Privacy Policy
Last updated: January 26, 2026
This Privacy Policy explains how PT. Nakafa Tekno Kreatif ("Nakafa," "we," "us," or "our") collects, uses, and discloses Personal Data when you access or use our websites, applications, and related services (collectively, the "Services").
Your use of the Services is at all times subject to our Terms of Service, which incorporates this Privacy Policy.
What this Privacy Policy covers
This Privacy Policy covers how we treat Personal Data that we gather when you access or use the Services.
This Privacy Policy does not cover the practices of companies we do not own or control, or people we do not manage, including third-party services you may access through the Services. For information about third-party services' data practices, please refer to their respective privacy policies linked throughout this document.
Key definitions
- Personal Data means any information that identifies or relates to a particular individual. Personal Data may also be referred to as "personally identifiable information" or "personal information" under applicable privacy laws.
- User Content means information you submit through the Services, such as chat messages, comments, and other text you provide.
- Service Providers means vendors and service providers that process Personal Data on our behalf as data processors under applicable data protection laws, including agreements that incorporate Standard Contractual Clauses for cross-border transfers where required.
Important notice about third-party data processing
This Privacy Policy covers how PT. Nakafa Tekno Kreatif acts as a data controller for Personal Data collected through the Services. However, we engage third-party service providers that act as data processors to provide core functionality, including hosting, database services, analytics, email delivery, subscription management, and AI processing.
These third parties have their own privacy policies and data processing practices. We have entered into data processing agreements with these service providers that include data protection obligations and, where required, Standard Contractual Clauses for international data transfers. We only share Personal Data with these service providers as necessary to provide the Services and under contractually binding data protection obligations.
This Privacy Policy provides general information. For complete details about how third parties process your data, including their data locations, subprocessors, and specific practices, we encourage you to review their privacy policies directly via the links provided throughout this document.
The links provided in this Privacy Policy direct you to the third-party service providers' own privacy policies and data processing addendums. We make reasonable efforts to ensure these links remain accurate, but we cannot guarantee that third-party privacy policies will not change. You should periodically review third-party privacy policies for any updates.
This Privacy Policy is not legal advice. Privacy and data protection laws are complex and vary by jurisdiction. If you have specific questions about how your Personal Data is processed or your rights under applicable law, we recommend seeking independent legal advice.
Personal Data we collect
The table below summarizes categories of Personal Data we collect, why we collect it, and the categories of third parties with whom we disclose it. Details are explained in the sections that follow.
| Category of Personal Data (examples) | Purpose(s) for collection | Disclosed to third-party data processors (see below for policy links) |
|---|---|---|
| Profile or contact data (name, email, optional profile image, optional role) | Account creation, support, and service delivery | Convex (database/hosting) |
| Account identifiers (authentication identifiers linked to your account) | Authentication and account security | Convex (database/hosting); Vercel (hosting) |
| Device and usage data (IP address, browser/OS, usage events) | Security, analytics, and service improvement | PostHog (analytics) |
| Account security device data (device identifiers and last-seen timestamps) | Session security and unusual-activity detection | Convex (database/hosting); Vercel (hosting) |
| Education and activity data (classes, bookmarks, exercises, notifications) | Operating learning features and personalization | Convex (database/hosting); Vercel (hosting) |
| User Content (chat messages, comments, prompts) | Providing interactive features and AI responses | Convex (database/hosting); Vercel AI Gateway (AI processing) |
| Payment and subscription data (customer/subscription IDs and related metadata) | Subscription management and compliance | Polar (subscriptions/payments) |
| Email delivery and event data (delivery events and related metadata) | Transactional emails and deliverability management | Resend (email delivery) |
Payment Processing
Payments are processed through our subscription management service. Our current payment processor is Polar, which implements appropriate security and privacy protections for payment processing.
For current payment processing details and data practices, please review polar.sh.
Why we collect and use Personal Data
We collect and use Personal Data to operate, maintain, and improve the Services. This includes providing account and learning features, supporting subscriptions, communicating with you (including transactional emails), measuring service performance, preventing abuse and scraping, and complying with legal obligations.
Legal bases for processing (GDPR)
If you are in the EU/EEA, we process Personal Data under one or more of the following legal bases:
- Contract: processing is necessary to provide the Services you request.
- Legitimate interests: processing is necessary for security, service improvement, and fraud prevention, and those interests are not overridden by your rights.
- Consent: where required, for example for certain analytics or marketing choices if applicable.
- Legal obligation: processing is necessary to comply with applicable laws.
Where Personal Data comes from
- From you directly, when you create an account, submit User Content, or contact us.
- Automatically, when you use the Services (for example device, usage, and analytics events).
- From third parties you interact with through the Services, such as Polar payment events and Resend email delivery events.
