Privacy Policy

Effective 08 May 2026

This Privacy Policy explains how Lailaichat, a customer relationship management and omnichannel inbox platform operated by Cstars Sdn Bhd (“we”, “us”, “our”), collects, uses, stores, and shares information when you use our services (the “Service”). It applies to the website at lailaichat.cc and any subdomain we operate.

1. Who this policy applies to

This policy covers two groups of people:

  • Account holders — the businesses (and their employees) that subscribe to Lailaichat to manage their leads and customer conversations.
  • End customers — people whose conversations and contact details flow through the platform because they messaged a Lailaichat account holder via WhatsApp, Facebook Messenger, Instagram, TikTok, or another supported channel.

2. What we collect

From account holders

  • Name, email address, phone number, and password (hashed; we never see plaintext).
  • Company name, role, and any team membership data the account holder provides during onboarding or while using the platform.
  • API credentials you connect to integrate third-party platforms (e.g. WhatsApp Business access tokens, Meta App credentials, Google OAuth tokens). We store these encrypted at rest and only use them to deliver the integration you connected.
  • Usage data — pages viewed, features used, request logs — for the purposes of debugging, security, and improving the Service.

From end customers

  • The contents of messages exchanged with a Lailaichat account holder via supported channels (text, images, voice notes, documents).
  • Contact identifiers the platform provides — phone number, social profile name, profile picture — attached to each conversation.
  • Lead metadata the account holder records about you (notes, status, follow-up dates, custom fields).

3. How we use your information

  • To provide, maintain, and improve the Service.
  • To deliver messages between you and the businesses you correspond with.
  • To authenticate access, prevent fraud, and meet our security obligations.
  • To comply with legal obligations under Malaysian law (including the Personal Data Protection Act 2010) and any other applicable jurisdiction.
  • To communicate with account holders about service updates, billing, and important security notices.

We do not sell your data. We do not use your conversation content to train machine learning models without explicit, separate consent.

4. How we share information

We share data only with the following categories of recipients, and only to the extent necessary:

  • Platform partners — Meta (WhatsApp / Facebook / Instagram), TikTok, Telegram, Google. When you send or receive messages, those messages necessarily pass through their infrastructure under their own privacy terms.
  • Cloud infrastructure — Cloudflare (R2 file storage, networking), MongoDB Atlas (database hosting), Railway (application hosting), Resend (transactional email). These providers process data on our behalf under written agreements.
  • Payment providers — when paid plans launch, we will use Stripe (or a comparable provider) to handle billing. We never see your full card number.
  • Authorities — if compelled by valid legal process, we will disclose only the minimum data required and notify you where lawful.

5. Where we store your data and how long we keep it

Account data and conversation history are stored on MongoDB Atlas and Cloudflare R2. We retain account-holder data for as long as the account is active. End-customer conversation history follows the retention chosen by the account holder; you can request deletion at any time (see Section 7).

Backups are kept for up to 30 days for disaster-recovery purposes only and are then permanently destroyed.

6. Security

We use industry-standard practices: TLS in transit, encryption at rest where the underlying provider supports it, role-based access control, JWT-based authentication, multi-tenant data isolation, and webhook signature verification. No system is invulnerable; if you believe your account has been compromised, contact us immediately.

7. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data, subject to lawful retention requirements.
  • Withdraw consent for processing where consent is the basis we rely on.
  • Lodge a complaint with the Malaysian Personal Data Protection Commissioner.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Cookies and tracking

We use only the cookies necessary to keep you signed in and to remember your interface preferences (theme, language). We do not use third-party advertising or analytics trackers that profile you across sites.

9. Children

Lailaichat is a B2B service intended for businesses. It is not designed for, and we do not knowingly collect personal data from, anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the Effective date at the top of this page and notify account holders by email. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact us

If you have questions about this policy or how we handle your data, contact:

Cstars Sdn Bhd
Email: [email protected]