Privacy Policy

How PT Sarana Digital Bangsa collects, uses, shares, and protects Personal Data in connection with the Sapa omnichannel conversation management platform. Read alongside our Terms and Conditions.

Last updated
13 May 2026
Data controller
PT Sarana Digital Bangsa
Governing law
Republic of Indonesia
Overview

Preamble

This Privacy Policy describes how PT Sarana Digital Bangsa (“Sapa”, “we”, “us”, or “our”) collects, uses, shares, and protects Personal Data in connection with the Sapa omnichannel conversation management platform (the “Platform”).

Sapa is a business-to-business service. When a company or organisation (the “User”) uses the Platform to communicate with its own customers or end users (each an “End User”), the User is generally the controller of End User Personal Data and Sapa acts as a processor on the User’s behalf. Sapa is the controller of Personal Data relating to the User’s own account holders (administrators and human agents) and certain operational data we generate ourselves (for example, audit logs).

This Policy is governed by the laws of the Republic of Indonesia, including Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”) and any implementing regulations.

Part I

Data Handling

What Personal Data we process, how we use it, with whom we share it, and how we keep it secure.

A

Definitions

Personal Data
Any information relating to an identified or identifiable natural person as defined under the PDP Law.
End User
A natural person who interacts with the User via a conversation, OTP, or other Platform-mediated message.
Subprocessor
A third party engaged by Sapa to process Personal Data on behalf of the User in connection with the provision of the Platform.
Account User
An administrator or human agent who logs in to the Platform on behalf of the User.
Audit Log
Operational records the Platform generates when it sends, receives, or processes messages, OTPs, and other events.
B

Personal Data we collect

01
Account data
When the User registers an Account User, we collect their name, email address, role (administrator or human agent), hashed authentication credentials, and any avatar or profile information the Account User provides.
02
End User data received through channels
When the User connects a messaging channel (WhatsApp Business Cloud API or Telegram Bot API), we receive and store messages and metadata sent by End Users to the User, which may include:
  • Message bodies and structured content;
  • File attachments (images, documents, audio, video, stickers);
  • End User identifiers (such as WhatsApp phone numbers or Telegram user IDs);
  • Display names and avatars provided by the channel;
  • Delivery, read, and typing-status events.
03
OTP delivery data
Where the User uses the Platform to deliver one-time passwords via WhatsApp authentication templates, we process the recipient phone number, the OTP code, the template metadata, and the delivery state returned by the channel (accepted, sent, delivered, read, or failed) for each send.
04
Operational and audit data
The Platform automatically generates Audit Logs of inbound webhooks, outbound sends, and OTP attempts, including request and response bodies, HTTP status, duration, and error details. We also record assignment events between human agents and AI, and timestamps such as the last time an API key was used.
05
Technical data
When an Account User accesses the Platform, we may process technical data such as IP address, user-agent, session tokens, and request timestamps for security and troubleshooting purposes.
C

How we use Personal Data

01
Providing the Platform
We process Personal Data to deliver the core service: routing messages between End Users and the User’s agents, storing conversation history, displaying conversations in the dashboard, delivering OTPs through approved WhatsApp templates, and serving file attachments.
02
AI-assisted reply generation
When AI-assisted reply generation is invoked, the relevant conversation context is transmitted to a third-party generative AI provider integrated with the Platform so that the model can produce a suggested or sent reply. Sapa is provider-agnostic and may change the underlying model or provider from time to time.
03
Security, audit, and abuse prevention
We use Audit Logs and technical data to detect, investigate, and respond to security incidents, abuse of the Platform or API keys, channel-policy violations, and to comply with requests from the channel operators (Meta and Telegram).
04
Service improvement
We use aggregated and de-identified metrics derived from Platform usage to monitor reliability, capacity, and performance and to improve the Platform. We do not use End User message content to train generative AI models.
05
Legal and contractual obligations
We may process Personal Data to perform our contract with the User, to comply with our legal obligations, and to enforce our Terms and Conditions.
D

Legal basis under the PDP Law

Where we act as a processor on behalf of the User, the User is responsible for establishing and documenting a valid legal basis under the PDP Law for the processing it instructs us to perform, and for obtaining any consents required from End Users. Where we act as a controller (for example, in respect of Account User data and Audit Logs), we rely on one or more of the following:

  • Performance of a contract with the User or the Account User;
  • Compliance with a legal obligation to which Sapa is subject;
  • Our legitimate interests in operating, securing, and improving the Platform, where these are not overridden by the rights and freedoms of the data subject;
  • Consent, where consent is the appropriate basis and has been validly obtained.
E

Sharing and Subprocessors

Sapa engages the following categories of Subprocessors to provide the Platform. By configuring the relevant feature, the User authorises the corresponding data flow:

  • Meta Platforms, Inc. (WhatsApp Business Cloud API) — receives message bodies, attachments, End User phone numbers, OTP codes, and template metadata necessary to deliver WhatsApp messages.
  • Telegram Messenger LLP (Telegram Bot API) — receives message bodies, attachments, End User Telegram identifiers, and typing indicators necessary to deliver Telegram messages.
  • Generative AI provider(s) integrated with the Platform — receives conversation context as prompts when AI-assisted reply generation is invoked. Sapa is provider-agnostic and may change the underlying model provider without notice; the current list is available on request.
  • S3-compatible object storage provider — stores and serves file attachments uploaded by Users or End Users.
  • Cloud infrastructure providers — host the Platform's databases, queues, and application servers under contractual confidentiality and security obligations.

