Privacy Policy

1. Introduction

Level3 AI Pte. Ltd. ("Level3 AI", "we", "us", or "our") is a company incorporated in Singapore (UEN: 202244781R) with its registered office at 1 Fusionopolis Walk, #09-01 Solaris South Tower, Singapore 138628. We operate the platform available at level3-ai.com and provide conversational AI agents for customer support and sales teams across APAC enterprises.

This Privacy Policy explains how we collect, use, disclose, transfer, and store personal data when you visit our website, use our platform, or otherwise interact with Level3 AI. It applies to all personal data we process as a data controller and describes your rights in relation to that data.

We are committed to protecting personal data in compliance with the Singapore Personal Data Protection Act 2012 (PDPA), the European Union General Data Protection Regulation (GDPR) where applicable, Indonesia's Undang-Undang Perlindungan Data Pribadi (UU PDP), and other applicable data protection laws across the APAC region.

By accessing our website or using our platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please discontinue use of our services.

2. Data We Collect

2.1 Information You Provide Directly

When you create an account, request a demo, submit a contact form, or communicate with us, we collect information you provide directly, including:

• Identity and contact data: full name, job title, company name, work email address, and phone number.
• Account credentials: username and hashed password for platform access.
• Professional information: company size, industry, geographic markets you operate in, and a description of your support operation — collected during onboarding to configure your AI agents appropriately.
• Payment information: billing name, billing address, and credit card details. Card data is handled directly by our payment processor (Stripe Inc.) and is not stored on Level3 AI servers. We store only a tokenised reference and the last four digits of the card.
• Communications: the content of emails, chat messages, support tickets, and calls you have with our team.

2.2 Data Generated Through Platform Use

When you operate the Level3 AI platform, we collect data about how the platform is used and the interactions it processes:

• Configuration data: AI agent settings, escalation thresholds, integration credentials (stored encrypted), and knowledge base content you upload.
• Conversation data: transcripts of conversations between your customers and Level3 AI agents. This data belongs to you as the data controller. We process it as your data processor under the terms of our Data Processing Agreement.
• Performance data: resolution rates, CSAT scores, escalation event logs, API call records, and error logs generated by your AI agent deployment.
• User activity data: which dashboard features you access, configuration changes made by your team, and audit log entries.

2.3 Data Collected Automatically

When you visit level3-ai.com, we automatically collect:

• Device and browser data: IP address, browser type and version, operating system, device identifiers, and screen resolution.
• Usage data: pages visited, time spent on pages, links clicked, referring URLs, and navigation paths through the site.
• Cookie data: see our Cookie Policy for a detailed breakdown of the cookies we use and how to manage them.

2.4 Data From Third Parties

We may receive data about you from the following sources:

• CRM and helpdesk platforms (Salesforce, Zendesk, HubSpot, Freshdesk) that you integrate with the Level3 AI platform — specifically, account and ticket data your organisation shares via the integration.
• Business intelligence tools used by our sales and marketing teams to qualify enterprise leads, such as LinkedIn Sales Navigator and Apollo.io.
• Payment processors, who confirm payment status and notify us of subscription changes.

3. How We Use Your Data

We use the personal data we collect for the following purposes, and only where we have a lawful basis to do so:

3.1 Providing and Operating the Platform

We use your account data, configuration data, and conversation data to operate the Level3 AI platform — creating your account, running your AI agents, processing escalations, and generating analytics reports. The legal basis is performance of contract: we need this data to deliver the service you have subscribed to.

3.2 Customer Support and Onboarding

We use your contact data and support communications to answer your questions, help you configure integrations, diagnose technical problems, and onboard your team. The legal basis is performance of contract and our legitimate interest in providing effective customer support.

3.3 Billing and Payments

We use billing information to process subscription payments, issue invoices, handle refund requests, and manage subscription upgrades and cancellations. The legal basis is performance of contract and compliance with financial record-keeping obligations.

