01What data we collect
We collect personal data in four contexts, and only what each context needs.
- Website visitors. IP address, browser and device metadata, pages viewed, referrer, and approximate location. Collected via cookies and similar technologies (see our Cookie Policy).
- Lead form submitters. Name, work email, company, role, country, and any free-text notes you provide. Collected when you submit a KScore request, contact form, or demo booking.
- KScore Personal users. The public social handles you submit (Instagram, TikTok, LinkedIn, YouTube, Facebook, X), email address, language and persona preferences, and the public profile data we scrape from those handles. We do not access private accounts or content behind authentication walls.
- Paid customers. Billing contact, company legal name, tax identifiers, and payment metadata (handled by Duitku; we do not store full card numbers).
We do not knowingly collect data from individuals under 18. If you believe we have done so, contact us at dpo@klindros.com and we will delete it.
02How we use the data
We use personal data to provide the service you requested and to run our business. Specifically:
- Deliver the KScore diagnostic, generate the report PDF, and send the report by email.
- Reply to your contact form, demo booking, or DPA request.
- Operate paid subscriptions, issue invoices, collect payment via Duitku, and remit applicable taxes.
- Measure traffic and product usage so we can improve klindros.com and the platform.
- Protect against fraud, abuse, and security incidents.
- Send transactional emails (report delivery, billing notices, security alerts). Marketing emails are sent only with explicit consent and you can unsubscribe at any time.
- Comply with legal obligations, including tax, anti-money-laundering, and lawful requests from supervisory authorities.
We do not sell personal data. We do not use customer data to train public AI models.
03How long we retain the data
Retention periods vary by data category:
- KScore Personal scan data (submitted handles, scraped public profile insights, AI analysis output, generated PDFs): retained for 3 days after scan completion, then deleted from primary storage. Backup copies expire within 30 days.
- Lead and contact form submissions: retained for 24 months from your last interaction with us, then anonymised or deleted.
- Paid customer billing records: retained for 10 years to comply with Indonesian bookkeeping and tax regulations.
- Analytics data: Google Analytics 4 default of 14 months. Microsoft Clarity session recordings retained for 30 days.
- Server logs and security events: retained for 30 days.
- Email correspondence with our DPO or sales team: retained as long as needed to handle the matter, then archived for record-keeping.
04Third parties we share data with
We share personal data only with carefully selected sub-processors that help us run the service. Each sub-processor is contractually bound to handle data confidentially and in compliance with applicable law.
| Sub-processor | Purpose | Location |
|---|
| Apify Inc | Public social profile scraping for KScore diagnostics | United States |
| OpenAI, L.L.C. | AI-generated profile audit and growth recommendations (KScore Personal paid tier) | United States |
| PT Kharisma Catur Mandala (Duitku) | Payment processing for KScore Personal and subscription billing | Indonesia |
| Hostinger International Limited | VPS hosting and SMTP delivery for transactional email | Lithuania / European Union |
| Google LLC | Google Analytics 4, reCAPTCHA v3 form protection, Google Fonts | United States |
| Microsoft Corporation | Microsoft Clarity session analytics | United States |
| IPGeolocation Inc | IP-to-country lookup for locale suggestion | Canada |
| Ghost Foundation Ltd | Ghost CMS hosting for the KlindrOS blog | Singapore |
We may also disclose personal data when required by law, to defend our legal rights, or in a merger or acquisition (in which case successors must continue to honour this Policy).
05Your rights
Under GDPR, the Indonesian Personal Data Protection Law (UU PDP), and similar regimes, you have the following rights:
- Access. Request a copy of the personal data we hold about you.
- Correction. Ask us to fix data that is inaccurate or incomplete.
- Deletion. Request that we delete your data, subject to legal retention obligations.
- Portability. Receive your data in a structured, machine-readable format and have it transferred to another controller where technically feasible.
- Object or restrict. Object to certain processing (for example, profiling or direct marketing) or ask us to restrict processing.
- Withdraw consent. Where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Lodge a complaint. Contact a supervisory authority if you believe we have mishandled your data (see section 9).
To exercise any of these rights, email dpo@klindros.com. We respond within 30 days. We may need to verify your identity before we act on the request.
06Cookies and tracking
We use essential cookies to run klindros.com, analytics cookies to measure performance, and (selectively) marketing cookies to measure campaign effectiveness. You can opt out of non-essential cookies via our cookie banner. We honour Global Privacy Control signals where supported.
See the Cookie Policy for the full list of cookies, their purposes, and durations.
07Cross-border data transfers
Several of our sub-processors are located outside Indonesia (see section 4). When we transfer personal data internationally, we rely on one or more of the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA.
- Indonesian PDP Law cross-border transfer safeguards, including assessment of the recipient country's data protection adequacy.
- Contractual obligations on each sub-processor to apply at least the same protections we provide.
Enterprise customers in regulated industries can request a Data Processing Addendum (DPA) with the full subprocessor list, security controls, and SCC Module 2 attached. Email dpo@klindros.com.
08Contact our Data Protection Officer
For any privacy question, request, or concern, contact our Data Protection Officer:
Data Protection Officer, KlindrOSGrand Slipi Tower, Jl. Letjen S. Parman Kav. 22-24, Lt. 9 Unit ORT.6 / RW.10, Jelambar Baru, Kec. Grogol PetamburanKota Jakarta Barat, DKI Jakarta 11480, IndonesiaEmail: dpo@klindros.com09Filing a complaint
If you believe we have not complied with this Policy or with applicable data protection law, you have the right to file a complaint with the relevant supervisory authority.
- Indonesia. Kementerian Komunikasi dan Digital (Kemenkomdigi), or the supervisory authority designated under UU PDP once established.
- European Union. The data protection authority of your member state of residence, place of work, or place of the alleged infringement.
- Other jurisdictions. The relevant national authority where you reside.
We would appreciate the chance to address your concern first. Please contact dpo@klindros.com before escalating.
