Privacy

Privacy Policy

How Goma AI collects, uses, stores, and protects personal data across our WhatsApp CRM and website, in line with Singapore's Personal Data Protection Act (PDPA).

Last updated: 30 June 2026
1

About this policy

Goma AI provides a WhatsApp Business CRM that helps firms in Singapore's regulated industries message clients, capture leads, and book appointments while staying aligned with frameworks such as the PDPA, MAS guidelines, and CEA rules.

This policy explains how we handle personal data through our website, the Goma AI platform, and related services (together, the "Services"). It applies to our business customers and their staff, to individuals who message a business that uses Goma AI, and to visitors to our website.

The Services are operated by Goma AI Pte. Ltd. (UEN 202314006H), with a registered address at 176 Orchard Rd, #05-05, Singapore 238843. In this policy, "we", "us", and "our" refer to that entity.

2

Our role: controller or intermediary

Under the PDPA, our responsibilities depend on whose data we are handling and why. There are two distinct situations:

When we decide

For our customers' account details and for website visitor data, we are the organisation responsible for the data and decide how it is used. This policy governs that data directly.

When you decide

When we process the personal data of your clients and leads through the platform, we act as your data intermediary — handling it on your behalf and on your instructions under our customer agreement.

Where we act as your data intermediary, you remain the organisation responsible for that data. That includes obtaining valid consent from the individuals concerned, responding to their requests, and deciding what data to collect and how long to keep it. We process it only to provide the Services to you.

3

Personal data we collect

The personal data involved falls into three groups.

  • Business users (our customers and their staff)Name, work email, phone number, company, job role, salesperson registration details where relevant (such as a CEA Registration No. or RNF), billing information, account login credentials, and records of how you use the platform.
  • Clients and leads (processed on your behalf)WhatsApp number and profile name; the content of messages, including text, media, voice notes, and documents; any identity, financial, or health-related information that an individual chooses to send; consent and opt-in records with timestamps; appointment and booking details; and audit-log metadata such as message times and the staff member handling a conversation.
  • Website visitorsDevice and browser information, IP address, pages viewed, cookie data, and anything you submit when you book a demo or contact us.

Some conversations in regulated industries may involve sensitive information. We treat all message content as confidential and apply the safeguards described in this policy regardless of category.

4

How we collect it

  • Directly from youWhen you sign up, book a demo, contact support, or configure your workspace.
  • AutomaticallyWhen you use the platform or browse the website, through cookies and similar technologies.
  • Through the WhatsApp Business PlatformWhen messages are sent to or from your official business number.
  • From the integrations you connectSuch as lead sources, your CRM, or your calendar, on your instruction.
5

How we use personal data

We use personal data to:

  • provide and operate the Services, including routing, displaying, and storing conversations in a shared team inbox;
  • apply the compliance rules you switch on, such as attaching required disclaimers, capturing opt-ins, and writing records to the audit vault;
  • send appointment reminders, booking confirmations, and template messages you have set up;
  • provide support, manage your account, and handle billing, including measuring the outcomes our pricing is based on;
  • keep the Services secure and prevent fraud or misuse;
  • improve the Services, using aggregated or de-identified data wherever possible; and
  • comply with our legal and regulatory obligations.

We do not sell personal data. We use AI only to deliver features you have enabled, and we do not use your clients' message content to train AI models for unrelated purposes or for other customers.

7

WhatsApp and Meta

The Services run on the official WhatsApp Business Platform provided by Meta. When messages are sent or received, they are transmitted and processed through Meta and WhatsApp systems, which are governed by Meta's own terms and privacy policy. Where we use Meta's WhatsApp Business Platform, the personal data involved is Platform Data as defined in Meta's Platform Terms.

We are not responsible for how Meta processes data under its own policies. We recommend reviewing the WhatsApp Business Policy and Meta's privacy resources to understand their role.

8

Disclosure and sub-processors

We do not sell personal data and we do not share it except as set out below:

  • Service providers and sub-processorsTrusted vendors who help us run the Services, such as cloud hosting, Meta (WhatsApp Business Platform), communications, analytics, and payment providers.
  • Your connected integrationsWhere you instruct us to exchange data with another tool, such as your calendar or CRM.
  • Professional advisers and authoritiesWhere disclosure is required by law, regulation, or a valid request from a public authority.
  • Business transfersIf we are involved in a merger, acquisition, or sale of assets, subject to this policy continuing to apply.

We require our sub-processors to protect personal data to a standard consistent with the PDPA. A current list of our sub-processors is available on request.

9

Data residency and transfers

We offer Singapore-based hosting and data residency options, so your message history and audit records can be kept in-region to support local data storage requirements.

Where personal data is transferred outside Singapore — for example, to a sub-processor located in the United States — we take steps to ensure it receives a standard of protection comparable to that required under the PDPA, including through contractual safeguards.

10

How long we keep data

We keep account data for as long as you are a customer and for a reasonable period afterwards to meet legal, accounting, and security needs.

Conversation data and audit-vault records are retained according to the settings you configure and the record-keeping rules that apply to your industry, such as those set by MAS or the CEA. You control retention and deletion for your own workspace.

When your agreement ends, we return or delete client data in line with that agreement. Website and cookie data is kept only for short periods.

11

How we protect data

We make reasonable security arrangements to protect personal data against unauthorised access, use, or disclosure. These include role-based access controls, encryption of data in transit, audit logging, monitoring, a tamper-evident audit vault, staff confidentiality obligations, and due diligence on our vendors.

No system can be guaranteed completely secure. If a data breach occurs that is likely to result in significant harm or meets the notification threshold, we will notify affected parties and the relevant authority as required by law.

12

Your rights and data deletion

You may request access to the personal data we hold about you, ask us to correct it if it is inaccurate or incomplete, withdraw consent to our use of it, and request that we delete it.

If you are a business user (our customer or their staff): to request deletion of your account data, email our Data Protection Officer at hello@gomalabs.com with the subject "Data deletion request". We will verify the request and delete the data we are responsible for within a reasonable time, unless we are required to retain it for legal, accounting, or security reasons.

If you are a client or lead of a business that uses Goma AI: the business you messaged is responsible for your data, and it controls retention and deletion for its workspace. To delete your data, contact that business directly, or reply "STOP" to opt out of further messages. As their data intermediary, Goma AI will assist that business in locating and deleting your data on their instruction. If you are unable to reach the business, you may email hello@gomalabs.com and we will route your request to them.

If you visited our website only: to request deletion of any personal data we hold about you (such as demo bookings or contact form submissions), email our Data Protection Officer at hello@gomalabs.com with the subject "Data deletion request".

We will respond within a reasonable time as required by the PDPA. A reasonable fee may apply to certain access requests, as permitted under the Act. To exercise any of these rights, contact our Data Protection Officer using the details in section 16.

13

Cookies and website analytics

Our website uses cookies and similar technologies to keep the site working, remember preferences, and understand how the site is used so we can improve it. You can manage or block cookies through your browser settings, though some features may not work as intended if you do.

14

Children and minors

The Services are intended for businesses and are not directed to children. We do not knowingly collect personal data from children through our website. Where a business's clients may include minors, that business is responsible for obtaining appropriate consent, including from a parent or guardian where required.

15

Changes to this policy

We may update this policy from time to time. When we do, we will post the revised version here and update the "Last updated" date. If a change is significant, we will take reasonable steps to let you know.

16

How to contact us

If you have questions about this policy, want to make an access or correction request, or wish to raise a concern, please contact our Data Protection Officer:

Data Protection Officer
Val Yap, Goma AI
Email: hello@gomalabs.com
Address: 176 Orchard Rd, #05-05, Singapore 238843

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore.