Legal

Privacy Policy

Last updated: 5 June 2026

1. Who we are

Hiiiilo is an AI receptionist service operated by Meteor Pulse (Registration No. TR0286427-X), Kuala Lumpur, Malaysia ("we", "us"). This policy explains how we handle personal data in line with the Personal Data Protection Act 2010 ("PDPA") of Malaysia.

This policy covers two situations: (a) when you visit this website or contact us, and (b) when Hiiiilo processes messages on behalf of a business that uses our service (a "Client").

2. If you are a visitor to this website

What we collect

• Contact data — if you book a demo via WhatsApp, we receive your name, phone number, and message content.
• Technical data — standard server logs (IP address, browser type, pages visited) collected by our hosting provider for security and performance.

How we use it

• To respond to your enquiry and arrange a demo.
• To operate, secure, and improve the website.

We do not sell personal data, and we do not use it for third-party advertising.

3. If you message a business that uses Hiiiilo

When you contact a clinic, salon, or studio on WhatsApp and that business uses Hiiiilo, the business is the data user (controller) of your personal data under the PDPA. We process your data on the business's behalf and instructions to provide the service.

What is processed

• Your WhatsApp name, phone number, and the content of your messages.
• Appointment details you provide (service requested, preferred time, staff preference).
• Booking records written to the business's calendar and customer list.

How it is used

• To reply to your messages, answer questions from the business's verified information, and book appointments.
• To show the business its own conversations, bookings, and enquiry statistics in its dashboard.

Hiiiilo answers only from information the business has verified. Where it cannot help, the conversation is handed to the business's staff. We do not use your conversations to market unrelated products to you, and we do not sell your data.

To access, correct, or delete your data, contact the business you messaged — they control your data. We will assist them in fulfilling your request.

4. Service providers we rely on

We use reputable infrastructure providers to deliver the service, each processing data only as needed:

• Meta (WhatsApp Cloud API) — message delivery. Subject to Meta's own terms.
• Anthropic (Claude API) — generating replies from the business's verified information.
• Google (Calendar API) — writing confirmed bookings to the business's calendar.
• Cloud hosting and database providers — running the service and storing conversation and booking records.

Some providers store data on servers located outside Malaysia. Where data is transferred abroad, we take reasonable steps to ensure it is protected to a standard consistent with the PDPA.

5. Retention and security

We keep personal data only as long as needed to provide the service to the relevant business, meet legal obligations, or resolve disputes, after which it is deleted or anonymised. Data is protected with encryption in transit, access controls, and the security measures of the infrastructure providers above.

6. Your rights under the PDPA

You may request access to or correction of your personal data, withdraw consent to its processing, or limit its use for certain purposes. For data we hold as a website visitor, contact us directly. For data processed for a business you messaged, contact that business — we will support the request.

7. Changes to this policy

We may update this policy from time to time. The "Last updated" date above reflects the latest version. Material changes will be noted on this page.

8. Contact us

For privacy questions or requests, message us on WhatsApp at +60 17-307 2065.