Polaris
Jiun

Is my WhatsApp chatbot customer data safe in Malaysia?

Your customer chats contain real personal data: names, phone numbers, what they ordered, when they last messaged. That data is your responsibility under Malaysian law, and a badly run chatbot setup can expose it. This guide explains where the data goes, what the law says, and what a properly run setup does to protect it.

Where does the chat data actually go?

When a customer messages your WhatsApp chatbot, that conversation does not sit on a staff member’s phone. It is sent through the WhatsApp Business API, then stored on a server that your chatbot platform operates.

With Polaris, conversations are stored on a dedicated server, encrypted in transit (TLS) and encrypted at rest. Your team views those chats through a shared Chatwoot-based inbox, not through personal WhatsApp accounts. Only your own team members with login access can see them. No one else, including Polaris staff, reads your customer chats in the normal course of service.

This matters because keeping chat data on personal phones is one of the riskiest things a small business can do. A staff member leaves, the phone is lost, or someone screenshots a conversation. A server-based setup with access controls removes most of those risks.

What does PDPA actually require?

The Personal Data Protection Act 2010 (Act 709) governs how businesses in Malaysia collect, store, and use personal data in commercial transactions. It is enforced by the Department of Personal Data Protection (JPDP) under the Digital Ministry.

The law sets out seven principles. Three of them apply most directly to a chatbot setup:

  • Security Principle. You must protect personal data from loss, misuse, and unauthorized access. This means your chatbot platform needs proper access controls and encryption, not just a password on a WhatsApp account.
  • Retention Principle. You can only keep data for as long as it is needed. Once the purpose is done, delete it.
  • Access Principle. Customers have the right to request access to the personal data you hold about them.

The Personal Data Protection (Amendment) Act 2024 added three significant changes, rolling out in phases from June 2025. First, if you have a breach, you must notify the Commissioner within 72 hours. If that breach risks significant harm to affected individuals, you must also notify those individuals within 7 days of your Commissioner notification, according to guidelines from the JPDP. Second, larger organisations must appoint a Data Protection Officer. Third, the old term “data user” is now “data controller” and data portability rights were added.

From 1 April 2025, fines for breaching PDPA principles rose to RM1,000,000 with up to 3 years imprisonment, up from the previous RM300,000. Those are not hypothetical numbers.

Is encryption enough to keep data safe?

Encryption is necessary but not the whole picture. Using TLS for data in transit and strong encryption for data at rest (such as AES-256) is widely recommended best practice under the PDPA Security Principle. It protects against common attacks like network interception or physical theft of a storage drive.

What encryption does not protect against is a misconfigured system, a weak password, or someone inside your team with access they should not have. A good setup combines encryption with access controls, audit logs, and the principle of least privilege (only the people who need to see data can see it).

Polaris does not claim to be unhackable. No system is. What it does is follow these practices so that a breach would require significant effort, and any breach would be covered by the notification obligations under the amended PDPA.

Who can see my customers’ chats?

Only your own team members with a login to your workspace. Polaris runs on a Chatwoot-based inbox where conversations are labelled by who is handling them, either the AI bot or a specific human agent. This means two staff members do not accidentally reply to the same customer at the same time, and you can see exactly who handled each conversation.

The AI chatbot only answers from the knowledge base your business provides. It does not pull information from the internet or from other businesses’ data. If a customer asks something outside your knowledge base, the bot can escalate to a human agent rather than guess. For more on how the AI handles knowledge limits, see can an AI chatbot give wrong answers.

Can I delete customer data when I need to?

Yes. The PDPA Retention Principle requires this, and Polaris supports it.

You can delete a single document from your knowledge base, or clear the entire workspace. When data is deleted, it is removed from the system. This matters if a customer requests deletion of their information or if you decide a particular document is no longer accurate.

The ability to delete data also protects you operationally. Old product information, outdated pricing, or incorrect details that sit in the knowledge base will be used by the bot to answer customers. Keeping the knowledge base current is part of running a compliant and accurate chatbot. A bad knowledge base is not just a legal risk, it is a customer experience problem.

