1. Introduction
Welcome to Desked.ai (“we,” “our,” or “us”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI Chatbot Management Platform and related services (collectively, the “Platform”). Desked.ai provides an internal tooling platform that enables businesses (“Clients”) to onboard, configure, manage, and monitor AI chatbot deployments across various messaging channels, including WhatsApp, Instagram, and Facebook Messenger.
This Privacy Policy is designed to comply with applicable data protection laws, including the Personal Data Protection Act (PDPA) of Malaysia, and the requirements set forth by Meta Platforms, Inc. for developers utilizing the WhatsApp Business Platform Cloud API, Meta Graph API, and related services.
By accessing or using the Platform, you agree to the terms of this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Platform.
2. Information We Collect
We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Data”). The types of Personal Data we collect depend on how you interact with our Platform.
2.1 Information Collected from Clients
When a Client registers for an account or uses our Platform, we may collect the following information:
| Category | Examples of Data Collected | Purpose of Collection |
|---|---|---|
| Account Information | Business name, industry, timezone, contact details, and authorized user credentials. | To create and manage the Client account, provide customer support, and communicate important updates. |
| Configuration Data | AI persona settings, knowledge base content, product catalogues, policies, and objection playbooks. | To configure and operate the AI chatbot tailored to the Client's specific business needs. |
| Integration Data | API keys, webhook URLs, and authentication tokens for third-party services (e.g., Meta, Google Calendar). | To facilitate seamless integration with messaging channels and external systems. |
2.2 Information Collected from End-Users
When an end-user (“Customer”) interacts with a Client's AI chatbot powered by Desked.ai via WhatsApp, Instagram, or Facebook Messenger, we process the following information on behalf of the Client:
| Category | Examples of Data Collected | Purpose of Collection |
|---|---|---|
| Contact Information | Phone numbers, social media handles, and names (if provided by the Customer). | To identify the Customer, maintain conversation continuity, and populate the Client's CRM. |
| Message Content | Text, images, files, and audio messages sent by the Customer to the chatbot. | To process inquiries, generate appropriate AI responses, and facilitate human agent handoffs. |
| Conversation Metadata | Timestamps, message status (sent, delivered, read), channel used, and interaction duration. | To monitor platform performance, ensure message delivery, and generate analytics. |
| Derived Data | Intent classification, sentiment analysis, conversation summaries, and CRM labels (e.g., "Hot Lead," "Pending Payment"). | To optimize AI behavior, trigger escalation rules, and provide business intelligence to the Client. |
3. How We Use Your Information
We use the collected information for various purposes, primarily to provide, maintain, and improve our Platform.
3.1 Providing and Operating the Platform
We process Personal Data to operate the AI chatbots, route messages between messaging channels and the AI Engine, and maintain the Unified Inbox for human agents. This includes utilizing the Retrieval-Augmented Generation (RAG) architecture to provide accurate responses based on the Client's knowledge base.
3.2 Customer Relationship Management (CRM)
We automatically populate and update Customer profiles within the built-in CRM system based on conversation history. This allows Clients to track the buying journey, apply relevant labels, and manage follow-ups effectively.
3.3 Analytics and Business Intelligence
We analyze conversation data to generate performance metrics, such as AI resolution rates, average response times, and conversion rates. These insights help Clients understand customer behavior and optimize their operations.
3.4 Security and Compliance
We use information to monitor platform health, detect and prevent fraudulent activities, enforce our terms of service, and comply with legal obligations. This includes implementing strict guardrails to prevent prompt injection attacks and unauthorized data access.
4. Data Sharing and Disclosure
We do not sell, rent, or trade Personal Data to third parties. We only share information in the following circumstances:
4.1 Service Providers and Sub-Processors
We may share information with trusted third-party service providers who assist us in operating the Platform. These sub-processors are contractually obligated to protect your data and use it only for the purposes we specify. Key sub-processors include:
- OpenAI: We utilize OpenAI's language models to power the AI Engine. All Client AI calls are routed through our master API account.
