Privacy Policy
Last Updated: November 10, 2025
1. Introduction
This Privacy Policy describes how SmartAira (the "Service") collects, uses, and protects your personal information. This Service is operated within the Republic of Indonesia and complies with Indonesian data protection laws, including UU No. 27 Tahun 2022 tentang Pelindungan Data Pribadi (Personal Data Protection Law). By using the Service, you consent to the collection and use of information in accordance with this policy. This Service is intended exclusively for users within Indonesia.
2. Information We Collect
We collect the following types of information: Personal Information: • Username and display name • Email address • Phone number (optional) • Organization affiliation • User role and permissions • Account credentials (passwords are encrypted) • Profile information (first name, last name) Meeting Data: • Meeting recordings and audio files • Meeting transcripts and diarization data • Meeting metadata (title, date, duration, participants, location) • AI-generated content (summaries, recommendations, regulation extractions) • Chat conversations with the AI assistant • Meeting evaluations and analytics Voice Biometric Data: • Voice enrollments and voice prints • Speaker identification data • Audio samples for voice training Documents and Materials: • Uploaded documents and files • Material metadata • Document annotations Technical Information: • IP addresses • Browser type and version • Device information • Operating system • Access logs and timestamps • System usage patterns • Cookies and session data
3. How We Use Your Information
We use the collected information for the following purposes: Service Provision: • Authenticate and authorize users • Provide meeting transcription and analysis • Perform speaker identification and diarization • Generate AI-powered summaries, recommendations, and regulation extractions • Enable chat functionality with AI assistant • Manage meetings, materials, and documents • Provide analytics and evaluations Security and Compliance: • Monitor system access and usage • Detect and prevent unauthorized access • Maintain audit logs as required by law • Ensure compliance with organizational policies • Investigate security incidents Service Improvement: • Analyze usage patterns to improve functionality • Troubleshoot technical issues • Enhance AI model accuracy • Improve speaker identification algorithms • Develop new features Communication: • Send service notifications • Provide customer support • Send important updates and announcements • Respond to inquiries
4. Voice Biometric Data
The Service uses voice biometric technology for speaker identification: Collection and Use: • Voice prints are created from audio samples you provide during enrollment • Voice data is used to identify speakers in meeting recordings • Processing is performed to improve transcription accuracy Storage and Security: • Voice prints are encrypted and stored securely • Access is restricted to authorized personnel only • Voice data is retained according to organizational policies Your Rights: • You can request deletion of your voice enrollment • You can opt out of speaker identification features • You have the right to access your voice biometric data Voice biometric data is not shared with third parties and is used solely for service provision within Indonesia.
5. Data Storage and Security
We implement appropriate technical and organizational measures to protect your personal data: Security Measures: • All data is stored within Indonesia • Passwords are encrypted using industry-standard algorithms (bcrypt, Argon2) • Data transmission is encrypted using TLS/SSL protocols • Access to personal data is restricted to authorized personnel only • Multi-factor authentication is available • Regular security assessments and penetration testing • Automated backup and disaster recovery systems Physical Security: • Data centers are located in Indonesia with 24/7 security • Physical access controls and monitoring • Environmental controls (fire suppression, climate control) Meeting data, voice biometric data, and documents are treated as confidential and protected according to your organization's security requirements.
6. Data Sharing and Disclosure
We do NOT share your personal data with third parties except in the following circumstances: Within Your Organization: • Data is accessible to authorized members of your organization • Organization administrators can manage user access and permissions • Meeting data is shared based on organizational policies Legal Requirements: • When required by Indonesian law or legal proceedings • To comply with court orders or government requests • To protect the rights, property, or safety of the Service, its users, or the public Service Providers: • With cloud infrastructure providers (within Indonesia) • With service providers who assist in operating the Service • All service providers operate under strict confidentiality agreements We do NOT: • Sell your personal data to third parties • Share your data with international entities outside Indonesia without authorization • Use your data for marketing purposes without consent • Share voice biometric data with third parties
7. Data Retention
We retain your personal data for as long as necessary to provide the Service and comply with legal obligations: Account Information: • Retained while your account is active • Deleted within 90 days of account deactivation (unless required by law) Meeting Data: • Retained according to your organization's policies • Typically retained for 1-7 years for legal and compliance purposes • Can be deleted upon request (subject to legal obligations) Voice Biometric Data: • Retained while enrolled and account is active • Deleted within 30 days of enrollment deletion request Access Logs: • Retained for security and audit purposes (typically 1-2 years) • Required by Indonesian regulations for cybersecurity compliance AI-Generated Content: • Retained as long as the associated meeting data • Deleted when meeting data is deleted When data is no longer needed, it is securely deleted or anonymized using industry-standard methods.
