How Goma AI collects, uses, stores, and protects personal data across our WhatsApp CRM and website, in line with Singapore's Personal Data Protection Act (PDPA).
Last updated: 30 June 2026Goma AI provides a WhatsApp Business CRM that helps firms in Singapore's regulated industries message clients, capture leads, and book appointments while staying aligned with frameworks such as the PDPA, MAS guidelines, and CEA rules.
This policy explains how we handle personal data through our website, the Goma AI platform, and related services (together, the "Services"). It applies to our business customers and their staff, to individuals who message a business that uses Goma AI, and to visitors to our website.
The Services are operated by Goma AI Pte. Ltd. (UEN 202314006H), with a registered address at 176 Orchard Rd, #05-05, Singapore 238843. In this policy, "we", "us", and "our" refer to that entity.
Under the PDPA, our responsibilities depend on whose data we are handling and why. There are two distinct situations:
For our customers' account details and for website visitor data, we are the organisation responsible for the data and decide how it is used. This policy governs that data directly.
When we process the personal data of your clients and leads through the platform, we act as your data intermediary — handling it on your behalf and on your instructions under our customer agreement.
Where we act as your data intermediary, you remain the organisation responsible for that data. That includes obtaining valid consent from the individuals concerned, responding to their requests, and deciding what data to collect and how long to keep it. We process it only to provide the Services to you.
The personal data involved falls into three groups.
Some conversations in regulated industries may involve sensitive information. We treat all message content as confidential and apply the safeguards described in this policy regardless of category.
We use personal data to:
We do not sell personal data. We use AI only to deliver features you have enabled, and we do not use your clients' message content to train AI models for unrelated purposes or for other customers.
The PDPA generally requires consent before personal data is collected, used, or disclosed. For account and website data, we rely on your consent and on purposes you would reasonably expect when you choose to use the Services.
For client conversations, you (the business) are responsible for obtaining valid consent from your clients. Goma AI gives you the tools to do this properly: opt-in capture, timestamped consent records, "Do Not Contact" friendly flows, and automated opt-out handling.
An individual can withdraw consent at any time — usually by replying to stop messages, or by contacting the business they were dealing with. For data we are responsible for, you can withdraw consent by contacting our Data Protection Officer using the details in section 16.
The Services run on the official WhatsApp Business Platform provided by Meta. When messages are sent or received, they are transmitted and processed through Meta and WhatsApp systems, which are governed by Meta's own terms and privacy policy. Where we use Meta's WhatsApp Business Platform, the personal data involved is Platform Data as defined in Meta's Platform Terms.
We are not responsible for how Meta processes data under its own policies. We recommend reviewing the WhatsApp Business Policy and Meta's privacy resources to understand their role.
We do not sell personal data and we do not share it except as set out below:
We require our sub-processors to protect personal data to a standard consistent with the PDPA. A current list of our sub-processors is available on request.
We offer Singapore-based hosting and data residency options, so your message history and audit records can be kept in-region to support local data storage requirements.
Where personal data is transferred outside Singapore — for example, to a sub-processor located in the United States — we take steps to ensure it receives a standard of protection comparable to that required under the PDPA, including through contractual safeguards.
We keep account data for as long as you are a customer and for a reasonable period afterwards to meet legal, accounting, and security needs.
Conversation data and audit-vault records are retained according to the settings you configure and the record-keeping rules that apply to your industry, such as those set by MAS or the CEA. You control retention and deletion for your own workspace.
When your agreement ends, we return or delete client data in line with that agreement. Website and cookie data is kept only for short periods.
We make reasonable security arrangements to protect personal data against unauthorised access, use, or disclosure. These include role-based access controls, encryption of data in transit, audit logging, monitoring, a tamper-evident audit vault, staff confidentiality obligations, and due diligence on our vendors.
No system can be guaranteed completely secure. If a data breach occurs that is likely to result in significant harm or meets the notification threshold, we will notify affected parties and the relevant authority as required by law.
You may request access to the personal data we hold about you, ask us to correct it if it is inaccurate or incomplete, withdraw consent to our use of it, and request that we delete it.
If you are a business user (our customer or their staff): to request deletion of your account data, email our Data Protection Officer at hello@gomalabs.com with the subject "Data deletion request". We will verify the request and delete the data we are responsible for within a reasonable time, unless we are required to retain it for legal, accounting, or security reasons.
If you are a client or lead of a business that uses Goma AI: the business you messaged is responsible for your data, and it controls retention and deletion for its workspace. To delete your data, contact that business directly, or reply "STOP" to opt out of further messages. As their data intermediary, Goma AI will assist that business in locating and deleting your data on their instruction. If you are unable to reach the business, you may email hello@gomalabs.com and we will route your request to them.
If you visited our website only: to request deletion of any personal data we hold about you (such as demo bookings or contact form submissions), email our Data Protection Officer at hello@gomalabs.com with the subject "Data deletion request".
We will respond within a reasonable time as required by the PDPA. A reasonable fee may apply to certain access requests, as permitted under the Act. To exercise any of these rights, contact our Data Protection Officer using the details in section 16.
Our website uses cookies and similar technologies to keep the site working, remember preferences, and understand how the site is used so we can improve it. You can manage or block cookies through your browser settings, though some features may not work as intended if you do.
The Services are intended for businesses and are not directed to children. We do not knowingly collect personal data from children through our website. Where a business's clients may include minors, that business is responsible for obtaining appropriate consent, including from a parent or guardian where required.
We may update this policy from time to time. When we do, we will post the revised version here and update the "Last updated" date. If a change is significant, we will take reasonable steps to let you know.
If you have questions about this policy, want to make an access or correction request, or wish to raise a concern, please contact our Data Protection Officer:
Data Protection Officer
Val Yap, Goma AI
Email: hello@gomalabs.com
Address: 176 Orchard Rd, #05-05, Singapore 238843
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.