Privacy Policy

1) Roles: Customer vs. Website Visitor (Controller / Processor)

When our widget is used on a customer's website:

• The customer (the business running the widget) is typically the data controller for lead data collected on their site.
• Tailyx typically acts as a data processor, processing lead data on the customer's instructions (e.g., scoring, enrichment, routing, automation).

When you use tailyx.ai directly (e.g., beta sign-up or admin console), Tailyx is the data controller for the personal data you provide to us.

2) Personal Data We Collect

A. Data you provide (Customer Admins)

• Account data: name, email, phone, login credentials (or OAuth identifiers), organization details.
• Configuration data: widget settings, qualification questions, scoring rules, routing rules, automation templates, calendars/booking links.
• Support communications: messages you send to support, feedback, bug reports.

B. Data collected from Website Visitors / Leads via the widget

When a visitor interacts with a Tailyx-powered widget, we collect the following data on behalf of the customer (the data controller). A notice is displayed to visitors at the point of data collection informing them of the purpose and their rights.

• Conversation data: chat messages, responses to questions, timestamps, conversation identifiers.
• Lead capture data: name, email, phone, company, role/title, country/location (if provided).
• Qualification signals: fit/intent fields (e.g., need, timeline, budget, authority), and any additional fields the customer enables.
• Engagement events: meeting link shown/clicked, booking events, replies to follow-up (where integrated), delivery/bounce metadata.

C. Lead scoring, segmentation & automation metadata

• Lead score and tier: numeric score and/or segmentation (e.g., Hot/Warm/Cold) computed automatically from conversation responses and engagement signals.
• Scoring inputs: which answers/signals contributed to the score (where enabled).
• Automation actions: emails triggered, pauses on reply, routing outcomes, and audit logs.

D. Enrichment data (where enabled by the customer)

Where a customer enables enrichment, we may augment lead records after the conversation has been captured, using information from: (i) data the lead provides, (ii) public sources, and/or (iii) third-party enrichment providers. The purpose of enrichment — improving lead context for the customer's sales process — is disclosed in the widget's privacy notice displayed to visitors.

• Possible enriched fields: company details, website, industry, seniority signals, public professional profile links (e.g., LinkedIn URL if provided), location, and other firmographic/contact context.
• Confidence: enrichment may include confidence scores or "suggested" fields and may not be perfectly accurate.

E. Automatically collected technical data

• Log data: IP address, browser type, device identifiers, pages viewed, referring URLs, timestamps.
• Security data: rate limiting signals, bot detection outcomes, suspicious request patterns, and related diagnostics.
• Cookies & similar technologies: session cookies, analytics identifiers, and preference cookies (see "Cookies" section).

3) How We Use Personal Data

A. Provide and operate the services

• Create and manage accounts, authenticate users, and provide the admin console.
• Deliver the widget experience, capture leads, and maintain conversation history.
• Compute lead scores/segments and apply customer-configured routing and automation.
• Provide enrichment (where enabled) to improve lead context for the customer's sales process.

B. Communications

• Respond to support requests and product inquiries.
• Send service notices (security, billing, policy updates, important operational messages).
• Send product updates or marketing communications where permitted, with a clear opt-out mechanism where required by law.

C. Analytics, product improvement, and R&D

• Understand usage patterns and improve reliability, UX, scoring performance, and automation outcomes.
• Debug, test, and maintain the platform.

D. Security, abuse prevention, and legal compliance

• Detect and prevent fraud, spam, bot activity, and abuse.
• Enforce our Terms, protect our rights, and comply with legal obligations.

4) Legal Bases (Where Applicable)

Depending on context and jurisdiction, we may process personal data based on:

• Consent: where a website visitor provides their personal data via the widget after being informed of the purpose, or where required for certain marketing communications or non-essential cookies.
• Contract: to provide the services to customer admins and process lead data per customer instructions.
• Legitimate interests: to operate, secure, and improve our services, balanced against individuals' rights.
• Legal obligation: where we must comply with applicable laws or regulations.

Under the Singapore PDPA, we also rely on the deemed consent framework where a visitor voluntarily submits personal data via the widget after being presented with a clear notice of purpose — provided the purpose is reasonable, clearly disclosed, and the visitor has a meaningful opportunity to opt out.