What is my vendor’s responsibility, and what is mine?

Under the amended PDPA, data processors, which includes SaaS vendors and chatbot platforms acting on behalf of your business, now carry direct legal liability for the Security Principle. This is a meaningful change from the old framework, where the data controller (you, the business) bore almost all the responsibility.

In practice, this means you and your chatbot vendor both have skin in the game. When choosing a platform, ask: where is data stored? Who has access? What happens if there is a breach? A vendor who cannot answer these plainly is a risk.

Your responsibilities remain: you must get consent from customers to collect their data, you must keep data only as long as needed, and you must be able to provide or delete it on request. Polaris is a tool that processes data on your behalf. The relationship under the law is a shared one, not a hand-off.

What about data stored on WhatsApp itself?

Meta (WhatsApp’s parent company) stores message data on its own infrastructure as part of operating the WhatsApp Business API. Their data retention and privacy practices are governed by their own policies and applicable international frameworks. This is a separate layer from what your chatbot platform stores.

For the purposes of PDPA compliance in Malaysia, your primary obligation is to control what you collect, store, and process on your own systems. You should not store more than you need, and you should not keep it longer than the purpose requires.

Is Polaris locked into a long contract if I change my mind?

No. Polaris plans are monthly and rolling with no lock-in. If you cancel, your data and your domain content are what you take with you. For a full explanation of what happens when you cancel, see WhatsApp chatbot: can you cancel anytime?.

The honest summary

A properly run WhatsApp chatbot setup, using server-side storage, encrypted data, role-based access, and a vendor who operates under the amended PDPA’s data processor obligations, is a significant step up from managing customer chats on personal phones or in a personal WhatsApp account.

It is not a guarantee against every possible risk. What it is: a structured way to handle customer data that aligns with what Malaysian law now requires, gives you control over what you keep and what you delete, and makes your exposure far smaller than an ad-hoc setup would.

If you want to understand more about how Polaris works before deciding, the how it works page covers the full setup. Or read the broader AI chatbot guide for Malaysian businesses if you are still working out whether a chatbot fits your business at all.

Frequently asked questions

Does my WhatsApp chatbot have to comply with PDPA?

Yes. If your chatbot collects names, phone numbers, or order details from customers in a commercial transaction, that data falls under the Personal Data Protection Act 2010 (Act 709). You are the data controller and you must follow all seven PDPA principles.

What happens if there is a data breach?

Under the Personal Data Protection (Amendment) Act 2024, which took effect in phases from June 2025, you must notify the Commissioner within 72 hours of discovering a breach. If the breach risks significant harm to affected individuals, you must also notify them within 7 days of that commissioner notification.

Can my customers ask to see or delete their data?

Yes. The PDPA includes an Access Principle that gives individuals the right to access personal data held about them. Under the 2024 amendments, data portability rights were also added. A properly run chatbot system should let you retrieve or delete a customer's records on request.

Who is responsible if the chatbot vendor leaks data?

Under the amended PDPA, data processors (which includes SaaS chatbot vendors acting on your behalf) now carry direct legal liability for the Security Principle. That means the vendor shares legal responsibility, not just you. Choose vendors who state this clearly and can show their security practices.

What are the fines for breaking PDPA in Malaysia?

From 1 April 2025, the maximum fine for breaching PDPA principles rose to RM1,000,000, with up to 3 years imprisonment. This is a significant increase from the previous RM300,000 cap.

How long can I keep customer chat data?

The PDPA's Retention Principle says you may only keep personal data for as long as it is necessary for the purpose it was collected. Once that purpose is met, you must destroy or anonymise it. There is no single fixed period in the law. It depends on your business context.

Ready to stop missing customer inquiries?

Let our team set up a managed AI chatbot on your WhatsApp in 24 hours. No tech setup needed from you.