Polaris

Privacy Policy

Last Updated: April 2026

1. Our Commitment to Your Privacy

Polaris Technologies is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with the Polaris AI-powered omnichannel customer service platform (the "Service"). It applies to all Clients who subscribe to the Service and, where applicable, to the End Users who interact with Client-deployed AI assistants. We comply fully with the Malaysian Personal Data Protection Act 2010 (PDPA) and any amendments thereto. We encourage you to read this policy carefully. If you have any questions, please contact us at privacy@polaris.my.

2. Definitions

In this Privacy Policy, the following terms shall have the meanings set out below:

"Polaris", "Company", "We", "Us", or "Our"
refers to Polaris Technologies (SSM Registration No. 202603066744 / AS0511535-P), a business registered in Malaysia with its principal place of business in Cheras, Selangor.
"Client", "You", or "Your"
refers to the business entity or individual who subscribes to and uses the Polaris Service.
"End User"
refers to any individual who interacts with a Client's AI assistant deployed on WhatsApp, Instagram, or Messenger.
"Service"
refers to the Polaris AI-powered omnichannel customer service platform, including all associated dashboards, features, tools, and third-party integrations.
"Personal Data"
has the same meaning as defined under the PDPA — any information that relates directly or indirectly to an individual who is identified or identifiable from that information.
"Processing"
means any operation or set of operations performed on Personal Data, including collection, recording, storage, use, disclosure, transfer, or erasure.
"Data Controller"
means the entity that determines the purposes and means of processing Personal Data. Clients are the Data Controllers for their End Users' Personal Data.
"Data Processor"
means the entity that processes Personal Data on behalf of the Data Controller. Polaris acts as a Data Processor when handling End User data on behalf of Clients.
"PDPA"
means the Personal Data Protection Act 2010 of Malaysia, as amended or replaced from time to time.
"Knowledge Base"
refers to the business documents, FAQs, price lists, catalogs, and other materials uploaded by the Client to train and configure the AI assistant.

3. Consent and Acknowledgement

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and you consent to the collection, use, and disclosure of your Personal Data as described herein.

By subscribing to the Service, the Client represents and warrants that: (a) it has obtained all necessary consents from its End Users for the collection and processing of their Personal Data through the Polaris platform; (b) it maintains a publicly accessible privacy policy that informs End Users how their data is collected, used, and protected; and (c) it has ensured that all End Users who receive outbound messages have validly opted in to receive such communications, in compliance with applicable law and Meta's platform policies.

You may withdraw your consent to our processing of your Personal Data at any time by contacting privacy@polaris.my. Please note that withdrawal of consent may limit or prevent our ability to continue providing the Service.

4. Categories of Personal Data We Collect

We collect the following categories of Personal Data in connection with the provision of the Service:

  • Account & Business Details: Your name, WhatsApp number, email address, and business name, collected when you submit an enquiry, register for the Service, or communicate with our team.
  • Knowledge Base Materials: Business documents you upload to the platform — PDFs, price lists, product catalogs, FAQs, and other materials — used to configure and train your AI assistant on your specific business context.
  • End-Customer Conversation Data: Messages sent and received between your End Users and your AI assistant on WhatsApp, Instagram, or Messenger, including AI-generated replies, conversation timestamps, sender identifiers, and human agent handoff records.
  • Usage & Technical Data: Analytics on how you interact with our website and client dashboard, error logs, API call metadata, and system performance metrics used to maintain and improve the Service.
  • Billing Information: Your name, billing address, and payment reference details required to process your subscription. We do not store credit or debit card numbers on our servers — payment card data is handled exclusively by our payment processor.

5. Data We Collect From Other Sources

In addition to data you provide directly, we may receive Personal Data from the following external sources:

  • Meta Platforms: When End Users interact with your AI assistant via WhatsApp, Instagram, or Messenger, Meta transmits message payloads to our system via their Cloud API. This includes message content, sender identifiers, channel metadata, and message timestamps.
  • Publicly Available Sources: We may verify business information using publicly available registers such as the SSM (Suruhanjaya Syarikat Malaysia) directory, solely for account verification and fraud prevention purposes.

6. How We Use Your Personal Data

We use the Personal Data we collect strictly for the following purposes:

  • To set up, configure, and operate your AI assistant on your chosen messaging channels.
  • To process and manage your subscription payments and billing records.
  • To provide technical support, diagnose issues, and resolve service disruptions.
  • To monitor system performance, maintain service reliability, and improve AI response accuracy and quality.
  • To comply with applicable legal and regulatory obligations, including tax and financial record-keeping requirements.
  • To detect, investigate, prevent, and respond to fraud, security incidents, and other unlawful or unauthorized activities.
  • To send you essential service-related communications, such as payment reminders, service notices, and policy updates.