3.4 Product Improvement

We use aggregated, de-identified usage data and platform performance metrics to improve our product. We do not use individual conversation transcripts from your deployment to train or fine-tune any shared AI models. Model improvements are made using synthetic data and consented benchmark datasets. The legal basis is our legitimate interest in improving the platform for all customers.

3.5 Security and Fraud Prevention

We use technical and behavioural data to detect unauthorised access, prevent abuse, investigate security incidents, and protect the integrity of the platform. The legal basis is our legitimate interest in maintaining platform security.

3.6 Marketing Communications

With your consent, we send product updates, event invitations, and educational content relevant to conversational AI and APAC customer experience. You can withdraw consent at any time by clicking "unsubscribe" in any email or contacting us at hello@level3-ai.com. The legal basis is consent.

3.7 Legal and Regulatory Compliance

We retain and process data as required by applicable laws, including responding to lawful requests from government authorities and meeting audit requirements. The legal basis is legal obligation.

4. Data Sharing and Disclosure

We do not sell personal data. We share data with third parties only in the following circumstances:

4.1 Service Providers

We share data with service providers who help us operate Level3 AI under data processing agreements that restrict how they can use the data:

• Cloud infrastructure: Amazon Web Services (AWS), with data hosted in ap-southeast-1 (Singapore) for APAC customers. AWS acts as our infrastructure processor under the AWS Data Processing Addendum.
• Payment processing: Stripe Inc., which processes credit card payments. Stripe is PCI DSS Level 1 certified.
• Email communications: SendGrid (Twilio), used for transactional emails and product communications.
• Analytics: Mixpanel for product usage analytics. Data shared with Mixpanel is pseudonymised and does not include conversation transcripts.
• Customer support tooling: Intercom, used by our support team to manage customer communications.
• Error monitoring: Sentry, used to capture and diagnose application errors. Error logs are scrubbed of personal data before submission.

4.2 Customer Data in Integrations

When you connect Level3 AI to a third-party platform (Salesforce, Zendesk, etc.), data passes between Level3 AI and that platform per the integration you configure. You are responsible for ensuring that integration is permitted under your own data protection obligations to your customers.

4.3 Legal Requirements

We may disclose personal data to law enforcement agencies, courts, or regulatory authorities when required to do so by applicable law, court order, or governmental authority — including requests from the Personal Data Protection Commission of Singapore, Indonesia's Kominfo, or EU supervisory authorities.

4.4 Business Transfers

If Level3 AI is involved in a merger, acquisition, asset sale, or corporate restructuring, personal data may be transferred as part of that transaction. We will notify affected users before data is transferred and becomes subject to a different privacy policy.

5. International Data Transfers

Level3 AI stores customer data in AWS ap-southeast-1 (Singapore) by default. For customers who specifically require Indonesian data residency, we offer a deployment option using AWS ap-southeast-3 (Jakarta).

Where we transfer personal data outside of Singapore or the European Economic Area, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the relevant data protection authority, adequacy decisions where applicable, and binding corporate rules where the transfer is to an affiliated entity.

Our sub-processors (listed in Section 4.1) maintain data transfer agreements and certifications appropriate to the jurisdictions in which they operate. A current list of sub-processors is available upon request at hello@level3-ai.com.

6. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required by law.

• Account data: Retained for the duration of your subscription plus 2 years after account closure, to handle post-termination billing disputes and legal claims.
• Conversation transcripts: Retained for the duration of your subscription. On account closure, transcripts are deleted within 90 days unless you request earlier deletion or an export. Certain financial services customers may have regulatory retention requirements of up to 5 years, which are handled under separate data processing agreements.
• Payment records: Retained for 7 years to meet financial record-keeping requirements under Singapore's Companies Act and applicable tax legislation.
• Marketing data: Retained until you withdraw consent or request deletion.
• Server logs and security data: Retained for 12 months from the date of generation.
• Support communications: Retained for 3 years after the resolution of the support request.

When data reaches the end of its retention period, it is deleted from production systems and backups within 30 days, except where deletion is technically impracticable due to backup architecture, in which case the data is isolated and not accessed until it is overwritten in the normal backup rotation cycle.

