Privacy Policy

1. Data Controller

The data controller for the Delt platform is PT Sarang Nalar Karya (trading as Cognerest), a company registered in the Republic of Indonesia. For privacy-related inquiries, contact us at support@cognerest.com.

When Delt hosts and runs your application on our infrastructure, we act as a data processor for any personal data that your application processes on behalf of your end-users. For your account information and billing data, we act as the data controller. See our Data Processing Agreement for formal processor obligations.

2. Legal Framework

This Privacy Policy is governed by Indonesia's Personal Data Protection Law (Undang-Undang Pelindungan Data Pribadi / UU PDP, Law No. 27 of 2022) as the primary legal framework. Where applicable, we also consider international data protection standards.

3. Legal Basis for Processing

In accordance with UU PDP Article 20, we process your personal data based on the following legal grounds:

• Contractual necessity: Account data, billing data, and deployment data are processed to provide the Service as agreed when you create an account.
• Legitimate interest: Usage metrics and deployment logs are processed to maintain platform security, prevent abuse, and improve the Service.
• Consent: Marketing communications and optional analytics are processed only with your explicit consent, which you may withdraw at any time.

4. Information We Collect

We collect the following categories of data:

• Account information: Email address, display name, and GitHub account details (username, avatar) provided during registration.
• Billing data: Transaction records (amount, date, Midtrans order ID, status), wallet balance, and plan tier. We do not store payment credentials — see Section 5.
• Usage data: Deployment logs, resource consumption metrics (CPU, memory), build status, and platform interaction data.
• Application data: Source code accessed via GitHub integration and environment variables encrypted in Supabase Vault.

5. Payment Data

All payment transactions (QRIS, GoPay, bank transfer) are processed by Midtrans. Delt does not store, process, or have access to your payment credentials, card numbers, or QRIS tokens. We retain only transaction records: amount, date, order ID, and payment status.

6. How We Use Your Information

Your information is used to:

• Provide, operate, and maintain the Service
• Process billing transactions and manage your wallet balance
• Build and deploy your applications on our infrastructure
• Communicate service updates, maintenance notices, and security alerts
• Ensure platform security and prevent abuse
• Improve the Service based on aggregated usage patterns

We do not sell your personal data to third parties.

7. Data Storage and Security

We implement the following security measures:

• Encryption at rest: Account and billing data are stored in Supabase (PostgreSQL) with encryption at rest.
• Environment variable encryption: Your application environment variables are encrypted using Supabase Vault (pgsodium) before storage. Plaintext values are never stored in the database.
• Encryption in transit: All data transmitted between your browser, our servers, and third-party services is encrypted via TLS.
• Tenant isolation: Each customer's application runs in a dedicated Kubernetes namespace with enforced resource quotas, preventing cross-tenant access.
• Row-Level Security: All database tables enforce Row-Level Security (RLS) policies ensuring tenants can only access their own data.

8. Data Residency

Application workloads run on Google Kubernetes Engine (GKE) in the Jakarta region (asia-southeast2), Indonesia. Account data and billing records are stored in Supabase's hosted PostgreSQL infrastructure.

9. Sub-Processors

We use the following third-party sub-processors to provide the Service:

• Supabase — Database, authentication, and secret management (Privacy Policy)
• Google Cloud Platform — Compute (GKE), container builds (Cloud Build), and container registry (Artifact Registry) (Privacy Notice)
• Midtrans — Payment processing (Privacy Policy)
• GitHub — Source code integration (Privacy Statement)
• Cloudflare — Frontend hosting (Privacy Policy)

10. Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion.
• Deployment logs: Retained for 7 days, then automatically purged.
• Billing and transaction records: Retained as required by Indonesian tax regulations.
• Environment variables: Deleted immediately upon project deletion from Supabase Vault.

11. Your Rights

Under UU PDP and applicable data protection laws, you have the following rights:

• Right to access: Request a copy of the personal data we hold about you.
• Right to correction: Request correction of inaccurate or incomplete personal data.
• Right to deletion: Request deletion of your personal data, subject to legal retention requirements.
• Right to data portability: Export your project configuration and environment variable keys (encrypted values are not exportable).
• Right to object: Object to processing of your personal data based on legitimate interest.
• Right to withdraw consent: Withdraw consent for processing based on consent at any time.

To exercise any of these rights, contact us at support@cognerest.com. We will respond within 30 days.

12. Data Breach Notification

In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 72 hours (3 × 24 hours) of becoming aware of the breach, in accordance with UU PDP requirements. The notification will include the nature of the breach, categories of data affected, and measures taken to address it.

13. Children's Data

The Service is not intended for users under 17 years of age. Users under 17 require parental or guardian consent to use the Service. We do not knowingly collect personal data from children under 17 without such consent. If we become aware that we have collected personal data from a child under 17 without parental consent, we will take steps to delete that information.

14. Cookies

We use essential cookies for authentication session management (Supabase auth tokens). We also collect anonymized performance metrics via web-vitals to monitor page load performance.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

15. International Data Transfers

Some data may be processed outside Indonesia by our sub-processors. In particular, GitHub (United States) processes source code data for repository integration. Where data is transferred internationally, we ensure adequate safeguards are in place in accordance with UU PDP requirements.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect. The updated policy will be posted on this page with a revised date.

17. Contact

For privacy-related inquiries, contact us at support@cognerest.com.

PT Sarang Nalar Karya (Cognerest)
Republic of Indonesia