Introduction & Scope
Judic AI (“Judic,” “we,” “us,” or “our”) is committed to protecting your personal data and privacy. This Privacy Policy applies to all personal data we collect through our Platform at tryjudic.com, our APIs, and any related services.
This policy is designed to comply with Indonesian Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Pelindungan Data Pribadi, “UU PDP”), which took full effect on October 17, 2024. Where applicable, we also align with international best practices including the principles of the EU General Data Protection Regulation (GDPR).
By using the Platform, you consent to the collection and processing of your personal data as described in this Privacy Policy. If you do not agree with any part of this policy, please discontinue use of the Platform.
Data Controller Information
Judic AI
Data Controller / Pengendali Data Pribadi
As the Data Controller (Pengendali Data Pribadi) under UU PDP, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with applicable data protection laws.
Personal Data We Collect
General Personal Data (Data Pribadi Umum)
| Category | Data Points | Collection Method |
|---|---|---|
| Account Data | Name, email address, profile photo | Registration (Google OAuth, email sign-up) |
| User Content | Uploaded contracts, legal documents | Direct upload by user |
| Usage Data | Pages visited, features used, analysis requests, search queries | Automatic collection |
| Chat Data | Conversations with AI, questions, follow-ups | User-initiated chat sessions |
| Technical Data | IP address, browser type, device type, OS, session ID | Automatic collection |
| Payment Data | Transaction IDs, payment method type, billing history | Via payment processor |
| Feedback Data | Finding feedback (correct/incorrect), ratings, suggestions | User-submitted feedback |
We do not collect Specific Personal Data (Data Pribadi Spesifik) as defined under UU PDP Article 4(2), such as health data, biometric data, genetic data, sexual orientation, political views, criminal records, or children's data. If your uploaded documents happen to contain such data, it is processed solely for the purpose of contract analysis and is not extracted, stored separately, or used for any other purpose.
Legal Basis for Processing
Under UU PDP, we process your personal data based on the following legal grounds:
| Legal Basis | UU PDP Reference | Application |
|---|---|---|
| Explicit Consent | Article 20(2)(a) | Account creation, document upload, AI analysis |
| Contractual Necessity | Article 20(2)(b) | Service delivery, billing, account management |
| Legal Obligation | Article 20(2)(c) | Tax records, court orders, regulatory compliance |
| Legitimate Interest | Article 20(2)(f) | Security monitoring, fraud prevention, service improvement |
| Vital Interest | Article 20(2)(d) | Emergency security measures to protect user data |
Where we rely on consent as the legal basis, you may withdraw your consent at any time through Settings or by contacting us. Withdrawal of consent does not affect the lawfulness of processing performed prior to the withdrawal.
How We Use Your Data
We process your personal data for the following purposes:
Core Service Delivery
- Contract analysis, risk assessment, and compliance checking against our regulatory Knowledge Base.
- AI-powered chat for document-related queries, including citation-verified responses.
- Document comparison, playbook execution, and regulatory mapping.
- Generating bilingual analysis reports and plain-language contract summaries.
Account & Service Management
- Creating and managing your account, authentication, and session management.
- Processing payments and managing subscriptions via Xendit.
- Communicating service updates, security alerts, and transactional notifications.
- Providing customer support and responding to inquiries.
Platform Improvement
- Improving AI accuracy through aggregated, anonymized analysis of finding feedback.
- Monitoring Platform performance, identifying bugs, and optimizing user experience.
- Conducting internal analytics to understand feature usage and inform product development.
Security & Compliance
- Detecting and preventing fraud, abuse, and unauthorized access.
- Maintaining audit trails for security and regulatory compliance (2-year retention).
- Enforcing our Terms of Service and Acceptable Use Policy.
- Complying with legal obligations under Indonesian law.
We never sell your personal data. We do not use your documents to train AI models. Aggregated, anonymized data used for Platform improvement cannot be traced back to individual users.
AI & Machine Learning Processing
Your contract text is transmitted to third-party AI providers for analysis. These providers operate under strict data processing agreements and do not use your data for model training.
The Platform uses artificial intelligence, including large language models (LLMs), to perform contract analysis, risk assessment, and compliance checking. When you upload a document or interact with our AI features, your data may be processed as follows:
How Your Data Is Processed
- Document text extraction is performed entirely within our own infrastructure. Your original files are not shared with AI providers.
- Relevant excerpts of your document text are sent to our AI providers for analysis. Only the portions necessary for the requested analysis are transmitted.
