// LEGAL

Privacy
Policy

This page is available in Bahasa Indonesia and English. Click ID to switch.
Ashari Tech — Effective Date: February 12, 2026 — Last Updated: February 12, 2026

Versi Bahasa Indonesia tersedia di Kebijakan Privasi. The Indonesian version of this Privacy Policy is the legally binding version. This English translation is provided for convenience.

1. Introduction

This Privacy Policy describes how Ashari Tech (“we”, “our”, or “us”) collects, uses, stores, and protects your personal data when you use our services and products.

This policy applies to all websites, applications, platforms, and services operated by Ashari Tech, including but not limited to:

  • Ashari Tech (ashari.tech) — Company website, employee portal, and internal management services
  • Ashari Cloud (ashari.cloud) — AI-powered automation platform with Gmail, Google Calendar, and other third-party service integrations
  • AI services, workflow automation, and other custom client solutions

By accessing or using our services, you agree to the data collection and usage practices described in this policy.

2. Information We Collect

2.1 Account and Identity Data

When you register or sign in to our services, we collect:

  • Full name (first name and last name)
  • Email address
  • Profile photo (if provided via Google account or uploaded manually)
  • Phone number (if provided)
  • Google account information (if you sign in using Google OAuth)

2.2 Service Usage Data

Depending on the features you use, we may collect the following additional data:

  • Attendance data: clock-in/out times, selfie photos during check-in, geographic location (latitude, longitude), location address
  • Device information: browser user agent, IP address
  • Form data: personal information submitted through registration, onboarding, or other service forms
  • Assignments and assessments: assignment submissions, grades, and feedback
  • Reports and notes: activity logs, skill assessments, and reflections
  • AI conversation history: messages sent and received in interactions with our AI services
  • Integration configurations: third-party service connection settings and workflow automation configurations
  • Webhook data: data received from integrated services (email, calendar, messages)

2.3 Google API Data

When you connect your Google account through Ashari Cloud’s Integrations page, we request access to the following specific OAuth scopes:

  • Gmail (read-only — gmail.readonly): List and read your email messages, view message headers (from, to, subject, date), message body content, attachment metadata, and Gmail labels. We do not send, modify, or delete any emails.
  • Email address (userinfo.email): Your primary Google Account email address, used to identify which account is connected and displayed in the Integrations dashboard.
  • Profile information (userinfo.profile): Your display name and profile picture, shown in the Integrations dashboard for visual identification of the connected account.

Important: Email content is fetched on-demand from Google’s servers and displayed directly in your browser. We do not store, cache, or copy your email content on our servers. Only your OAuth tokens (encrypted) and basic profile information (email, name, profile picture) are persisted.

2.4 Technical and Analytics Data

  • IP address and device information
  • Browser type and version
  • Pages visited and visit duration
  • Interaction data with service features
  • Cookies and similar tracking technologies

3. Purpose of Data Use

We use your data for the following purposes:

  1. Service Provision: Providing, operating, and maintaining the service features you use, including authentication, automation, and data management
  2. Authentication and Security: Verifying your identity, managing login sessions, preventing unauthorized access, and protecting account security
  3. Internal Management: Managing attendance, assignments, courses, onboarding, and reporting for employees and internship program participants
  4. Workflow Automation: Executing automated tasks configured on our platform
  5. Communication: Sending verification emails, service-related notifications, and important information about your account
  6. Service Improvement: Analyzing service usage to improve features, performance, and user experience
  7. Legal Compliance: Fulfilling legal obligations, including internship program reporting to relevant educational institutions

4. Legal Basis for Processing

We process your personal data based on the following legal grounds in accordance with Law Number 27 of 2022 on Personal Data Protection (UU PDP):

  • Consent: You provide consent when registering an account, authorizing Google API access, or enabling specific features
  • Contractual Necessity: Processing necessary to provide the services you have requested
  • Legitimate Interest: For system security, fraud prevention, and service improvement
  • Legal Obligation: To comply with applicable laws and regulations

