Singapore's Personal Data Protection Act is 12 years old. Most SME owners have heard of it. Very few have read it. And when an AI chatbot enters the picture, the PDPA questions that were previously theoretical become practically urgent — because an AI that talks to customers is, by definition, collecting and processing personal data.
This article is a plain-English guide to what PDPA actually requires from an AI deployment, and what most vendors quietly skip.
The three things PDPA actually cares about for AI chat
1. Consent — was the person told the AI might collect their data?
Under PDPA, you need to notify individuals about what personal data you are collecting and why before you collect it. For an AI chatbot, this means the person starting a conversation should know, at minimum, that they are talking to an AI, that the conversation may be stored, and what you intend to do with that information.
Most AI chatbot deployments skip this entirely. The chat window opens, the conversation starts, and the prospect has no idea that their name, phone number, or enquiry details are being logged in a system.
The fix is simple: a one-line disclosure at the start of the conversation. "This is an AI assistant. Conversations may be stored to improve our service. By continuing, you agree to our privacy policy." That is sufficient for most PDPA purposes — not a compliance document, just an honest disclosure.
2. Data minimisation — are you collecting only what you need?
PDPA requires that you collect only personal data that is "necessary for a legitimate purpose." An AI chatbot that asks for someone's full name, NRIC number, date of birth, and home address in order to answer a question about your operating hours is collecting far more than it needs to.
The practical test is this: for every piece of personal data the AI collects, ask whether removing it would prevent the AI from doing its job. If the answer is no, you probably shouldn't be collecting it.
"PDPA doesn't require you to build a compliance fortress around your chatbot. It requires you to be reasonable about what you collect and honest about what you do with it."
3. Storage and access — where does the conversation data live, and who can see it?
Conversation logs from an AI chatbot contain personal data. That data needs to be stored securely, accessible only to people who need it, and retained only for as long as necessary.
The questions to ask your AI vendor:
- Where are conversation logs stored? (Singapore vs overseas matters for PDPA cross-border transfer rules)
- Who at the vendor has access to conversation logs?
- How long are logs retained before deletion?
- Is conversation data used to train the AI model? (If yes, your customers' personal data is potentially feeding a model — this requires explicit disclosure)
The question most vendors don't want you to ask
Is your customers' data being used to train or improve the AI model?
Some AI chatbot platforms use conversation data — including the personal data of the people your customers tell the AI — to improve their underlying model. This is often buried in terms of service rather than surfaced in the sales process.
If a customer tells your AI chatbot their name, budget, health condition, or business challenge, and that conversation is feeding into model training, you have a PDPA disclosure problem. The customer consented to talk to your AI assistant; they did not consent to their personal data being used to improve a commercial AI model.
The PDPA-compliant answer is that conversation data is used only for the purposes it was collected for — answering the customer's question and logging the conversation for your business — and not for any third-party model training.
What Ludi does, for transparency
LudiChat is Singapore-hosted. Conversation data is not used for model training. The AI answers from your documents — not from a model trained on your customers' conversations. Consent disclosure is configurable in the chat setup. Conversation logs are retained per the terms agreed with each client and can be deleted on request.
This is not a comprehensive legal opinion — PDPA has nuances that depend on your specific industry and use case, and we recommend reviewing your deployment with a legal advisor if you operate in a regulated sector. But these are the baseline requirements that every AI chatbot deployment in Singapore should meet.
The practical checklist
- Add a consent disclosure at the start of AI conversations
- Collect only data that is necessary for the conversation's purpose
- Confirm with your vendor where data is stored and who has access
- Ask explicitly whether conversation data is used for model training
- Define a retention period for conversation logs and ensure it is enforced
- Ensure opt-out requests (for WhatsApp contacts) are handled automatically
If you are evaluating AI vendors for your Singapore business and want to know how LudiChat handles PDPA compliance in practice, we are happy to walk through the specific controls during a demo.