- Analysis results are stored securely in our database and associated exclusively with your account through strict access controls.
AI Provider Commitments
| Provider | Purpose | Data Retention | Training Use |
|---|---|---|---|
| Anthropic | Contract analysis, risk assessment, chat | Not retained after processing | Not used for training |
| OpenAI | Document processing, supplementary analysis | Not retained after processing | Not used for training (API policy) |
Both providers process data under their respective API terms of service, which explicitly prohibit using API customer data for model training. We maintain Data Processing Agreements (DPAs) with all AI providers to ensure your data is protected.
Data Sharing & Third Parties
We share your personal data only with the following categories of recipients, and only to the extent necessary for the purposes described:
| Recipient | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic | AI-powered analysis | Document text excerpts | United States |
| OpenAI | AI-powered analysis | Document text excerpts | United States |
| Cloud infrastructure provider | Data storage and hosting | Platform data | Singapore |
| Authentication provider | User authentication | Name, email, profile photo | United States |
| Xendit | Payment processing | Transaction data, payment method | Indonesia |
| Hosting provider | Application delivery | Request metadata | Singapore |
| Email service provider | Transactional email | Email address, notification content | United States |
| Error monitoring service | Application reliability | Anonymized error data | United States |
We may also disclose personal data when required to:
- Comply with legal obligations, court orders, or lawful government requests under Indonesian law.
- Protect the rights, property, or safety of Judic AI, our users, or the public.
- Enforce our Terms of Service or investigate potential violations.
- Facilitate a merger, acquisition, or sale of assets (with prior notice to affected users).
We require all third-party recipients to maintain appropriate data protection measures and to process personal data only for the specific purposes described above.
The Platform uses the following cookies and tracking technologies:
| Type | Purpose | Duration | Essential? |
|---|---|---|---|
| Session cookies | Authentication state, CSRF protection | Session | Yes |
| Authentication tokens | Secure session management | Short-lived, auto-rotating | Yes |
| Theme preference | Dark/light mode setting | Persistent | No |
| Analytics | Page views, performance metrics | Session | No |
We do not use advertising cookies, cross-site tracking pixels, or social media tracking scripts. We do not participate in any advertising networks or behavioral targeting programs.
Essential cookies are required for the Platform to function and cannot be disabled. Non-essential cookies can be managed through your browser settings. Disabling non-essential cookies will not affect the core functionality of the Platform.
Data Storage & Security
We implement comprehensive, industry-standard security measures to protect your personal data in accordance with UU PDP Article 35 requirements:
Infrastructure Security
- All data is stored on servers in the Asia-Pacific region (Singapore), ensuring low latency for Indonesian users.
- Data is encrypted at rest and in transit using industry-standard encryption protocols.
- Strict access controls ensure each user can only access their own data — no cross-account data exposure is possible.
- File access is restricted through time-limited, authenticated access mechanisms.
Application Security
- Short-lived, automatically rotating authentication sessions.
- Cryptographic verification of all incoming webhooks and third-party callbacks.
- Input validation and sanitization on all user-submitted data.
- AI-specific security measures to prevent prompt manipulation and ensure analysis integrity.
- Rate limiting and abuse prevention controls.
- Multi-layer file validation to prevent malicious uploads.
Organizational Security
- Access to production systems is restricted to authorized personnel on a need-to-know basis.
- Comprehensive audit logging with 2-year retention for all data access events.
- Regular security assessments and vulnerability monitoring.
- Incident response procedures aligned with UU PDP breach notification requirements.
Cross-Border Data Transfers
Some of our service providers are located outside Indonesia. In accordance with UU PDP Article 56, we ensure that cross-border data transfers are subject to appropriate safeguards:
| Destination | Services | Safeguard Mechanism |
|---|---|---|
| Singapore | Cloud infrastructure, application hosting | Adequate data protection standards; primary data residency location |
| United States | AI analysis providers, authentication, email, monitoring | Data Processing Agreements (DPAs), contractual safeguards, API terms prohibiting data use for training |
| Indonesia | Payment processing | Domestic processing; subject to Indonesian law |
Before transferring personal data to any country, we verify that the receiving country provides an equivalent level of data protection or that adequate contractual safeguards are in place, as required by UU PDP Article 56. We maintain documentation of all cross-border transfer assessments.
If the Indonesian government publishes a list of countries with adequate data protection levels, we will update our transfer mechanisms accordingly.
