Lawsight

Privacy Policy

Last updated: March 17, 2026

Introduction

PT Karya Anak Negeri Indonesia ("Lawsight", "we") is committed to protecting user privacy. This policy explains how we collect, use, store, and protect your information when using the Lawsight platform.

Data We Collect

We collect the following data:

  • Personal Information: name, email, phone number, job title, and organization information.
  • Documents & Content: documents you upload, contract content, and notes you create on the platform.
  • Technical Data: IP address, browser information, and activity logs for security and audit purposes.

How We Use Your Data

  • Providing and improving the Lawsight platform services.
  • Processing documents with AI for research, review, and analysis.
  • Sending service-related notifications and regulatory updates.
  • Fulfilling legal obligations and regulatory compliance.

Data Protection

We implement the highest security standards to protect your data:

  • Encryption: AES-256 for data at rest, TLS 1.3 for data in transit.
  • Data Isolation: Every organization has full data isolation (multi-tenancy). Your data is never mixed with other organizations.
  • Key Management: HashiCorp Vault with 90-day key rotation.
  • Authentication: JWT with Multi-Factor Authentication (MFA) required for OWNER and ADMIN roles.

Third-Party Services

We use the following third-party services to process your data:

  • Google Cloud Platform: document storage (GCS), AI processing (Vertex AI), and document extraction (Document AI).
  • AI Models: Google Gemini for natural language processing and document analysis.

All third-party vendors have been evaluated for security compliance and have Data Processing Agreements (DPA) in place.

Your Rights (UU PDP)

In accordance with Indonesia's Personal Data Protection Law (UU PDP), you have the following rights:

  • Right to Access: request a copy of your personal data that we store.
  • Right to Deletion: request deletion of your personal data. The deletion process has a 30-day grace period.
  • Right to Portability: export your personal data in a machine-readable format.

Data Retention

  • Audit logs are retained for 7 years per compliance requirements.
  • Application logs are retained for 90 days.
  • Backups are retained for 35 days.
  • Personal data is permanently deleted after a 30-day grace period from the deletion request.

Compliance & Certifications

  • ISO 27001: Information security management.
  • SOC 2 Type II: Security, availability, and confidentiality.
  • UU PDP: Full compliance with Indonesia's Personal Data Protection Law.

Data Breach Notification

In the event of a data breach, we will notify affected users within 72 hours and Indonesian regulators (BSSN) within 3 business days, in accordance with UU PDP requirements.

Contact Us

For privacy-related inquiries, contact us at:

security@lawsight.ai

PT Karya Anak Negeri Indonesia