Xolara Privacy Policy
Last updated: 1 December 2025
I. Who We Are
This Privacy Policy explains how Suntech Chatbot Sdn Bhd (referred to as "Xolara", "we", "us", or "our") collects, uses, stores, and shares personal data in connection with the Xolara AI chatbot platform and related services.
- Legal entity: Suntech Chatbot Sdn Bhd
- Address: 99, Lorong Saujana Permai 1, 14000 Mukim 15, Penang, Malaysia
- Privacy contact email: legal@suntech-software.com
Xolara is a B2B SaaS and on-premise AI chatbot solution used by businesses globally to communicate with their customers (live chat, AI chatbot, automation, integrations, analytics, etc.).
Depending on the situation, we act as:
- "Controller" / "Data User" (under GDPR/PDPA) when we process data about our customers (companies and their staff), website visitors, leads, and other direct contacts; and
- "Processor" / "Data Processor" when we process personal data about your end users (the people who chat with your bot or agents) on your instructions as our customer.
This Policy applies to:
- our websites and web apps related to Xolara,
- our SaaS platform and APIs, and
- support and communication channels we operate.
Our services are intended only for business and professional users, not for private consumers or children.
II. How You Can Contact Us
If you have questions about this Privacy Policy or want to exercise your privacy rights, you can contact us at:
- Email: legal@suntech-software.com
- Subject line suggestion: "Privacy Request – Xolara"
We will do our best to respond within the time limits required by applicable law (e.g. PDPA, GDPR, CCPA).
III. What Personal Data We Collect
The exact data we process depends on how you interact with Xolara (e.g., as a customer admin, agent, or end user).
1. Data About Our Business Customers (Admins / Agents)
When your company signs up for Xolara or when you use our platform as an admin or agent, we may collect:
- Identification & contact data
  - Name
  - Work email address
  - Phone number (if provided)
- Business & billing information
  - Company name
  - Company address
  - Billing details (e.g., registration number, tax ID, billing contact, billing address)
- Account and login data
  - Username or email used for login
  - Password (stored as a hashed value; we do not store plain-text passwords)
- Usage & technical data
  - IP address
  - Browser type and version
  - Operating system and device information
  - Time and duration of access
  - Pages or screens visited in the app
- Payment-related information
  - Limited payment information (e.g. last 4 digits of card, expiry month/year) as returned by our payment processor
  - We do not store full card numbers; these are processed by our payment gateway (e.g., Stripe) as a separate controller or processor.
- Support and communication data
  - Messages you send to our support (email or in-app)
  - Information you provide in tickets or feedback
  - Any attachments you send to us
2. Data About Your End Users (Chatbot / Channel Users)
When your end users interact with Xolara on your website or channels, we process data on your behalf, such as:
- Conversation content
  - Messages sent and received in chats (text, emojis, etc.)
- Basic identifiers (if provided by the user or via integration)
  - Name or nickname
  - Email address
  - Phone number / WhatsApp number
- Channel identifiers
  - Platform IDs (e.g., WhatsApp, Facebook, other messaging channel IDs)
- Metadata
  - Timestamps of each message
  - Conversation ID, status or tags
  - Language detected/selected
  - Internal labels, ratings, or notes applied by your team
- Files / attachments
  - Images, documents, or other files uploaded within conversations (if you enable this)
We process this information as a processor acting on your documented instructions (for example via your configuration, workflows, and integrations).
3. Automatically Collected Information (Cookies, Logs, Analytics)
When you visit our website or use our web apps, we may automatically collect:
- Log and usage data
  - IP address
  - Browser and device info
  - Access times, pages viewed, and actions taken
- Cookies and similar technologies
  - Session cookies for login and security
  - Analytics cookies (e.g., for understanding usage and performance)
  - Marketing and advertising cookies (e.g., pixels and tags for ad attribution)
  - A/B testing or performance cookies (when used)
We explain cookies in more detail in the Cookies section below.
4. Sensitive Personal Data
Xolara is not designed to intentionally collect "sensitive" personal data, such as:
- government ID numbers,
- health or medical information,
- religious or political beliefs,
- racial or ethnic origin,
- union membership,
- sexual orientation, etc.
We ask our business customers not to use Xolara to collect or store such sensitive data, unless:
- they have a proper legal basis under applicable law, and
- they have informed us and agreed appropriate safeguards with us in writing.
If we become aware that sensitive personal data has been submitted unintentionally, we will handle it with heightened care and may delete, anonymise, or restrict it where appropriate.
IV. For What Purposes We Use Personal Data (and Legal Bases)
Because Xolara serves global clients, our processing is mainly governed by:
- PDPA (Malaysia)
- GDPR (EU/UK users and data subjects)
- CCPA/CPRA (California consumers, as applicable)
Below we summarise main purposes and legal bases.
1. Providing and Managing the Xolara Service
We process personal data to:
- create and manage business accounts,
- authenticate admins and agents,
- provide chatbot, AI, and messaging features,
- manage integrations and configurations,
- provide on-premise or SaaS hosting (as applicable).
Legal bases:
- Contractual necessity – to perform our contract with your company (GDPR Art. 6(1)(b); PDPA "necessary for the contract").
- Legitimate interest – to run and improve a secure, reliable service for our customers (GDPR Art. 6(1)(f)).
2. Billing, Payments, and Accounting
We use customer and billing data to:
- issue invoices,
- process payments via our payment gateway,
- maintain financial records and comply with tax/accounting obligations.
Legal bases:
- Contractual necessity – to process your subscription or fees.
- Legal obligation – to comply with tax and accounting laws (GDPR Art. 6(1)(c); PDPA compliance).
3. Customer Support and Communications
We process personal data to:
- respond to your emails and support tickets,
- diagnose and resolve technical issues,
- provide training, onboarding, or help documentation.
Legal bases:
- Legitimate interest – to respond to your requests and maintain customer relationships.
- Contractual necessity – where support is part of the services we provide.
4. Product Improvement, Analytics, and Security
We use usage and log data to:
- analyse how the platform is used,
- improve features and user experience,
- monitor system performance and security,
- detect and prevent fraud, abuse, or technical issues.
Legal basis:
- Legitimate interest – to improve and secure our platform and run our business efficiently.
We may aggregate or anonymise data for statistical or analytical purposes. Aggregated data no longer identifies individuals and is not considered personal data.
5. Marketing and Newsletters
We may use your business contact details to:
- send product updates, feature announcements, and service notices,
- send promotional or marketing messages, including offers and campaigns,
- follow up on trials, demos, or contact form submissions.
Recipients:
- paying customers
- free trial users
- leads who have expressed interest in Xolara
Legal basis:
- Legitimate interest – to promote and grow our business and inform existing/prospective customers about relevant services, while giving you a clear right to opt out at any time.
You can opt out of marketing at any time by:
- contacting us at marketing@suntech-software.com and requesting to stop marketing; and/or
- following any opt-out instructions included in the message (if provided).
Service-related communications that are important to your use of Xolara (e.g., critical security notices, info about major changes to the platform) may still be sent as part of our contractual and legal obligations.
V. Retention Periods – How Long We Keep Data
We keep personal data only for as long as needed to fulfil the relevant purpose or as required by law.
Unless otherwise agreed in writing:
- Account & billing / invoice data: kept up to 7 years after the end of the relevant financial year or the end of the business relationship, to comply with accounting and tax laws.
- Chat logs / conversation data (end users): kept for as long as the subscription is active, unless:
  - your company deletes data earlier using available tools, or
  - your contract or data processing agreement specifies shorter retention.
  After termination, we may retain backups for a limited time in accordance with our backup and disaster recovery routines, after which data is deleted or irreversibly anonymised.
- System logs (IP, device, technical logs): kept for up to 1 year for security, troubleshooting, and audit purposes, unless legal or security requirements justify a longer period.
- Support tickets and communications: kept for up to 1 year after the ticket is closed, to track historical issues, handle follow-ups, and protect our legal interests.
- Marketing contacts: kept until you unsubscribe, object, or we consider you inactive for a reasonable period, after which we may delete or anonymise your data.
We may retain data for longer where necessary:
- to comply with legal obligations,
- to establish, exercise, or defend legal claims, or
- where required by regulators or competent authorities.
VI. Who We Share Personal Data With (Data Recipients)
We do not sell personal data. We share personal data only when necessary, under appropriate safeguards, and for the purposes described above.
Depending on your use of Xolara, we may share data with the following categories of recipients:
1. Cloud hosting providers
  - To host our application, databases, and backups
  - Example: infrastructure on Google Cloud Platform (GCP)
2. Email and infrastructure hosting providers
  - For sending system emails or hosting email services (e.g., Plesk / Hostinger or similar providers)
3. Payment processors
  - To process subscription payments and manage billing (e.g., Stripe)
  - These providers may act as controllers or processors under their own terms.
4. Third-party AI model providers
  - We may send portions of Input (prompts, messages) to external AI model providers only to generate outputs and power AI features.
  - We instruct our AI providers to use your data only to provide the AI functionality and not to use it to train their general models, except where you or we have explicitly agreed otherwise or where data is aggregated/de-identified in line with their privacy terms.