Data Retention Periods
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specific retention periods are:
| Data Type | Retention Period | After Expiry |
|---|---|---|
| Account data | Active account + 30 days post-deletion | Permanently deleted |
| Uploaded documents | Until user deletes or account closure + 30 days | Permanently deleted |
| Analysis results | Until user deletes or account closure + 30 days | Permanently deleted |
| Chat history | 90 days from creation | Automatically purged |
| Document search indexes | Until source document is deleted | Permanently deleted |
| Audit logs | 2 years | Permanently deleted |
| Payment records | 5 years (Indonesian tax law) | Archived, then deleted |
| Analytics data | Aggregated/anonymized — indefinite | Cannot be traced to individual |
You may request early deletion of your data at any time, subject to legal retention obligations (e.g., tax records must be retained for 5 years under Indonesian tax law). Upon account deletion, we initiate a 30-day grace period during which your account can be recovered. After this period, all personal data is permanently and irreversibly deleted.
Your Rights Under UU PDP
As a data subject (Subjek Data Pribadi) under Indonesian law, you have comprehensive rights over your personal data. We are committed to honoring all data subject rights as defined in UU PDP Chapter IV.
| Right | UU PDP Article | How to Exercise |
|---|---|---|
| Right to Information | Article 5-6 | Review this Privacy Policy; contact DPO for specifics |
| Right of Access | Article 7 | Settings → Data Export, or email privacy@tryjudic.com |
| Right to Correction | Article 8 | Update profile in Settings, or contact support |
| Right to Deletion | Article 9 | Settings → Delete Account, or email request |
| Right to Withdraw Consent | Article 10 | Settings → Data & Privacy, or email request |
| Right to Object | Article 11 | Email privacy@tryjudic.com with specific objection |
| Right to Data Portability | Article 13 | Settings → Data Export (JSON format) |
| Right to Restrict Processing | Article 12 | Email privacy@tryjudic.com |
| Right to Compensation | Article 12 | If we fail to protect your data, file claim via legal@tryjudic.com |
Exercising Your Rights
You can exercise most rights directly through the Platform's Settings page. For rights that require manual processing:
- Send your request to privacy@tryjudic.com with subject line “Data Subject Right Request.”
- Include your registered email address and specify which right you wish to exercise.
- We will verify your identity and respond within 3×24 hours of receiving your request.
- We will fulfill valid requests within 14 business days, or provide a written explanation if we are unable to do so.
We will not charge a fee for processing data subject rights requests unless the request is manifestly unfounded, excessive, or repetitive.
Children's Privacy
The Platform is not directed at children under the age of 18. We do not knowingly collect personal data from children. In accordance with UU PDP Article 25, processing of children's personal data requires explicit consent from a parent or legal guardian.
If we become aware that we have inadvertently collected personal data from a child under 18 without appropriate parental consent, we will take immediate steps to delete such data. If you believe that a child has provided us with personal data, please contact us at privacy@tryjudic.com.
Data Breach Notification
In accordance with UU PDP Article 46, we will notify affected data subjects and the relevant supervisory authority within 3×24 hours (72 hours) of discovering any personal data breach.
Our breach notification will include:
- A description of the nature of the breach and the categories of data affected.
- The approximate number of data subjects affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate potential adverse effects.
- Contact information for our Data Protection Officer.
We maintain a comprehensive incident response plan that includes containment procedures, forensic investigation, notification workflows, and remediation steps. We conduct regular breach simulation exercises to ensure operational readiness.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the “Effective” date at the top of this policy.
- Notify you via email and/or in-app notification at least 30 days before the changes take effect.
- Provide a summary of the key changes for your convenience.
- Where required by UU PDP, obtain your renewed consent for any new or materially different processing activities.
We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after the effective date of a revised Privacy Policy constitutes your acceptance of the changes.
Contact & Data Protection Officer
Data Protection Officer (DPO)
Personal Data Protection Officer (Petugas Pelindungan Data Pribadi), as required by UU PDP Article 53
Our DPO is responsible for overseeing compliance with this Privacy Policy and applicable data protection laws. You may contact the DPO at any time for questions, concerns, or to exercise your data subject rights.
If you believe that we have not adequately addressed your privacy concerns, you have the right to file a complaint with the relevant Indonesian data protection supervisory authority once established under UU PDP, or with the Ministry of Communication and Information Technology (Kementerian Komunikasi dan Informatika).