8. Your Rights Under Indonesian Law
Under Indonesian data protection law (UU No. 27 Tahun 2022), you have the following rights: Right to Access: • Request access to your personal data • Receive a copy of your data in portable format Right to Rectification: • Correct inaccurate or incomplete data • Update your profile information Right to Erasure: • Request deletion of your data (subject to legal obligations) • Delete your voice enrollments • Request anonymization of your data Right to Restriction: • Restrict certain data processing activities • Object to specific uses of your data Right to Data Portability: • Export your data in machine-readable format • Transfer data to another service provider Right to Withdraw Consent: • Withdraw consent for data processing at any time • Opt out of optional features Right to Object: • Object to automated decision-making • Object to certain data processing Right to Complain: • File complaints with supervisory authorities • Contact the Indonesian data protection authority To exercise these rights, please contact your organization's administrator or designated data protection officer.
9. AI and Automated Processing
The Service uses artificial intelligence for: AI Processing Activities: • Transcribing meetings with speech recognition • Identifying speakers through voice biometrics • Generating summaries and recommendations • Extracting regulatory references • Providing chat responses and insights • Analyzing meeting content and topics Accuracy and Limitations: • AI processing is performed to assist your work, not replace human judgment • AI-generated content may contain errors or inaccuracies • You are responsible for verifying important information • We continuously work to improve AI accuracy No Automated Decisions: • The Service does not make automated decisions with legal or similarly significant effects • AI is used as an assistive tool only • Final decisions remain with human users Transparency: • AI-generated content is clearly labeled • You can always request human review of AI outputs
10. Children's Privacy
The Service is not intended for individuals under 18 years of age: • We do not knowingly collect personal information from children under 18 • If we become aware of collecting data from a child, we will delete it immediately • Parents or guardians should monitor children's online activities • If you believe we have collected data from a child, please contact us immediately Organizations are responsible for ensuring their members meet age requirements.
11. Cookies and Tracking Technologies
We use cookies and similar technologies: Types of Cookies: • Essential cookies: Required for service functionality (session management, authentication) • Functional cookies: Remember your preferences (language, theme) • Analytics cookies: Understand usage patterns and improve service • Performance cookies: Monitor system performance Cookie Management: • You can control cookie settings through your browser • Disabling essential cookies may limit service functionality • Analytics cookies can be disabled without affecting core features Session Management: • Session cookies expire when you close your browser • Persistent cookies remain until expiration or manual deletion • We use secure, httpOnly cookies for sensitive data We do NOT use cookies for: • Third-party advertising • Cross-site tracking • Selling user data
12. Data Breach Notification
In the event of a data breach that may affect your personal data: Our Response: • Immediate investigation and containment of the breach • Assessment of impact and affected data • Notification to affected users within 72 hours • Notification to your organization's administrators promptly • Reporting to Indonesian authorities (Badan Siber dan Sandi Negara - BSSN) as required Information Provided: • Nature and scope of the breach • Types of data affected • Likely consequences • Measures taken to address the breach • Recommendations for protecting yourself Prevention Measures: • Regular security audits and penetration testing • Continuous monitoring for suspicious activity • Incident response plan and team • Regular security training for personnel
13. International Data Transfer
This Service operates exclusively within Indonesia: Data Location: • All personal data is stored and processed within Indonesian territory • Servers and data centers are located in Indonesia • Data does not leave Indonesia during normal operations Exceptions: International transfer may occur only when: • Explicitly required by Indonesian law • Authorized by your organization with adequate safeguards • Necessary for critical technical maintenance • Required for security incident response If transfer is necessary: • We implement appropriate safeguards (encryption, access controls) • We ensure compliance with UU No. 27 Tahun 2022 • We obtain necessary approvals • We maintain records of transfers Cloud Services: • Cloud infrastructure providers operate within Indonesia • Providers comply with Indonesian data protection requirements • Agreements include data residency clauses
14. Third-Party Services
The Service may integrate with or use third-party services: Service Categories: • Cloud infrastructure (within Indonesia) • Email delivery services • Analytics and monitoring tools • Authentication providers (Google OAuth) Third-Party Access: • Third parties access only data necessary for their service • All providers operate under strict confidentiality agreements • Providers are required to comply with Indonesian data protection laws Your Responsibilities: • When using third-party authentication (Google), their privacy policy also applies • Review privacy policies of any third-party services you connect • Understand what data is shared with third parties We carefully select and monitor third-party providers to ensure they meet our security and privacy standards.
