1. Controller and processor roles
Kuluara is operated by PT Tom Marvolo Riddle Group, a company registered in Indonesia, located at Jalan Mertasari, Desa/Kelurahan Kerobokan Kelod, Kec. Kuta Utara, Kab. Badung, Provinsi Bali, 80361.
For the purposes of data protection law, Kuluara acts in two capacities depending on the category of personal data:
- Data Controller for account data, billing data, and usage analytics relating to customers who sign up for and administer their Kuluara workspace. This includes names, email addresses, login credentials, and platform usage information.
- Data Processor for CRM data that customers import, create, or receive through the platform on behalf of their own end customers. This includes contact records, deal records, messages received via WhatsApp, Telegram, Instagram, and email, as well as files and attachments exchanged through connected channels. The customer determines the purposes and means of processing this data; Kuluara processes it strictly on the customer's behalf and in accordance with the customer's instructions.
For privacy inquiries, data subject requests, or complaints, contact our Data Protection Officer at info@kuluara.com. General questions can also be directed to info@kuluara.com.
2. Scope
This Privacy Policy applies to the Kuluara website (kuluara.com), web application, CRM platform, all messaging channel integrations (WhatsApp Business API, Telegram Bot API, Instagram Messaging API, email via IMAP/SMTP), and related support services.
3. Personal data we collect
Depending on how you use Kuluara, we may collect the following categories of data:
3.1 Account and profile data
Name, email address, company name, role, phone number, login credentials, and workspace configuration. Collected directly from the customer upon registration and account setup.
3.2 Customer relationship data (CRM data)
Contacts, companies, notes, deal records, pipeline stages, tasks, tags, and custom fields. This data is created and managed by the customer within their workspace.
3.3 Communication data
Messages, conversation metadata, read receipts, delivery statuses, and message templates from connected channels including WhatsApp Business API, Telegram Bot API, Instagram Messaging API, and email (IMAP/SMTP). This data originates from the customer's connected channels and their end customers.
3.4 Files and attachments
Documents, images, audio, and other files uploaded to or exchanged through the platform.
3.5 Operational and audit data
Timestamps, ownership changes, workflow activity, authentication logs, and system event logs.
3.6 Technical data
IP address, browser type, device information, operating system, and session identifiers.
3.7 Integration data
OAuth tokens, webhook payloads, API credentials, and channel configuration received from third-party providers when the customer connects external services.
4. How we use personal data
- Provide, operate, maintain, and secure the Kuluara platform and its integrations.
- Authenticate users and manage accounts, permissions, team members, and access control.
- Route, deliver, and display customer messages across WhatsApp, Telegram, Instagram, and email channels.
- Create and maintain deal, contact, company, and pipeline records.
- Enable team collaboration features including internal notes, comments, assignments, and team chat.
- Process and display lead form submissions received via Meta Lead Ads integration.
- Provide customer support, troubleshoot issues, and improve platform reliability.
- Generate aggregated, anonymized analytics to improve the service.
- Comply with legal obligations, enforce our terms, and prevent misuse or fraud.
5. Legal bases for processing
Where applicable under GDPR (Regulation (EU) 2016/679) or similar data protection laws, we process personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b) GDPR): To provide and maintain the Kuluara platform as agreed in our Terms of Use and any applicable subscription agreement.
- Legitimate interests (Article 6(1)(f) GDPR): To operate, secure, and improve the service; to detect and prevent fraud; to provide customer support. Our legitimate interests do not override your fundamental rights and freedoms.
- Legal obligation (Article 6(1)(c) GDPR): To comply with applicable laws, regulations, tax requirements, and lawful government requests.
- Consent (Article 6(1)(a) GDPR): Where consent is specifically required, such as for certain marketing communications or optional data processing activities. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
6. WhatsApp Business API: consent and opt-in
When customers connect their WhatsApp Business API account to Kuluara, they are responsible for ensuring that end customers have provided valid opt-in consent before receiving messages, in accordance with the WhatsApp Business Policy and WhatsApp Commerce Policy.
Opt-in consent may be obtained through:
- A customer-initiated conversation (the end customer messages the business first).
- An explicit opt-in mechanism on the customer's website, app, or physical form where the end customer provides their phone number and agrees to receive WhatsApp messages.
