sembang
Sembang home
Privacy Policy

Privacy Policy

Effective: 2026-04-27

1. Who we are

This Privacy Policy describes how Stelix Media Solutions Sdn Bhd("Stelix", "we", "us") collects, uses, discloses, and retains personal data through the Sembang WhatsApp customer-service agent ("Sembang", "the Service") operated under the domain stelixdigital.app.

We comply with the Malaysian Personal Data Protection Act 2010 (PDPA) as amended by the Personal Data Protection (Amendment) Act 2024.

2. What data we collect

When you message a WhatsApp number connected to Sembang, we collect:

  • Your phone number in international (E.164) format, e.g. +60 12-345-6789.
  • Your WhatsApp display name if you have set one.
  • The content of your messages — text, attachments, and voice notes you send to the connected number.
  • Voice transcripts automatically generated from voice notes (see Section 4).
  • Conversation metadata — timestamps, language, conversation status, and AI-generated signal scores used to route your enquiry to the right team member.

We do not collect: identity-card numbers, financial details, location data, or contacts list.

3. Why we collect it (purposes)

  • To respond to your enquiries about Stelix products and services.
  • To route conversations to the right team member when your request requires a human reply.
  • To improve the quality of our customer-service replies.
  • To comply with our legal and regulatory obligations.

4. Third parties who process data on our behalf

We use the following sub-processors. Each processes only the data necessary to perform its function and is bound by their own privacy and security obligations:

  • Meta Platforms, Inc.— delivers your WhatsApp messages to and from us via the WhatsApp Business Cloud API. Data is processed globally per Meta's privacy policy.
  • Google LLC (Google Cloud / Firebase) — hosts our application, stores conversation data (Firestore), and handles operator authentication. Data resides in asia-southeast1 (Singapore).
  • Anthropic, PBC — provides the Claude AI models that analyse incoming messages and draft replies. Message content sent to Anthropic is not used to train their models (commercial terms). Data may be processed in the United States.
  • OpenAI, Inc.— transcribes voice notes via the Whisper API. Voice audio bytes are sent for transcription only; the resulting text is returned to us. Per OpenAI's API data policy, API inputs are not used for model training. Data may be processed in the United States.

Cross-border transfers:Anthropic and OpenAI process data in the United States. Google Cloud processes data in Singapore. We rely on each provider's standard contractual safeguards and the lawful-transfer mechanisms permitted under PDPA Section 129.

5. How long we keep your data

Conversation data is retained for 730 days from the date of your last message, after which messages and transcripts are purged automatically. Aggregated analytics (counts of conversations, token usage) are retained indefinitely in non-identifying form.

You may request earlier deletion at any time — see Section 7.

6. Legal basis & consent

By messaging a Stelix WhatsApp number connected to Sembang, you consent to the processing of your personal data as described in this Policy. We process the minimum data necessary to provide the Service.

You may withdraw consent at any time by replying STOP or BERHENTI to the conversation, or by emailing us. After opt-out, we will stop sending you new messages and purge your conversation data within 30 days, except where retention is required by law.

7. Your rights under PDPA

You have the right to:

  • Access the personal data we hold about you.
  • Correct any data that is inaccurate or out-of-date.
  • Withdraw consent to processing.
  • Request deletion of your data (subject to legal retention requirements).
  • Lodge a complaint with the Personal Data Protection Department of Malaysia.

To exercise any of these rights, contact us using the details in Section 10.

8. Security

We use industry-standard measures to protect your data, including TLS 1.2+ in transit, at-rest encryption on Google Cloud, HMAC-SHA256 signature verification on incoming webhooks, and Google Secret Manager for credential storage. Operator access is restricted to named Stelix employees authenticated via Google sign-in.

9. Children

The Service is intended for users aged 18 or older. We do not knowingly collect data from minors. If you believe a minor has contacted us, please notify us so we can purge the data.

10. Contact

For privacy questions, data-access requests, or complaints:

  • Email: privacy@stelixmedia.com.my
  • WhatsApp: the same number you have been messaging, with subject line "Privacy request".
  • Postal: Stelix Media Solutions Sdn Bhd, Malaysia (full registered address available on request).

11. Changes to this Policy

We may update this Policy from time to time. The "Effective" date at the top reflects the most recent revision. Material changes will be communicated via the WhatsApp number you contacted us on, or by email, before they take effect.