Privacy Policy
Effective date: 4 July 2026
This is how Pixel AI Studio handles personal data across AgentOS — plainly stated. The short version: we collect only what the Service needs, your customers' data stays yours, we never sell data, and we never train AI models on your business data.
01Who we are and what this policy covers
Pixel AI Studio (Registration No. 202503344894 (CT0158569-A)), a business registered in Malaysia (“Pixel AI Studio”, “we”, “us”, “our”), builds and operates AgentOS — a software suite for sales teams made up of Lailaichat (AI front office: omnichannel inbox, AI Closer, campaigns, landing pages and lead CRM), AgentHero (commission and back office: agents, orders, commissions, payouts) and the AI Training simulator (collectively, the “Service”).
This policy explains what personal data we collect, why we collect it, how we protect it, and the choices you have. It is written to comply with Malaysia's Personal Data Protection Act 2010 (“PDPA”), including its notice-and-choice obligations. It applies to visitors of our websites, people who sign up for the Service, and — with an important distinction explained in Section 2 — the end customers of the businesses that use the Service.
02Our role: when we decide, and when your provider decides
The Service handles personal data in two distinct capacities:
- Data we control. For the account, billing and usage data of the businesses that subscribe to AgentOS (each a “Tenant”), we decide how and why the data is processed. For this data, Pixel AI Studio is the data user (controller) under the PDPA.
- Data we process on behalf of Tenants. When a Tenant connects WhatsApp, Facebook, Instagram or Telegram and their customers chat with them (or with the Tenant's AI Closer), those conversations, contact details and lead records belong to the Tenant. The Tenant is the data user (controller) of its end-customer data; Pixel AI Studio acts strictly as a data processor, handling that data only on the Tenant's instructions and only to provide the Service.
If you are an end customer of a business that uses AgentOS and you have questions about how your data is used, your first point of contact should be that business. We will assist Tenants in responding to such requests (see Section 12).
03The personal data we collect
Depending on how you interact with the Service, we collect:
- Account data — name, work email address, company name, role and login credentials of Tenant administrators and team members who are given seats.
- Customer conversations and lead data (processed on behalf of Tenants) — messages exchanged through connected channels (WhatsApp, Facebook Messenger, Instagram, Telegram and web chat), contact names and phone numbers, lead records, notes, campaign responses and landing-page form submissions.
- Billing data — subscription plan, credit-pack purchases, invoices and transaction history. Card details are collected and stored by our payment provider, Stripe — we never see or store full card numbers.
- Usage and technical data — feature usage, credit consumption per AI action, log data, device and browser information, IP address and approximate location, used to operate, secure and improve the Service.
- Support communications — messages you send to our support channels and the records needed to resolve them.
04Why we use personal data
We use personal data only for the following purposes:
- Providing, operating and maintaining the Service, including routing and storing conversations, generating AI replies the Tenant has enabled, running campaigns and calculating commissions.
- Creating and administering accounts, authenticating users and managing seats and roles.
- Billing — processing subscriptions and credit-pack purchases, metering credit consumption, issuing invoices and receipts, and detecting payment fraud.
- Providing customer support and responding to enquiries.
- Monitoring, securing and improving the Service, including debugging, abuse prevention and aggregate (non-identifying) analytics.
- Meeting our legal and regulatory obligations in Malaysia, including record-keeping and tax requirements.
- Sending service notices (for example billing alerts, security notices or material changes to terms). Marketing messages are only sent where permitted, and you can opt out at any time.
We do not use personal data for purposes incompatible with the above without notifying you and, where the PDPA requires it, obtaining your consent.
05AI features and model providers
Parts of the Service — the AI Closer, AI-assisted replies, and the AI Training simulator — send content (such as a customer's message and relevant business context the Tenant has uploaded) to third-party AI model providers to generate a response. Credits are consumed each time an AI action runs.
- No training on your business data. We do not use Tenant business data — conversations, leads, uploaded knowledge files or commission records — to train our own AI models, and we contract with model providers on terms that do not permit them to train their general-purpose models on this data.
- AI content is processed transiently for the purpose of generating the requested output and operating the feature — not for advertising.
- Tenants control what knowledge and context they upload for the AI to use, and should avoid uploading personal data that is not needed for the feature.
06Where data is stored and how we protect it
The Service runs on reputable cloud infrastructure providers. We apply security measures appropriate to the nature of the data, including:
- Encryption of data in transit (HTTPS/TLS) across the Service and between the Service and connected platforms.
- Tenant isolation — every record is scoped to the owning Tenant, and access controls enforce that separation.
- Role-based access within Tenant workspaces, and least-privilege access for our own personnel.
- Logging, monitoring and backup practices designed to detect issues and recover from failures.
No system is perfectly secure. If we become aware of a data breach affecting personal data, we will act in line with applicable Malaysian data-breach notification requirements and inform affected Tenants without undue delay.
07How long we keep data
- Tenant end-customer data (conversations, leads) is retained for as long as the Tenant's subscription is active, or until the Tenant deletes it through the Service.
- After a subscription ends, Tenant data is retained for a short grace period (so an accidental lapse doesn't destroy a business's records), after which it is deleted or irreversibly anonymised, except where we must keep specific records to meet legal obligations.
- Billing and transaction records are kept for the period required by Malaysian tax and accounting law.
- Logs and technical data are kept for limited periods appropriate to security and troubleshooting, then deleted or aggregated.
Under the PDPA's retention principle, we do not keep personal data longer than is necessary for the purpose it was collected.
09Cross-border processing
Some of our infrastructure and service providers (including cloud hosting, Stripe, Meta and AI model providers) operate data centres outside Malaysia. This means personal data may be transferred to, and processed in, other countries. Where that happens, we take steps consistent with the PDPA's cross-border transfer requirements — including contractual safeguards with providers — so the data receives a standard of protection substantially similar to this policy wherever it is processed.
11Your rights under the PDPA
If we hold your personal data as data user (controller), you have the following rights under the PDPA:
- Right of access — request a copy of the personal data we hold about you.
- Right of correction — ask us to correct personal data that is inaccurate, incomplete, misleading or out of date.
- Right to withdraw consent — withdraw your consent to processing by written notice. Note that withdrawing consent for data essential to the Service (for example your account email) may mean we can no longer provide the Service to you.
- Right to prevent processing likely to cause damage or distress, and to opt out of direct marketing at any time.
To exercise any of these rights, contact us using the details in Section 14. We may need to verify your identity before acting on a request, and we will respond within the timelines set by the PDPA. A modest fee may apply to access requests where the law permits.
12Requests about a business's customer data
Where your data was collected by a business using AgentOS (for example you chatted with a company on WhatsApp and that company uses Lailaichat), that business is the data user responsible for your data, and access, correction or deletion requests should be made to them directly. We provide Tenants with tools to search, export, correct and delete end-customer records so they can honour those requests. If you contact us directly, we will forward your request to the relevant Tenant where we can identify them.
13Changes to this policy
We may update this policy as the Service, the law or our providers change. For material changes we will give notice through the Service or by email before the change takes effect. The “Effective date” at the top of this page always shows the current version. Continued use of the Service after a change takes effect means the updated policy applies.
14Contact us about your data
For data protection questions, PDPA requests, or anything about this policy, contact:
- Pixel AI Studio — Registration No. 202503344894 (CT0158569-A), Malaysia
- Email: support@pixelaistudio.com (mark your message “Data Request” for faster routing)
This notice is issued in English. Upon request, we will provide a Bahasa Malaysia summary in accordance with the PDPA's notice requirements.
Questions about this document? Email support@pixelaistudio.com.