Privacy Policy

Effective 08 May 2026

This Privacy Policy explains how Lailaichat, a customer relationship management and omnichannel inbox platform operated by BTB Technologies (M) Sdn Bhd(“we”, “us”, “our”), collects, uses, stores, and shares information when you use our services (the “Service”). It applies to the website at lailaichat.cc and any subdomain we operate.

1. Who this policy applies to

This policy covers two groups of people:

  • Account holders — the businesses (and their employees) that subscribe to Lailaichat to manage their leads and customer conversations.
  • End customers — people whose conversations and contact details flow through the platform because they messaged a Lailaichat account holder via WhatsApp, Facebook Messenger, Instagram, TikTok, or another supported channel.

2. What we collect

From account holders

  • Name, email address, phone number, and password (hashed; we never see plaintext).
  • Company name, role, and any team membership data the account holder provides during onboarding or while using the platform.
  • API credentials you connect to integrate third-party platforms (e.g. WhatsApp Business access tokens, Meta App credentials, Google OAuth tokens). We store these encrypted at rest and only use them to deliver the integration you connected.
  • Usage data — pages viewed, features used, request logs — for the purposes of debugging, security, and improving the Service.

From end customers

  • The contents of messages exchanged with a Lailaichat account holder via supported channels (text, images, voice notes, documents).
  • Contact identifiers the platform provides — phone number, social profile name, profile picture — attached to each conversation.
  • Lead metadata the account holder records about you (notes, status, follow-up dates, custom fields).

3. How we use your information

  • To provide, maintain, and improve the Service.
  • To deliver messages between you and the businesses you correspond with.
  • To authenticate access, prevent fraud, and meet our security obligations.
  • To comply with legal obligations under Malaysian law (including the Personal Data Protection Act 2010) and any other applicable jurisdiction.
  • To communicate with account holders about service updates, billing, and important security notices.

We do not sell your data. We do not use your conversation content to train machine learning models without explicit, separate consent.

4. How we share information

We share data only with the following categories of recipients, and only to the extent necessary:

  • Platform partners — Meta (WhatsApp / Facebook / Instagram), TikTok, Telegram, Google — when you send or receive messages, those messages necessarily pass through their infrastructure under their own privacy terms.
  • Cloud infrastructure — Cloudflare (R2 file storage, networking), MongoDB Atlas (database hosting), Railway (application hosting), Resend (transactional email). These providers process data on our behalf under written agreements.
  • Payment providers — when paid plans launch, we will use Stripe (or a comparable provider) to handle billing. We never see your full card number.
  • Authorities — if compelled by valid legal process, we will disclose only the minimum data required and notify you where lawful.

Google API Services — Limited Use

When you connect a Google account (for example to import Google Forms responses as leads, or to sync Google Calendar), Lailaichat requests only the minimum Google OAuth scopes needed for the feature you enable, and accesses your Google data solely to provide and improve those user-facing features inside Lailaichat.

Lailaichat’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically:

  • We only use Google user data to provide or improve the feature you connected it for (Forms lead import, Calendar sync).
  • We do not transfer Google user data to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger or acquisition with appropriate notice.
  • We do not use Google user data for serving advertisements.
  • We do not allow humans to read your Google data unless (a) you give explicit consent for specific data, (b) it is necessary for security purposes such as investigating abuse, (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymised for internal operations.
  • You can disconnect Google access at any time from the Integrations page, which revokes our stored tokens.

5. Where we store your data and how long we keep it

Account data and conversation history are stored on MongoDB Atlas and Cloudflare R2. We retain account-holder data for as long as the account is active. End-customer conversation history follows the retention chosen by the account holder; you can request deletion at any time (see Section 7).

Backups are kept for up to 30 days for disaster-recovery purposes only and are then permanently destroyed.

6. Security

We use industry-standard practices: TLS in transit, encrypted at rest where the underlying provider supports it, role-based access control, JWT-based authentication, multi-tenant data isolation, and webhook signature verification. No system is invulnerable; if you believe your account has been compromised, contact us immediately.

7. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data, subject to lawful retention requirements.
  • Withdraw consent for processing where consent is the basis we rely on.
  • Lodge a complaint with the Malaysian Personal Data Protection Commissioner.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Cookies and tracking

We use only the cookies necessary to keep you signed in and to remember your interface preferences (theme, language). We do not use third-party advertising or analytics trackers that profile you across sites.

9. Children

Lailaichat is a B2B service intended for businesses. It is not designed for, and we do not knowingly collect personal data from, anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective date at the top of this page and notify account holders by email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact us

If you have questions about this policy or how we handle your data, contact:

BTB Technologies (M) Sdn Bhd
Email: [email protected]