Privacy Policy
Last updated: 2026-06-02 · Version 1.2
PT Epithre Teknologi Indonesia
Jakarta, Indonesia
Registered Private-Scope Electronic System Operator (PSE Lingkup Privat), Komdigi — TD PSE No. 023750.02/DJAI.PSE/06/2026
Data-protection contact: legal@epithre.com
Summary
For realtime endpoints (chat, embeddings, rerank, images): Epithre does not log or persist the content of your API requests or responses. We store only billing metadata (token counts, timestamps, costs).
For stateful endpoints you explicitly opt into (Files, Batches, Knowledge): content you upload is persisted by design, you need it stored to use the feature. Retention is bounded; full details below.
Our handling of personal data is subject to UU 27/2022 (Pelindungan Data Pribadi).
What we collect
| Category | Examples | Retention |
|---|---|---|
| Account data | Email, hashed password, name (optional), company, country | Account lifetime + 30 days |
| API keys | SHA-256 hash, prefix (first 12 chars), name, scopes | Account lifetime; revoked keys 90 days |
| Usage events | Timestamp, model, endpoint, token counts, cost, latency, HTTP status, cache hits, no request/response content | 90 days |
| Files (you upload) | JSONL batch input/output; documents uploaded with purpose=knowledge | 30 days from upload (or until you delete) |
| Batch records | Batch ID, status, request counts, link to input/output files | 30 days from completion |
| Knowledge chunks | Text chunks extracted from your documents + their embeddings | Until source file deleted |
| Webhook delivery log | Event payloads we POST to your URL, HTTP response status, retry history | 30 days |
| Billing events | Topups, refunds, signup credits, adjustments | 7 years (tax/audit) |
| Audit log | Admin actions, key creation/revocation, suspensions, login events | 365 days |
| Session data | JWT issued at login; stored in your browser localStorage | 24h (auto-expire) |
What we DO NOT collect
- The content of your realtime prompts (chat, embed, rerank, image endpoints), these pass through gateway memory and are discarded after the response returns.
- The content of model responses for realtime endpoints (text completions, embeddings, generated/edited images).
- Retrieval query text, when you call
/v1/retrieval, the query string is embedded server-side but not logged (only the embed-token count is recorded for billing). - Cookies for tracking, fingerprinting, or analytics. We use only a session JWT in localStorage.
- Third-party trackers, advertising IDs, or social plugins.
- IP addresses are not persisted with usage events. They appear transiently in nginx/Caddy access logs (7-day rotation).
How we use data
- Account data, to authenticate you, contact you about your account, and prevent abuse.
- Usage data, to bill correctly and to detect/respond to abuse (e.g., rate-limit abusers, high-error patterns).
- Audit log, to detect unauthorized access and for compliance audits.
Legal basis for processing
We process personal data on the bases recognised in Article 20 of UU PDP:
- Performance of a contract, to create your account, authenticate you, and deliver the API services you request.
- Legal obligation, to retain billing and tax records and to respond to lawful requests from Indonesian authorities.
- Legitimate interests, to secure the platform, prevent and investigate abuse, and keep audit logs, balanced against your rights and freedoms.
- Consent, for any optional processing we ask you to opt into (e.g., product announcements). You may withdraw consent at any time.
Automated decision-making
We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing. Automated abuse signals may rate-limit or temporarily block an API key, but account suspension or termination involves human review (UU PDP Art. 10).
Children's data
The platform is intended for businesses and developers and is not directed to children under 18. We do not knowingly collect children's personal data; where a user is a child, processing requires verifiable consent from a parent or guardian (UU PDP Art. 25–26). Email legal@epithre.com if you believe a child has provided us data and we will delete it.
Third parties
Your prompts and outputs do flow through Epithre infrastructure (FastAPI gateway → backend inference servers in Jakarta data center). No third-party AI provider (OpenAI, Anthropic, Google, etc.) is in the request path. Our models are self-hosted.
For payment processing during the alpha period: we exchange invoices via email. Payment is via bank transfer or other methods you arrange directly with us, no payment processor sees your billing details unless you choose to use one. Stripe / Midtrans integration is planned for general availability.
Your rights
Under UU 27/2022 you have the following rights as a data subject:
- Access, request a copy of your account data via legal@epithre.com. We respond within 7 business days.
- Deletion, request account deletion. We will erase your account and all linked data within 30 days, except where retention is required by law (billing records 7 years).
- Correction, change your email, name, company, country via the Settings page or by emailing support.
- Portability, request your usage logs and uploaded files as CSV / JSONL exports.
- Object to processing, disable specific features (e.g., audit logging beyond what's needed for security) by contacting support.
- Withdraw consent, at any time. Withdrawal does not retroactively invalidate processing that took place while consent was valid.
- Lodge a complaint, with the competent data protection authority (Lembaga Pelindungan Data Pribadi) if you believe your rights under UU PDP have been infringed.
Enterprise customers may request a Data Processing Agreement (DPA) covering controller-processor responsibilities under UU PDP.
Data location & residency
All servers physically located in Jakarta, Indonesia. Inference models are self-hosted on our hardware. We do not transfer data outside Indonesia under normal operation. Outbound HTTP webhook deliveries go to URLs you specify, if you point them at an overseas endpoint, that's an export you control.
Security
- All API and dashboard traffic is TLS 1.2+ encrypted.
- Passwords are hashed with Argon2id.
- API keys are stored as SHA-256 hashes (we cannot recover the original).
- Backend services are isolated on a private network (LAN-only inference endpoints).
No system is perfectly secure. If you discover a vulnerability, please email hello@epithre.com with subject "Security disclosure".
Data breach notification
If a personal data breach occurs that threatens your rights as a data subject, we will notify you and the competent data protection authority within 3×24 hours (72 hours) of becoming aware of it — describing the data affected, when and how the breach occurred, and the mitigation steps we are taking (UU PDP Art. 46).
Changes
We will email you 14 days before any material change to this policy.
Contact
Data protection & privacy: legal@epithre.com
General & account support: hello@epithre.com