
Privacy Policy

Last updated: February 24, 2026

1. Introduction

Welcome to Dewata AI. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI chatbot platform.

PT DEWATA ARTIFICIAL INTELLIGENCE, an Individual Limited Liability Company (Perseroan Terbatas Perorangan) established under the laws of the Republic of Indonesia, domiciled in Bali ("We", "Company"), acts as the Personal Data Controller for data collected through this platform.

This Privacy Policy is prepared in accordance with:

  • Law No. 27 of 2022 on Personal Data Protection (PDP Law)
  • Government Regulation No. 71 of 2019 on Electronic Systems and Transactions
  • Government Regulation No. 80 of 2019 on Electronic Commerce

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Password (encrypted)
  • Full name, phone number, company name, industry, company size, website URL, primary use case, referral source, country (optional, via extended profile)

2.2 Bot and Context Data

When you use our services, we store:

  • Bot configurations and settings
  • Knowledge base content (text and PDF documents)
  • Domain allowlists
  • API keys (hashed)
  • Vector embeddings generated from knowledge base documents (for RAG semantic search)
  • Workflow automation rules and execution logs

2.3 Usage and Conversation Data

We automatically collect:

  • Full conversation history (end-user messages and AI responses)
  • Conversation session data including duration and metadata
  • API usage statistics and request logs
  • Feature usage patterns

2.4 Channel Integration Data

When you connect WhatsApp Business, Instagram, or Telegram Bot to our platform, we collect:

  • WhatsApp Business Account ID and phone number
  • Instagram Business Account ID and username
  • Telegram Bot username and token
  • Access tokens (encrypted with AES-256-GCM) for API communication
  • Incoming messages from your customers
  • AI-generated responses for outbound delivery
  • Sender information (phone number, Instagram ID, or Telegram ID and display name)
  • Message timestamps and delivery status

2.5 Customer and Lead Data

To provide customer intelligence features, we collect and process:

  • Browser fingerprinting for cross-session visitor identification
  • Customer lifecycle tracking (visitor → lead → prospect → customer → repeat customer)
  • Lead scoring based on conversation signals (buying signals, hesitation, positive sentiment)
  • Hesitation detection for triggering promotional offers
  • Booking data (dates, times, service details)
  • Captured contact information (name, email, phone number)
  • Customer journey events and activity logs
  • Persistent customer memory (preferences, facts, interaction summaries, tags, purchase history) stored with confidence scores across sessions

2.6 E-Commerce Data

If you use e-commerce features, we store:

  • Product catalogs (names, descriptions, prices, images)
  • Order data and transaction history
  • Payment links generated through the chatbot
  • Merchant payment gateway configurations (encrypted with AES-256-GCM)
  • Product sync configurations (Google Sheets/CSV sources, auto-sync intervals)

4. How We Use Your Information

We use the collected information to:

  • Provide and maintain our services
  • Process your transactions and payments
  • Send service-related notifications
  • Improve our platform and develop new features
  • Prevent fraud and ensure security
  • Calculate lead scores and analyze prospect qualification
  • Provide customer analytics and lifecycle tracking
  • Trigger promotional offers based on hesitation signals
  • Process payments via Midtrans and merchant gateways
  • Facilitate conversation handoffs to human agents
  • Export lead data to Google Sheets when requested
  • Generate vector embeddings for semantic search (RAG)
  • Store persistent customer memory for personalized cross-session interactions
  • Execute automated workflow rules based on triggers
  • Sync product catalogs from external sources
  • Administer the platform via the admin panel with audit logging

5. Data Security

We implement industry-standard security measures including:

  • SSL/TLS encryption for data in transit
  • Encrypted storage for sensitive data (AES-256-GCM)
  • API keys hashed with SHA-256 before storage
  • Row Level Security (RLS) on the database
  • Access controls and authentication
  • Input validation and XSS/SQL injection detection

6. Third-Party Services

We use the following third-party services:

  • Supabase: Database and authentication
  • OpenAI/Anthropic: AI model providers
  • Vercel: Hosting and deployment
  • Midtrans: Platform payment processing (subscriptions and credit top-ups)
  • Midtrans, Xendit, Pakasir: Merchant payment gateways (used by merchant users to accept payments from their customers)
  • Meta (Facebook): WhatsApp Business API and Instagram Messaging API for channel integrations
  • Telegram Bot API: Telegram bot integration for automated messaging
  • Google (Google Sheets API): Lead data export to spreadsheets
  • Resend: Email notifications for leads and handoffs
  • Sanity Inc.: CMS for blog and changelog content management

7. Meta Platform and Telegram Integration

When using WhatsApp, Instagram, or Telegram integration:

  • Messages are processed through Meta's Cloud API or Telegram Bot API
  • We store message content to generate AI responses
  • Customer data is used solely for chatbot functionality
  • You can disconnect integrations and delete data at any time
  • We comply with Meta Platform Terms and Developer Policies
  • Access tokens are exchanged for long-lived tokens and stored encrypted

For more information about how Meta handles data, please refer to Meta's Privacy Policy.

