← All posts

Compliance·6 Jul 2026·5 min read

A plain-English PDPA checklist for using AI in customer messaging

Using AI to reply to customers in Singapore? Here's a plain-English PDPA checklist covering consent, sensitive data, and overseas processing — without the legalese.

Singapore's Personal Data Protection Act (PDPA) applies whenever your business collects, uses, or shares personal data — and that includes the WhatsApp messages your customers send you. If you're adding an AI assistant to reply to those messages, here's what to keep in mind, in plain English.

This is a practical checklist, not legal advice. When in doubt, talk to a professional — but these are the questions worth asking of any tool before you point it at customer conversations.

1. Do you have a basis to use the data?

Under the PDPA you generally need consent (or another lawful basis) to collect and use personal data. A customer messaging you to enquire about your service typically implies consent to use their message to respond — but be clear about what you do with it beyond that, and don't repurpose it for unrelated marketing without asking.

2. What happens to sensitive identifiers?

NRIC numbers, financial details, and health information deserve extra care. A good AI setup redacts these before anything is stored or sent to a third-party model, so the most sensitive data never leaves your control in the first place.

  • Ask whether NRIC and card numbers are stripped at the point of ingestion.
  • Ask whether raw messages are retained, and for how long.
  • Ask whether your conversations are used to train the vendor's AI models.

3. Where is the data processed?

Many AI tools send data overseas for processing. The PDPA's Transfer Limitation Obligation means you're responsible for ensuring data sent abroad gets comparable protection. Ask your vendor where processing happens and what safeguards are in place.

4. Can customers get their data deleted?

The PDPA gives individuals rights to access and correct their data. Make sure your tool lets you delete a specific customer's data on request, and that you have a clear channel for those requests.

The safest AI setup is one where sensitive data is redacted before storage, retention is bounded, and your conversations are never used to train someone else's model.

How microcrew approaches this

microcrew is built for Singapore. Sensitive identifiers like NRIC and card numbers are stripped before anything is stored or sent to the AI, retention windows are bounded and configurable, and your customers' conversations are never used to train third-party models. It's designed so you can automate replies without losing control of customer data.

Let microcrew handle the replies.

An AI assistant that answers your WhatsApp, books appointments, and follows up leads — built for Singapore businesses.

Request early access →