- A Meta Lead Ads form where the end customer submits their contact information and consents to WhatsApp communication.
Kuluara provides the technical infrastructure to deliver messages via the WhatsApp Business API. The customer is solely responsible for maintaining records of end-customer consent and for complying with WhatsApp's messaging policies, including template message approval requirements and messaging limits.
7. Telegram Bot API: data handling
When customers connect a Telegram Bot to Kuluara, messages exchanged between the bot and Telegram users are received via the Telegram Bot API and stored within the customer's Kuluara workspace.
Kuluara stores Telegram message content, sender information (user ID, username, display name), and conversation metadata solely for the purpose of providing the CRM service to the customer. We commit to the following:
- Telegram message data is retained only for as long as the customer maintains an active workspace, or until the customer requests deletion.
- We do not disclose Telegram message content or user data to any third party, except as required by law or as instructed by the customer.
- Upon account termination or deletion request, Telegram data is purged in accordance with the timelines described in Section 13 of this policy.
- Customers are responsible for their own compliance with the Telegram Terms of Service and Telegram Privacy Policy.
8. Instagram Messaging API: data handling
When customers connect their Instagram Professional account to Kuluara via the Instagram Messaging API (part of the Meta Platform), direct messages exchanged between the customer's Instagram account and their followers are received and stored within Kuluara.
Kuluara processes Instagram message data in compliance with Meta Platform Terms and the Meta Developer Policies. Instagram data is used exclusively to provide the CRM service and is not repurposed for advertising, profiling, or sale to third parties.
9. Google API Services and third-party integrations
Kuluara accesses Google user data through Google OAuth 2.0 when users explicitly connect their Google account within the Kuluara platform. Kuluara also integrates with video conferencing, advertising, analytics, storage, and scheduling services to provide a complete CRM experience.
Google services — data accessed
- Gmail: Email message content, metadata, and attachments for inbox synchronization within the CRM.
- Google Calendar: Event details, attendees, and scheduling data for activity tracking and meeting management.
- Google Meet: Meeting links, participant lists, meeting metadata (duration, start/end times), and recording links when available. Kuluara does not record Google Meet calls directly — it only accesses metadata and links generated by Google.
- Google Contacts: Contact names, email addresses, phone numbers, and organization details for contact synchronization.
- Google Drive: File names, metadata, and shared links for attaching documents to CRM records. Kuluara does not access file contents unless explicitly shared by the user.
Advertising and analytics integrations
Kuluara may connect to advertising and analytics platforms to track lead sources and measure campaign performance:
- Google Ads: Campaign data, ad group performance, lead form submissions, cost metrics, and conversion data. Used to attribute CRM leads to advertising campaigns. Kuluara does not modify or create ad campaigns on the customer's behalf unless explicitly configured.
- Google Analytics: Website visitor data, traffic sources, conversion events, and user behavior metrics. Used to enrich CRM contact records with attribution data. Kuluara does not inject tracking scripts into customer websites — integration requires customer-side configuration.
- Meta Ads (Facebook/Instagram Ads): Campaign performance, lead form submissions, audience insights, and cost data. Already covered under Meta data handling in Sections 6 and 7.
- TikTok Ads: Covered under TikTok Business API in Section 10.
Video conferencing integrations
Kuluara integrates with video conferencing platforms to schedule, track, and link meetings to CRM records:
- Zoom: Meeting metadata (title, duration, start/end times, participant count), meeting links, recording links (when enabled by the host in Zoom settings), and calendar event associations. Kuluara accesses Zoom data via Zoom OAuth 2.0 and the Zoom Marketplace API. Kuluara does not record Zoom calls — recordings are managed entirely within Zoom's own platform.
- Google Meet: See Google services above.
- Microsoft Teams: Meeting metadata, participant lists, meeting links, and calendar associations when customers connect their Microsoft 365 account. Accessed via Microsoft Graph API with OAuth 2.0 consent.
Scheduling and productivity integrations
- Calendly / Cal.com: Booking data, availability windows, and scheduled event metadata for linking meetings to CRM contacts and deals.