7. Your Rights

Depending on your jurisdiction, you have the following rights in relation to your personal data:

7.1 Rights Under Singapore PDPA

• Right of access: You may request a copy of the personal data we hold about you, along with information about how we use it.
• Right of correction: You may request that we correct personal data that is inaccurate or incomplete.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
• Right to data portability: Under the PDPA's data portability obligation (effective May 2024), you may request that we transfer your data to another organisation in a machine-readable format, where technically feasible.

7.2 Additional Rights Under GDPR (EU/EEA Residents)

If you are located in the European Economic Area, the GDPR grants you additional rights:

• Right to erasure ("right to be forgotten"): You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent and there is no other lawful basis for processing.
• Right to restrict processing: You may request that we limit how we use your data in certain circumstances.
• Right to object: You may object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to lodge a complaint: You have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu.

7.3 Exercising Your Rights

To exercise any of these rights, contact us at hello@level3-ai.com with the subject line "Privacy Rights Request". We will respond within 30 days. If your request is complex or numerous, we may extend this period by a further 30 days, with notice.

We may need to verify your identity before fulfilling a rights request. This is a security measure to prevent unauthorised disclosure of personal data to a third party claiming to be you.

8. Cookies

We use cookies and similar tracking technologies on level3-ai.com. For a full description of the cookies we use, their purpose, and how to manage your cookie preferences, please read our Cookie Policy.

In summary, we use:

• Essential cookies: Required for the website and platform to function. Cannot be disabled without breaking core features.
• Analytics cookies: Help us understand how visitors use our website. We use Mixpanel for this purpose. These cookies are active only if you consent.
• Preference cookies: Store your cookie consent choice and platform preferences such as UI language and dashboard layout.

9. Security

Level3 AI implements technical and organisational measures appropriate to the risk level of the data we process:

• Encryption in transit: All data transmitted between your browser, our platform, and our API endpoints is encrypted using TLS 1.2 or TLS 1.3.
• Encryption at rest: All data stored on AWS is encrypted at rest using AES-256. Database backups are encrypted with separate key management.
• Access controls: Access to production systems is restricted to a small number of authorised engineers via multi-factor authentication and individual credentials. Access logs are retained for 12 months.
• Penetration testing: Our platform undergoes external penetration testing annually. Results and remediation timelines are available to enterprise customers under NDA upon request.
• SOC 2 Type II: Our SOC 2 Type II audit is in progress. Enterprise customers can request the current audit status and expected completion date.
• Incident response: In the event of a personal data breach, we will notify affected customers and relevant regulators within the timeframes required by applicable law — 72 hours under GDPR and within 3 business days under PDPA notification obligations.

No security measure is infallible. We cannot guarantee absolute security of data transmitted over the internet. We encourage you to use strong, unique passwords for your Level3 AI account and to enable two-factor authentication, which is available to all users.

10. Children's Data

The Level3 AI platform is designed for use by businesses and their employees. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently collected data from a minor, please contact us at hello@level3-ai.com and we will delete it promptly.

11. Links to Third-Party Sites

Our website may contain links to third-party websites. These links are provided for your convenience. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before sharing any personal data.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will notify you by email (if you have an account) and by posting a prominent notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.

Your continued use of level3-ai.com or the Level3 AI platform after a policy update constitutes acceptance of the updated terms.

13. Data Protection Officer

Level3 AI has designated a Data Protection Officer (DPO) responsible for overseeing compliance with data protection laws. The DPO can be contacted at:

• Email: dpo@level3-ai.com
• Postal address: Data Protection Officer, Level3 AI Pte. Ltd., 1 Fusionopolis Walk, #09-01 Solaris South Tower, Singapore 138628

14. Contact Us

For general privacy enquiries, data rights requests, or questions about this policy:

• Email: hello@level3-ai.com
• Website: level3-ai.com/contact
• Postal address: Level3 AI Pte. Ltd., 1 Fusionopolis Walk, #09-01 Solaris South Tower, Singapore 138628

For complaints related to Singapore PDPA compliance, you may also contact the Personal Data Protection Commission at pdpc.gov.sg.