Privacy Policy

Last updated: TBD — fill before public launch

Skeleton — not yet legally reviewed. Bracketed placeholders [LIKE_THIS] must be filled in and the document reviewed by qualified counsel before this page is linked from production marketing.

1. Who we are

Cariosan is operated by [ENTITY_NAME], located at [ENTITY_ADDRESS]. For privacy questions contact hello@cariosan.com.

2. Data we collect

  • Account data — email, name, organisation, and anything else you submit when you join the waitlist or create a workspace.
  • Communication data — message content sent through chat workspaces you operate using Cariosan.
  • Technical data — IP address, browser, OS, request timestamps, error traces, and similar diagnostics.
  • Cookies — see Section 8.

3. How we use your data

We use data to operate the service, communicate about it, prevent abuse, comply with the law, and improve the product. [ENUMERATE_EACH_PURPOSE_AND_THE_DATA_IT_USES].

4. Legal basis (UU PDP / GDPR)

For data subjects in Indonesia we process data under UU 27/2022 (Pelindungan Data Pribadi). For data subjects in the EEA we rely on consent, contractual necessity, and legitimate interest as defined in GDPR Art. 6. [MAP_EACH_PROCESSING_PURPOSE_TO_THE_LEGAL_BASIS].

5. Sharing with third parties

We share data with infrastructure providers only as needed to deliver the service: [LIST_PROCESSORS — e.g. DigitalOcean (hosting), Cloudflare (CDN), Resend (transactional email)]. We do not sell personal data.

6. Retention

Account data is retained while your workspace is active and for [N] days after deletion. Backups follow a [N]-day rolling window. Self-hosted deployments are governed by the operator, not Cariosan.

7. Your rights

You may access, correct, export, or delete your personal data, and you may withdraw consent or object to processing. Indonesian residents may also lodge a complaint with the Lembaga Pelindungan Data Pribadi (UU 27/2022 supervisory authority). To exercise any of these rights, email hello@cariosan.com.

8. Cookies and tracking

[LIST_COOKIES_AND_PURPOSES — analytics, session, preference]. Strictly necessary cookies are not subject to consent; non-essential cookies require opt-in.

9. International transfers

Personal data may be processed outside Indonesia (for example by CDN edge nodes in the EU or US). Where required, transfers rely on [STANDARD_CONTRACTUAL_CLAUSES_OR_EQUIVALENT].

10. Security

We use TLS in transit and encryption at rest for backups, and we limit access to production data on a need-to-know basis. Report vulnerabilities via our SECURITY.md.

11. Children

Cariosan is not directed at children under 13. We do not knowingly collect personal data from anyone under 13; if we learn we have, we delete it.

12. Changes to this policy

Material changes will be announced by email and on this page at least [N] days before they take effect.

13. Contact

Privacy questions or requests: hello@cariosan.com.