Privacy Policy

Last updated: 20 May 2026

This Privacy Policy describes how Hail Pilot Pte Ltd (“Hail Pilot,” “we”) collects, uses, discloses, and protects personal data. It is structured to satisfy the Personal Data Protection Act 2012 (Singapore) (“PDPA”), Malaysia's Personal Data Protection Act 2010 (“MY PDPA”), and — where applicable — the EU General Data Protection Regulation (“GDPR”).

For the browser extension privacy notice, see /legal/extension-privacy.

1. Organisation and Data Protection Officer

Controller of your personal data: Hail Pilot Pte Ltd, a company incorporated in Singapore.

Data Protection Officer (DPO): dpo@hailpilot.com. You may contact the DPO directly for any matter relating to your personal data, including access, correction, withdrawal of consent, and complaints.

In Malaysia, the DPO acts as the registered point of contact for MY PDPA matters pending formal appointment of a Malaysia-resident DPO during Phase 10 expansion.

2. Purposes of collection

We collect personal data only for the following purposes:

  • Service delivery — operating the Hail Pilot platform, including dispute defense, evidence management, AI reply drafting, risk scoring, and cross-merchant fraud-pattern detection (the latter via pseudonymisation with k-anonymity ≥5 guard, see Section 5).
  • Account administration — authentication, billing, customer support, user management.
  • Security and audit — fraud and abuse detection on our own platform, webhook signature verification, audit logging.
  • Legal compliance — responding to lawful regulatory requests, enforcing our Terms of Service, defending claims, retaining evidence for marketplace-platform disputes.
  • Product improvement — internal analytics in aggregated or de-identified form to improve heuristics; we do not train foundation models on Customer Data.
  • Service communications — transactional emails about your account, deadlines, billing. Marketing emails require separate opt-in.

We do not use personal data for any purpose incompatible with the purposes for which it was collected, without obtaining fresh consent.

3. Categories of personal data

Merchant user data (you, as our customer's representative): email, name, phone (if provided), Telegram chat ID (if linked), authentication credentials (password hashed with Argon2id), session identifiers, IP address, browser user-agent, audit-log events.

Buyer data (data subjects whose data you upload to the Service via channel connectors or CSV import): name, email, phone (E.164), shipping address, order history, dispute history, attendance/no-show events, payment-method metadata (never full PAN), evidence files (photos, screenshots, chat transcripts). Stored encrypted at rest using AES-256-GCM envelope encryption with key versioning.

Cross-merchant fraud signals: HMAC-SHA256 tokens of normalised PII (no raw PII), perceptual hashes of evidence photos (phash), and aggregated network-profile counters. See Section 5 and the DPA for the carve-out and re-identification guard.

Marketplace credentials: OAuth refresh tokens for Shopee Open Platform, Lazada Open Platform, and similar — stored encrypted at rest using AES-256-GCM with key versioning, used solely to call the marketplace APIs on your behalf.

Telemetry: error reports (via Sentry), session replays (10% sampling with text masking + media blocking), product-analytics events (PostHog, GTM/Clarity/LinkedIn/Meta — opt-in via Consent Mode v2).

4. Categories of recipients (subprocessors)

We engage third-party processors strictly to deliver the Service. The full, current list is published at /legal/subprocessors. Categories include cloud infrastructure (Railway, Vercel, Cloudflare), AI providers (Anthropic, OpenAI, Together AI, Alibaba Cloud Model Studio, Cloudflare Workers AI), payment processing (HitPay), observability (Sentry, Langfuse, Better Stack, UptimeRobot, Cronitor), email (Resend), messaging (Telegram), and storage (R2, B2).

Subprocessor changes require 30 days' advance notice to merchants who have signed a Data Processing Agreement. Subscribe to our subprocessor changelog via the legal index page.

We do not sell, rent, or share personal data with advertisers, data brokers, or other third parties for their own marketing purposes.

5. Cross-border transfers and safeguards

Personal data is stored primarily in Asia-Pacific regions (Singapore — Railway asia-southeast1-eqsg3a, Alibaba Cloud Model Studio ap-southeast-1). Some subprocessors operate globally (Cloudflare, Vercel edge) or out of the United States (Anthropic, OpenAI, Sentry, Langfuse Cloud). Transfers outside Singapore are subject to:

  • The ASEAN Model Contractual Clauses, where the recipient is in an ASEAN member state.
  • Standard contractual provisions consistent with PDPA s.26, where the recipient is outside ASEAN.
  • For Customer Data covered by GDPR exposure, EU Standard Contractual Clauses (SCCs) with supplementary technical measures (encryption-in-transit + at-rest, pseudonymisation where applicable).

