Privacy Policy

Last Updated: May 22, 2026

This Privacy Policy describes how Pentagon Technology ("we," "us," or "our") collects, uses, and shares information in connection with your use of our website and our WhatsApp B2B AI Assistant services (the "Service").

We are committed to protecting your personal data and your privacy. This policy is designed to comply with the Malaysian Personal Data Protection Act 2010 (PDPA) and Meta's WhatsApp Business Solution Policies.

1. Information We Collect

  • Business Information: We may collect your name, email address, and company details when you sign up.
  • Messaging Content: To provide our AI service, we process messages, attachments, phone numbers, and account identifiers sent through the messaging channels you connect to our platform, which may include the WhatsApp Business Platform, Instagram Direct, and Facebook Messenger.
  • Usage Data: We collect basic technical information like IP addresses to maintain service security and performance.

2. How We Use Your Information

We use the collected data to:

  • Provide, operate, and maintain our AI-powered messaging platform.
  • Automate customer support and business workflows via supported messaging channels.
  • Process outbound marketing, broadcast, or notification messages that you send through our platform — only to recipients for whom you have obtained valid opt-in consent.
  • Generate aggregate analytics and usage reports for the business account that owns the data.
  • Comply with legal obligations and prevent platform abuse.

3. Data Processing and AI Disclosure

Our Service utilizes Artificial Intelligence (AI) to analyze and respond to messages. Please note:

  • We do not sell your data or chat history to third parties.
  • Chat data is used solely for the functionality of your specific business account.
  • We do not use Client conversation data, business configuration, or end-customer messages to train Pentagon Technology's own AI models. All AI inference is performed via third-party LLM providers listed in Section 5, under contractual terms that prohibit those providers from using your data to train their models.

4. Data Storage, Security, and International Transfers

Customer data is hosted on Google Cloud Platform (Firebase App Hosting) in the asia-southeast1 (Singapore) region. We implement industry-standard security controls including:

  • Transport encryption: all data in transit is protected using TLS 1.2 or higher.
  • Storage encryption: data at rest is encrypted using AES-256, provided by Google Cloud Platform.
  • Access controls: role-based access controls and authentication for internal personnel; principle of least privilege applied.
  • Platform-level protections: WhatsApp, Instagram, and Facebook Messenger communications are additionally subject to Meta's end-to-end encryption and platform security standards where applicable.

4.1 Cross-Border Data Transfers

Because our hosting infrastructure is located in Singapore, personal data of Clients and end users located in Malaysia (or elsewhere) is transferred outside of those jurisdictions for processing. We rely on the data-protection terms of our cloud and sub-processor agreements, and on the relevant exceptions of the Malaysian Personal Data Protection Act 2010 (Section 129), including transfers necessary for the performance of our contract with the Client and transfers to places providing substantially similar levels of data protection. Where required, the Client (acting as the data controller of its end customers' data) is responsible for notifying its end users of any such cross-border transfers.

4.2 Data Breach Notification

In the event of a personal data breach that materially affects a Client's data, Pentagon Technology will notify the affected Client without undue delay, and in any case within seventy-two (72) hours of becoming aware of the breach. Where available, the notice will include: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the steps we have taken or propose to take to mitigate the impact.

5. Sub-Processors

To deliver the Service, we engage the following categories of sub-processors. Each is bound by appropriate data-protection terms.

  • Meta Platforms, Inc. — message delivery and platform integration via the WhatsApp Business Platform, Instagram Direct, and Facebook Messenger.
  • Google LLC (Google Cloud Platform / Firebase) — application hosting, database storage, and infrastructure services (asia-southeast1 region).
  • Google LLC (Google Workspace APIs) — Google Drive synchronisation and Google Calendar integration, where enabled by the Client.
  • Anthropic, PBC and Google LLC — large-language-model inference (Anthropic Claude and Google Gemini) for message understanding and response generation. Conversation context shared with these providers is processed only to generate the immediate response and is not used to train provider models.
  • Payment processors — secure billing, invoicing, and subscription management.

We may add or change sub-processors as our infrastructure evolves. Material changes will be communicated to active subscribers, and a current sub-processor list is available on request via the contact details below.

6. Data Retention

We retain personal data only as long as necessary to provide the Service or to comply with applicable law:

  • Messaging content (chat history): 90 days by default. Clients on Professional and Ultimate plans may request a shorter retention period.
  • Business configuration data (services, hours, templates, integrations): for the duration of the active account.
  • Billing records and invoices: seven (7) years, in accordance with Malaysian tax and accounting law.
  • Contact form submissions and support inquiries: 12 months.
  • Server logs and security telemetry: 30 days.
  • Following account cancellation or termination: Clients have a 30-day grace period to export their data. After this period, all Client business data is permanently deleted from our production systems and removed from backups within an additional 30 days.

7. Your Rights (PDPA Compliance)

Under the Malaysian PDPA, you have the right to access your personal data, request corrections, withdraw consent, or request deletion of your data (subject to our legal record-keeping obligations described in Section 6). To exercise these rights, please contact us via the email provided below.

8. Legal Requests and Data Disclosure

We prioritize the privacy of our business users. In the event that we receive a request for data access from public authorities (such as law enforcement or government agencies), we adhere to the following strict procedures:

  • Legality Review: We verify the legal basis of any request to ensure it is accompanied by appropriate legal documentation, such as a formal warrant or court order.
  • Challenging Requests: We reserve the right to challenge or appeal requests that we believe are unlawful, overbroad, or do not follow proper legal procedures.
  • Data Minimization: Even when legally required to provide data, we only disclose the minimum information necessary to satisfy the legal requirement.
  • Record Keeping: We maintain detailed records of all data access requests received from public authorities, including the identity of the requester and the legal basis for the disclosure.

9. Cookies and Tracking Technologies

Our website and dashboard use cookies and similar technologies for the following purposes:

  • Essential cookies: required for the secure operation of the dashboard, authentication sessions, and language preferences. These cannot be disabled without breaking core functionality.
  • Performance cookies: anonymised aggregate analytics used to improve the website and Service.
  • No advertising cookies: we do not currently use third-party advertising or cross-site tracking cookies.

By using our website, you consent to the use of essential cookies. You may control or block non-essential cookies through your browser settings.

10. Children's Data

The Service is intended for use by registered businesses and is not directed to individuals under eighteen (18) years of age. We do not knowingly collect personal data from children. If a Client uses our Service to communicate with end customers, the Client is responsible for ensuring those communications comply with applicable laws regarding minors, and with Meta's platform policies prohibiting business messaging targeted at minors. If we become aware that we have inadvertently collected personal data of a child without verified parental consent, we will take prompt steps to delete such data.

11. Marketing Communications

Pentagon Technology may send Clients service-related communications (account notifications, billing confirmations, security alerts, and policy updates). These are essential to operating the Service and cannot be opted out of while a subscription is active.

Separately, we may send Clients marketing or promotional communications (such as product updates, new feature announcements, or educational content) using the contact details provided at sign-up. Clients may opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" link included in every marketing email;
  • Adjusting preferences in your dashboard account settings; or
  • Emailing us at the address provided in Section 13 (Contact Us).

Opting out of marketing does not affect your receipt of service-related communications.

12. Policy Updates

Pentagon Technology may update this Privacy Policy from time to time. Material changes — including changes to data-collection categories, sub-processors, retention periods, or your rights — will be communicated to active Clients via email or in-application notice at least thirty (30) days before the changes take effect. Non-material changes (such as clarifications or formatting corrections) may be made without prior notice.

The "Last Updated" date at the top of this Privacy Policy reflects the most recent revision. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions regarding this Privacy Policy, please contact us at:

Email: contact@pentatech.com.my
Address: BANDAR MENJALARA, KEPONG, WILAYAH PERSEKUTUAN, MALAYSIA.

© 2026 PENTAGON TECHNOLOGY 202403194544 (AS0482594-K) All Rights Reserved.