- Zapier / Make (Integromat): Workflow automation data as configured by the customer. Kuluara provides webhook endpoints and API access; the scope of data shared depends on the customer's workflow configuration.
Payment processing
Kuluara may integrate with payment processors to track invoices and transactions within the CRM:
- Stripe: Transaction metadata, invoice status, payment amounts, and customer payment identifiers. Kuluara does not store full credit card numbers or sensitive cardholder data — payment processing is handled entirely by Stripe in compliance with PCI-DSS.
Limited Use disclosure
Kuluara's use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.
Kuluara's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- Kuluara does not use Google API data to serve advertisements.
- Kuluara does not transfer Google API data to third parties unless necessary to provide or improve user-facing features, with user consent, or for security or legal purposes.
- Kuluara does not allow humans to read Google API data except with user consent, for security investigation, to comply with applicable law, or for internal operations where the data has been aggregated and anonymized.
Revoking access
Users can revoke Kuluara's access to their Google account data at any time from the Kuluara settings page or from their Google Account permissions page. Upon revocation, Kuluara will cease accessing new data from Google APIs. Previously synchronized data will be retained in accordance with the retention periods described in Section 13 of this policy, unless the user requests earlier deletion.
10. TikTok Business API: data handling
When customers connect their TikTok Business account to Kuluara via the TikTok Business API, data from their TikTok account is received and stored within the customer's Kuluara workspace.
Data collected
Kuluara may collect TikTok user profile data (display name, profile picture, account identifiers), business content data (post metadata, engagement metrics), and ad account data (lead information, campaign identifiers) when the customer connects their TikTok Business account.
Purpose
TikTok data is used exclusively to synchronize TikTok leads and messages into the customer's CRM workspace, enabling unified lead management and conversation tracking. TikTok data is not repurposed for advertising, profiling, or sale to third parties.
Retention and sharing
TikTok data is retained in accordance with the data retention periods described in Section 17 of this policy. TikTok data is not shared with third parties beyond what is strictly necessary for the integration to function.
11. Telephony and VoIP: data handling
When customers connect telephony or VoIP services (such as Twilio or similar providers) to Kuluara, call-related data is received and stored within the customer's Kuluara workspace.
Data collected
Kuluara may collect phone numbers (caller and recipient), call metadata (duration, timestamps, call direction, call status), and call recordings when the recording feature is enabled by the workspace owner.
Call recording consent
Call recording is an opt-in feature that must be explicitly enabled by the workspace owner. Kuluara displays a clear notice before any recording begins. All call participants are informed at the start of a recorded call. The workspace owner is responsible for ensuring that call recording complies with applicable local laws, including two-party consent requirements where applicable.
Purpose
Telephony data is used to track calls within the CRM, link call records to associated deals and contacts, and provide call history for customer relationship management purposes.
Retention
Call recordings are retained for 90 days by default. Workspace owners may configure a different retention period within their workspace settings. Call metadata (excluding recordings) is retained in accordance with the data retention periods described in Section 17 of this policy.
12. SMS messaging: data handling
When customers use SMS messaging capabilities through Kuluara, message data is processed and stored within the customer's Kuluara workspace.
Data collected
Kuluara may collect phone numbers (sender and recipient), message content, and delivery status information (sent, delivered, failed, read).
Opt-in and opt-out requirements
Customers are solely responsible for obtaining proper consent from recipients before sending SMS messages via Kuluara. Kuluara supports standard STOP and unsubscribe handling mechanisms to enable recipients to opt out of future messages. Kuluara does not send unsolicited SMS messages on its own behalf.
Compliance
Customers using SMS messaging through Kuluara must comply with all applicable messaging regulations, including but not limited to the Telephone Consumer Protection Act (TCPA) in the United States, the Personal Data Protection Act (PDPA) in Singapore, and any other local messaging regulations applicable in the recipient's jurisdiction.
13. LINE Official Account: data handling
When customers connect their LINE Official Account to Kuluara via the LINE Messaging API, messages and user data exchanged between the customer's LINE Official Account and LINE users are received and stored within the customer's Kuluara workspace.
Data collected
Kuluara may collect LINE user profile data (userId, displayName, pictureUrl, statusMessage), message content, and read receipts from conversations conducted through the connected LINE Official Account.
