Privacy Policy
Last updated: July 2026 (draft)
Draft — pending legal review. This page describes our current product and data practices in plain language, but it has not yet been reviewed by a lawyer and should not be treated as final legal advice to you or your customers. Contact us before relying on it for your own compliance obligations.
This policy covers MgxChatx, a WhatsApp AI inbox product operated by Magentix AI ("we", "us") for business customers ("you", "your organization") in Singapore and elsewhere.
What we collect
- Account data: name, email, password (hashed, never stored in plain text), organization details.
- WhatsApp conversation data: messages, media, and voice notes sent to and from your linked WhatsApp number, stored so your team and AI can respond.
- Configuration data: the AI persona, tone, and knowledge-base documents you upload.
- Usage data: message volumes and AI reply counts, used for trial limits, billing, and reliability.
- Billing data: handled directly by Stripe — we do not store your card details.
How we use it
To operate the service: storing and displaying your conversations, generating AI replies via our AI provider (OpenRouter) using your persona and knowledge base, sending your outbound replies via your linked WhatsApp number, and processing your subscription via Stripe. We do not sell data to anyone, and we do not use your customers' conversation content to train AI models — we route AI requests through providers whose terms prohibit training on submitted content.
Our role under Singapore's PDPA
For the WhatsApp conversations your business has with your own customers, Magentix AI acts as a data intermediary (processor) — your organization remains the data controller responsible for your own customers' consent and communications. We only ever reply to conversations your customers start; MgxChatx has no cold-outreach or unsolicited marketing feature on its current WhatsApp-Web-based transport, by product design.
Where data is stored
Your application data — accounts, conversations, media, and knowledge-base documents — is stored on infrastructure located in Singapore.
Overseas transfers
To generate AI replies, message content is sent to our AI provider (OpenRouter, a third-party LLM routing service) and the underlying model providers it routes to, some of which operate outside Singapore, including in the United States. Payment processing is handled by Stripe, also based outside Singapore. As required by Singapore's PDPA (section 26), we transfer this data only to processors that are contractually bound to provide a standard of protection comparable to the PDPA, and we rely on their data-processing terms for that protection. Content is sent to these processors solely to operate the service (to generate replies and take payment), never for their own marketing or model training.
Security
Passwords are hashed (never stored in plain text); session authentication uses HttpOnly cookies; any per-channel WhatsApp connection tokens are encrypted at rest; access to your organization's conversations is scoped to your organization's own team members only.
Data breach notification
If a data breach occurs that is likely to result in significant harm to affected individuals, or that meets the notifiable-breach thresholds under the PDPA (Part 6A), we will notify the Personal Data Protection Commission, and affected individuals or the controlling organization where required, without undue delay and within the statutory timeframe (currently three calendar days of assessing the breach as notifiable).
Data retention & deletion
We retain your data for as long as your account is active. When you close your account, or on a verified deletion request, we delete your account and associated data from our live systems within 30 days, and residual copies in encrypted backups are purged within a further 90 days — subject to any legal obligation that requires us to retain specific records for longer.
Your rights
You may request access to, correction of, or deletion of your personal data, and may withdraw consent for us to process it, subject to the limits described above.
Data Protection Officer & contact
As required by the PDPA, Magentix AI has designated a Data Protection Officer responsible for ensuring our compliance. To exercise any of the rights above, withdraw consent, or raise a privacy or data-protection concern, contact our DPO at [email protected]. We aim to respond to data-protection requests within 30 days.