Is my WhatsApp chatbot customer data safe in Malaysia?
Your customer chats contain real personal data: names, phone numbers, what they ordered, when they last messaged. That data is your responsibility under Malaysian law, and a badly run chatbot setup can expose it. This guide explains where the data goes, what the law says, and what a properly run setup does to protect it.
Where does the chat data actually go?
When a customer messages your WhatsApp chatbot, that conversation does not sit on a staff member’s phone. It is sent through the WhatsApp Business API, then stored on a server that your chatbot platform operates.
With Polaris, conversations are stored on a dedicated server, encrypted in transit (TLS) and encrypted at rest. Your team views those chats through a shared Chatwoot-based inbox, not through personal WhatsApp accounts. Only your own team members with login access can see them. No one else, including Polaris staff, reads your customer chats in the normal course of service.
This matters because keeping chat data on personal phones is one of the riskiest things a small business can do. A staff member leaves, the phone is lost, or someone screenshots a conversation. A server-based setup with access controls removes most of those risks.
What does PDPA actually require?
The Personal Data Protection Act 2010 (Act 709) governs how businesses in Malaysia collect, store, and use personal data in commercial transactions. It is enforced by the Department of Personal Data Protection (JPDP) under the Digital Ministry.
The law sets out seven principles. Three of them apply most directly to a chatbot setup:
- Security Principle. You must protect personal data from loss, misuse, and unauthorized access. This means your chatbot platform needs proper access controls and encryption, not just a password on a WhatsApp account.
- Retention Principle. You can only keep data for as long as it is needed. Once the purpose is done, delete it.
- Access Principle. Customers have the right to request access to the personal data you hold about them.
The Personal Data Protection (Amendment) Act 2024 added three significant changes, rolling out in phases from June 2025. First, if you have a breach, you must notify the Commissioner within 72 hours. If that breach risks significant harm to affected individuals, you must also notify those individuals within 7 days of your Commissioner notification, according to guidelines from the JPDP. Second, larger organisations must appoint a Data Protection Officer. Third, the old term “data user” is now “data controller” and data portability rights were added.
From 1 April 2025, fines for breaching PDPA principles rose to RM1,000,000 with up to 3 years imprisonment, up from the previous RM300,000. Those are not hypothetical numbers.
Is encryption enough to keep data safe?
Encryption is necessary but not the whole picture. Using TLS for data in transit and strong encryption for data at rest (such as AES-256) is widely recommended best practice under the PDPA Security Principle. It protects against common attacks like network interception or physical theft of a storage drive.
What encryption does not protect against is a misconfigured system, a weak password, or someone inside your team with access they should not have. A good setup combines encryption with access controls, audit logs, and the principle of least privilege (only the people who need to see data can see it).
Polaris does not claim to be unhackable. No system is. What it does is follow these practices so that a breach would require significant effort, and any breach would be covered by the notification obligations under the amended PDPA.
Who can see my customers’ chats?
Only your own team members with a login to your workspace. Polaris runs on a Chatwoot-based inbox where conversations are labelled by who is handling them, either the AI bot or a specific human agent. This means two staff members do not accidentally reply to the same customer at the same time, and you can see exactly who handled each conversation.
The AI chatbot only answers from the knowledge base your business provides. It does not pull information from the internet or from other businesses’ data. If a customer asks something outside your knowledge base, the bot can escalate to a human agent rather than guess. For more on how the AI handles knowledge limits, see can an AI chatbot give wrong answers.
Can I delete customer data when I need to?
Yes. The PDPA Retention Principle requires this, and Polaris supports it.
You can delete a single document from your knowledge base, or clear the entire workspace. When data is deleted, it is removed from the system. This matters if a customer requests deletion of their information or if you decide a particular document is no longer accurate.
The ability to delete data also protects you operationally. Old product information, outdated pricing, or incorrect details that sit in the knowledge base will be used by the bot to answer customers. Keeping the knowledge base current is part of running a compliant and accurate chatbot. A bad knowledge base is not just a legal risk, it is a customer experience problem.
What is my vendor’s responsibility, and what is mine?
Under the amended PDPA, data processors, which includes SaaS vendors and chatbot platforms acting on behalf of your business, now carry direct legal liability for the Security Principle. This is a meaningful change from the old framework, where the data controller (you, the business) bore almost all the responsibility.
In practice, this means you and your chatbot vendor both have skin in the game. When choosing a platform, ask: where is data stored? Who has access? What happens if there is a breach? A vendor who cannot answer these plainly is a risk.
Your responsibilities remain: you must get consent from customers to collect their data, you must keep data only as long as needed, and you must be able to provide or delete it on request. Polaris is a tool that processes data on your behalf. The relationship under the law is a shared one, not a hand-off.
What about data stored on WhatsApp itself?
Meta (WhatsApp’s parent company) stores message data on its own infrastructure as part of operating the WhatsApp Business API. Their data retention and privacy practices are governed by their own policies and applicable international frameworks. This is a separate layer from what your chatbot platform stores.
For the purposes of PDPA compliance in Malaysia, your primary obligation is to control what you collect, store, and process on your own systems. You should not store more than you need, and you should not keep it longer than the purpose requires.
Is Polaris locked into a long contract if I change my mind?
No. Polaris plans are monthly and rolling with no lock-in. If you cancel, your data and your domain content are what you take with you. For a full explanation of what happens when you cancel, see WhatsApp chatbot: can you cancel anytime?.
The honest summary
A properly run WhatsApp chatbot setup, using server-side storage, encrypted data, role-based access, and a vendor who operates under the amended PDPA’s data processor obligations, is a significant step up from managing customer chats on personal phones or in a personal WhatsApp account.
It is not a guarantee against every possible risk. What it is: a structured way to handle customer data that aligns with what Malaysian law now requires, gives you control over what you keep and what you delete, and makes your exposure far smaller than an ad-hoc setup would.
If you want to understand more about how Polaris works before deciding, the how it works page covers the full setup. Or read the broader AI chatbot guide for Malaysian businesses if you are still working out whether a chatbot fits your business at all.