5. Analytics and performance tools
  - To understand platform usage and performance (e.g., analytics tools such as Google Analytics or equivalents)
6. Communication / channel integrations
  - If you connect Xolara to external channels (such as WhatsApp, Facebook or other messaging platforms), personal data (such as message content and identifiers) will be exchanged with those platforms according to your configuration and their own privacy policies.
7. Professional advisers
  - Law firms, accountants, auditors, or consultants who help us operate our business and are bound by confidentiality obligations.
8. Authorities and legal recipients
  - Where required by law, court orders, or lawful requests from governmental or regulatory authorities.
We enter into data processing agreements (or equivalent) with our service providers where required, to ensure they handle personal data appropriately and securely.
VII. International & Cross-Border Data Transfers
Xolara serves global clients. Your personal data may be stored and processed in:
- Malaysia
- Other countries where our cloud, infrastructure, or service providers operate
For Malaysian PDPA purposes, you agree that we may transfer your personal data outside Malaysia where necessary for the purposes described in this Policy, and we will take reasonable steps to ensure that any foreign recipient provides a standard of protection comparable to PDPA requirements.
For EU/UK GDPR data subjects, when we transfer personal data outside the EEA/UK to a country without an “adequacy” decision:
- we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent mechanisms; and
- we take reasonable steps (including technical and organisational measures) to protect personal data in line with GDPR requirements.
We will only transfer personal data where it is lawful, necessary, and subject to suitable safeguards.
VIII. Your Rights (PDPA / GDPR / Global)
The privacy rights available to you depend on your location and applicable law (e.g., PDPA, GDPR). In general, subject to conditions and legal exceptions, you may have the right to:
1. Right to be informed
  - To receive clear information about how we use your personal data (this Privacy Policy is part of that).
2. Right of access
  - To request a copy of personal data we hold about you and certain related information.
3. Right to rectification
  - To request correction of inaccurate or incomplete personal data.
4. Right to erasure (Right to be forgotten – GDPR)
  - To request deletion of your personal data in certain circumstances (for example, when data is no longer needed for the purpose collected and we have no overriding legal reason to keep it).
5. Right to restrict processing
  - To request that we limit the processing of your data in certain cases (e.g., while accuracy is being checked).
6. Right to data portability (GDPR)
  - To receive personal data you provided to us in a structured, commonly used, machine-readable format, and to request we transmit it to another controller, where technically feasible.
7. Right to object
  - To object at any time to processing based on our legitimate interests, including profiling.
  - You also have the right to object at any time to direct marketing, in which case we will stop using your data for marketing.
8. Right to withdraw consent
  - Where we rely on consent (if applicable), you may withdraw that consent at any time. This will not affect processing that took place before the withdrawal.
9. Right to lodge a complaint
  - You may lodge a complaint with your local data protection authority if you believe we are not processing your data in compliance with applicable law.
To exercise any of these rights, please contact us at:
- Email: legal@suntech-software.com
We may need to verify your identity and ask for additional information to process your request. We aim to respond within the time periods required by law (generally within one month, possibly extended for complex or numerous requests).
IX. Additional Rights for California Residents (CCPA/CPRA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA.
1. Categories of Personal Information We Collect
In the 12 months prior to the date of this Policy, we may have collected the following categories of personal information (PI) (as defined by CCPA):
- Identifiers: e.g., name, email, phone number, device identifiers, IP address.
- Commercial information: records of services purchased, subscription status, billing history.
- Internet or other electronic network activity information: usage data, logs, interactions with our website/app.
- Professional or employment-related information: job title, role, business contact details.
- Inferences drawn from other information: preferences, service usage patterns (for product improvement and marketing).
We do not knowingly collect sensitive personal information as defined by CCPA (e.g., precise geolocation, race, health data) for profiling or sale.
2. Sources of Personal Information
We collect personal information from:
- you directly (sign-up, forms, support);
- your employer or organisation (as our customer);
- your use of our website and services (logs, cookies);
- integrated third-party platforms (e.g., communication channels) as configured by your company.
3. Purposes of Collection
We use personal information for the purposes described in this Policy, including:
- providing and improving the services,
- billing and payments,
- security and fraud prevention,
- customer support,
- analytics and product development,
- legitimate marketing.
4. Disclosure to Third Parties
We may disclose your personal information to service providers and contractors who support our operations (e.g., hosting, payment processing, analytics), as described in Section VI – Data Recipients.
We do not sell personal information in exchange for money. If we ever intend to do so, we will update this Policy and provide appropriate opt-out mechanisms as required by law.
We may share limited data with third parties for analytics or advertising purposes (for example, via cookies or pixels), which may be considered “sharing” under CPRA. You may contact us to request that we stop such “sharing” for cross-context behavioural advertising.
5. CCPA Rights
Subject to legal conditions and exceptions, California residents have the right to:
1. Right to Know & Access
  - Request that we disclose the categories and specific pieces of personal information we have collected about you in the last 12 months, the categories of sources, purposes of use, and categories of third parties to whom we disclose it.
2. Right to Deletion
  - Request deletion of personal information we collected from you, subject to legal exceptions (for example, if needed to complete transactions, comply with law, detect security incidents, or maintain business records).
3. Right to Correct
  - Request that we correct inaccurate personal information we maintain about you.
4. Right to Opt Out of Sale or Sharing
  - If we engage in “selling” or “sharing” as defined by the CCPA/CPRA, you have the right to opt out.
  - At the time of this Policy, we do not sell personal information. If this changes, we will provide updated mechanisms for you to opt out.
5. Right to Non-Discrimination
  - We will not discriminate against you for exercising your CCPA rights (e.g., by denying service, charging different prices, or providing a different level of quality), except as permitted by law.
6. How to Exercise Your CCPA Rights
To exercise CCPA rights, you or your authorised agent may contact us at:
- Email: legal@suntech-software.com
- Include: that you are a California resident and specify the type of request (access, deletion, correction, etc.).
We may need to verify your identity (and, if applicable, your agent's authorisation) before fulfilling the request, for your security.
X. Use of AI and Automated Processing
Xolara provides AI-powered features that:
- generate or transform content (e.g., drafts of responses, classification of messages),
- assist in routing or prioritising conversations,
- may use rule-based or model-based workflows.
To provide these features, we may:
- send parts of Inputs (e.g. chat messages, prompts) to third-party AI model providers acting as our sub-processors;
- receive Outputs (responses) from such providers and present them in our interface.
We instruct these providers to:
- use the data only to deliver AI outputs for your use of Xolara; and
- not use your identifiable data to train their general foundation models that are exposed to other customers, except in aggregated or anonymised form where allowed.
AI outputs may be inaccurate or incomplete. They are provided for informational purposes and should be reviewed by humans, especially for important decisions (legal, financial, medical, etc.). You remain responsible for verifying the content and deciding how to act on it.
Where we use automated processing or profiling that produces legal or similarly significant effects for individuals subject to GDPR, those individuals may request human review and express their point of view by contacting us at legal@suntech-software.com.
XI. Cookies and Similar Technologies
We use cookies and similar technologies on our websites and web applications to:
- enable core site functionality (e.g., login, session management, security),
- understand how visitors use our site and services (analytics),
- support marketing and advertising campaigns,
- conduct performance or A/B testing to improve user experience.
Types of Cookies We Use
1. Strictly necessary cookies
  - Required for the website or app to function properly (e.g., session, authentication).
  - Without these, some features may not be available.
2. Analytics cookies
  - Help us understand how visitors use our site (pages visited, time on site, etc.), so we can improve our services (e.g. via analytics tools such as Google Analytics or similar).
3. Marketing and advertising cookies
  - Used to measure the effectiveness of marketing campaigns and, where applicable, to deliver or measure ads (e.g., via pixels from ad platforms such as Meta or others).
4. Performance / A/B testing cookies
  - Used to test different versions of features or layouts to improve usability and performance.
Managing Cookies
You can manage or disable cookies in your browser settings. The exact steps depend on your browser and device. Please note:
- Disabling or blocking certain cookies may impact the functionality of our website or app.
- You may not be able to log in or use some features if strictly necessary cookies are blocked.
Some jurisdictions require consent for certain non-essential cookies. Where legally required, we will implement appropriate consent mechanisms or notices.
XII. Security of Personal Data
We take data security seriously and implement reasonable technical and organisational measures to protect personal data against:
- accidental or unlawful destruction,
- loss, alteration,
- unauthorised disclosure or access.
These measures may include (without limitation):
- access controls and authentication,
- encryption in transit (e.g. HTTPS),
- network and application security measures,
- regular backups and disaster recovery processes,
- staff confidentiality obligations and training.
However, no method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for:
- maintaining the confidentiality of your passwords and access credentials, and
- notifying us promptly if you believe your account has been compromised.
XIII. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- changes in our services,
- changes in applicable laws and regulations, or
- changes in how we process personal data.
When we make material changes, we will:
- update the "Last updated" date at the top of this Policy, and
- where appropriate, provide additional notice (e.g., by email or in-app notification).
Your continued use of Xolara after any changes become effective means you accept the updated Privacy Policy. If you do not agree with the changes, you should stop using the Services and, where applicable, request deletion or export of your data according to this Policy.