Lok.chat Terms of Service

Privacy Policy

Last updated: 23 March 2026

1. Introduction

Lok.chat is operated by The Gentle Equation Pty Ltd (ABN 97 688 924 307) ("we", "us", "our"). We operate a WhatsApp-based AI receptionist platform for healthcare and aesthetic clinics in Malaysia.

This Privacy Policy explains how we collect, use, store, and protect personal data in compliance with the Personal Data Protection Act 2010 (PDPA) of Malaysia. Your use of Lok.chat is also subject to our Terms of Service.

2. Data We Collect

We collect the following categories of personal data:

  • Patient data — WhatsApp phone number, name (as provided via WhatsApp), message content, appointment details, and consent records. Appointment and health-related information is classified as sensitive personal data under the PDPA and is processed with appropriate safeguards.
  • Clinic staff data — Name, email address, role (owner, admin, or staff), and login credentials (passwords are hashed using Argon2id and never stored in plaintext).
  • Clinic data — Clinic name, address, phone number, operating hours, and service offerings.
  • Usage data — Page views and feature usage collected via self-hosted Umami analytics on our servers in Singapore. Umami does not use cookies or collect personally identifiable information.

Providing your WhatsApp phone number and name is necessary for the clinic to deliver the receptionist service through our platform. If you do not wish to provide this data, you may choose not to message the clinic's WhatsApp number. Providing consent for follow-up and marketing messages is voluntary.

3. AI Disclosure

When you message a clinic via WhatsApp, you will initially interact with an artificial intelligence (AI) system powered by Anthropic's Claude AI. The AI receptionist is designed to answer enquiries, check appointment availability, and book appointments on behalf of the clinic.

The AI receptionist is not a medical professional and does not provide medical advice, diagnosis, or treatment. You may request to speak with a human staff member at any time, and the AI is designed to hand off complex or sensitive queries to clinic staff automatically.

Conversation data is not used to train or fine-tune AI models. Anthropic's API terms provide that API data is not used for model training.

4. How We Use Your Data

  • To provide AI-powered receptionist services via WhatsApp on behalf of your clinic.
  • To book and manage patient appointments.
  • To send appointment reminders and follow-up messages (only with patient consent).
  • To provide clinic staff with a dashboard to manage conversations and settings.
  • To monitor and improve platform reliability and performance.

5. Consent

We obtain explicit consent before sending patients follow-up or promotional messages. Patients can opt out at any time by replying "STOP" to any WhatsApp message. Consent records are stored with timestamps for audit purposes.

Outside the 24-hour customer service window defined by WhatsApp, messages are sent using pre-approved WhatsApp message templates in compliance with Meta's policies.

For clinic staff, consent for data processing is obtained through the clinic's agreement to use the Lok.chat platform.

6. Data Storage and Security

  • Data is stored on servers hosted by Hetzner Online GmbH in Singapore and transmitted over encrypted connections (TLS).
  • Sensitive credentials (WhatsApp API tokens) are encrypted at rest using AES-256-GCM.
  • Passwords are hashed using Argon2id, a modern and secure hashing algorithm.
  • Access to the platform is protected by session-based authentication with HTTP-only, secure cookies.
  • Database servers are secured with restricted network access; no direct external access is permitted.

7. Data Sharing

We do not sell personal data. We share data with the following third-party service providers, solely for the purpose of operating the platform:

  • Meta (WhatsApp Business API) — Messages are sent and received through Meta's WhatsApp Cloud API. Please review Meta's WhatsApp Business Terms and Privacy Policy for information on how Meta processes your data. If you request deletion of your data through WhatsApp or Facebook settings, we will process your request in accordance with Meta's data deletion requirements.
  • Anthropic (AI processing, United States) — Message content is sent to Anthropic's Claude API for AI response generation. Anthropic does not use API data for model training. See Anthropic's privacy policy.
  • OpenAI (embeddings, United States) — Knowledge base content (clinic service descriptions, FAQs) is processed to generate search embeddings. No patient messages or personal data are sent to OpenAI.
  • Hetzner Online GmbH (infrastructure, Singapore) — Our servers are hosted by Hetzner. Hetzner provides infrastructure only and does not access or process your data.
  • Cloudflare (security and performance, global) — Web traffic is proxied through Cloudflare for security and performance. AI API calls may be routed through Cloudflare AI Gateway for caching and reliability.
  • Resend (email, United States) — Email addresses are shared with Resend for transactional emails such as password resets.
  • Sentry (error monitoring, European Union) — Technical diagnostic data (such as error stack traces and request metadata) is sent to Sentry for debugging. We take steps to minimise personally identifiable information in error reports.

8. Cross-Border Data Transfers

Your data may be transferred to and processed in countries outside Malaysia, including Singapore, the United States, and the European Union, by the third-party service providers listed in Section 7.

We ensure appropriate safeguards are in place, including contractual data protection obligations with each provider. By using the platform, you consent to these transfers as permitted under Section 129 of the PDPA.

9. Data Retention

Conversation data is retained for as long as the clinic's account is active. Clinics may request deletion of their data at any time by contacting us.

Upon account termination, we retain data for 30 days to allow for data export, after which it is permanently deleted.

Resolved conversations are automatically archived after 7 days but remain accessible to clinic staff.

10. Data Breach Notification

In the event of a personal data breach that may affect your rights and interests, we will notify affected clinics without undue delay and, where required by law, notify the Personal Data Protection Commissioner in accordance with the PDPA.

11. Your Rights (PDPA)

Under the Personal Data Protection Act 2010, you have the right to:

  • Access your personal data held by us (Section 12, PDPA).
  • Request correction of inaccurate personal data (Section 13, PDPA).
  • Withdraw consent for data processing (Section 38, PDPA), after which we will cease processing and delete data no longer required for any lawful purpose.

To exercise these rights, contact our Data Protection Officer at hello@lok.chat.

12. Data Controller and Processor

Clinics using Lok.chat are the data users (controllers) under the PDPA for patient data. Lok.chat acts as a data processor, processing patient data on behalf of the clinic in accordance with the clinic's instructions and these terms.

Clinics are responsible for ensuring their own compliance with PDPA requirements, including registering as data users with the Personal Data Protection Commissioner where required under PDPA Section 14.

A Data Processing Addendum is available upon request and forms part of these terms.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date.

For material changes that affect how your personal data is processed, we will notify you via email or in-app notification at least 14 days before the changes take effect and obtain your consent where required by law.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, contact our Data Protection Officer:

Email: hello@lok.chat

Operated by: The Gentle Equation Pty Ltd (ABN 97 688 924 307)