIA: We will notify the Information Regulator and affected data subjects as soon as reasonably possible
  • China PIPL: We will notify the Cyberspace Administration of China (CAC) and affected individuals immediately upon discovery

15.2 Notification to Affected Individuals

  • Malaysia PDPA: Within 7 days after initial notification to the Commissioner, if the breach is likely to cause significant harm
  • GDPR: Without undue delay, when the breach is likely to result in a high risk to rights and freedoms (Article 34)
  • Other jurisdictions: As required by applicable law

15.3 Breach Notification Content

Our breach notifications will include:

  • The nature of the personal data breach and categories of data affected
  • The approximate number of data subjects affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details of our Data Protection Officer
  • Recommendations for individuals to mitigate potential adverse effects

15.4 Breach Records

We maintain a comprehensive breach register with records retained for a minimum of 2 years as required by the PDPA, documenting all breaches regardless of whether they require notification.

16. Children's Privacy

Our Services are not directed to children. Age requirements vary by jurisdiction:

  • Malaysia: Under 18 years of age (consent must be obtained from a parent, guardian, or person with parental responsibility)
  • EU/EEA (GDPR): Under 16 years (or lower per Member State, minimum 13) requires parental consent
  • United Kingdom: Under 13 years (Age Appropriate Design Code applies to services likely accessed by children)
  • California (CCPA): Under 16 years requires opt-in consent; under 13 years requires parental consent
  • Other jurisdictions: As defined by applicable law

We do not knowingly collect personal data from children under the applicable age threshold. If you become aware that a child has provided us with personal data without appropriate consent, please contact us immediately. If we become aware of such collection, we will take steps to delete the data promptly.

Business Users embedding our Widget on websites that may be accessed by minors should implement appropriate age verification or parental consent mechanisms.

17. Cookies and Tracking

17.1 Dashboard Cookies

Our dashboard uses cookies for:

  • Essential cookies: Session management (7-day TTL), CSRF protection, authentication tokens
  • Preference cookies: UI settings (e.g., sidebar state, theme preference)

17.2 Chat Widget

The embeddable chat widget does NOT use cookies. User identification is handled through HMAC-SHA256 signed tokens stored in browser localStorage. Analytics data is transmitted via WebSocket connections, not cookie-based tracking.

17.3 Cookie Consent

In jurisdictions requiring prior consent for cookies and tracking technologies (including the EU under the ePrivacy Directive, UK, and Brazil):

  • Essential cookies are deployed without prior consent (strictly necessary for service delivery)
  • Non-essential cookies require explicit, affirmative opt-in consent
  • Consent must be freely given, specific, informed, and unambiguous
  • We honour the Global Privacy Control (GPC) signal as required by the CCPA/CPRA

17.4 Business User Obligations

Business Users embedding our Widget are responsible for including disclosure of the Widget in their cookie/privacy notice and obtaining appropriate consent in their jurisdiction before loading the Widget.

18. Do Not Sell or Share

BALAM AI does NOT sell or share personal information as defined under the CCPA/CPRA.

We do not:

  • Sell personal information to third parties for monetary or other valuable consideration
  • Share personal information for cross-context behavioural advertising
  • Use personal information obtained through Google APIs for advertising purposes
  • Transfer personal data to third parties for their own marketing purposes
  • Disclose personal information to data brokers

If you wish to exercise your right to opt out of any future sale or sharing (should our practices change), you may contact us at admin@ibalam.ai or use the "Do Not Sell or Share My Personal Information" mechanism if available on our Platform.

19. Third-Party Links

Our Services may contain links to third-party websites and integrate with third-party platforms. We are not responsible for the privacy practices of these external services. We encourage you to review their privacy policies, including:

  • Meta: Meta Privacy Policy (WhatsApp, Messenger, Instagram)
  • Telegram: Telegram Privacy Policy
  • TikTok: TikTok Privacy Policy
  • Stripe: Stripe Privacy Policy
  • Google: Google Privacy Policy
  • Microsoft: Microsoft Privacy Statement
  • ElevenLabs: ElevenLabs Privacy Policy

20. Privacy by Design and Data Protection

In accordance with GDPR Article 25 (Data Protection by Design and by Default) and the Malaysia AIGE Framework, we incorporate privacy considerations into the design and development of our Services:

20.1 Privacy by Design Principles

  • Proactive not Reactive: We anticipate and prevent privacy-invasive events before they happen
  • Privacy as Default: Personal data is protected automatically. No action is required by users to protect their privacy.
  • Privacy Embedded into Design: Privacy is integral to our system architecture, not an add-on
  • Full Functionality: We accommodate all legitimate interests without unnecessary trade-offs
  • End-to-End Security: Data is protected throughout its entire lifecycle
  • Visibility and Transparency: Our practices are documented and verifiable
  • Respect for User Privacy: We keep the interests of the individual uppermost

20.2 Data Minimisation

We collect only the minimum personal data necessary to provide our Services:

  • End users are identified by anonymous HMAC-SHA256 tokens, not personal identifiers
  • Voice data is processed in real-time and immediately deleted — we do not retain audio recordings
  • Analytics data is collected in aggregate where possible
  • We do not collect data "just in case" it might be useful in the future

20.3 Data Protection Impact Assessments (DPIA)

In accordance with GDPR Article 35, we conduct Data Protection Impact Assessments for processing activities that are likely to result in a high risk to individuals' rights and freedoms, including:

  • AI-powered automated processing of communications
  • Processing of voice biometric data
  • Cross-border data transfers
  • Large-scale processing of chat and messaging data

DPIA records are maintained and updated when processing activities materially change.