Cross-merchant fraud signals carve-out. HMAC-SHA256 tokens of normalised PII and perceptual hashes of evidence photos may be retained beyond the originating merchant relationship and used to surface fraud-reuse patterns to other merchants. These signals are treated as pseudonymised personal data under PDPA guidance — they remain personal data, are protected as such, and are subject to a k-anonymity ≥5 guard before any cross-merchant surfacing (no signal is exposed to another merchant unless at least five distinct merchants' data is present). We do not market this carve-out as anonymisation.

6. Retention periods

We retain personal data only as long as necessary:

  • Merchant account data: for the duration of your subscription plus 12 months for billing and audit reconciliation, then purged.
  • Buyer PII (encrypted): 24 months from the last activity on the relevant order/case, or until merchant-initiated deletion, whichever is earlier.
  • Evidence files: 24 months from case closure, then purged from object storage; metadata retained 12 additional months for audit.
  • Audit logs: 24 months (partitioned monthly).
  • Cross-merchant fraud signals (pseudonymised): indefinitely while k-anonymity ≥5 guard holds; nullified on PDPA s.22 erasure request per the erasure runbook.
  • Backups: 30 days hot (R2), 13 months cold (B2), then deleted.
  • Webhook forensic logs: 12 months, then purged.

On termination of your subscription, you have a 30-day window to export Customer Data. After 30 days we begin the deletion sequence above.

7. Your rights as a data subject

PDPA rights (Singapore):

  • Access (s.21): request a copy of your personal data and a list of its uses and disclosures.
  • Correction (s.22): request correction of inaccurate or incomplete personal data, including erasure where the data is no longer necessary.
  • Withdrawal of consent (s.16): withdraw consent at any time on reasonable notice. Withdrawal may affect our ability to provide the Service.

GDPR rights (where applicable):

  • Access, rectification, erasure (“right to be forgotten”).
  • Restriction of processing, objection to processing, data portability.
  • Withdraw consent without affecting the lawfulness of prior consent-based processing.
  • Lodge a complaint with your local supervisory authority (see Section 8).

Submit requests to dpo@hailpilot.com. We will acknowledge within 5 business days and respond within 30 days. We may charge a reasonable fee for excessive or repetitive requests under PDPA s.21(2).

Buyer-data requests via merchants. If you are a buyer whose data has been uploaded to the Service by a merchant, your primary point of contact is the merchant (the controller of your data). The DPO can route your request to the relevant merchant and assist where the merchant is non-responsive.

8. Complaint mechanism

First, contact the DPO at dpo@hailpilot.com. If unresolved, you may complain to:

  • Singapore: Personal Data Protection Commission (PDPC) — pdpc.gov.sg.
  • Malaysia: Jabatan Perlindungan Data Peribadi (JPDP) — pdp.gov.my.
  • European Union: your local Data Protection Authority. A directory is maintained by the European Data Protection Board.

9. AI and automated decision-making notice

The Service uses AI to draft replies, summarise evidence, classify buyer intent, and score risk. These outputs are recommendations, not solely-automated decisions producing legal or similarly significant effects. Final consequential actions (refund approvals, dispute submissions, buyer block-listing) require explicit human action by the merchant user.

In compliance with the EU AI Act Article 50, AI-generated content is clearly disclosed through the in-product AI Assistant Badge, and merchant users are required to acknowledge an AI Disclosure Notice on first use of the dashboard (version 2026-08-02.v1).

10. Security

We protect personal data with: AES-256-GCM envelope encryption with key versioning for PII and channel-connection secrets; Argon2id password hashing; server-side sessions; CSRF double-submit-cookie protection; PostgreSQL Row Level Security plus application-layer multi-tenant filters; OpenFGA fine-grained authorisation; HMAC-SHA256 cross-merchant identity tokenisation; AlignmentCheck and Prompt Guard 2 against AI prompt-injection; weekly off-platform backups with quarterly restore drills.

11. Changes to this Policy

Material changes will be notified by email at least 30 days before they take effect and tracked in the legal changelog. The current version is dated above.