- Meta Platforms, Inc.: We integrate with Meta's WhatsApp Business API, Instagram Graph API, and Facebook Messenger API to facilitate messaging.
- Hosting Providers: We use managed infrastructure providers (e.g., Railway, Render, or AWS) to host the Platform and databases.
- Database Providers: We utilize PostgreSQL for relational data and vector databases (e.g., Pinecone or pgvector) for semantic search capabilities.
4.2 Legal Requirements
We may disclose information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency).
4.3 Business Transfers
If we are involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
5. Data Retention and Deletion
We retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
5.1 Message Data Retention
In accordance with Meta's Cloud API requirements, message data has a maximum retention period of 30 days to provide base features and functionality (e.g., retransmissions). User identifiers used as sources or destinations of individual messages are deleted within 30 days of the last status update of a message, unless otherwise directed by the Client.
5.2 Client Data Retention
Client account information, configuration data, and CRM records are retained for the duration of the active account. If a Client account is deactivated, data may be retained in accordance with the Client's configured data retention policies to comply with the PDPA.
5.3 Data Deletion Requests
Customers have the right to request the deletion of their Personal Data. Since Desked.ai acts as a data processor on behalf of our Clients, Customers should direct their deletion requests to the respective Client (the data controller). We provide our Clients with the necessary tools to delete Customer data from the Platform upon request.
If you are a Client and wish to delete your account or specific data, please contact our support team at privacy@desked.ai.
For a detailed, step-by-step guide to submitting a deletion request, see our dedicated Data Deletion Instructions page.
6. Data Security
We implement robust technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction.
6.1 Multi-Tenant Architecture
The Platform utilizes a multi-tenant architecture with strict data partitioning. Every database record is scoped to a specific tenant_id, ensuring that no cross-client queries are possible. Client data, AI configurations, and CRM records are completely isolated at the database level.
6.2 Encryption
All customer data is encrypted at rest and in transit. Messages traveling between the user and the Cloud API are encrypted via WhatsApp using the Signal protocol.
6.3 Access Controls
Internal team access to the Platform is role-based. Staff members can only access the data of Clients assigned to them, minimizing the risk of unauthorized internal access.
7. Meta Platform Integrations
Desked.ai integrates with Meta's platforms to provide messaging capabilities. We adhere to Meta's Developer Data Use Policy and Privacy Policy Requirements.
7.1 WhatsApp Business Platform Cloud API
When utilizing the WhatsApp Business Platform Cloud API, Meta acts as a data processor/service provider on behalf of the business. Cloud API will only use the messages it processes on behalf of and at the instruction of the business. Cloud API will not automatically use WhatsApp messages to inform the ads that a person sees.
7.2 Important Notice Regarding Call Recording
IMPORTANT INSTRUCTION FOR ADMINISTRATORS: If your business utilizes any voice or call features in conjunction with our Platform (though currently out of scope for the core text-based chatbot), you must ensure that all calls are recorded in compliance with applicable local laws, and that explicit consent is obtained from the Customer prior to recording.
8. Your Privacy Rights
Depending on your jurisdiction, you may have certain rights regarding your Personal Data, including:
- Right to Access: You can request copies of your Personal Data.
- Right to Rectification: You can request that we correct any information you believe is inaccurate, or complete any information you believe is incomplete.
- Right to Erasure: You can request that we erase your Personal Data, under certain conditions.
- Right to Restrict Processing: You can request that we restrict the processing of your Personal Data, under certain conditions.
- Right to Object to Processing: You can object to our processing of your Personal Data, under certain conditions.
- Right to Data Portability: You can request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
To exercise these rights, please contact the specific Client (business) you interacted with. If you are a Client, please contact us at privacy@desked.ai.
9. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last Updated” date at the top. You are advised to review this Privacy Policy periodically for any changes.
10. Contact Us
If you have any questions about this Privacy Policy, please contact us:
By email: privacy@desked.ai