This Privacy Policy ("Policy") is a legally binding document between you ("User") and AULAA, the video conferencing service operated by the entity identified in Section 14 ("AULAA", "we"). This Policy is drafted to comply with Indonesian Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions ("EIT Law"), Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, as well as the Google API Services User Data Policy including its Limited Use requirements. By accessing or using AULAA, you confirm that you have read, understood, and agreed to the entirety of this Policy.
1 Definitions
For the purpose of this Policy, the following terms have the meanings set out below:
1.1 Personal Data
Any data about an identified or identifiable individual, whether alone or combined with other information, as defined in Article 1(1) of the PDP Law.
1.2 Data Subject
The User whose Personal Data is processed, as defined in Article 1(6) of the PDP Law.
1.3 Data Controller
AULAA, as the party that determines the purpose and exercises control over the processing of Personal Data.
1.4 Data Processor
Third-party infrastructure and service providers that process Personal Data on behalf of AULAA under data-processing contracts.
1.5 Service
The AULAA video conferencing platform, including web and mobile applications, public APIs, and accompanying features.
1.6 Google Data
Data you permit AULAA to access via Google OAuth 2.0, as detailed in Section 6.
2 Legal Basis for Processing
Processing of Personal Data by AULAA is based on one or more of the following legal grounds, in line with Article 20 of the PDP Law:
2.1 Explicit consent
Valid, specific, informed, and clear consent from the Data Subject — given when you create an account or enable an optional integration (e.g., Google Calendar sync).
2.2 Contract performance
Processing necessary for performing the contract of providing the Service to you (e.g., displaying your profile to meeting participants).
2.3 Legal obligation
Processing to comply with AULAA's legal obligations (e.g., log retention for tax-audit purposes or lawful requests by enforcement authorities).
2.4 Legitimate interests
Processing for AULAA's legitimate interests that do not override the rights and interests of the Data Subject (e.g., abuse detection, account security).
3 Categories of Personal Data Processed
We collect and process the following categories of Personal Data, with varying legal bases and purposes:
3.1 Identity & account data
Full name, email address, password (hashed using bcrypt; never stored in plaintext), profile photo, language preference, timezone. Source: direct registration or Google Sign-In. Legal basis: 2.1, 2.2.
3.2 Meeting content data
Meeting titles, schedules, participant lists, in-meeting chat message logs, and invited guests. AULAA never stores audio or video streams on our servers. All media is transmitted in real time between participant devices through the media server, without being cached, recorded, or archived by AULAA. If a User uses the recording feature, the recording runs entirely on the client device (client-side); the resulting recording file is stored exclusively on the User's own device and is never uploaded to AULAA infrastructure. Legal basis: 2.2.
3.3 Technical & device data
IP address, device type, browser model, operating system version, session identifiers, authentication activity logs. Used for technical diagnostics, anomaly detection, and account security. Legal basis: 2.4.
3.4 Usage data
Aggregate statistics without direct identifiers: monthly meeting counts, average participants, average duration. Conversation content is never analyzed. Legal basis: 2.4.
3.5 Communications data
Correspondence you send to the AULAA support team, including attachments. Legal basis: 2.1, 2.2.
4 Purposes of Processing
Personal Data is processed solely for the following purposes and will not be used for other purposes without your additional consent:
4.1 Service provision
Creating and maintaining accounts, providing meeting rooms, synchronizing participants, processing calendars, sending invitations and reminders.
4.2 Service communications
Sending important account-security notifications, Policy changes, scheduled-downtime notices, and responses to support requests.
4.3 Security & integrity
Detecting and preventing abuse, fraud, spam, brute-force attempts, and activities violating the Terms of Service.
4.4 Service improvement
Aggregate analysis to improve stability, performance, and user experience. We do not profile individuals for commercial purposes.
4.5 Legal compliance
Compliance with applicable statutory obligations, including responding to lawful requests by enforcement authorities under the Indonesian Criminal Procedure Code (KUHAP) and related regulations.
5 Processing by Third Parties (Sub-processors)
AULAA may engage third parties as Data Processors to support Service delivery. Every such party is bound by a legally binding Data Processing Agreement and may only process Personal Data per AULAA's instructions.
5.1 Infrastructure providers
Cloud hosting, content delivery networks (CDN), and WebRTC media servers for audio/video transmission. Access is limited to technical data strictly necessary for operations.
5.2 Authentication providers
Google LLC as an OAuth 2.0 provider, when you choose to sign in using a Google Account. Processing is subject to the Google Privacy Policy.
5.3 Email service providers
Transactional email service providers used to send system notifications (email verification, password reset, meeting reminders).
5.4 No data sales
AULAA does not sell, rent, or trade your Personal Data to any third party for advertising, commercial profiling, or any other purpose outside those stated in this Policy.
6 Google Data & Limited Use Policy Compliance
If you choose to link your AULAA account with a Google Account via OAuth 2.0, the handling of Google Data is governed specifically by this Section, in addition to the general provisions of the Policy.
6.1 Scopes requested
AULAA requests only the minimum scopes required for the functionality you enable:
• "openid", "email", "profile": for authentication and displaying your basic identity.
• "https://www.googleapis.com/auth/calendar.events": optional, only if you enable Google Calendar sync to create and manage AULAA meeting events in your calendar.