Purpose
LINE data is used exclusively to synchronize LINE conversations into the customer's unified inbox within Kuluara, enabling centralized conversation management across all connected channels. LINE data is not repurposed for advertising, profiling, or sale to third parties.
Retention
LINE data is retained in accordance with the data retention periods described in Section 17 of this policy.
LINE Developer Agreement
LINE user data is processed in accordance with the LINE Developer Agreement. Kuluara does not use LINE user data for any purpose other than providing the CRM service.
14. Sources of data
We may receive personal data from:
- Users who create accounts or enter information into Kuluara.
- End customers whose messages or contact details are processed through connected messaging channels (WhatsApp, Telegram, Instagram, email).
- Meta Platform APIs (WhatsApp Business API, Instagram Messaging API, Meta Lead Ads).
- Telegram Bot API.
- Email providers via IMAP/SMTP connection.
- Lead form submissions configured by the customer.
11. Sub-processors and data sharing
We use the following categories of sub-processors to operate the Kuluara platform. Each sub-processor processes data only as necessary to provide its designated function:
Infrastructure and hosting
- Supabase (Supabase, Inc.) — Database hosting, authentication, and real-time data services. Data is stored in the AWS Singapore (ap-southeast-1) region. Supabase acts as a sub-processor for all CRM data, account data, and authentication records.
- Vercel (Vercel, Inc.) — Application hosting and edge network delivery. Vercel processes HTTP requests and serves the Kuluara web application. Vercel may process technical data (IP addresses, request headers) at edge locations globally.
- Google Cloud Platform (Google LLC) — Webhook processing server located in the Jakarta (asia-southeast2) region. GCP processes incoming webhook payloads from Meta APIs and Telegram Bot API before routing them to the Kuluara database.
Communication platform providers
- Meta Platforms (Meta Platforms, Inc.) — WhatsApp Business API, Instagram Messaging API, Meta Lead Ads, and Meta Ads reporting.
- Telegram (Telegram FZ-LLC) — Telegram Bot API for messaging.
- TikTok (ByteDance Ltd.) — TikTok Business API for lead and content synchronization.
- LINE (LY Corporation) — LINE Messaging API for Official Account conversations.
- Twilio (Twilio Inc.) — Telephony, VoIP, and SMS delivery services.
Video conferencing and scheduling
- Zoom (Zoom Video Communications, Inc.) — Meeting metadata and recording links via Zoom Marketplace API.
- Google (Google LLC) — Gmail, Calendar, Meet, Contacts, Drive, Ads, and Analytics via Google APIs.
- Microsoft (Microsoft Corporation) — Teams meetings and calendar via Microsoft Graph API.
Payment and automation
- Stripe (Stripe, Inc.) — Payment processing and invoice tracking. PCI-DSS compliant. Kuluara does not store cardholder data.
- Zapier / Make — Workflow automation as configured by the customer.
Other disclosures
We may also disclose personal data to:
- Professional advisors, auditors, or legal counsel where necessary.
- Law enforcement or regulatory authorities where required by applicable law or valid legal process.
- Successors in connection with a merger, acquisition, or business transfer.
We do not sell personal data. We do not use CRM data or message content for advertising, profiling, or any purpose other than providing the Kuluara service.
12. International data transfers
Kuluara is operated by PT Tom Marvolo Riddle Group from Indonesia. Personal data may be transferred to and processed in the following jurisdictions:
- Singapore — Database hosting via Supabase (AWS ap-southeast-1).
- Indonesia — Webhook processing server via Google Cloud Platform (Jakarta region).
- United States — Application hosting infrastructure via Vercel; Meta and Telegram API infrastructure.
- Global edge locations — Vercel edge network for application delivery.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or other appropriate safeguards permitted under applicable law. Copies of relevant safeguards can be obtained by contacting info@kuluara.com.
For transfers governed by Indonesian law, we implement safeguards in accordance with Government Regulation No. 46 of 2024 on the implementation of the PDP Law, including ensuring that the recipient jurisdiction provides an equivalent level of personal data protection, or that appropriate contractual protections are in place.
13. Data retention
We retain personal data for specified periods depending on the data category and the purpose of processing:
- Account and profile data: Retained for the duration of the active subscription, plus 90 days after account closure to allow for reactivation or data export. Deleted within 30 days after the 90-day grace period.
