Privacy Policy
Last Updated: June 21, 2026. Envoyou is committed to safeguarding your personal and workspace data.
1. Identity of the Data Controller
For the purposes of applicable data protection laws, including the Indonesian Law on Personal Data Protection (UU PDP No. 27/2022) and the European Union General Data Protection Regulation (GDPR), the Data Controller is:
Operator: Envoyou (Registered Business Operator)
Business Identification Number (NIB): Registered under the NIB Framework of the Republic of Indonesia
Electronic System Operator (PSE): Registered with the Ministry of Communication and Informatics (Kominfo), Republic of Indonesia
Registered Address: Banyuwangi, Jawa Timur, Indonesia
Contact Email: support@envoyou.com
2. Legal Basis for Processing
We process your personal data under the following legal bases established by UU PDP (Chapter V) and GDPR Article 6(1):
- Contractual Necessity (GDPR Art. 6(1)(b) / UU PDP Art. 20): To perform the services you register for, including authentication, setting up Clerk organizations, processing subscription transactions, and running editorial polishing cycles.
- Legitimate Interests (GDPR Art. 6(1)(f) / UU PDP Art. 20): To maintain site security, analyze and optimize page performance, detect credit card fraud, and prevent spam/abuse of our trial balances.
- Consent (GDPR Art. 6(1)(a) / UU PDP Art. 20): For optional marketing communications, newsletters, or third-party tracking cookies (which can be withdrawn at any time).
3. AI Data Processing Safeguards
As an AI-driven Editorial Intelligence system, Envoyou enforces strict data confidentiality parameters to protect your proprietary intellectual assets:
- No LLM Training: All drafts, source notes, scraped reference URLs, and outlined articles processed through the Envoyou EAI workspace are submitted to Google LLC's Gemini API via secure commercial developer API endpoints. Under our enterprise terms, your data is never used to train Google's public large language models (LLMs).
- Encrypted API Credentials: Your external CMS access tokens, API keys, and database secrets are encrypted at rest using industry-standard AES-256-GCM. Decryption keys are managed securely and are never sent or exposed to the browser client.
4. Information We Collect
- Visitor Data: IP addresses, browser agents, geographic region, and click path logs collected via analytics cookies on envoyou.com.
- Account Information: Workspace name, user email, profile photo, and associated organization roles synced via our identity partner, Clerk.
- Workspace Inputs: Article drafts, outlines, URL references, briefs, and categories uploaded to the EAI Editor.
- Payment Metadata: Transaction totals, subscription status, and billing logs. We do not store full credit card numbers directly on our servers; payments are processed securely by our licensed gateway partner, Midtrans.
5. Data Retention Schedule
We retain personal and workspace data according to the following retention schedule, after which data is securely deleted or permanently anonymized:
| Data Category | Retention Period | Action Upon Expiry |
|---|---|---|
| Marketing Cookie Logs (GA4) | Up to 14 months from visit | Automatic deletion by Google Analytics |
| Draft Inputs & Refinement Logs | During active membership subscription | Permanent database wipe within 30 days of manual deletion by user or account closure |
| Identity & Auth Metadata (Clerk) | Duration of active account | Deleted within 30 days of account termination |
| Financial Transactions & Taxes | 7 years after the fiscal year end | Retained to comply with Indonesian tax audit and corporate accounting requirements |
6. Third-Party Data Processors
We share specific data subsets with third-party service providers (data processors) who assist us in operating our Site and Service under strict data protection agreements:
- Clerk Inc.: Identity provider, managing account logins and security profiles.
- Google LLC (Gemini API): Primary Large Language Model API, utilized to process and rewrite draft content.
- Vercel Inc.: Frontend deployment and serverless edge hosting infrastructure.
- DigitalOcean LLC: Cloud VPS hosting provider for the EAI application backend.
- PT Cloud Hosting Indonesia (Biznet Gio): Local VPS hosting provider for the blog back-end infrastructure.
- Supabase, Inc. & Neon Database: Cloud database platforms hosting the blog and EAI databases respectively.
- Cloudflare, Inc.: DNS routing, content delivery network (CDN) caching, and DDoS security logs.
- PT Midtrans: Licensed Indonesian payment gateway, securely managing local subscription checkouts and billing renewals.
7. International Data Transfers (Cross-Border)
Because our technical architecture is distributed, personal data and article drafts may be transferred to, stored, and processed in cloud databases located outside of the Republic of Indonesia (including Singapore and the United States) by our processors (such as DigitalOcean, Neon, Supabase, and Google Cloud).
Under Indonesian Law No. 27/2022 on Personal Data Protection (UU PDP) and GDPR, we ensure all cross-border transfers are governed by standard data protection clauses and strict encryption protocols to guarantee your data privacy is maintained at all times.
8. Data Security Standards
To prevent unauthorized access, data leaks, or processing errors, we maintain the following security measures:
- Enforcing SSL/TLS encryption for all data transit.
- Enforcing AES-256 cryptographic standards for all database credentials and third-party secrets.
- Routine vulnerability checks and restriction of internal access to operational logs.
9. Your Rights & Contact Details
Under UU PDP and GDPR, you have the right to access, rectify, port, restrict processing of, or request the deletion of your personal data. You may also lodge a complaint with your local data protection supervisory authority.
To exercise your rights, please submit a request to our data protection team at: support@envoyou.com.