8. Data Retention

We retain your data according to the following retention periods:

  • Financial transaction data: minimum 10 years from the transaction (per GR No. 80 of 2019)
  • Non-financial transaction-related data: minimum 5 years from the transaction (per GR No. 80 of 2019)
  • Conversation history: retained while the associated bot account is active, deleted 30 days after bot account closure
  • User account data: deleted 30 days after account deletion
  • Customer and lead data: retained while the bot owner's account is active
  • Customer memory: retained while bot account is active, deleted with customer record
  • Admin audit logs: retained minimum 2 years for compliance
  • Workflow execution logs: retained 90 days for debugging/audit

After the retention period expires, data will be permanently deleted unless otherwise required by applicable laws and regulations.

9. Your Rights

In accordance with Law No. 27 of 2022 on Personal Data Protection (PDP Law), you have the following rights:

  • Right to be informed — You have the right to know how your personal data is collected, processed, and used
  • Right to access and receive copies — You have the right to access and obtain copies of your personal data that we hold
  • Right to rectification — You have the right to request correction of inaccurate or incomplete personal data
  • Right to erasure — You have the right to request deletion of your personal data, subject to legal retention obligations
  • Right to withdraw consent — You have the right to withdraw consent previously given for personal data processing at any time
  • Right to data portability — You have the right to request that your personal data be transferred to another party in a commonly used format
  • Right to object to processing — You have the right to object to personal data processing, including automated decision-making such as lead scoring
  • Right to restrict processing — You have the right to request restriction of processing of your personal data under certain conditions
  • Right to lodge a complaint — You have the right to lodge a complaint with the supervisory authority (currently the Ministry of Communication and Digital / Komdigi)
  • Right to compensation — You have the right to receive compensation in the event of a violation of your personal data protection

To submit a request regarding your rights, please contact us at contact@dewataai.com. We will respond to your rights request within 3x24 hours in accordance with the PDP Law.

10. Cross-Border Data Transfer

In the course of providing our services, your personal data may be transferred to and processed outside the territory of the Republic of Indonesia by the following service providers:

  • Supabase — database hosting (servers may be located outside Indonesia)
  • Vercel — application hosting and global CDN
  • OpenAI/Anthropic — AI model processing (servers outside Indonesia)
  • Meta — WhatsApp and Instagram API (servers outside Indonesia)
  • Telegram — Bot API (servers outside Indonesia)
  • Google — Sheets API (servers outside Indonesia)
  • Sanity — CMS for blog and changelog content (servers outside Indonesia)
  • Midtrans — payment processing (servers in Indonesia)

We ensure that data recipients outside Indonesia provide a level of data protection that is equal to or higher than the PDP Law, through data processing agreements and adequate technical security measures.

11. Data Breach Notification

In the event of a personal data breach, we are committed to:

  • Notifying affected data subjects within 3x24 hours of the confirmed breach
  • Notifying the supervisory authority (currently the Ministry of Communication and Digital / Komdigi) within 3x24 hours
  • Including in the notification: the types of data affected, when and how the breach occurred, and remediation measures taken

To report a suspected data breach, please contact us at contact@dewataai.com.

12. Automated Decision-Making

Our platform performs automated processing of personal data, including:

  • Lead scoring — automated assessment based on conversation signals (buying signals, hesitation keywords, positive sentiment) to produce prospect qualification scores
  • Hesitation detection — automated analysis of conversation patterns to trigger promotional offers
  • Customer lifecycle classification — automated categorization of customers into stages: visitor → lead → prospect → customer → repeat customer
  • Workflow automation — rule-based triggers executing automated actions (keyword detection, lead score thresholds, lifecycle changes)

In accordance with the PDP Law, you have the right to object to automated decision-making. To submit an objection, please contact us at contact@dewataai.com.

13. Cookies and Fingerprinting

We use essential cookies for authentication and session management. We also use browser fingerprinting techniques for visitor identification to provide a continuous conversation experience across sessions. We do not use third-party tracking cookies.

By using the chatbot widget, end users consent to the use of browser fingerprinting techniques for visitor identification purposes. You may object to the use of fingerprinting by contacting us, though this may affect cross-session conversation functionality.

14. Children's Privacy

Our services are not intended for children under 13. We do not knowingly collect personal information from children.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.

16. Contact Us

If you have any questions about this Privacy Policy or wish to submit a request regarding your personal data rights, please contact us at:

PT DEWATA ARTIFICIAL INTELLIGENCE

contact@dewataai.com