Privacy Policy

1. Introduction

PT Pusat Cyberspace dan Inovasi Teknologi Informasi ("Cybernethicc," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, store, and share information when you use the Cybernethicc cloud platform, portal, and related services (collectively, the "Services").

By using our Services, you consent to the practices described in this Privacy Policy. We encourage you to read this document carefully and contact us if you have any questions.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Phone number
• Company name (optional)
• Password (stored as a salted hash using argon2; we never store your plaintext password)

2.2 Billing Information

Payment transactions are processed through Midtrans and PayPal. We do not store your full credit card numbers, CVV codes, or bank account details on our servers. We may store:

• Billing account name and address
• Payment method type (e.g., credit card, e-wallet, bank transfer)
• Masked card information (last 4 digits, card brand)
• Transaction history and invoice records

2.3 Usage Data

We automatically collect certain information when you use our Services:

• Service usage metrics (resource consumption, API call volumes)
• Server and application logs
• IP addresses
• Browser type and version
• Operating system
• Pages visited and features used within the portal
• Timestamps of access and actions

2.4 Cookies

We use cookies to:

• Session cookies (essential): Maintain your login session and authentication state
• Preference cookies (optional): Remember your language, theme, and display preferences
• Analytics cookies (optional): Understand how users interact with our portal to improve the experience

We do not use third-party tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect your ability to use the Services.

3. How We Use Information

We use the information we collect for the following purposes:

• Service delivery: To provision, operate, and maintain the cloud services you have requested
• Billing: To process payments, generate invoices, and manage your billing accounts
• Support: To respond to support tickets and provide technical assistance
• Security monitoring: To detect, prevent, and investigate unauthorized access, fraud, and abuse
• Analytics: To analyze aggregated, anonymized usage data to improve our Services and infrastructure
• Communication: To send service-related notifications (e.g., payment confirmations, security alerts, maintenance notices). We do not send marketing communications unless you have opted in
• Billing notifications: We send automated emails regarding invoices, payment reminders, and service status changes
• Legal compliance: To comply with applicable laws, regulations, and legal processes

4. Information Sharing

We do not sell your personal information to third parties. We may share your information only in the following circumstances:

• Infrastructure providers: We work with infrastructure partners to deliver our Services. These partners process data solely as needed for service delivery and do not have direct access to your personal user data
• Payment processors: Midtrans and PayPal process your payment transactions in accordance with their respective privacy policies and PCI DSS compliance requirements
• Law enforcement: We may disclose information if required by law, valid court order, or government request. Where legally permitted, we will notify you before making such disclosure
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change

5. Data Storage and Security

We take the security of your data seriously and implement the following measures:

• Encryption at rest: Sensitive data is encrypted using AES-256 encryption
• Encryption in transit: All data transmitted between your browser and our servers is protected using TLS 1.3
• Data locations: Your data is stored in data centers located in Indonesia and Singapore
• Access controls: We enforce strict role-based access controls (RBAC) to limit who can access your data within our organization
• Security audits: We conduct regular security assessments and vulnerability testing of our infrastructure
• Password security: All passwords are hashed and salted using the argon2 algorithm before storage

While we implement industry-standard security measures, no system is completely immune to security threats. We encourage you to use strong passwords and enable two-factor authentication on your account.

6. Data Retention

We retain your information for the following periods:

• Account data: Retained for the duration of your account. After account deletion, personal data is removed within 30 days, except where retention is required by law
• Usage logs: Retained for 90 days, then automatically purged
• Billing records: Retained for 7 years in compliance with Indonesian tax law (UU Ketentuan Umum Perpajakan)
• Audit logs: Retained for 1 year
• Support ticket data: Retained for the duration of your account plus 1 year after account closure

6A. Cybernethicc Vault Data Handling

Cybernethicc Vault is a zero-knowledge service. This section explains exactly what we can and cannot see about your Vault data, and how SSO/SCIM identity attributes are processed.

What we never see. Your master password, your derived encryption key, the plaintext of any vault item, the plaintext of any Secret Send payload, and the plaintext of any attached file. These are encrypted in your browser before being sent to our servers.

What we store. An Argon2id verifier (proves a correct master password without revealing it), the encrypted blob of each item or Secret Send, metadata strictly needed for the service to work (item id, owner user id, created/updated timestamps, expiry, max-views for Secret Send), and audit log entries describing actions taken (create, view, share, revoke).

Audit log retention by tier. Customer-visible audit retention scales with your Vault tier: Free 30 days, Pro 1 year, Team 3 years, Enterprise 5 years. We may keep audit records internally beyond that window for legal, security, or fraud-prevention purposes.

SSO and SCIM (Enterprise). When you configure SAML SSO, we store IdP entity ID, SSO URL, IdP certificate(s), and the SP keypair generated for your org. When you enable SCIM, we store a hashed token plus the identity attributes your IdP sends through SCIM (user id, email, name, group membership). These attributes are used only for authentication and lifecycle management; we do not use them for marketing or share them with third parties.

Emergency contact. If you designate an Emergency Contact, we store a record of the designation, an additional wrapped encryption key the contact can use (still encrypted; we cannot read it), and the configured waiting period. We log every emergency access request.

Recovery. Because of the zero-knowledge design, Cybernethicc cannot recover vault contents if you forget your master password and have not designated an Emergency Contact. Standard account password reset does not unlock the vault.

Data location. Vault data is hosted in our Jakarta, Indonesia infrastructure. Encrypted blobs may be replicated to secondary regions for disaster recovery; the encryption keys necessary to read those blobs are never replicated server-side.

Data export and deletion. On Pro and higher tiers you can export your vault contents as encrypted JSON at any time. When you delete your account, vault data follows the same 30-day deletion window as the rest of your account data.

7. Your Rights

You have the following rights regarding your personal information:

• Access: You may request a copy of the personal data we hold about you
• Correction: You may request correction of any inaccurate or incomplete personal data
• Deletion: You may request deletion of your account and personal data. The deletion process takes 30 days, during which your account will be suspended. Certain data may be retained as required by law
• Export: You may export your data through the portal or by submitting a request to our support team
• Opt-out: You may opt out of marketing communications at any time through your notification preferences or by contacting support

To exercise any of these rights, please contact us at [email protected] or submit a request through the portal. We will respond to your request within 30 days.

8. Children

Our Services are not intended for, nor directed to, individuals under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age. If we become aware that we have collected personal information from a person under 18, we will take steps to delete that information promptly.

9. Cookies

Our use of cookies is limited to the following categories:

• Essential cookies: Required for authentication, session management, and core platform functionality. These cannot be disabled
• Analytics cookies (optional): Used to collect aggregated, anonymized data about portal usage to help us improve our Services. You may opt out of these
• Preference cookies (optional): Used to remember your display preferences such as language and theme settings. You may opt out of these

We do not use third-party tracking cookies or advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email to the address associated with your account and/or through a prominent notice on the portal.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

11. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us: