CloudChem
HomeFeaturesTemplatesPricingBlogFAQContact
Log inStart free

Last updated · 2026-05-07

Privacy Policy.

This policy explains how CloudChem (operated by Perisi Sdn Bhd, "we", "us") collects, uses, and protects personal data in accordance with the Personal Data Protection Act 2010 ("PDPA") of Malaysia.

1. Who this policy applies to

This policy applies to anyone who creates a CloudChem account, signs up for our mailing list, sends a chat message to our connected WhatsApp / Telegram numbers, or visits our marketing site at cloudchem.com.my.

2. What data we collect

  • Account data — your name, email address, business name, and (optionally) phone number.
  • Workspace data — invoices, receipts, customer records, products, and any other documents you create through our service.
  • Chat data — messages you send through linked WhatsApp / Telegram numbers, plus the parsed metadata (intent, document type) we generate from those messages.
  • Billing data — handled directly by our payment processor (Stripe). We store only the workspace-level subscription status, not card numbers.
  • Operational data — request logs, error reports, and aggregated usage analytics (no message bodies are sent to third-party analytics).

3. How we use it

  • To provide the service you signed up for — generate documents, run chat commands, send notifications.
  • To process payments and manage your subscription.
  • To detect and prevent abuse, fraud, and security incidents.
  • To send service-related emails (e.g. invoice reminders, billing receipts) and, only with your consent, occasional product updates.
  • To comply with Malaysian tax, accounting, and regulatory obligations.

4. Who we share it with

We share data only with vendors that help us deliver the service, under contractual confidentiality. The current list:

  • Supabase — primary database and authentication.
  • Stripe — payment processing.
  • Meta (WhatsApp Cloud API) and Telegram — message delivery.
  • OpenAI / Google AI Studio — natural-language parsing of chat messages. Inputs are sent to extract structured fields (e.g. customer name, line items); we do not retain a copy outside the database row tied to your workspace.
  • Resend — transactional email delivery.
  • Sentry — error monitoring (when enabled).
  • DigitalOcean — hosting infrastructure.

We do not sell personal data. We do not share your workspace contents with other CloudChem customers, even when phone numbers overlap.

5. Cross-border transfers

Some of the vendors above process data outside Malaysia (United States, Singapore, European Union). We rely on contractual safeguards (DPAs, Standard Contractual Clauses where applicable) to ensure equivalent protection.

6. How long we keep it

  • Active workspaces — for as long as you maintain an account.
  • Cancelled workspaces — 90 days, after which we delete or anonymise.
  • Tax-relevant documents (invoices, receipts) — kept for 7 years to comply with Malaysian tax law, even after cancellation, on request.
  • Webhook ingest logs — 30 days.
  • Error / Sentry data — 30 days.

7. Your rights under the PDPA

You have the right to:

  • Request access to the personal data we hold about you.
  • Request correction of inaccurate data.
  • Withdraw consent for marketing communications at any time.
  • Request deletion (subject to overriding legal obligations such as tax record retention).
  • Lodge a complaint with the Personal Data Protection Department (JPDP).

To exercise any of these rights, email privacy@cloudchem.com.my. We respond within 21 days.

8. Security

We use TLS for all in-transit data, row-level security in our Supabase database (one workspace cannot read another's data), and bcrypt-equivalent hashing for credentials. Service-role keys are stored as encrypted secrets in our hosting providers and rotate on incident.

9. Children

CloudChem is a B2B product not intended for users under 18. We do not knowingly collect data from children.

10. Changes to this policy

When we make material changes, we'll email account holders at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version.

11. Contact

Perisi Sdn Bhd
Email: privacy@cloudchem.com.my

12. WhatsApp Business — additional disclosures

Merchants connect their own WhatsApp Business Account (WABA) to CloudChem via Meta's Embedded Signup or, during the Tech Provider review period, by pasting a System User access token. Access tokens are encrypted at rest with AES-256-GCM (a unique nonce per token); only the API server holds the key.

What we process for WhatsApp commerce: end-customer phone numbers, message content (text, images, voice notes), WhatsApp profile names, and conversation timestamps. Images may be sent to Anthropic Claude for vision analysis; voice notes to OpenAI Whisper for transcription. Both sub-processors operate under written data processing agreements; neither retains content for training when called via API.

Retention: conversation history is retained for 24 months by default so merchants can audit and improve their bot. Merchants may request earlier deletion of any conversation or their full WhatsApp data set by emailing privacy@cloudchem.com.my. We complete deletions within 30 days.

Meta data-deletion callback: end-users who remove the app from their Facebook profile trigger a signed deletion request that we log atapi.cloudchem.com.my/webhook/meta-data-deletionand reply with a polling URL. Each request is reviewed manually by our team within 30 days.

End-customer rights: if you are a customer of one of our merchants and want your phone number and message history removed from their workspace, email privacy@cloudchem.com.my with the merchant name and your phone number — we'll route your request and confirm completion.

Outside the 24h window:Meta only permits free-form replies for 24 hours after a customer's last inbound message. Outside that window, our bot is constrained to pre-approved template messages — enforced both by Meta's API and by guardrails in our system prompt.