1. Introduction
This Privacy Policy describes how TSA AI Solution Advisory ("we", "us") collects, uses, discloses, stores, and protects personal data when you use TSA CRM Hub (the "Service"). We are committed to handling personal data in accordance with the Malaysian Personal Data Protection Act 2010 ("PDPA") and applicable subsidiary legislation, where they apply to our processing activities.
Company registration (SSM): [TO BE COMPLETED]
Registered address: 102, Jalan Aman Elemen 8, Bandar Tropicana Aman, Telok Panglima Garang, Selangor, Malaysia.
Contact (privacy and general enquiries): csteam@tsa-ai.com
2. Scope
This Policy applies to personal data we process as a data user in connection with the Service. It does not govern third-party websites or services that we link to; their privacy notices apply instead.
3. Categories of personal data
Depending on how you use the Service, we may process:
- Account and profile: name, email address, password (stored in hashed form by our authentication provider), and profile details you choose to provide.
- Service content you enter: customer and product records, notes, meeting information, files, transcripts, and other CRM data you upload or create. This may include personal data about your own contacts (third-party personal data for which you are responsible as their data user).
- Usage and technical data: log and event data, device and browser type, approximate location derived from IP, pages or features used, and diagnostic information.
- Billing-related data: subscription status, transaction references, and limited payment metadata processed by our payment provider (we do not store full card numbers on our servers).
- Communications: messages you send to us (for example, support requests).
4. Purposes of processing
We process personal data for purposes including:
- providing, operating, and improving the Service;
- authenticating users and securing accounts;
- processing subscriptions, payments, and credits (including via Stripe);
- customer support and responding to enquiries;
- analytics to understand usage and improve product experience;
- complying with legal obligations and enforcing our terms;
- where applicable, AI-related processing (for example, generating summaries or assistant responses from content you submit).
5. Legal bases (PDPA)
We rely on appropriate legal grounds under the PDPA where applicable, including:
- your consent where we request it (for example, for certain optional communications or processing);
- processing necessary for the performance of a contract with you (providing the Service you sign up for);
- processing necessary for our legitimate interests (such as security, fraud prevention, and service improvement) where not overridden by your rights; and
- processing required to comply with law.
6. Disclosure and international transfers
We use reputable service providers ("data processors" or subprocessors) who process personal data on our instructions. They may be located outside Malaysia, including in countries that may not be deemed to provide an adequate level of protection under Malaysian law. Where required, we take steps consistent with the PDPA (such as contractual safeguards) for cross-border transfers.
Categories of recipients include:
- Google (Firebase / Google Cloud): authentication, database, file storage, and related infrastructure.
- Stripe: payment processing, billing, and customer portal for subscriptions and related charges.
- Mixpanel: product analytics (events and usage patterns).
- AI and machine learning providers (such as OpenAI or others we configure): processing prompts and content you submit to AI features.
- Pinecone or similar vector database providers: storing and querying embeddings for search and RAG features.
- Daily.co (if you enable the integration): video meeting and related webhook or API processing.
We may also disclose personal data if required by law, court order, or government request, or to protect our rights, users, or the public.
7. Retention
We retain personal data for as long as your account is active and as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods may vary by data type; we delete or anonymise data when it is no longer needed for these purposes, unless a longer period is required by law.
8. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. No method of transmission over the Internet is completely secure; we cannot guarantee absolute security.
9. Your rights
Subject to the PDPA and applicable exceptions, you may have the right to request access to and correction of your personal data, to withdraw consent where processing is based on consent (which may affect our ability to provide certain features), and to lodge a complaint with the relevant authority where applicable.
To exercise these rights, contact us at csteam@tsa-ai.com. We may need to verify your identity before responding.
10. Cookies and similar technologies
We use cookies and similar technologies for session management (for example, to keep you signed in), security, and analytics. You can control cookies through your browser settings; disabling certain cookies may limit functionality of the Service.
11. Children
The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected such data, please contact us and we will take steps to delete it.
12. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page and revise the "Last updated" date. Where changes are material, we will provide additional notice where appropriate (for example, by email or in-product message).
13. Complaints
If you have concerns about how we handle personal data, please contact us first at the email above. You may also have the right to contact the Personal Data Protection Department of Malaysia (PDPD) or other competent supervisory bodies as provided under applicable law.