5. Google API Services Compliance

Ashari Cloud’s use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use Disclosure

Specifically, our use of Google user data is limited to the following practices:

  1. We only use Google user data to provide or improve user-facing features that are prominent in the requesting application’s user interface. Ashari Cloud uses Gmail data solely to display your emails within the Ashari Cloud dashboard.
  2. We do not transfer Google user data to third parties unless necessary to provide or improve user-facing features, required to comply with applicable laws, or needed for security purposes such as investigating abuse.
  3. We do not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
  4. We do not allow humans to read Google user data unless: (a) you have given affirmative consent to view specific data (e.g., for technical support), (b) it is necessary for security purposes (investigating abuse or security incidents), (c) it is required to comply with applicable law, or (d) the data is aggregated and anonymized for internal operations.

How We Handle Google Data

  • Email content is fetched in real-time from Google’s servers via the Gmail API and displayed directly to you. We do not store, cache, index, or copy email content on our servers.
  • OAuth tokens (access and refresh tokens) are encrypted at rest using AES-256-GCM and stored in our database solely to maintain your authorized session. Tokens are immediately deleted when you disconnect your Google account.
  • Profile information (email address, display name, profile picture URL) is stored to identify and display the connected account in the Integrations dashboard.

6. Data Storage and Security

  • Encryption at Rest: All credentials, tokens, and sensitive data are encrypted using AES-256-GCM
  • Encryption in Transit: All data communication uses TLS 1.3 encryption
  • Access Control: Data access is strictly limited to authorized personnel only
  • Token Management: OAuth tokens are automatically refreshed and securely stored; revoked tokens are immediately deactivated
  • File Storage: Uploaded files are stored in encrypted cloud storage services
  • Credential Hashing: Passwords and sensitive credentials are hashed using bcrypt and cannot be read back

7. Data Retention

We retain your personal data for as long as necessary for the purposes described in this policy:

  • Account data: For as long as your account is active and up to 30 days after account deletion
  • Authentication tokens: Up to 30 days from issuance; revoked tokens are automatically deleted after expiry
  • Operational data: For as long as required for administrative and reporting purposes
  • Analytics data: Stored in aggregate and anonymous form without a specific time limit
  • Google API tokens: Retained only while your Google integration is active. Immediately deleted when you disconnect your Google account via the Integrations page or revoke access via Google Account Permissions
  • Google email content: Not stored. Email data is fetched on-demand from Google’s servers and never persisted on our infrastructure

8. Third-Party Data Sharing

We do NOT:

  • Sell your personal data to third parties
  • Use your data for advertising purposes
  • Share your data with third parties except as described below

We use the following third-party service providers to operate our services:

  • Supabase: User authentication (Google OAuth and email/password)
  • Google Cloud: OAuth services, Gmail API, Calendar API, Drive API, Google Workspace
  • Amazon Web Services (AWS): Cloud hosting, file storage, encryption key management, message queues
  • MongoDB Atlas: Encrypted database storage
  • Cloudflare: Content delivery network (CDN) and security
  • Resend: Transactional email delivery (email verification, notifications)
  • Google Analytics: Website usage analytics (anonymous and aggregate data)

These service providers are bound by strict confidentiality agreements and security standards. We only share the minimum data necessary to operate our services.

Google user data specifically: Data obtained through Google API scopes (email content, profile information) is never shared with, sold to, or transferred to any third party, except where required to comply with applicable law or as part of a security investigation. Email content is not stored on our servers and therefore cannot be shared.

9. Cookies and Tracking Technologies

We use cookies and similar technologies for:

  • Authentication cookies: Store session tokens to keep you signed in (HTTP-only, secure, valid for 30 days)
  • OAuth cookies: Temporary cookies during the login process that are automatically deleted after authentication completes (valid for 10 minutes)
  • Analytics cookies: To collect anonymous usage data through Google Analytics

You can manage cookie preferences through your browser settings. Disabling authentication cookies will require you to sign in again each time you access the service.

10. Your Rights

In accordance with the UU PDP and applicable data protection regulations, you have the following rights:

  • Right of Access: Request information about your personal data that we hold
  • Right to Correction: Request correction of inaccurate or incomplete personal data
  • Right to Deletion: Request deletion of your personal data, subject to applicable legal obligations
  • Right to Restriction: Request restriction of processing of your personal data under certain conditions
  • Right to Withdraw Consent: Withdraw your consent at any time for processing based on consent
  • Right to Revoke Google Access: Revoke our application’s access to your Google account at any time via Google Account Permissions

To exercise your rights, please contact us using the contact information at the bottom of this policy.

11. Children’s Privacy

Our services are not intended for children under the age of 13. For users aged 13-17 participating in the internship program (PKL), use of services is conducted with the consent and supervision of parents/guardians and educational institutions. We do not knowingly collect personal data from children under 13.

12. International Data Transfer

Your data may be stored and processed on servers located in Indonesia (Jakarta) and other locations where our service providers operate. We ensure that any international data transfers are protected by appropriate security measures, including encryption and data processing agreements.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be notified through:

  • Email notification to registered users
  • Prominent notice on our website
  • In-app notifications where applicable

Continued use of our services after policy changes constitutes your acceptance of the updated policy.

14. Legal Compliance

We comply with:

  • Law Number 27 of 2022 on Personal Data Protection (UU PDP)
  • Data protection regulations of the Republic of Indonesia
  • Google API Services User Data Policy
  • Applicable industry security standards

15. Data Retention & Destruction

In compliance with UU PDP Article 14 (Storage Limitation), we retain personal data only as long as necessary for the purposes stated in this policy or as required by law.

Retention Periods by Data Category

📝 Account Data

  • Active Accounts: Retained while account is active
  • Inactive Accounts: 12 months after last login, then marked for deletion
  • Deleted Accounts: 30 days grace period, then permanent deletion

⏰ Attendance Records

  • Current Employees/Interns: Retained for employment duration + 3 years
  • Former Employees/Interns: 3 years after program completion (for academic/legal requirements)
  • Selfie Photos: Automatically deleted 90 days after clock-in event

🔐 Authentication Tokens

  • Access Tokens: 1 hour (automatically expired)
  • Refresh Tokens: 30 days or until revoked
  • Revoked Tokens: Blocklist maintained for 30 days, then purged

📊 Analytics & Logs

  • Application Logs: 90 days
  • Security Logs: 1 year
  • Aggregated Analytics: Indefinitely (anonymized, no personal identifiers)

💬 User-Generated Content

  • Assignment Submissions: 2 years after submission
  • Weekly Reports: 2 years after submission
  • Support Tickets: 1 year after resolution

🗑️ Secure Deletion Procedures

When retention periods expire or deletion is requested, we use the following methods:

  • Database Records: Permanent deletion with no recovery option (hard delete, not soft delete)
  • Encrypted Files: Encryption key deletion + file overwrite
  • Backups: Removed from next backup cycle (within 30 days)
  • Third-Party Systems: Deletion requests sent to all data processors

⚖️ Legal Hold Exception: Data may be retained beyond stated periods if required for ongoing legal proceedings, investigations, or regulatory compliance. You will be notified if your data is subject to legal hold.

16. Data Breach Notification

In compliance with UU PDP Article 66 (Data Breach Notification), we have established comprehensive procedures for detecting, responding to, and notifying affected parties of personal data breaches.

