Privacy Policy
Last updated: 15 May 2026
1. Who we are
Clazzy Tech Sdn Bhd (“Follow-up”, “we”, “us”) operates the Follow-up service. This Privacy Policy explains what personal data we collect, how we use it, and the rights you have under applicable data protection laws (Malaysia PDPA 2010, GDPR where applicable, and similar regimes).
2. Data we collect
We collect the following categories of personal data:
- Account data: name, email, hashed password (or Google OAuth profile), organization name.
- Billing data: pack purchases and Stripe customer ID. We do not store card numbers; Stripe holds them.
- Customer Data: documents you upload, contact lists, message templates, replies, and AI-generated text.
- Integration tokens: encrypted OAuth tokens for Google (Gmail, Sheets, Drive), Microsoft, and WhatsApp/Twilio.
- Usage data: login times, IP addresses, user agent, feature usage, error logs.
- Communications: emails you send through us, replies polled from your connected inbox, AI conversation history.
3. How we use your data
- Provide and operate the Service (authentication, sending email/WhatsApp, AI classification, task extraction).
- Bill credits and process pre-paid pack purchases via Stripe.
- Maintain audit logs and security records.
- Improve and support the Service (debugging, performance, customer support).
- Comply with legal obligations, court orders, and lawful requests.
We do not sell your personal data and do not use Customer Data to train third-party AI models.
4. Legal bases (GDPR/PDPA)
- Contract: processing required to provide the Service you signed up for.
- Legitimate interests: security, fraud prevention, product improvement.
- Consent: optional cookies, marketing emails, and third-party integrations you choose to connect.
- Legal obligation: tax, accounting, anti-money-laundering, and regulatory compliance.
5. Sub-processors and third parties
We rely on the following sub-processors to provide the Service:
- OpenAI — AI text classification, extraction, and reply drafting (processes Customer Data passed in prompts).
- Stripe — payment processing (PCI-DSS Level 1).
- Google Cloud Identity / OAuth — Gmail send/read, Sheets, Drive integration.
- Microsoft Identity — Outlook integration (optional).
- Twilio — WhatsApp messaging.
- Cloud hosting providers — VPS provider for application and database (Malaysia/Singapore region preferred).
- Backblaze B2 or equivalent S3-compatible — offsite backup mirroring.
Each sub-processor accesses only the data necessary to perform its function. Contractual data processing agreements (DPAs) are in place where required.
6. Data storage and security
Application data is stored in Postgres 16 on a managed VPS. Uploaded documents are stored in S3-compatible object storage (MinIO) with private ACLs and signed-URL retrieval. OAuth tokens are encrypted at rest using AES-256 with a key held in Clazzy Tech Sdn Bhd's environment secrets. All traffic is encrypted in transit using TLS (HTTPS). Backups are encrypted, mirrored offsite weekly, and retained on a 7-daily / 4-weekly / 6-monthly schedule.
7. Retention
- Active accounts: data retained while your subscription/account is active.
- Inactive accounts: data deleted 90 days after closure unless legal retention applies.
- Audit logs: 12 months.
- Backups: rotated per the schedule in §6.
- Billing records: 7 years (Malaysian tax law).
8. Your rights
You have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- request deletion (subject to legal retention obligations);
- export your Customer Data in a portable format;
- object to or restrict certain processing;
- withdraw consent for optional processing;
- lodge a complaint with the Personal Data Protection Commissioner (Malaysia) or your local data protection authority.
Send requests to [email protected]. We respond within 30 days.
9. International transfers
Some sub-processors (OpenAI, Stripe, Google) process data outside Malaysia. We rely on Standard Contractual Clauses or equivalent safeguards for such transfers. Where possible, primary application hosting remains in the SEA region.
10. Cookies and tracking
We use session cookies (managed by Better Auth) for authentication and a small number of functional cookies for preferences. We do not use third-party advertising cookies. No analytics scripts are loaded in the authenticated app surface.
11. Children
The Service is not directed to anyone under 18. We do not knowingly collect personal data from minors. If you believe we have collected such data, contact us and we will delete it.
12. Changes to this policy
Material changes will be notified by email or in-app banner at least 14 days before they take effect. The “Last updated” date at the top reflects the current version.
13. Contact
Data protection questions, access requests, and complaints can be sent to [email protected].