20.4 Records of Processing Activities (ROPA)

In accordance with GDPR Article 30, we maintain comprehensive Records of Processing Activities that document:

  • The purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients
  • Cross-border transfer details and safeguards
  • Retention periods
  • Technical and organisational security measures

Our ROPA is available to supervisory authorities upon request.

21. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

For significant changes, we will provide at least thirty (30) days' notice through:

  • Our Services platform (dashboard notification)
  • Email notification to registered Business Users
  • An updated entry in the Version History (Section 25)

Continued use of our Services after the notice period constitutes acceptance of the updated policy. If you do not agree, you should discontinue use of our Services before the changes take effect.

22. Contact Us and Data Protection Officer

22.1 General Inquiries

If you have questions, concerns, or complaints about this Privacy Policy or our data practices:

  • Email: admin@ibalam.ai
  • Data Protection Officer: admin@ibalam.ai

22.2 Data Subject Requests

To exercise your data protection rights:

  • Email: admin@ibalam.ai
  • Subject Line: "Data Subject Request — [Your Right]"
  • Response Time: Within 21 days (PDPA), 30 days (GDPR/UK GDPR), or 45 days (CCPA) as applicable

22.3 Complaints

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant regulatory authority:

Jurisdiction | Authority | Contact
Malaysia | Personal Data Protection Commissioner | www.pdp.gov.my (Hotline: 03-8000 8000)
Malaysia | Malaysian Communications and Multimedia Commission (MCMC) | www.mcmc.gov.my
Malaysia | National Cyber Security Agency (NACSA) | www.nacsa.gov.my
EU/EEA | Your local Data Protection Supervisory Authority | See EDPB list of authorities
United Kingdom | Information Commissioner's Office (ICO) | ico.org.uk
California, USA | California Privacy Protection Agency (CPPA) | cppa.ca.gov
Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | gov.br/anpd
South Africa | Information Regulator | inforegulator.org.za
China | Cyberspace Administration of China (CAC) | www.cac.gov.cn
Singapore | Personal Data Protection Commission (PDPC) | pdpc.gov.sg
Australia | Office of the Australian Information Commissioner (OAIC) | oaic.gov.au
Thailand | Personal Data Protection Committee (PDPC) | pdpc.or.th

23. Governing Law

This Privacy Policy is governed by the laws of Malaysia, including the Personal Data Protection Act 2010 (as amended in 2024), the Communications and Multimedia Act 1998 (as amended in 2025), and the Cybersecurity Act 2024. Any disputes shall be subject to the exclusive jurisdiction of the Malaysian courts, without prejudice to your rights to lodge complaints with your local data protection authority.

24. Jurisdiction-Specific Disclosures

24.1 European Union / European Economic Area

If you are located in the EU/EEA, the following additional information applies:

  • Our legal bases for processing are set out in Section 7.6
  • Cross-border transfers are protected by EU Standard Contractual Clauses (Section 10.4)
  • You have the full range of GDPR rights as set out in Section 12.2
  • We process personal data in compliance with the EU AI Act transparency requirements (Article 50)
  • We have conducted Data Protection Impact Assessments for our AI processing activities (Section 20.3)
  • We maintain Records of Processing Activities in accordance with Article 30 (Section 20.4)
  • Where we process data as a Data Processor on behalf of EU Business Users, we comply with GDPR Article 28 requirements as set out in our Terms of Service
  • Our EU representative contact is provided in Section 2.3

24.2 United Kingdom

If you are located in the United Kingdom, the following additional information applies:

  • Processing is conducted in compliance with the UK GDPR and the Data Protection Act 2018
  • Cross-border transfers are protected by the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
  • You have the full range of UK GDPR rights as set out in Section 12.3
  • Our UK representative contact is provided in Section 2.4
  • You may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk

24.3 California, United States

If you are a California resident, the following additional information applies under the CCPA/CPRA:

  • Categories of PI collected (Civil Code §1798.100):
    1. Identifiers (name, email, username, account ID, IP address)
    2. Customer records (billing information via Stripe)
    3. Commercial information (subscription details, credit usage, purchase history)
    4. Internet or electronic network activity (interaction data, device information, widget analytics)
    5. Geolocation data (approximate location derived from IP)
    6. Audio information (temporary voice recordings when voice features used)
    7. Professional or employment-related information (if voluntarily provided in chat)
    8. Inferences (AI-generated responses and analytics patterns)
  • Categories NOT collected: Protected classifications, biometric templates, education records, sensory data (except temporary audio), Social Security numbers
  • Sources: Directly from you, automatically through our Services, from social media platforms, from OAuth providers
  • Business purposes: Service delivery, security, analytics, billing, legal compliance
  • Sale/Sharing: We do NOT sell or share personal information
  • Sensitive PI: We may process voice data (biometric) with your explicit consent. You have the right to limit use of sensitive personal information.
  • Retention: As specified in Section 11
  • You will not receive discriminatory treatment for exercising your privacy rights

24.4 Illinois, United States (BIPA)

If you are located in Illinois, the biometric data disclosures in Section 3.5.1 apply. We obtain your explicit consent before collecting any biometric data and do not retain biometric identifiers or information beyond the immediate transcription session.