7. Use of Client Data and AI-Related Processing

The Service is powered by Anthropic's Claude API. When an End User sends a message to your AI assistant, relevant Knowledge Base content and conversation context are transmitted to Anthropic for AI inference. Anthropic processes this data solely to generate a response and, under our enterprise agreement, does not use this data to train its foundational AI models.

The Client is the Data Controller for all End User Personal Data. Polaris acts as a Data Processor, handling End User data strictly on the Client's instructions and for the sole purpose of delivering the contracted Service. Polaris will not access, use, or disclose End User data for any purpose other than delivering the Service, except as required by law.

Polaris may, in the future, use anonymized and aggregated conversation data — drawn from across its Client base and fully stripped of any personally identifiable information — to develop specialized customer service AI models tailored to Malaysian business contexts. This is distinct from training third-party foundational models. Any such use will be limited to anonymized, aggregated datasets. Clients will be given advance notice and the opportunity to opt out before any such program is implemented.

8. Disclosure of Personal Data

We will never sell your Personal Data. We disclose it only to the following categories of trusted third-party service providers who are necessary to operate the Service, each bound by appropriate data processing agreements:

  • Anthropic (Claude AI): Receives Knowledge Base content and End User messages for AI inference. Bound by Anthropic's enterprise data handling and usage policy, which prohibits use of API data for training base models.
  • Supabase: Cloud database provider storing Knowledge Base vector embeddings, tenant configuration, conversation history, and session data. Hosted in Singapore.
  • Chatwoot: Self-hosted messaging middleware that receives messages from Meta channels and routes them to the Polaris AI engine. Self-hosted on our own Hetzner server — data does not leave our infrastructure.
  • Meta Platforms: End User messages originate from and are delivered via WhatsApp, Instagram, and Messenger. Message transmission through Meta's Cloud API is an inherent part of operating on these channels and is governed by Meta's own Privacy Policy.
  • Hetzner: Server infrastructure provider. The Polaris application backend, including Chatwoot and core AI orchestration services, runs on a dedicated Hetzner server located in Singapore.
  • Curlec / Payment Processors: Securely processes monthly subscription payments via direct debit (Curlec). Annual plan payments are made via bank transfer and are not handled by a third-party processor. Card details are never stored on Polaris servers.
  • Legal and Regulatory Authorities: We may disclose Personal Data where required by applicable law, court order, or direction of a governmental or regulatory authority, including the Personal Data Protection Commissioner of Malaysia.

9. Transfer of Personal Data

To deliver the Service, your data may be transferred to and processed in the following jurisdictions outside of Malaysia:

  • Singapore: Our primary application server (Hetzner) and cloud database (Supabase) are both located in Singapore, a jurisdiction with robust data protection legislation comparable to the PDPA.
  • United States: AI inference requests are processed by Anthropic, which is headquartered in the United States. Anthropic is bound by its enterprise data handling policy and applicable US privacy law.

All cross-border data transfers are conducted over TLS-encrypted connections. Data at rest is encrypted using AES-256. We take contractual and technical measures to ensure that all data transferred outside Malaysia receives a level of protection equivalent to that required by the PDPA.

10. Cookies and Similar Technologies

Our website uses cookies — small text files placed on your device by your browser. We use the following types of cookies:

  • Essential Cookies: Necessary for the website to function. These cannot be disabled without affecting core site functionality.
  • Analytics Cookies: Help us understand how visitors interact with our website (e.g., pages visited, time on site), so we can improve the experience.
  • Preference Cookies: Remember your settings and choices, such as your selected language.

You may disable non-essential cookies through your browser settings at any time. Note that disabling certain cookies may affect the functionality of parts of the website.

11. Data Retention

We retain different categories of Personal Data for different periods, based on the purpose for which they were collected:

  • Account & Business Details: Retained for the duration of your active subscription and deleted within 30 days of cancellation.
  • Knowledge Base Materials: Retained for the duration of your active subscription and permanently deleted within 30 days of cancellation.
  • Conversation Logs (Messages): Individual messages are automatically purged 180 days after creation by an automated daily retention sweep. Expired demo sessions are purged 90 days after expiry, cascading to delete their associated messages. Any remaining data is permanently deleted within 30 days of subscription cancellation.
  • Session Cache (Redis): Automatically expires within 24 hours by design.
  • Billing & Financial Records: Retained for 7 years from the date of the relevant transaction in compliance with Malaysian financial and tax record-keeping requirements.

Retention is enforced by an automated daily background process. Upon cancellation, we provide a 30-day data export window. After this window closes, all account data, Knowledge Base content, and conversation logs are permanently and irreversibly deleted from our primary systems and backups.