We do not request scopes broader than necessary.
6.2 Limited Use
AULAA's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, AULAA will not:
• Use Google Data to serve advertisements, including personalized or retargeted ads.
• Transfer Google Data to third parties except as sub-processors per Section 5, or as required by law.
• Allow humans to read Google Data unless (i) we have your explicit consent, (ii) it is necessary for security purposes (e.g., abuse investigation), (iii) to comply with applicable law, or (iv) for internal operations purposes that have been anonymized/aggregated.
• Use Google Data to train generalized machine learning models.
6.3 Storage of Google Data
OAuth tokens are stored in encrypted form and accessible only by authorized processes. You can revoke access at any time via the Google Account permissions dashboard at https://myaccount.google.com/permissions or from AULAA account settings.
6.4 Deletion on revocation
If you revoke Google access, AULAA will delete the related authentication tokens and stop Calendar sync within 7 (seven) calendar days.
7 Data Retention
Retention periods differ by data category:
7.1 Active account data
Stored while your account is active. Accounts unused for 24 (twenty-four) consecutive months will be flagged for review and may be deactivated upon prior notice.
7.2 Meeting data & chat logs
Meeting metadata and chat logs are stored for at most 90 (ninety) calendar days after the meeting ends, unless you delete them earlier via the dashboard. AULAA does not store audio/video streams or any recording files. If you use the recording feature, the recording file is stored exclusively on your own device — the retention period, location, and access controls are entirely under your control.
7.3 Technical & security logs
Stored for at most 30 (thirty) days, unless longer retention is required for incident investigation or legal obligations.
7.4 Account deletion
When you delete your account, all related Personal Data is removed from production systems within 30 days, except data that must be retained by law (e.g., financial transaction records).
8 Rights of the Data Subject
Per Articles 5 through 15 of the PDP Law, you have the following rights:
8.1 Right to information
Receive clarity on the identity of the controller, the legal basis, the purpose, and the categories of Personal Data being processed.
8.2 Right of access & copy
Request a copy of your Personal Data in a common and structured electronic format (data portability).
8.3 Right to rectification
Request correction of Personal Data that is inaccurate, incomplete, or misleading.
8.4 Right to erasure
Request deletion of Personal Data no longer needed ("right to be forgotten").
8.5 Right to object & restrict
Object to or restrict processing in certain circumstances, particularly where you dispute accuracy or object to the controller's legitimate interest.
8.6 Right to withdraw consent
Withdraw consent at any time, without affecting the lawfulness of processing performed prior to withdrawal.
8.7 How to exercise rights
Requests may be submitted by email to privacy@aulaa.co with subject "Data Subject Rights Request". We will acknowledge within 3 (three) business days and resolve within 30 business days, unless the request is complex and requires extension, which will be notified to you.
9 Cross-border Data Transfers
AULAA's primary servers are located within the Republic of Indonesia / Southeast Asia region. In the event of any transfer of Personal Data outside the jurisdiction of the Republic of Indonesia (e.g., for backups, technical support, or sub-processor processing), such transfer will be carried out subject to Article 56 of the PDP Law, which requires:
• A level of Personal Data protection in the receiving country equivalent to or higher than the PDP Law; or
• Adequate and legally binding protection safeguards (e.g., standard contractual clauses); or
• Consent from the Data Subject.
10 Security & Protection Measures
AULAA implements reasonable technical and organizational measures to protect Personal Data from unauthorized access, alteration, disclosure, or destruction, including: role-based access controls, multi-factor authentication for administrative access, separation of production and development environments, and audit logs for sensitive activities. Nevertheless, no system is entirely immune to security risks, so you also play a role in keeping your account credentials confidential.
11 Incident Notification
In the event of a Personal Data protection failure that has a material impact on Data Subjects, AULAA will notify affected Data Subjects and the Personal Data Protection Authority (as designated by the PDP Law) within 3x24 hours, pursuant to Article 46 of the PDP Law. The notification will include the incident description, affected data categories, remediation steps, and mitigation recommendations.
13 Minors
The AULAA Service is intended for users aged 13 (thirteen) or older. For Users under 17 years old, parental or legal-guardian consent is required pursuant to Article 25 of the PDP Law and Article 1 of the Indonesian Civil Code. If we become aware that an account was registered by a child below the minimum age without parental consent, the account will be deactivated and the related Personal Data deleted.
14 Data Controller & Contact
The Data Controller for the AULAA Service may be contacted via:
• General email: hello@aulaa.co
• Privacy-related requests: privacy@aulaa.co
• Data Protection Officer (DPO): dpo@aulaa.co
• Suspected violation reporting: legal@aulaa.co
You also have the right to lodge a complaint with the Personal Data Protection Authority as designated by the PDP Law if you consider that processing of your Personal Data by AULAA violates the law.
15 Changes to this Policy
This Policy may be amended from time to time to reflect changes in processing practices, regulations, or the Service. Material changes will be notified to registered Users by email at least 30 (thirty) days before they take effect, unless an urgent change is required by law or security circumstances. The "Last updated" date at the top of this document will be updated for every revision. Continued use of the Service after the effective date of changes constitutes your acceptance of the latest version.