Privacy Policy
Last updated: April 2026
This Privacy Policy describes how Vialode ("we", "us", "our") collects, uses, stores, and protects personal data when you use our platform, APIs, dashboard, and related services ("Service"). This policy applies to all users of the Service, including visitors to our website.
We are committed to complying with the Personal Data Protection Act 2010 (PDPA 2010) of Malaysia as our primary data protection framework. For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with applicable data protection laws, additional provisions are set out in Section 14 below.
1. Data Controller
Vialode is the data controller responsible for the personal data collected through the Service. For data protection inquiries:
- Data Protection Officer: dpo@vialode.com
- General privacy inquiries: privacy@vialode.com
- Registered address: Malaysia (full address available on request)
2. Personal Data We Collect
We collect the following categories of personal data:
2.1 Data you provide directly
- Account information: Email address, company name, role/job title when you register for the Service or join our waitlist.
- Payment information: Billing details processed by our third-party payment processor. We do not store full payment card numbers on our systems.
- Communications: Information you provide when you contact our support team or respond to surveys.
2.2 Data generated through your use of the Service
- Usage data: API calls made, documents processed, features used, timestamps, error logs.
- Technical data: IP address, browser type, device information, referring URLs, collected via server logs and analytics.
2.3 Customer Data (uploaded documents)
- Trade documents: Documents you upload for processing (e.g., bills of lading, commercial invoices, packing lists). These documents may contain personal data of third parties, such as names, addresses, and contact details of shippers, consignees, freight forwarders, and other parties.
- Extracted data: Structured output produced by the Service from your uploaded documents.
3. Purposes and Legal Basis for Processing
We collect and use your personal data for the following purposes:
| Purpose | Legal basis (PDPA) |
|---|---|
| Providing and operating the Service | Contractual necessity |
| Processing uploaded documents and returning extracted data | Contractual necessity |
| Tracking usage for billing | Contractual necessity |
| Sending product updates and security notices | Legitimate interest / Consent |
| Sending marketing communications | Consent (opt-in) |
| Responding to support requests | Contractual necessity |
| Improving the Service (aggregated analytics) | Legitimate interest |
| Complying with legal obligations | Legal requirement |
| Preventing fraud and ensuring security | Legitimate interest |
4. Third-Party Personal Data in Customer Documents
Trade documents typically contain personal data of third parties (e.g., shipper names and addresses, consignee details, notify party information). If you upload documents containing third-party personal data:
- You represent and warrant that you have lawful authority to process and share such data with us, and that doing so complies with all applicable data protection laws.
- You are the data controller for any third-party personal data contained in your Customer Data. We process such data solely on your behalf and in accordance with your instructions (i.e., to provide the Service).
- You are responsible for fulfilling any data subject rights requests from those third parties with respect to their personal data in your documents.
5. Data Sharing and Disclosure
We do not sell your personal data. We share personal data only in the following circumstances:
- AI processing providers: Document content is transmitted to third-party AI service providers (currently based in the United States) for document extraction and processing. Only the document content is shared — your account information is never transmitted to AI providers. See Section 7 for cross-border transfer details.
- Cloud infrastructure providers: We use enterprise-grade cloud services with servers located in the Asia-Pacific region for hosting, storage, and compute. See Section 7 for cross-border transfer details.
- Payment processors: Billing information is processed by our third-party payment provider.
- Analytics providers: We use privacy-respecting analytics to understand website usage. No personal data is shared with advertising networks.
- Legal compliance: We may disclose personal data if required by law, regulation, legal process, or governmental request.
- Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.
6. Data Storage and Security
- Primary storage location: Asia-Pacific region. As no major hyperscaler operates a data centre in Malaysia at this time, your data is stored outside Malaysia subject to the cross-border transfer safeguards described in Section 7.
- Encryption at rest: All stored data is encrypted using AES-256 encryption.
- Encryption in transit: All data transmitted between your systems and ours is protected by TLS 1.2 or higher.
- Tenant isolation: Customer Data is logically isolated per organization. Access controls and database-level policies prevent cross-tenant data access.
- Access controls: Access to personal data is limited to authorized personnel on a need-to-know basis.
For more details on our security practices, see our Security page.
