Privacy Policy
Last updated: 4 July 2026
1. Who we are
Inchat ("Inchat", "we", "us") is an omnichannel conversational AI platform that helps merchants manage and reply to customer conversations across Facebook Messenger, Instagram, WhatsApp, and their own website chat widget. This policy explains what personal data we process, why, and the choices available to you.
It applies to merchants who create an Inchat workspace ("Merchants") and to their customers whose messages flow through the platform ("End Customers"). We process End Customer data on behalf of the Merchant who owns the connected channel.
2. Data we collect
We collect only what is needed to run the service:
- Account data — Merchant name, email address, and workspace settings when you sign up.
- Messaging data — message content, timestamps, delivery/read status, and platform-scoped sender identifiers (e.g. Messenger PSID, Instagram-scoped ID, WhatsApp phone number and profile name) received from Meta's APIs for channels the Merchant has connected.
- Attribution data — ad and referral identifiers Meta attaches to a conversation (e.g. ad ID, click ID) so Merchants can attribute conversations to campaigns.
- Knowledge base content — documents a Merchant uploads to ground AI replies.
- Billing data — subscription status and usage counts. Card details are handled by Stripe and never touch our servers.
- Technical data — logs necessary for security and reliability (e.g. webhook delivery records).
3. How we use data
We use the data above solely to provide the service:
- Displaying conversations in the Merchant's inbox and tracking response states.
- Generating AI-assisted replies. Message text is processed by Anthropic's Claude models and, for knowledge retrieval, Voyage AI embeddings. Customer conversations are not used to train AI models.
- Reporting conversation analytics (volumes, response times, AI deflection) to the Merchant who owns the data.
- Sending conversion signals to Meta's Conversions API only where the Merchant has enabled ad attribution for their own ad account.
- Billing, fraud prevention, and service integrity.
- We do not sell personal data, and we do not use End Customer data for advertising of our own.
4. Data from Meta platforms
Data received through Meta's APIs (Messenger, Instagram, WhatsApp Cloud API) is used only to provide messaging functionality to the workspace that owns the connected Page, Instagram account, or WhatsApp Business Account, in accordance with Meta's Platform Terms and Developer Policies. Access tokens are stored as encrypted references, never in plain text. We request only the permissions required for the features a Merchant enables.
5. Service providers (sub-processors)
We rely on a small set of infrastructure providers to run Inchat:
- Supabase — database and authentication (hosted in AWS ap-southeast-1, Singapore).
- Vercel — application hosting.
- Anthropic — AI reply generation (Claude).
- Voyage AI — text embeddings for knowledge retrieval.
- Stripe — subscription billing.
- Meta Platforms — message delivery on Messenger, Instagram, and WhatsApp.
- Sentry — error monitoring (technical logs only).
6. Retention and deletion
We keep personal data only while the Merchant's workspace is active or as required to provide the service. When a Merchant disconnects a channel or closes their workspace, associated conversation data is deleted from production systems within 30 days.
To request deletion of your data — whether you are a Merchant or an End Customer — email seansoh614@gmail.com with the channel and identifier involved. We honour verified requests within 30 days. This mailbox also serves as the data-deletion instruction channel required by Meta.
7. Your rights (PDPA)
Inchat complies with the Personal Data Protection Act 2010 (Malaysia). You have the right to access, correct, and request deletion of your personal data, to withdraw consent to processing, and to limit processing for direct marketing. To exercise any of these rights, contact us at the email below. If you are an End Customer, we may direct your request to the Merchant who controls the conversation data, and will assist them in fulfilling it.
8. Security
All traffic is encrypted in transit (TLS). Webhook payloads are authenticated with platform signatures before processing. Database access is isolated per workspace with row-level security, and platform credentials are stored as encrypted references. We practise data minimisation: we do not collect data the service does not need.
9. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced to Merchants by email or in-product notice, and the "Last updated" date above will change. Continued use of Inchat after a change constitutes acceptance of the updated policy.
10. Contact
Data protection enquiries and requests: seansoh614@gmail.com