Data Protection Policy

Aria Platform · JKY DYNASTY HOLDING SDN. BHD.

Effective Date: 22 March 2026

Your data is protected by 4 layers of security.

Aria Platform is built with privacy-first architecture. We comply with data protection laws across Malaysia, Singapore, Indonesia, and Hong Kong.

1. Data We Collect

  • Account information — email address, business name, password (hashed)
  • Contact data — phone numbers, names, email addresses of your customers
  • Conversation history — WhatsApp and Messenger messages processed by the AI
  • Booking data — appointment dates, times, and service types
  • Usage analytics — message counts, response times, conversion rates (aggregated)

2. How We Protect Your Data — 4 Layers

  • Layer 1: At-rest encryption — all data stored in Supabase is encrypted at rest automatically
  • Layer 2: Column-level AES-256-GCM encryption — phone numbers, names, emails, addresses, and conversation content are individually encrypted before storage
  • Layer 3: One-way phone hashing — HMAC-SHA256 hashing is used in logs and analytics so raw phone numbers never appear in system logs
  • Layer 4: TLS in transit — all API communications use HTTPS encryption

3. Consent & Automated Contact

  • We require explicit opt-in consent before any automated contact is initiated
  • Follow-up messages are only sent within a 20–23 hour window after the customer’s last message
  • Every automated message includes the sender’s identity, business name, and opt-out instructions
  • Replying STOP immediately unsubscribes the customer — no further automated contact is sent
  • All consent actions are logged in our PDPA audit log

4. Data Retention

  • Active conversation data — retained while your subscription is active
  • Episodic memory (raw conversations) — archived after 30 days, purged after 12 months
  • Semantic profiles (AI-generated summaries) — retained while subscription is active
  • PDPA audit logs — retained for 7 years as required by compliance regulations
  • After account deletion — all personal data is permanently deleted within 30 days, except audit logs

5. Data Minimisation

  • We only collect data necessary to deliver the AI automation service
  • Raw conversation data older than 12 months is automatically purged
  • Analytics use aggregated, anonymised metrics — not individual customer data
  • Phone numbers in logs and Redis caches are stored as one-way hashes, not raw values

6. Your Rights

  • Access — request a copy of all personal data we hold about you or your customers
  • Correction — request correction of inaccurate personal data
  • Deletion — request permanent deletion of your data (subject to audit log retention)
  • Withdrawal of consent — withdraw consent for automated contact at any time
  • Data portability — export your leads, bookings, and conversation history

7. Multi-Market Compliance

  • Malaysia — Personal Data Protection Act 2010 (PDPA)
  • Singapore — Personal Data Protection Act 2012 (PDPA)
  • Indonesia — Undang-Undang Pelindungan Data Pribadi 2022 (UU PDP)
  • Hong Kong — Personal Data (Privacy) Ordinance (PDPO)
  • We apply the strictest applicable standard across all markets we operate in

8. Third-Party Processors

  • Supabase — database hosting and authentication (encrypted at rest)
  • Stripe — payment processing (PCI DSS Level 1 compliant)
  • Meta (WhatsApp / Messenger) — message delivery channel
  • OpenRouter — AI model routing (no customer data stored)
  • Google Calendar — appointment scheduling (tenant’s own OAuth connection)

Questions about data protection? Email jkydynasty@gmail.com