7. Cross-Border Data Transfers
Vialode is a Malaysian company. In the course of providing the Service, personal data is transferred to and stored in jurisdictions outside Malaysia:
- Cloud hosting: Your data is stored on enterprise cloud infrastructure servers located in the Asia-Pacific region, as no major hyperscaler currently operates a data centre in Malaysia.
- AI processing: Document content is transmitted to AI service providers in the United States for processing. We ensure these transfers are protected by appropriate contractual safeguards.
- Support and operations: Our team may access data from locations outside Malaysia in the course of providing support.
In accordance with Section 129 of the PDPA 2010, we ensure that any recipient of personal data outside Malaysia provides a standard of protection that is at least comparable to the protection afforded by the PDPA 2010, through contractual arrangements and due diligence on the recipient's data protection practices.
8. Data Retention
- Account data: Retained for the duration of your active account plus 30 days after account termination to allow for data export.
- Uploaded documents and extracted data: Retained for 90 days by default. You may request earlier deletion at any time.
- Waitlist data: Email, company name, and role are retained until you are onboarded or you request deletion.
- Usage and billing records: Retained for up to 7 years as required by applicable tax and accounting laws.
- Server logs: Retained for up to 90 days for security monitoring and debugging purposes.
After the applicable retention period, personal data is permanently deleted or irreversibly anonymized.
9. AI and Automated Processing
The Service uses artificial intelligence and machine learning to process documents and extract structured data. You should be aware that:
- Document content is transmitted to third-party AI providers for processing.
- No training on your data: We do not use your Customer Data to train AI models without your explicit, prior written consent.
- AI-generated outputs may contain errors. You are responsible for verifying the accuracy of extracted data before relying on it.
- No fully automated decisions with legal or significant effects are made about individuals based on AI processing of your documents.
10. Cookies and Tracking
Our website uses:
- Essential cookies: Required for the website and Service to function (e.g., session management, authentication). These cannot be disabled.
- Analytics cookies: Used to understand how visitors use our website. These are only set with your consent where required by applicable law.
We do not use advertising cookies or share data with advertising networks.
11. Your Rights
Under the PDPA 2010 and other applicable data protection laws, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete personal data.
- Withdrawal of consent: Withdraw consent for processing where consent is the legal basis (e.g., marketing communications). This does not affect the lawfulness of processing prior to withdrawal.
- Deletion: Request deletion of your personal data, subject to our legal obligations to retain certain records.
- Data portability: Export your data via the API or request a machine-readable copy.
To exercise any of these rights, contact us at privacy@vialode.com. We will respond to access requests within 21 days and correction requests within 14 days, as required by the PDPA 2010.
12. Data Breach Notification
In the event of a data breach that results in, or is likely to result in, significant harm to individuals:
- We will notify the Jabatan Pelindungan Data Peribadi (JPDP) within the timeframe prescribed by the PDPA 2010 (as amended) upon assessing that the breach is notifiable.
- We will notify affected individuals as soon as practicable.
- For EU/EEA users, we will notify the relevant supervisory authority within 72 hours as required by the GDPR.
13. Children's Privacy
The Service is designed for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor, we will take steps to delete such data promptly.
14. Additional Provisions for EU/EEA and UK Users
If you are located in the European Economic Area or United Kingdom, the following additional provisions apply:
- Legal basis for processing: We process your personal data under: (a) contractual necessity (to provide the Service); (b) legitimate interest (improving the Service, security, fraud prevention); and (c) consent (marketing communications).
- Additional rights: You have the right to: restrict processing, object to processing based on legitimate interest, lodge a complaint with your local supervisory authority, and not be subject to automated decision-making with legal effects.
- Data transfers: Transfers of personal data outside the EEA/UK are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.
- Data Processing Agreement (DPA): A DPA is available on request for customers who require one under the GDPR. Contact privacy@vialode.com.
15. Do Not Track
Our website does not currently respond to "Do Not Track" (DNT) browser signals, as there is no industry-standard specification for DNT compliance. We do not track users across third-party websites.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-product notification at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
17. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or your personal data:
- Data Protection Officer: dpo@vialode.com
- General privacy inquiries: privacy@vialode.com
If you are not satisfied with our response, you may lodge a complaint with the Jabatan Pelindungan Data Peribadi (JPDP) of Malaysia at www.pdp.gov.my.