Privacy Policy
This Privacy Policy explains what personal data AIport collects, how we use it, and the rights you have. We comply with Indonesia's Personal Data Protection Law (UU No. 27/2022, “UU PDP”). If you are accessing AIport from outside Indonesia, additional local rules may apply to you.
1. Who we are
The controller of your personal data is Pt Digital Media Inovatif, a limited liability company established under Indonesian law (the "Company"). For any privacy-related question, you can reach us at support@aiport.id.
2. What we collect
2.1 Account data
- Name and email address (required to create an account).
- Hashed password (we never store passwords in plain text).
- Email verification status and login timestamps.
2.2 Billing data
- Top-up amounts, the unique matching code, and the date of each transfer.
- Sender bank-account details supplied by our bank reconciliation provider (Moota) — used only to match a transfer to your account. We do not store full account numbers beyond what is needed for reconciliation and accounting records.
- Credit balance and a per-request usage ledger (model, tokens, IDR cost).
2.3 API & product usage
- API keys (stored as hashes; the secret is shown only once at creation).
- Prompts and outputs submitted through the API, the playground, and the chat surface (see §3 for retention).
- Uploaded files (images for img2img, source images for img2video, audio/video for multimodal) stored in Cloudflare R2 under uploads/{userId}/....
- Job metadata: provider selected, latency, success/failure, error reason, and IDR cost.
2.4 Technical data
- IP address, browser user-agent, country (derived from IP), and request timestamps.
- Session cookies for keeping you signed in to the dashboard.
- Anti-abuse signals (e.g. unusual request patterns, repeated failed logins).
We do not collect: government ID numbers, biometric data, payment-card numbers, or health data. AIport is not directed at children under 18, and we do not knowingly collect data from them.
3. How we handle prompts & outputs
This is the part developers care about most, so it gets its own section.
- We do not train models on your prompts or outputs. AIport does not build its own foundation models.
- Forwarding: to fulfil your request, prompts and inputs are forwarded to the model provider you selected (or that our smart router chose). Each provider has its own privacy and retention policy; we list the active providers on /pricing.
- Retention: we keep request & output records for up to 30 days in the jobs table for billing reconciliation, abuse investigation, and customer support. After 30 days the prompt and output text/URLs are deleted; only billing metadata (model, token count, IDR cost, timestamp) is retained for accounting purposes.
- Uploaded files stored in R2 are retained for 30 days, then deleted on a scheduled cleanup job.
- Abuse / safety: we may retain a specific request beyond 30 days if it is relevant to an investigation of a Terms violation, a legal request, or a security incident.
4. Why we use your data (legal basis)
- To provide the service — fulfilling our contract with you (Art. 20(b) UU PDP).
- To bill correctly and prevent fraud — our legitimate interest and our legal obligation (tax / accounting).
- To secure the platform — our legitimate interest in protecting AIport, other users, and upstream providers.
- To send transactional emails (verification, top-up confirmation, account alerts) — performance of contract.
- To send product updates — only with your consent; you can opt out anytime.
5. Who we share data with
We share the minimum necessary data with a small set of vetted processors:
- Cloudflare — hosting (Workers), database (D1), object storage (R2), edge delivery, DDoS protection.
- Model providers — OpenAI, Anthropic, Google, DeepSeek, RunningHub, and others listed on /pricing. They receive your prompt (and any input file) so they can produce a response.
- Moota — Indonesian bank reconciliation; receives bank-transfer metadata so we can match top-ups to your account.
- Email provider — sends transactional and (with consent) product emails.
- Authorities — only where compelled by a valid Indonesian legal request.
We do not sell your personal data, and we do not share it with advertising networks.
6. International transfers
Some processors (Cloudflare, model providers) operate globally. When data is transferred outside Indonesia, we rely on contractual safeguards consistent with Art. 56 UU PDP.
7. Security
- All traffic is encrypted in transit (HTTPS / TLS).
- Passwords are hashed with a slow modern algorithm.
- API keys are stored as hashes; the secret is shown only once.
- Admin access is gated by password + TOTP and audited.
- Database backups are managed by Cloudflare D1.
No system is 100% secure. If we discover a personal-data breach that is likely to put your rights at risk, we will notify you and the relevant authority within 72 hours of becoming aware of it, as required by UU PDP.
8. Your rights (UU PDP)
Subject to the law, you have the right to:
- Know what personal data we hold about you and how it is processed.
- Correct inaccurate or incomplete personal data.
- Delete personal data that is no longer needed, or where consent is withdrawn.
- Restrict or object to processing in certain situations.
- Receive a copy of your data in a structured, commonly used format (portability).
- Withdraw consent for processing based on consent (e.g. marketing emails).
- Lodge a complaint with the Indonesian personal-data-protection authority if you believe we have not handled your data correctly.
To exercise any of these rights, email support@aiport.id. We will respond within 30 days. Some rights may be limited where we have a legal obligation to retain data (e.g. tax records).
9. Cookies
We use only strictly-necessary cookies — primarily a session cookie that keeps you signed in to the dashboard. We do not use third-party advertising or cross-site tracking cookies.
10. Data retention summary
- Account record: while your account is active, plus up to 12 months after closure.
- Billing & tax records: 10 years from the transaction (Indonesian tax law).
- Prompts, outputs, uploaded files: 30 days, then deleted.
- Job metadata (model, cost, timestamps): kept for the lifetime of the account for usage history.
- Server logs: up to 30 days.
11. Changes to this policy
We may update this policy when our practices change. Material changes will be announced in the dashboard or by email at least 14 days before they take effect.
12. Contact
Privacy questions, data-subject requests, or breach reports — support@aiport.id.