How we disclose Personal Data
We disclose Personal Data in the following circumstances:
- Service Providers: we use Service Providers to host and operate the Services, store data, deliver emails, and process payments and analytics. These include Vercel (hosting), Convex (database/backend), PostHog (analytics), Vercel Analytics (analytics), Resend (email delivery), and Polar (payments/subscriptions).
- AI processing: when you submit prompts or chat messages for AI features, we send that input to Vercel AI Gateway for processing, and we receive the model output back to provide the feature.
- Legal and safety: we may disclose information if we believe in good faith that it is necessary to comply with law, respond to lawful requests, protect rights and safety, or investigate fraud or abuse.
- Business transfers: if we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction.
AI processing and Vercel AI Gateway
If you use AI features, your prompts and related context are processed through Vercel AI Gateway. The underlying model provider depends on the model selected and the gateway configuration.
Do not include sensitive personal data in prompts (for example government IDs, financial account numbers, or highly sensitive health information). You are responsible for the content you submit.
For more information about Vercel AI Gateway terms, please review Vercel’s AI Product Terms for AI Gateway at vercel.com.
Tracking technologies and analytics
We use analytics tools to understand how users interact with the Services and to improve performance and reliability. These tools use cookies and similar technologies (such as local storage) to recognize your browser/device and collect usage events.
Our current analytics providers are listed below. For more information, please review their privacy policies directly:
- PostHog (product analytics): posthog.com
- Vercel Analytics (website and product analytics): vercel.com
Your choices
- Browser controls: most browsers allow you to control cookies through settings, including blocking or deleting cookies.
- Device settings: your device may allow you to control certain identifiers and tracking behaviors.
- Do Not Track: some browsers offer a "Do Not Track" setting. There is no uniform industry standard for responding to Do Not Track signals; we treat it as a preference signal but may still collect analytics needed to operate the Services.
Blocking cookies may affect certain features, such as login sessions and preferences.
Data retention
We retain Personal Data for as long as necessary to provide the Services and for legitimate business purposes, including compliance, dispute resolution, and enforcement of agreements.
Retention depends on the type of data:
- Account and profile data is retained while your account is active and for a reasonable period after deletion to complete deletion workflows, prevent fraud, and comply with legal requirements.
- Subscription and billing records are retained as required for accounting, tax, and compliance.
- Security and audit-related data may be retained to investigate abuse and protect the Services.
If you request deletion, we will delete or de-identify Personal Data unless we are required or permitted to retain it for legal or legitimate business reasons.
Data security
We use reasonable administrative, technical, and organizational measures designed to protect Personal Data against unauthorized access, loss, misuse, alteration, and destruction.
No security program can eliminate all risk. You are responsible for keeping your account credentials confidential and for using a secure password and secure device practices.
International data transfers
We are based in Indonesia and may process and store Personal Data in Indonesia and other countries where our Service Providers operate. When we transfer Personal Data across borders, we take steps designed to provide appropriate safeguards as required by applicable law, including the use of data processing agreements that incorporate Standard Contractual Clauses for transfers to non-EEA countries.
Children’s privacy
The Services are not intended for children under 13 years of age. If you are under 13, do not use the Services or submit Personal Data.
If you are under 18, you may use the Services only with the involvement and permission of a parent or legal guardian who agrees to this Privacy Policy and our Terms of Service.
If we learn that we collected Personal Data from a child under 13, we will take steps to delete that information.
Your privacy rights
Your rights depend on where you live.
Indonesia (UU PDP)
If you are in Indonesia, you may have rights under Indonesia’s Personal Data Protection Law, including rights to access, correct, and delete your Personal Data, and other rights provided by applicable law.
EU/EEA (GDPR)
If you are in the EU/EEA, you may have the following rights:
- Access your Personal Data.
- Correct inaccurate or incomplete Personal Data.
- Delete your Personal Data in certain circumstances.
- Restrict or object to certain processing.
- Request data portability.
- Withdraw consent where processing is based on consent.
US state privacy rights
If you are a resident of a US state with a comprehensive privacy law (for example California and certain other states), you may have rights such as:
- Right to know/access the categories and specific pieces of Personal Data we collected.
- Right to delete Personal Data (subject to exceptions).
- Right to correct inaccurate Personal Data (in certain jurisdictions).
- Right to opt out of certain processing such as targeted advertising, sale/sharing, or profiling (where applicable).
- Right not to receive discriminatory treatment for exercising your rights.
Exercising your rights
To exercise your privacy rights, contact us at nakafaai@gmail.com.
To protect users, we will verify your identity before processing certain requests. Verification may require access to the email address associated with your account or other information needed to confirm your identity.
If you are making a GDPR-related request, include “GDPR Request” in the subject line.
Contact information
PT. Nakafa Tekno Kreatif
Taman Sukahati Permai H6
Kabupaten Bogor, Indonesia
Email: nakafaai@gmail.com