15. Organizational Data Controllers
For organizational accounts: Data Controller Relationship: • Your organization is the data controller for organizational data • We act as a data processor on behalf of your organization • Your organization determines retention policies and access controls Organization Responsibilities: • Ensuring proper consent for data processing • Managing user access and permissions • Determining data retention periods • Handling data subject requests from members Service Provider Responsibilities: • Processing data according to organizational instructions • Implementing appropriate security measures • Notifying organization of data breaches • Assisting with data subject requests Data Processing Agreement: • Terms are established in the organizational service agreement • Specifies purposes and scope of data processing • Defines security requirements and incident response
16. Changes to This Policy
We may update this Privacy Policy from time to time: Notification Methods: • In-app notifications for significant changes • Email to your registered address • Notice on the login page • Update of "Last Updated" date Types of Changes: • Compliance with new laws or regulations • Addition of new features or services • Improvements to security measures • Clarification of existing practices Your Options: • Review changes when notified • Contact us with questions or concerns • Stop using the Service if you disagree with changes • Request deletion of your data (subject to legal obligations) Continued use of the Service after changes constitutes acceptance of the updated policy.
17. Contact Information
For questions or concerns about this Privacy Policy or your personal data: Internal Contacts: • Your organization's system administrator • Your organization's designated data protection officer • Your organization's privacy or legal team Service Provider: • Contact through official support channels • Email support through your organization • Submit requests through the application Data Protection Authority: For formal complaints about data protection, contact: • Badan Siber dan Sandi Negara (BSSN) • Or other designated authority under UU No. 27 Tahun 2022 Response Time: • We aim to respond to inquiries within 14 business days • Complex requests may require additional time • You will be notified of any delays
18. Specific Data Processing Activities
Detailed information about specific data processing: Speech Recognition and Transcription: • Audio is processed using AI speech recognition models • Processing may occur in real-time during meetings • Transcripts are stored with meeting data • Voice data is temporarily processed and not retained after transcription Speaker Diarization: • AI identifies and separates speakers in recordings • Uses voice characteristics and patterns • Results are stored with transcripts • Improves over time with more data Voice Biometric Enrollment: • Voluntary process requiring explicit consent • Creates unique voice print from audio samples • Used for speaker identification in future meetings • Can be deleted at any time Document Processing: • Uploaded documents are analyzed for relevant information • May be used for context in AI responses • Stored securely with meeting data • Subject to same retention policies as meeting data
19. Legal Basis for Processing
We process personal data based on the following legal bases under Indonesian law: Contractual Necessity: • Processing required to provide the Service • Fulfilling terms of service agreement • Managing your account and membership Legitimate Interest: • Improving service quality and functionality • Ensuring security and preventing fraud • Conducting analytics and research Legal Obligation: • Complying with Indonesian laws and regulations • Responding to legal processes and government requests • Maintaining records as required by law Consent: • Voice biometric enrollment (explicit consent) • Optional features and enhancements • Marketing communications (where applicable) You can withdraw consent at any time for processing based on consent, which will not affect the lawfulness of processing before withdrawal.
20. Data Security Measures
Specific security measures we implement: Technical Measures: • End-to-end encryption for sensitive data • TLS 1.3 for all data transmission • AES-256 encryption for data at rest • Secure key management systems • Regular security patches and updates Access Controls: • Role-based access control (RBAC) • Multi-factor authentication (MFA) • Strong password requirements • Session timeout and management • Principle of least privilege Monitoring and Detection: • 24/7 security monitoring • Intrusion detection systems • Automated threat detection • Regular security audits • Penetration testing Personnel Security: • Background checks for employees • Confidentiality agreements • Regular security training • Access reviews and audits • Separation of duties Despite these measures, no system is completely secure. We encourage you to also take steps to protect your account, such as using strong passwords and enabling MFA.