24.5 Brazil

If you are located in Brazil, processing is conducted in compliance with the LGPD. You have additional rights under Articles 18 and 20 of the LGPD, including the right to review of automated decisions. Cross-border transfers comply with ANPD Resolution CD/ANPD No. 19/2024.

24.6 China

If you are located in China, processing is conducted in compliance with the PIPL. You have additional rights under PIPL Articles 44-49, including the right to refuse decisions made solely through automated means (Article 24). If you believe your rights under the PIPL have been violated, you may file a complaint with the Cyberspace Administration of China (CAC).

24.7 Australia

If you are located in Australia, processing is conducted in compliance with the Australian Privacy Principles (APPs) under the Privacy Act 1988. In accordance with the Privacy and Other Legislation Amendment Act 2024 (effective December 2026), we disclose that AI-generated outputs about identifiable individuals are treated as personal information and our privacy policy includes information about automated decision-making. For data breaches, we comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act.

24.8 South Africa

If you are located in South Africa, processing is conducted in compliance with POPIA. You have the right to challenge automated decisions under Section 71. Our security measures comply with the POPIA security safeguard requirements (Condition 7). We will notify the Information Regulator and affected data subjects of any breach as required by Section 22.

24.9 US State AI Laws

We comply with emerging US state AI transparency laws, including:

  • California AI Transparency Act (SB 942): We disclose when content is AI-generated and identify the AI systems used
  • Colorado AI Act (SB 205): We provide notice that AI is used in our Services and disclose the purpose and nature of AI processing
  • Texas TRAIGA: We disclose AI involvement in communications and provide mechanisms for users to request human interaction

25. Version History

Version | Date | Summary of Changes
2.0 | January 30, 2026 | Comprehensive update: Added "Data We Do NOT Collect" section (Section 4); added "Your Choices and Controls" section (Section 13); added "Privacy by Design and Data Protection" section (Section 20) including DPIA and ROPA disclosures; added EU and UK representative appointments (Sections 2.3-2.4); added UK-specific disclosures and UK GDPR compliance (Section 24.2); added Illinois BIPA detailed biometric disclosures (Section 3.5.1); expanded CCPA to include all 11 PI categories (Section 24.3); added data received from third parties (Section 3.6); added Google Limited Use compliance (Section 3.4.1); added AI model identification and transparency (Section 6.2); added no-training-on-user-data commitment (Section 6.3); added AI bias monitoring (Section 6.8); added opt-out of AI processing (Section 6.9); added EU AI Act risk classification (Section 6.7); added legitimate interest balancing test (Section 6.5.1); added profiling disclosure (Section 6.5); added security incident classification (Section 14.3); added vulnerability disclosure policy (Section 14.4); added business continuity and disaster recovery (Section 14.5); added SOC 2/ISO 27001 certification roadmap (Section 14.6); expanded breach notifications to include Australia, South Africa, China, and NCII (Section 15.1); added breach notification content requirements (Section 15.3); added data deletion verification (Section 11.2); added data residency disclosure (Section 10.3); added external tool processing (Section 5.6); added version history (Section 25); added US state AI laws compliance (Section 24.9); expanded regulatory authorities table to include NACSA, CAC, and Thailand PDPC.
1.0 | January 30, 2026 | Initial publication. Comprehensive privacy policy covering Malaysia PDPA, GDPR, CCPA/CPRA, LGPD, POPIA, PIPL, Singapore PDPA, Thailand PDPA, and Australia Privacy Act compliance.

Compliance: This policy has been drafted to comply with the seven data protection principles of the Malaysia PDPA 2010 (General, Notice and Choice, Disclosure, Security, Retention, Data Integrity, and Access), as well as the GDPR, UK GDPR, CCPA/CPRA, LGPD, POPIA, PIPL, Singapore PDPA, Thailand PDPA, Australia Privacy Act, Illinois BIPA, the EU AI Act transparency requirements, the California AI Transparency Act (SB 942), the Colorado AI Act (SB 205), and the Texas TRAIGA. It incorporates requirements from the PDPA 2024 amendments including mandatory DPO appointment, data breach notification, data portability, and biometric data classification, as well as Privacy by Design principles, Data Protection Impact Assessments, Records of Processing Activities, and the Malaysia Cybersecurity Act 2024 NCII reporting requirements.

© 2026 Balam AI. All rights reserved.