Privacy Policy
TroveChat by TroveDeck Solution (Malaysia) — Last updated: 19 April 2026
Effective: 1 January 2025. Compliant with Malaysia PDPA 2010 and references GDPR principles for EU users.
1. Who We Are
TroveDeck Solution (hereafter “TroveDeck”, “we”, “us”) is a technology company registered in Malaysia operating the TroveChat AI customer service platform at trovechat.trovedeck.com. Contact: [email protected].
2. What Data We Collect
We collect the following categories of data:
- Account data: Business name, email address, password hash (bcrypt). Collected when you register.
- Conversation data: Customer messages, AI replies, human agent replies, timestamps, platform identifiers (WhatsApp phone number ID, Telegram chat ID, Shopee/Lazada order ID, widget visitor ID). Collected when your customers interact via connected channels.
- Knowledge Base (KB) content: Q&A pairs, categories, embeddings you upload or that are auto-generated from imported chat history.
- Usage analytics: Message volume counts, AI confidence scores, response times, daily aggregates. No persistent IP tracking.
- Payment data: Stripe customer ID and subscription ID. We do not store raw card numbers — payment processing is delegated to Stripe.
- Channel credentials: Encrypted access tokens for connected platforms (WhatsApp, Telegram, Shopee, Lazada). Stored with AES-256-GCM encryption at rest.
- Cookies / local storage: Session tokens (HttpOnly cookie via NextAuth), locale preference (localStorage). No advertising trackers or third-party analytics cookies.
3. How We Use Your Data
- Operate and deliver the TroveChat AI customer service service.
- Generate AI replies using your KB and conversation context.
- Send transactional emails (password reset, invoice) via Resend.
- Process subscription billing via Stripe.
- Display analytics dashboards to account holders.
- Improve AI models and KB suggestions (aggregate, anonymised patterns only).
We do not use your data for advertising, sell it to data brokers, or share it with unrelated third parties.
4. Third Parties We Share Data With
| Service | Purpose | Data sent |
|---|---|---|
| DeepSeek (China) | AI reply generation (default provider) | Conversation context, KB excerpts |
| Groq (USA) | AI reply generation (alternative provider), live chat widget | Conversation context, KB excerpts |
| Stripe (USA) | Subscription billing | Email, billing amount |
| Resend (USA) | Transactional email delivery | Recipient email, email content |
| Shopee / Lazada | Receiving order-related customer messages | Message content, order reference |
AI providers (DeepSeek, Groq) receive conversation context solely to generate a reply. We do not grant them permission to train their models on your data. Users who process EU personal data should be aware that some providers are based outside the EEA; cross-border transfers rely on standard contractual clauses or provider-published data protection addenda.
5. Data Retention
- Active conversations: Retained while your account is active.
- Archived conversations: After 90 days of inactivity, conversations may be archived and removed from the live database. Archive data is retained for up to 12 months then permanently deleted.
- Account data: Retained until account deletion is requested.
- Billing records: Retained for 7 years as required by Malaysian tax law.
- Deleted accounts: All personal data is purged within 30 days of account deletion.
6. Your Rights
Under Malaysia PDPA 2010, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate personal data.
- Withdraw consent for data processing (where processing is consent-based).
- Request deletion of your data (see our Data Deletion page).
EU/EEA users additionally have GDPR rights including data portability and the right to object. Contact us at [email protected] to exercise any of these rights.
7. Security
Channel access tokens are encrypted at rest using AES-256-GCM. Passwords are hashed using bcrypt (cost factor 12). Transport is enforced over TLS 1.2+. Access to production databases is restricted to authorised personnel only.
8. Cookies and Tracking
We use a single HttpOnly session cookie set by NextAuth for authentication. We store your locale preference in localStorage. We do not use Google Analytics, Meta Pixel, or any other third-party tracking scripts.
9. Children
TroveChat is a B2B platform intended for business operators aged 18 and above. We do not knowingly collect data from minors.
10. Changes to This Policy
We may update this Privacy Policy. Material changes will be communicated by email to account holders at least 14 days before taking effect. Continued use of TroveChat after the effective date constitutes acceptance.
11. Contact
Data protection enquiries: [email protected]
Telegram: @trovedeck