🚨 What Constitutes a Data Breach

A data breach occurs when there is:

  • Unauthorized access to personal data systems
  • Accidental or unlawful destruction, loss, alteration, or disclosure of personal data
  • Compromise of security controls protecting personal data
  • Ransomware attacks affecting personal data availability

⏱️ Notification Timelines

To Regulatory Authorities (Ministry of Communication and Informatics)

  • Within 72 hours of breach discovery
  • Includes: nature of breach, estimated affected individuals, potential consequences, mitigation measures

To Affected Individuals (You)

  • Without undue delay when breach poses high risk to your rights
  • Via email, in-app notification, and website banner
  • Includes: description of breach, types of data affected, steps taken, recommended actions, contact information

🛡️ Breach Response Procedures

  1. Detection & Assessment (0-24 hours):
    • Automated monitoring systems detect anomalies
    • Security team investigates and confirms breach
    • Assess scope, affected data, and potential impact
  2. Containment (24-48 hours):
    • Isolate affected systems
    • Block unauthorized access
    • Preserve evidence for investigation
  3. Notification (48-72 hours):
    • Notify regulatory authorities
    • Notify affected individuals
    • Coordinate with law enforcement if criminal activity suspected
  4. Remediation (Ongoing):
    • Apply security patches
    • Enhanced monitoring
    • User assistance (password reset, fraud monitoring)
  5. Post-Incident Review:
    • Root cause analysis
    • Update security controls
    • Documentation for compliance

📞 Breach Notification Contact: If you believe your personal data has been compromised, contact our Data Protection Officer immediately at [email protected]

17. Complaints & Redress Mechanism

You have the right to file complaints regarding our processing of your personal data. We are committed to resolving complaints fairly and promptly in accordance with UU PDP requirements.

📝 How to File a Complaint

  1. Submit Complaint to Our DPO:
    • Email: [email protected]
    • Subject: “Personal Data Complaint - [Your Name]”
    • Include: Your full name, account email, description of complaint, desired resolution
  2. We Acknowledge Your Complaint:
    • Within 3 business days
    • Complaint tracking number provided
  3. Investigation & Response:
    • Complete investigation within 14 days
    • Written response provided within 30 days (as required by UU PDP)
    • Complex cases may require extension - you will be notified

🏛️ Escalation Options

If you are not satisfied with our resolution, you may escalate to:

1. Ministry of Communication and Informatics (Kominfo)

2. Independent Dispute Resolution

  • Mediation through recognized Indonesian dispute resolution bodies
  • We commit to participate in good faith mediation

3. Legal Action

  • You may pursue civil remedies under UU PDP
  • Indonesian courts have jurisdiction

💰 Compensation & Remedies

Where we determine that your rights have been violated, we may provide:

  • Correction or deletion of inaccurate/unlawful data
  • Free credit monitoring services (in case of data breach)
  • Account restoration or reactivation
  • Financial compensation (where material harm occurred)
  • Written apology and explanation of corrective actions

18. Data Protection Officer (DPO)

As required by UU PDP Article 50, we have appointed a Data Protection Officer responsible for overseeing our data protection strategy and ensuring compliance with Indonesian data protection law.

👤 DPO Contact Information

  • Name: Ashari Tech Data Protection Officer
  • Email (Primary): [email protected]
  • Email (Security & Breaches): [email protected]
  • Response Time: Within 3 business days
  • Office Hours: Monday - Friday, 9:00 AM - 5:00 PM WIB

📋 DPO Responsibilities

  • Monitoring compliance with UU PDP and internal data protection policies
  • Advising on data protection impact assessments (DPIAs)
  • Serving as point of contact for data subjects (you) and regulatory authorities
  • Investigating data protection complaints and incidents
  • Conducting employee training on data protection
  • Maintaining records of processing activities
  • Reporting directly to senior management with independence

🔒 Independence Guarantee: Our DPO operates independently and reports to the highest management level. The DPO cannot be dismissed or penalized for performing their duties in accordance with UU PDP.

19. Contact Us

For questions, requests, or complaints regarding privacy and personal data:

Ashari Tech — AI Solutions & Technology Consulting — Made in Indonesia — Last reviewed: February 12, 2026