Privacy Policy

1. Who We Are

BossFree ("we", "us", "our") is a WhatsApp AI automation service operated in Malaysia. We build and manage custom AI agents for businesses ("Clients") that automate WhatsApp group communication, order management, lead capture, and business workflow automation.

Our registered contact: hello@bossfree.co

2. What Data We Collect

We collect different types of data depending on your relationship with us:

From website visitors (bossfree.co):

• Pages visited, time spent, referring URL (via standard web server logs)
• Device and browser type, IP address (anonymised)
• Form submissions — name, business name, WhatsApp number, email if you contact us

From Clients (businesses that use our service):

• Business name, contact name, WhatsApp number, email address
• Payment records (amount, date — we do not store card details)
• WhatsApp group information needed to operate your AI agent (group names, participant structure)
• Messages processed by your AI agent (order text, customer enquiries, responses sent)
• Product catalogues, pricing data, and business rules you provide us to configure your agent

From your customers (end users of your AI agent):

• WhatsApp messages sent to your groups that our AI agent processes
• Phone numbers that interact with the AI agent
• Order details, delivery addresses, and other information they provide during the automated flow

We process end-user data solely as a data processor on your behalf. You remain the data controller for your customers' information.

3. How We Use Your Data

• To deliver the service: Reading, parsing, and responding to WhatsApp messages through your configured AI agent
• To log business records: Writing confirmed orders and leads to Google Sheets or other connected systems you specify
• To improve agent performance: Reviewing message logs to tune accuracy, detect errors, and improve response quality
• To communicate with you: Sending service updates, invoices, and support responses to your registered contact
• To comply with legal obligations: Retaining business records as required under Malaysian law

We do not use your data for advertising, profiling, or sale to third parties.

4. Data Sharing & Third Parties

We share data only where necessary to operate your service:

• WhatsApp Business API / Meta: All WhatsApp message processing passes through the WhatsApp Business API, which is operated by Meta Platforms Inc. Meta's own terms and privacy policy apply to this infrastructure layer.
• Google LLC: If your service includes Google Sheets integration, order and lead data is written to your specified Google Sheet. This is a destination you control.
• Render (hosting): Our AI agent servers are hosted on Render (render.com). Application logs may be stored on their infrastructure.
• OpenAI / Anthropic: Some AI agent functions use large language model APIs (OpenAI GPT or Anthropic Claude) to process natural language. Message content may be sent to these APIs for processing. We do not use customer opt-in data for model training.
• AutoCount / SQL Accounting: If your plan includes accounting integration, transaction data may be sent to your connected accounting software via its API.

All third-party providers are bound by their own privacy policies and data processing agreements. We will not share your data with any party not listed here without your explicit consent.

5. Data Retention

• Active clients: WhatsApp message logs are retained for 90 days for QA and debugging purposes, then deleted from our systems. Data written to Google Sheets remains under your control.
• After contract ends: We delete all message logs and operational data within 30 days of service termination. Business contact and payment records are retained for 7 years as required by Malaysian accounting law.
• Website enquiry data: Retained for 12 months or until you request deletion.

6. Data Security

We implement the following security measures:

• All data transmitted between your customers and our servers is encrypted via HTTPS/TLS
• API tokens and credentials are stored as encrypted environment variables, never in source code
• Access to production systems is restricted to authorised BossFree personnel only
• We use reputable cloud infrastructure (Render) with built-in security controls

No system is 100% secure. In the event of a data breach that affects your business or your customers, we will notify you within 72 hours of becoming aware.

7. Your Rights

As a Client or end user, you have the right to:

• Access: Request a copy of data we hold about you or your business
• Correction: Ask us to correct inaccurate data
• Deletion: Request that we delete your data (subject to legal retention requirements)
• Portability: Request your data in a machine-readable format
• Objection: Object to certain types of processing

To exercise any of these rights, email us at hello@bossfree.co. We will respond within 14 business days.

8. Cookies

Our website (bossfree.co) uses minimal cookies:

• Essential cookies: Required for the website to function (session management, preferences)
• Analytics: We do not currently use third-party analytics cookies (e.g. Google Analytics). If we add these in future, we will update this policy and request consent.

You can control cookies through your browser settings. Disabling cookies may affect website functionality.

9. Children's Privacy

BossFree services are intended for businesses and are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active Clients of material changes by WhatsApp or email at least 14 days before the changes take effect. The current version will always be available at bossfree.co/privacy.

11. Contact Us

If you have questions about this Privacy Policy or how we handle your data:

• Email: hello@bossfree.co
• WhatsApp: +60 16-239 3812

We are based in Malaysia and are subject to the Personal Data Protection Act 2010 (PDPA) of Malaysia.