12. Security of Personal Data

We implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, loss, and destruction, including:

  • TLS (Transport Layer Security) encryption for all data transmitted between your devices, our servers, and our service providers.
  • AES-256 encryption at rest for data stored in our database and file storage systems.
  • Role-based access controls ensuring that only authorized Polaris personnel with a legitimate need may access Client data.
  • Infrastructure security measures including firewalls, intrusion detection, and regular security patching.
  • Periodic security reviews of our infrastructure and third-party integrations.

No method of data transmission over the internet or electronic storage is completely secure. While we take all reasonable steps to protect your Personal Data, we cannot guarantee absolute security. In the event of a security incident, we will act promptly in accordance with our Data Breach Management procedures below.

13. Data Breach Management

In the event of a Personal Data breach that is reasonably likely to result in significant harm to affected individuals, we will:

  • Identify and contain the breach as quickly as operationally possible.
  • Assess the nature, scope, cause, and likely consequences of the breach.
  • Notify the Personal Data Protection Commissioner (PDPC) in accordance with the applicable timelines under the PDPA.
  • Notify affected Clients without undue delay where the breach is likely to adversely affect their rights or the rights of their End Users.
  • Document the breach, our response, and any remedial actions taken.
  • Implement corrective measures to prevent recurrence of similar incidents.

14. Your Rights

Under the Malaysian PDPA, you have the following rights with respect to your Personal Data held by Polaris:

  • Right of Access: Request a copy of the Personal Data we hold about you.
  • Right to Correct: Request correction of any Personal Data that is inaccurate, incomplete, misleading, or not up to date.
  • Right to Withdraw Consent: Withdraw your consent to our processing of your Personal Data at any time. End Users interacting with a Client AI assistant may send the exact phrase STOP AI RESPONSES (or "Henti Respons AI" / "Berhenti Respons AI" in Bahasa Malaysia, or "停止AI回复" in Mandarin) as a standalone message to immediately halt all further bot replies and activate a 30-day block. Clients and business contacts may withdraw by contacting privacy@polaris.my.
  • Right to Erasure: Request deletion of your Personal Data from our systems, subject to any overriding legal retention obligations.
  • Right to Prevent Processing: Request that we cease or restrict processing of your Personal Data for any purpose that is causing or is likely to cause unwarranted damage or distress.

15. Access, Correction, Withdrawal, and Other Requests

To exercise any of your rights under the PDPA, submit a written request to our Privacy team at privacy@polaris.my. Please include your full name, business name, contact number, the messaging channel (WhatsApp, Instagram, or Messenger), and your channel identifier (phone number or user ID) where applicable, so we can locate and process your records accurately.

We will acknowledge receipt of your request within five (5) business days and endeavour to respond in full within thirty (30) calendar days. Where a request is complex or involves a large volume of data, we may extend this period by up to a further thirty (30) days and will notify you of the extension and the reason for it. We may require you to verify your identity before we process your request.

We reserve the right to charge a reasonable administrative fee for requests that are manifestly unfounded, repetitive, or excessive. We will inform you of any applicable fee before proceeding.

16. Marketing Communications

We will only send you marketing communications — such as product updates, new feature announcements, or promotional offers — if you have explicitly opted in to receive them at the time of registration or thereafter.

You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, or by contacting us at privacy@polaris.my. Opting out will not affect your receipt of essential service-related communications, such as invoices, payment reminders, or critical service notices.

17. Third-Party Websites and Integrations

Our Service integrates with third-party platforms including Meta Platforms (WhatsApp, Instagram, Messenger), Anthropic, Supabase, Curlec, and others. Our website may also contain links to external websites. Polaris is not responsible for the privacy practices, data handling, or content of any third-party websites or services. We encourage you to review the privacy policies of every platform and service you use in connection with the Polaris Service, as each operates under its own terms.

18. Children and Minors

The Service is a business-to-business (B2B) platform intended exclusively for use by business entities and their authorized representatives. It is not directed at, and we do not knowingly collect Personal Data from, individuals under the age of 18. If you become aware that a minor has provided Personal Data to Polaris, please notify us immediately at privacy@polaris.my. We will take prompt steps to delete such information from our records.

19. Contact Details

For all privacy-related enquiries, data access or correction requests, or complaints, please contact our Privacy team using the details below. We are committed to resolving all privacy concerns promptly.

  • Email: privacy@polaris.my
  • Company: Polaris Technologies
  • SSM Registration: 202603066744 (AS0511535-P)
  • Address: Cheras, Selangor, Malaysia

20. Amendments and Language

We reserve the right to update or amend this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. Where changes are material, we will provide notice by email or via a prominent notice on our website or client dashboard at least fourteen (14) days before the changes take effect. Your continued use of the Service after the effective date of any amended policy constitutes your acceptance of that revised policy.

This Privacy Policy is available in English, Bahasa Malaysia, and Mandarin Chinese. In the event of any discrepancy, conflict, or inconsistency between language versions, the English version shall prevail and take precedence.