Privacy Policy
Effective Date: 5 April 2026 · Last Updated: 5 April 2026
Plain-English Summary
- ●We collect your name, email, and OAuth tokens to connect your social media accounts. We never store your social-platform passwords.
- ●Your data is used only to power the analytics dashboard and AI insights you see in SocialSurfer. We do not sell your data to anyone.
- ●OAuth tokens are encrypted at rest with AES-256-GCM. Our database is hosted on Supabase (PostgreSQL) with connection pooling and TLS.
- ●You can access, correct, delete, or export your personal data at any time by contacting privacy@socialsurfer.site.
- ●This policy complies with Indonesia's Personal Data Protection Act (UU No. 27 Tahun 2022) and follows GDPR best practices as a supplementary standard.
What Personal Data We Collect and How
Under Pasal 1 angka 1 of the PDPA, "personal data" means any data about a person that can identify them, either directly or in combination with other data. We collect the following categories:
| Data Category | Examples | How We Collect It |
|---|---|---|
| Identity data | Full name, profile picture | Account registration form or OAuth sign-in (Google / GitHub) |
| Contact data | Email address | Registration form or OAuth provider |
| Authentication data | Hashed password (bcrypt), session tokens (JWT) | Generated on sign-up / sign-in |
| Social platform data | OAuth access & refresh tokens, platform user IDs, usernames, bios, follower counts, engagement metrics, media content metadata | Fetched via Instagram Graph API, YouTube Data API, TikTok API after you authorise the connection |
| Subscription & billing data | Stripe customer ID, subscription plan, billing cycle | Processed by Stripe — we never see or store your full card number |
| Usage & analytics data | Screens visited, features used, AI query counts | Application logs and Zustand state |
| Device & technical data | Browser type, OS, IP address, screen resolution | Automatically collected via HTTP headers and Next.js server logs |
| AI conversation data | AI query prompts and responses | Stored when you use the AI Insights feature |
We do not collect biometric data, genetic data, criminal records, political opinions, or other "specific personal data" as defined in Pasal 4 ayat (2) of the PDPA.
Purpose and Legal Basis for Processing
Under Pasal 20 ayat (2) of the PDPA, processing of personal data must be based on a clear and specific purpose communicated to the data subject. We process your data for the following purposes:
| Purpose | Data Used | Legal Basis (PDPA) |
|---|---|---|
| Provide the analytics dashboard | Social platform data, identity data | Performance of contract (Pasal 20 ayat (2) huruf b) — necessary to deliver the service you signed up for |
| Authenticate your identity | Contact data, authentication data | Performance of contract (Pasal 20 ayat (2) huruf b) |
| Process payments & manage subscriptions | Billing data (via Stripe) | Performance of contract (Pasal 20 ayat (2) huruf b) |
| Deliver AI-powered insights | Social platform data, AI conversation data | Consent (Pasal 20 ayat (2) huruf a) — you explicitly opt in to the AI feature |
| Improve service quality & fix bugs | Usage & analytics data, device data | Legitimate interest (Pasal 20 ayat (2) huruf f) / GDPR Art. 6(1)(f) |
| Communicate service updates | Contact data | Legitimate interest; you may opt out at any time |
| Comply with legal obligations | As required | Legal obligation (Pasal 20 ayat (2) huruf c) |
Data Storage, Security, and Retention
3.1 Where Your Data Is Stored
Your data is stored in a Supabase-managed PostgreSQL database hosted on AWS (ap-northeast-1 region). All connections use TLS encryption in transit and PgBouncer connection pooling.
3.2 Security Measures
In accordance with Pasal 35 of the PDPA, we implement appropriate technical and organisational measures to protect your data:
- Encryption at rest: OAuth access tokens and refresh tokens are encrypted with AES-256-GCM before storage.
- Password hashing: Credentials are hashed with bcrypt (cost factor 10) — we never store plaintext passwords.
- Session security: JWT-based sessions with HttpOnly, Secure, SameSite cookies.
- CSRF protection: OAuth callbacks verify the state parameter to prevent cross-site request forgery.
- HTTP security headers: Content-Security-Policy, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are enforced on all responses.
- Access control: All protected API routes require authenticated sessions. AI usage is quota-limited per plan.
- Error scoping: Internal errors are logged server-side only; generic messages are returned to clients.
3.3 Retention Periods
Under Pasal 25 ayat (2) of the PDPA, personal data must be deleted once it is no longer necessary for its stated purpose. Our retention policy is:
| Data Type | Retention Period | After Expiry |
|---|---|---|
| Account data (name, email) | Duration of your account + 30 days after deletion request | Permanently deleted |
| Social platform tokens | Until you disconnect the platform or delete your account | Permanently deleted |
| Analytics cache | 30 minutes (TTL-based caching) | Automatically purged |
| Daily analytics history | Up to 30 days (plan-dependent: Free = 7 days, Pro = 30 days) | Automatically rotated |
| AI conversation history | Duration of your account | Deleted with account |
| Payment records | Per applicable tax/accounting law (typically 5 years) [REVIEW NEEDED] | Anonymised or deleted |
| Server logs | 90 days | Automatically purged |
Third-Party Data Sharing
Under Pasal 25 of the PDPA, we may only share your personal data with third parties when necessary for a stated purpose and with adequate safeguards. We do not sell your personal data. The following third parties receive data as part of our service:
| Third Party | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Supabase (Database) | Data storage and database hosting | All stored personal data (encrypted tokens) | supabase.com/privacy |
| Stripe | Payment processing and subscription management | Email, Stripe customer ID, billing events | stripe.com/privacy |
| Meta / Instagram Graph API | Fetching Instagram analytics data | OAuth tokens, platform user ID | facebook.com/privacy/policy |
| Google / YouTube Data API | Fetching YouTube analytics data | OAuth tokens, channel ID | policies.google.com/privacy |
| TikTok API | Fetching TikTok analytics data | OAuth tokens, TikTok user ID | tiktok.com/legal/privacy-policy |
| Google OAuth / GitHub OAuth | Authentication (sign-in) | Name, email, profile picture | policies.google.com/privacy / github.com/privacy |
| OpenAI (AI Engine) | AI-powered content insights and recommendations | Aggregated analytics data, AI prompts | openai.com/id-ID/policies/row-privacy-policy/ |
| Vercel | Application hosting and edge delivery | HTTP request metadata, server logs | vercel.com/legal/privacy-policy |
We may also disclose personal data when required by law or a valid court order, in compliance with Pasal 23 of the PDPA.
Your Data Rights
Under Bab IV (Pasal 5–16) of the PDPA, you have the following rights regarding your personal data. We honour these rights without discrimination:
| Right | PDPA Article | Description |
|---|---|---|
| Right to Information | Pasal 5 | You have the right to be informed about the collection, processing, and sharing of your personal data. |
| Right of Access | Pasal 6 | You can request a copy of all personal data we hold about you. |
| Right to Correction | Pasal 7 | You can request correction of inaccurate or incomplete personal data. |
| Right to Deletion | Pasal 8 | You can request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations. |
| Right to Withdraw Consent | Pasal 9 | You may withdraw consent at any time. Withdrawal does not affect lawfulness of prior processing. |
| Right to Data Portability | Pasal 13 | You can request your data in a structured, commonly-used, machine-readable format (JSON/CSV). |
| Right to Object | Pasal 10 | You can object to processing based on legitimate interest or profiling. |
| Right to Restrict Processing | Pasal 11 | You can request restriction of processing while a dispute is being resolved. |
| Right to Compensation | Pasal 12 | You may seek compensation if your personal data is processed in violation of the PDPA. |
To exercise any of these rights, please see Section 7 — Data Requests below.
How to Submit a Data Request or Complaint
7.1 Submitting a Request
To exercise your rights under Section 6, email us at privacy@socialsurfer.site with the subject line DATA REQUEST — [Your Name]. Please include:
- Your full name and the email address associated with your SocialSurfer account.
- A description of the right you wish to exercise (e.g., access, deletion, portability).
- Any supporting details that help us identify the relevant data.
We will verify your identity before processing and respond within 3 × 24 hours as required by Pasal 11 of the PDPA, and fulfil the request within 14 business days.
7.2 Filing a Complaint
If you believe your data rights have been violated, you may file a complaint with us at privacy@socialsurfer.site. If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority established under Pasal 58–60 of the PDPA [REVIEW NEEDED — Once the supervisory body is formally established, add its name and contact here].
Cross-Border Data Transfers
Under Pasal 56 of the PDPA, transfer of personal data outside of Indonesia is permitted only when the receiving country has an equivalent level of data protection, or when other adequate safeguards are in place.
SocialSurfer's infrastructure involves data transfers to:
- AWS ap-northeast-1 (Tokyo) — Supabase database hosting
- United States — Stripe payment processing, Vercel application hosting, social media API endpoints (Meta, Google, TikTok)
For transfers to jurisdictions without equivalent PDPA-level protection, we rely on:
- Standard Contractual Clauses (SCCs) or equivalent data processing agreements with each provider.
- Encryption in transit (TLS) and at rest (AES-256-GCM) to ensure data integrity regardless of hosting location.
[REVIEW NEEDED — Once PDPA implementing regulations on cross-border transfer are finalised by the Indonesian government, update this section to reflect the approved mechanism and any adequacy decisions.]
Children's Privacy
SocialSurfer is not intended for use by individuals under the age of 17. We do not knowingly collect personal data from children. Under Pasal 25 ayat (3) of the PDPA, processing of a child's personal data requires verifiable parental or guardian consent.
If you are a parent or guardian and believe your child has provided personal data to SocialSurfer, please contact us at privacy@socialsurfer.site. We will promptly delete the data and close the account.
How and When This Policy Will Be Updated
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. In accordance with Pasal 21 of the PDPA:
- Material changes: We will notify you via the email address associated with your account at least 7 days before the updated policy takes effect.
- Minor changes: (e.g., typo fixes, formatting) will be updated in place with a new "Last Updated" date.
- Continued use: of SocialSurfer after the effective date of a material change constitutes acceptance of the updated policy. If you do not agree, you may delete your account.
We recommend reviewing this policy periodically. The "Last Updated" date at the top of this page reflects the most recent revision.
Data Controller & Contact Information
Under Pasal 1 angka 4 of the PDPA, the Data Controller (Pengendali Data Pribadi) for SocialSurfer is:
- Entity Name
- PT Lingkar Inovasi Teknologi
- Address
- MENARA RAJAWALI, LEVEL 7-1 JALAN DR IDE ANAK AGUNG GDE AGUNG LOT 5.1, KAWASAN MEGA KUNINGAN, JAKARTA SELATAN
- Privacy Email
- privacy@socialsurfer.site
Legal Framework
This Privacy Policy is primarily governed by Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (Indonesia's Personal Data Protection Act / PDPA). We additionally follow the principles of the EU General Data Protection Regulation (GDPR) as supplementary best practices, particularly regarding lawful basis of processing (Art. 6), data subject rights (Arts. 15–22), and data protection by design (Art. 25). Where the PDPA and GDPR diverge, PDPA provisions take precedence for Indonesian users.