We may also disclose Personal Data to competent authorities where required by applicable law, court order, or to protect the rights, property, or safety of Sapa, our Users, or the public.

F

International transfers

Some of our Subprocessors are established outside the Republic of Indonesia. Where Personal Data is transferred outside Indonesia, Sapa will rely on a lawful transfer mechanism recognised under the PDP Law, including assessing the level of protection in the destination jurisdiction and entering into contractual safeguards with the receiving party.

G

Retention

01
We retain conversation messages, customer profiles, attachments, and OTP send history for as long as the User’s account is active, unless a shorter retention period is agreed in the Usage Agreement or required by law.
02
Audit Logs are retained for operational, troubleshooting, and compliance purposes. They are not subject to a fixed time-to-live and may contain Personal Data; the User is responsible for ensuring this retention model is consistent with disclosures the User has made to its End Users.
03
When the Usage Agreement ends, the User shall have thirty (30) days to export its data from the Platform, after which Sapa may delete End User and conversation data unless retention is required by law. Operational and security logs may be retained for longer where necessary to comply with legal obligations or to defend legal claims.
H

Data subject rights

Subject to the PDP Law and other applicable data-protection laws, data subjects have the right to:

  • Obtain information about the Personal Data we process about them;
  • Request access to, correction of, or completion of their Personal Data;
  • Request erasure or restriction of processing of their Personal Data, subject to lawful grounds for continued retention;
  • Object to processing or withdraw consent (where processing is based on consent);
  • Request portability of Personal Data in a structured, commonly used format;
  • Lodge a complaint with the competent supervisory authority.

Because End User Personal Data is processed on the User’s instructions, End User requests should generally be directed to the User. Where Sapa receives a request directly from an End User, we will forward it to the relevant User and assist the User in responding. Account Users may exercise their rights by contacting us using the details in Part III.C.

I

Security

Sapa implements technical and organisational measures designed to protect Personal Data against unauthorised access, alteration, disclosure, or destruction. These measures include role-based access control, encrypted transport, presigned URLs with short expiry for file attachments, authentication and authorisation on all API surfaces, and segregation of customer data by tenant. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

J

Children

The Platform is not directed to individuals under the age of majority in their jurisdiction. We do not knowingly collect Personal Data from such individuals. If you become aware that a child has provided us with Personal Data in violation of applicable law, please contact us so that we can take appropriate action.

Part II

Channel-Specific Notices

Additional disclosures that apply when the User connects a particular messaging channel or feature.

A

WhatsApp Business Cloud API

The WhatsApp Business Cloud API is operated by Meta Platforms, Inc. When the User connects a WhatsApp Business Account, End User phone numbers, message content, attachments, and OTP codes are processed by Meta in accordance with Meta’s own privacy policies. The User is responsible for: (i) obtaining the consents required under applicable law for messaging End Users on WhatsApp; (ii) complying with the WhatsApp Business Messaging Policy; and (iii) honouring opt-out requests.

B

Telegram Bot

The Telegram Bot API is operated by Telegram Messenger LLP. When the User connects a Telegram bot, End User Telegram identifiers, message content, and attachments are processed by Telegram in accordance with its own privacy policies. The User is responsible for compliance with Telegram’s Bot API Terms of Service and applicable law.

C

AI-Assisted Reply Generation

When AI-assisted reply generation is invoked, the relevant conversation context is transmitted to a third-party generative AI provider integrated with the Platform. Sapa is provider-agnostic and may change the underlying model or provider from time to time. The User must not submit to the AI features any Personal Data the User is not legally entitled to share with a generative AI Subprocessor, and should consider the sensitivity of the data being shared.

Part III

General

A

Cookies and local storage

The Platform dashboard uses strictly necessary cookies and browser local storage to keep Account Users signed in and to preserve session state (for example, the currently selected workspace). We do not use advertising cookies or third-party analytics that profile Account Users.

B

Changes to this Policy

01
Sapa may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page.
02
Material changes will be communicated to the User with reasonable advance notice through the Platform, by email, or by other appropriate means.
03
Continued use of the Platform after the effective date of a revised Privacy Policy constitutes acceptance of the revised Policy.
C

Contact

For questions about this Privacy Policy, to exercise your data-subject rights, or to request our current list of Subprocessors, please contact us using the details below.

Data controller
PT Sarana Digital Bangsa
Business hours
Mon – Fri, 09:00 – 17:00 (UTC+7)

This Privacy Policy was last updated on 13 May 2026. We recommend that you review this Policy periodically to stay informed about how Sapa processes Personal Data.