Privacy Policy
Last updated: May 19, 2026
Clienta.ai ("we", "us", "our") operates an AI-powered customer support platform. This Privacy Policy explains how we collect, use, store, and protect information when you use our services, in compliance with the Thailand Personal Data Protection Act B.E. 2562 (PDPA) and applicable international data protection standards.
By using Clienta.ai, you agree to the practices described in this policy. If you are a business using Clienta.ai to serve your customers, you act as the Data Controller for your end users' data, and we act as the Data Processor.
1. Information We Collect
Account Information
When you register, we collect your name, email address, organization name, and password. If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.
Billing Information
Payment processing is handled by Stripe (international) and Omise (Thailand). We do not store full credit card numbers. Our payment processors provide us with the last four digits, card brand, and expiration date for display purposes only.
Conversation Data
Messages exchanged between your end users and your AI chatbot, including text content, timestamps, and any files shared during conversations.
Knowledge Base Content
Documents, FAQs, and other materials you upload to train your AI chatbot.
Usage Data
We automatically collect IP addresses, browser type, device information, pages visited, and interaction timestamps to operate, secure, and improve the service.
2. How We Use Your Information
- Provide, maintain, and improve the Clienta.ai platform
- Process AI chatbot responses using your knowledge base
- Facilitate live agent handoff with full conversation context
- Process payments and manage subscriptions
- Generate usage analytics and insights for your dashboard
- Send operational notifications (service updates, security alerts, billing)
- Detect, prevent, and address security incidents and abuse
We do not use your conversation data or knowledge base content to train any AI models.
3. Third-Party Service Providers
We use the following sub-processors to deliver our service. Each is bound by data processing agreements with security obligations no less protective than our own.
| Provider | Purpose | Location |
|---|---|---|
| OpenAI | AI language model inference (GPT-4o) | United States |
| Supabase | Database hosting (PostgreSQL) | United States / EU |
| Vercel | Frontend hosting and CDN | Global edge |
| Railway | Backend application hosting | United States / EU |
| Stripe | Payment processing (international) | United States |
| Omise | Payment processing (Thailand / PromptPay) | Thailand |
| Resend | Transactional email delivery | United States |
| Cohere | Search reranking for knowledge base | United States / Canada |
| Sentry | Error monitoring and diagnostics | United States |
4. Cross-Border Data Transfers
Your data may be transferred to and processed in countries outside Thailand as listed above. We protect these transfers using Standard Contractual Clauses (SCCs) and Data Processing Addendums with each provider, in compliance with PDPA Sections 28-29. All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
5. Data Security
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access control (RBAC) following the principle of least privilege
- Multi-tenant data isolation — each organization's data is strictly separated
- Audit logging for administrative and data access events
- Regular encrypted backups with tested recovery procedures
6. Data Retention
Active accounts: We retain your data for as long as your account is active and as needed to provide services.
After cancellation: You may export your data within 30 days of account termination. We delete all personal data, including backups, within 60 days of termination unless legally required to retain it.
Usage logs: Anonymized usage analytics may be retained for up to 24 months for service improvement purposes.
7. Your Rights (PDPA Sections 30-36)
Under the PDPA, you have the right to:
- Access your personal data and request a copy
- Rectify inaccurate or incomplete data
- Delete your personal data
- Restrict processing of your data
- Port your data in a machine-readable format (JSON/CSV)
- Object to certain processing activities
- Withdraw consent at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at privacy@clienta.ai. We will respond within 30 days.
8. Cookies
We use essential cookies required for authentication and session management. We use Vercel Analytics for anonymous, privacy-friendly website analytics — no personal data is collected by our analytics.
9. Children's Data
Clienta.ai is designed for business use and is not intended for individuals under 20 years of age (per the PDPA definition of a minor). We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website at least 30 days before the changes take effect.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights:
- Privacy inquiries: privacy@clienta.ai
- General support: support@clienta.ai