- CRM data (contacts, deals, companies, notes): Retained for the duration of the active workspace. Deleted within 30 days of a valid deletion request or account termination.
- Message data (WhatsApp, Telegram, Instagram, email): Retained for the duration of the active workspace. Deleted within 30 days of a valid deletion request or account termination.
- Files and attachments: Retained for the duration of the active workspace. Deleted within 30 days of a valid deletion request or account termination.
- Authentication and security logs: Retained for 12 months from creation for security monitoring and incident investigation purposes.
- Billing and transaction records: Retained for 5 years as required by Indonesian tax law (Law No. 28 of 2007 on General Tax Provisions) and applicable accounting regulations.
- Backup copies: Purged from backup systems within 90 days after deletion from primary systems.
- Anonymized analytics data: May be retained indefinitely as it no longer constitutes personal data.
14. Data security
We implement administrative, technical, and organizational security measures designed to protect personal data from unauthorized access, loss, misuse, or disclosure. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Row Level Security (RLS) policies enforced at the database level via Supabase.
- Authentication via secure token-based sessions with multi-factor authentication support.
- Access controls limiting data access to authorized team members within each workspace.
- Regular security reviews and dependency vulnerability monitoring.
No system can be guaranteed to be completely secure. In the event of a personal data breach, we will follow the notification procedures described in Sections 16 and 17 of this policy.
15. Your rights under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to restrict processing (Article 18): Request that we limit processing of your data in certain circumstances.
- Right to data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON).
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
Automated decision-making (Article 22)
Kuluara does not make decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect data subjects. The platform provides tools for customers to organize and manage their data, but all business decisions are made by the customer's human operators.
Right to lodge a complaint (Article 77)
You have the right to lodge a complaint with a supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement. A list of supervisory authorities is available at edpb.europa.eu.
To exercise any of these rights, contact our Data Protection Contact at info@kuluara.com. We will respond within 30 days of receiving a verified request.
16. Your rights under Indonesia PDP Law
For purposes of Indonesian data protection law, including Law No. 27 of 2022 on Personal Data Protection (UU PDP) and its implementing regulations, the following applies:
Data subject rights
- Right to obtain information about the processing of your personal data.
- Right to access and obtain a copy of your personal data.
- Right to correct inaccurate or incomplete personal data.
- Right to request deletion or destruction of personal data.
- Right to withdraw consent for processing that is based on consent, without affecting the lawfulness of processing carried out before withdrawal.
- Right to object to profiling that produces legal effects.
- Right to restrict or suspend processing activities.
- Right to bring a claim and receive compensation for violations of the PDP Law.
Response timeline
We will acknowledge and respond to data subject requests within 72 hours of receipt, and will fulfill valid requests within the timeframes mandated by the PDP Law and its implementing regulations.
Breach notification
In the event of a personal data breach that affects Indonesian data subjects, we will notify the affected data subjects and the relevant authority within 72 hours of becoming aware of the breach, as required by Article 46 of the PDP Law. The notification will include the nature of the breach, the categories and approximate number of records affected, and the measures taken or proposed to address the breach.
Cross-border transfer safeguards
Where personal data of Indonesian data subjects is transferred outside of Indonesia, we ensure that the recipient country provides an equivalent level of personal data protection as required by Government Regulation No. 46 of 2024. Where the recipient country does not meet this threshold, we implement binding contractual safeguards to ensure adequate protection.
To exercise your rights under the PDP Law, contact info@kuluara.com.
17. Children
Kuluara is a business-to-business CRM platform intended for use by business professionals. It is not directed to children under the age of 16 (or such lower age as applicable in the relevant jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.
18. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be posted on this page with an updated effective date. Where required by law, we will notify affected users directly (for example, by email) before changes take effect.
19. Contact
Data Protection Contact: info@kuluara.com
General inquiries: info@kuluara.com
Mailing address: PT Tom Marvolo Riddle Group, Jalan Mertasari, Desa/Kelurahan Kerobokan Kelod, Kec. Kuta Utara, Kab. Badung, Provinsi Bali, 80361, Indonesia.