Where a customer has entered into a Data Processing Addendum (DPA) with Tailyx, the lawful basis and processing conditions set out in that DPA govern our processing of personal data on that customer's behalf, and take precedence over this section to the extent of any conflict.

5) Automated Scoring & Profiling

Tailyx performs automated lead scoring and segmentation (e.g., Hot/Warm/Cold) based on conversation responses and engagement signals. This processing is disclosed to website visitors at the point of data collection. Automated scoring may affect how a lead is handled, for example:

• Whether a booking link is shown immediately;
• Whether a follow-up sequence is triggered or paused;
• Whether a lead is routed to a team or flagged as low fit.

6) Sharing & Disclosure

We may share personal data in the following cases:

• With the customer (the business using the widget) so they can follow up with leads and operate their sales process.
• Service providers / subprocessors who help us run the service (e.g., hosting, databases, email delivery, analytics, monitoring, enrichment providers), under contractual confidentiality and security obligations.
• Legal / compliance where required by law, court order, or to protect rights and safety.
• Business transfers (e.g., merger/acquisition) where data may transfer subject to appropriate safeguards and notice to affected parties.

7) Cookies & Tracking

We use cookies and similar technologies to operate the site (e.g., sessions), remember preferences, measure performance, and improve the service. Cookies fall into two categories:

• Essential cookies: necessary for the site and widget to function. These cannot be disabled without affecting core functionality.
• Optional cookies: used for analytics and performance measurement. Where required by applicable law, we will seek consent before placing these.

You can control cookies through your browser settings. Disabling essential cookies may impact functionality.

8) International Transfers

We are based in Singapore and primarily store and process data in Singapore. We may also engage service providers in other countries. Where personal data is transferred outside Singapore, we use appropriate safeguards, including:

• Contractual protections (e.g., data processing agreements with equivalent protection obligations);
• Transfers only to jurisdictions or service providers that provide a comparable standard of data protection.

9) Data Security

We use reasonable administrative, technical, and organizational safeguards, including:

• Encryption in transit (HTTPS/TLS) for all data transmission.
• Access controls and least-privilege permissions for all production systems.
• Monitoring, logging, and incident response procedures.
• Regular maintenance and vulnerability management practices appropriate for our stage of operation.

In the event of a data breach that is notifiable under the PDPA (i.e., one likely to result in significant harm or that affects 500 or more individuals), we will notify the Personal Data Protection Commission and affected individuals as required by law.

No method of transmission or storage is 100% secure. We work to protect data, but cannot guarantee absolute security.

10) Retention

We retain personal data only as long as necessary for the purposes described in this policy, unless a longer period is required by law. Typical retention periods (may vary by customer configuration):

• Lead conversation + scoring records: 12–24 months or as configured by the customer.
• Security logs and diagnostics: typically 30–180 days.
• Billing and transactional records: as required by applicable accounting and tax laws.
• Backups: retained for limited periods and rotated on a defined schedule.

Customers may request deletion of their lead data at any time by contacting us at [email protected]. We will process such requests in accordance with our obligations as a data processor.

11) Your Rights

Depending on your jurisdiction and role (customer admin vs. website visitor / lead), you may have the following rights:

• Access: request a copy of the personal data we hold about you.
• Correction: request correction of inaccurate or incomplete personal data.
• Deletion: request deletion of your personal data, subject to our legal obligations and legitimate business needs.
• Portability: request your data in a structured, machine-readable format (where applicable).
• Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Restriction / objection: object to or request restriction of certain processing activities.
• Complaint: lodge a complaint with the Personal Data Protection Commission (Singapore) or another competent data protection authority.

12) Data Protection Officer

In accordance with the Singapore PDPA, Discover Up LLP has designated a Data Protection Officer (DPO) responsible for overseeing our data protection practices and ensuring compliance with applicable privacy laws.

You may contact the DPO for any questions, concerns, or requests relating to your personal data or this Privacy Policy. We aim to respond to all legitimate requests within 30 days.

13) Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on our website and update the effective date at the top. If changes are material, we will provide additional notice to customer admins (e.g., by email or an in-product notification) where appropriate.

Your continued use of the Services after changes become effective constitutes acceptance of the updated Policy.

14) Contact

If you have questions about this Privacy Policy or wish to exercise your rights, contact: