Privacy Policy
Effective Date: February 18, 2026 · Last Updated: March 5, 2026
This Privacy Policy explains how Calm Stoic, developed and operated by Neurakara Labs ("Neurakara Labs", "we", "us", or "our"), collects, uses, stores, shares, and protects your personal data when you use the Calm Stoic mobile application ("the App"). This policy is drafted in compliance with Indonesia's Personal Data Protection Law (UU No. 27 Tahun 2022, "UU PDP"), Government Regulation No. 17 of 2025 on Child Online Protection, the European Union General Data Protection Regulation (GDPR) where applicable, and Google Play Store policies.
1. Data Controller
The data controller responsible for your personal data is:
For any questions regarding the processing of your personal data, you may contact our Data Protection Officer at dpo@calmstoic.com.
2. Definitions
In this Privacy Policy:
- "Personal Data" means any information relating to an identified or identifiable individual, as defined by Article 1(1) of UU PDP.
- "General Personal Data" means personal data such as full name, email address, and device identifiers.
- "Specific Personal Data" (Sensitive Data) means personal data requiring heightened protection, including health data, biometric data, children's data, and financial data, as defined by Article 4(2) of UU PDP.
- "Processing" means any operation performed on personal data, including collection, storage, modification, disclosure, transfer, and deletion.
- "AI Personas" means the artificial intelligence-powered virtual characters in the App (Fannia, Epictetus, Seneca, and Marcus Aurelius) that generate conversational responses using large language models.
3. Data We Collect
We collect the following categories of personal data. Under UU PDP, much of this data qualifies as Specific Personal Data due to its health-related and sensitive nature.
3.1 Account Information (General Personal Data)
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication, communication | Consent + Contract |
| Display name | Personalization within the App | Consent |
| Password (hashed) | Account security | Contract |
| Authentication method preference | Login (email, biometric, PIN) | Contract |
3.2 Chat & Conversation Data (Specific Personal Data)
| Data | Purpose | Legal Basis |
|---|---|---|
| Chat messages (text) | AI persona responses, memory building, personalization | Explicit Consent |
| Chat history (per session) | Contextual AI responses within a conversation | Explicit Consent |
| Session metadata (timestamps, duration) | Usage analytics, quality improvement | Legitimate Interest |
| Message embeddings (numerical vectors) | Semantic memory search for personalization | Explicit Consent |
| Images uploaded in chat (Stoa tier) | Multimodal AI analysis | Explicit Consent |
3.3 Journal Data (Specific Personal Data)
| Data | Purpose | Legal Basis |
|---|---|---|
| Free-form journal text | Personal journaling, AI insights | Explicit Consent |
| Guided journal responses | Structured reflection exercises | Explicit Consent |
| Journal entry type (free, morning, evening, guided) | Feature personalization | Legitimate Interest |
| AI-generated journal insights | Reflective feedback | Explicit Consent |
3.4 Mood & Emotion Data (Specific Personal Data)
| Data | Purpose | Legal Basis |
|---|---|---|
| Daily mood check-ins | Mood tracking, pattern visualization | Explicit Consent |
| Emotional state indicators | Emotional context for AI responses | Explicit Consent |
| Emotion labels | Emotion analysis, session context | Explicit Consent |
| Emotion source | Data attribution | Legitimate Interest |
3.5 AI Memory Data (Specific Personal Data)
The App's AI memory system extracts and stores personalization data from your interactions to provide increasingly tailored guidance. This may include your preferences, topics of interest, personal context, behavioral patterns, goals, and progress milestones.
Memory data is periodically consolidated and low-relevance data is automatically archived over time.
3.6 Assessment & Profile Data
| Data | Purpose | Legal Basis |
|---|---|---|
| Onboarding assessment answers (challenges, life stage, triggers, preferences) | Philosopher recommendation, personalization | Consent |
| Preferred persona | Default chat companion | Consent |
| Goals | Personalized guidance | Consent |
| Notification preferences | Communication settings | Consent |
3.7 Subscription & Transaction Data (Specific Personal Data)
| Data | Purpose | Legal Basis |
|---|---|---|
| Subscription tier (Free, Premium, Stoa) | Feature access control | Contract |
| Subscription status & expiration | Billing management | Contract |
| Transaction ID (from Apple App Store or Google Play) | Payment verification | Contract + Legal Obligation |
| Stoic Seeds balance & transaction history | In-app economy | Contract |
We do not directly collect or store your payment card details. All payment processing is handled by the Apple App Store, Google Play, and our subscription management provider.
3.8 Device & Technical Data (General Personal Data)
| Data | Purpose | Legal Basis |
|---|---|---|
| Device model, OS, OS version | Compatibility, crash diagnostics | Legitimate Interest |
| App version | Feature availability, debugging | Legitimate Interest |
| IP address (hashed) | Security, rate limiting | Legitimate Interest |
| Firebase Cloud Messaging token | Push notifications | Consent |
| Crash reports and stack traces | App stability improvement | Legitimate Interest |
| Session identifiers (anonymous) | Analytics | Legitimate Interest |
3.9 Biometric Data (Specific Personal Data)
If you enable biometric authentication (fingerprint, face recognition), the biometric data itself is processed and stored exclusively on your device within its secure enclave (iOS Keychain / Android Keystore). We do not transmit, access, or store your biometric data on our servers. We only store a boolean flag indicating that biometric authentication is enabled for your account.
3.10 Usage & Analytics Data
We collect anonymized and pseudonymized usage events to improve the App, including:
- App lifecycle events (open, close, background, foreground)
- Feature usage (chat started, journal entry created, lesson completed, exercise completed)
- Navigation and screen views
- Quest and streak progress
- Onboarding completion steps
These events are associated with a pseudonymous user ID and do not contain the content of your messages, journal entries, or mood data.
3.11 Feedback & Rating Data
| Data | Purpose | Legal Basis |
|---|---|---|
| User-submitted feedback text | Product improvement, feature prioritization | Consent |
| Suggestion type / category | Feedback classification | Consent |
| In-app rating responses | User satisfaction measurement | Legitimate Interest |
| Device info collected with feedback (platform, OS version, app version) | Debugging, context for reported issues | Legitimate Interest |
4. How We Use Your Data
4.1 Providing the Service
- Generating AI persona responses based on your messages, emotional context, and memory
- Building and maintaining the AI memory system to personalize your experience over time
- Performing emotion analysis to adapt tone and recommendations
- Generating AI insights for journal entries
- Processing mood check-ins and displaying trends
- Managing your subscription and in-app economy (Stoic Seeds)
- Delivering push notifications (reminders, daily quotes, quest updates)
4.2 Safety & Crisis Detection
We operate an automated safety system that analyzes message content to detect potential crisis situations (self-harm, suicidal ideation). This system:
- Uses multiple layers of analysis to identify concerning content
- Triggers an immediate compassionate response with crisis resources when a potential crisis is detected
- Does not notify third parties or authorities — it provides resources directly to the user
Legal basis: Vital interests of the data subject (UU PDP Article 20(d); GDPR Article 6(1)(d) and Article 9(2)(c)).
4.3 Improvement & Analytics
- Analyzing aggregated, anonymized usage patterns to improve features
- Monitoring app performance and fixing crashes
- Conducting A/B testing for feature optimization
Legal basis: Legitimate interest.
4.4 AI Transparency & Emotion Analysis
In compliance with the EU AI Act (Regulation 2024/1689) Article 50 and California SB 243, we provide the following transparency disclosures about AI processing in Calm Stoic:
- AI personas are fictional characters: Fannia, Epictetus, Seneca, and Marcus Aurelius are AI-powered virtual characters — they are not real people, licensed professionals, or human operators.
- Emotion analysis: Every message you send is automatically analyzed for emotional content (valence, arousal, and emotion labels) to personalize the AI's tone, recommendations, and crisis detection responses.
- Automated memory extraction: The AI system automatically extracts facts, preferences, behavioral patterns, and personal context from your conversations to build a personalization profile over time.
- User control: You can disable AI memory, manage your preferences, and review extracted memories at any time in the App's Settings. You can also request deletion of all AI memory data.
- Right to object: You have the right to object to automated emotional processing and memory extraction. See Section 9.6 for details on exercising this right.
Legal basis: Explicit Consent + Legitimate Interest (for safety-related emotion analysis).
4.5 Do Not Sell or Share
We do not sell, rent, or share your personal data for cross-context behavioral advertising, profiling for third parties, or with data brokers. This commitment applies to all users regardless of jurisdiction, and is consistent with the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), and equivalent US state privacy laws.
4.6 Communication
- Sending service-related notifications (account verification, password reset, subscription updates)
- Responding to support inquiries
Legal basis: Contract performance + Consent.
5. AI Processing & Automated Decision-Making
Calm Stoic relies extensively on artificial intelligence. This section provides transparency about how AI processes your data, as required by UU PDP and GDPR.
5.1 AI Models Used
Your data is processed by third-party large language models (LLMs) accessed through OpenRouter (an API gateway). The following providers are currently used:
- OpenAI (GPT): Chat responses, journal insights, answering questions, and emotion analysis
- Google (Gemini): Memory consolidation, breakthrough detection, reasoning tasks, and image analysis
- Mistral AI (Mistral): Text extraction and summarization
The specific models and providers used may change over time as we improve the service. We will update this policy accordingly.
5.2 What Data is Sent to AI Providers
When you interact with AI personas, the following data may be included in the AI prompt:
- Your current message
- Recent chat history for conversational context
- Relevant AI memories for personalization
- Your current emotional state
- Persona personality and instructions (not your data)
- Conversation summary (for longer sessions)
- Images you upload (Stoa tier only)
Your data is not used by AI model providers for training their models. We use API endpoints that contractually prohibit the use of input/output data for model training.
5.3 Automated Decision-Making
The App makes the following automated decisions based on your data:
- Emotion analysis: Automatically determines your emotional state from messages to adjust AI tone
- Crisis detection: Automatically flags potential crisis situations and overrides normal AI responses
- Memory consolidation: Automatically categorizes and prioritizes information from your conversations
- Memory decay: Automatically archives memories deemed less relevant over time
- Exercise recommendations: Suggests breathing or grounding exercises based on emotional state
- Quest generation: Creates personalized daily challenges based on your usage
Under UU PDP Article 10 and GDPR Article 22, you have the right to object to automated decision-making. See Section 9 (Your Rights) for details.
6. Third-Party Services & Data Sharing
We share your data with the following third-party service providers, solely for the purposes described. We do not sell your personal data to any third party.
| Service | Country | Data Shared | Purpose |
|---|---|---|---|
| OpenRouter (API gateway) | United States | Chat messages, journal text, emotion data, images (Stoa) | AI model routing |
| OpenAI | United States | Chat messages, journal text, emotion data | AI response generation, emotion analysis |
| Google (Gemini) | United States | Memory data, chat context, images (Stoa) | Memory consolidation, image analysis |
| Mistral AI | France | Chat messages | Text extraction, summarization |
| Subscription Management | United States | User ID, subscription status, transaction IDs | In-app purchase processing |
| Product Analytics | United States | Pseudonymous user ID, usage events, device info | Product analytics and improvement |
| Crash Reporting | United States | Crash logs, device info | App stability monitoring |
| Push Notifications | United States | Device token, notification payload | Sending push notifications |
| Database & Authentication | Indonesia | All user data | Data storage, authentication |
Each third-party provider processes data under their own privacy policy and our data processing agreements. You may request a list of specific providers by contacting privacy@calmstoic.com.
7. Cross-Border Data Transfer
Your primary data is stored on our self-hosted servers in Indonesia. However, certain data is transferred to third-party service providers located in the United States, as detailed in Section 6.
In accordance with UU PDP and MOCI Regulation 20/2016, we ensure the following safeguards for cross-border data transfers:
- Contractual safeguards: We maintain data processing agreements with all third-party providers that include obligations equivalent to or exceeding the protections of UU PDP.
- Explicit consent: During account registration, you will be asked to provide explicit consent for the transfer of your data to third-party AI and analytics providers located outside Indonesia.
- Regulatory reporting: We report cross-border data transfers to the relevant Indonesian regulatory authority as required.
For EU/EEA users: Transfers to the United States are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other applicable transfer mechanisms under GDPR Chapter V.
8. Data Retention
| Data Category | Retention Period | After Account Deletion |
|---|---|---|
| Account information | Duration of account | Deleted within 30 days |
| Chat messages | Duration of account | Deleted within 30 days |
| Journal entries | Duration of account | Deleted within 30 days |
| Mood & emotion data | Duration of account | Deleted within 30 days |
| AI memory data | Active memories: duration of account. Low-relevance data auto-archived over time | Deleted within 30 days |
| Message embeddings (vectors) | Duration of account | Deleted within 30 days |
| Subscription & transaction records | Duration of account + 5 years (legal/tax requirement) | Retained for legal compliance |
| Stoic Seeds transaction history | Duration of account + 1 year | Anonymized after deletion |
| Usage analytics | Up to 7 years (provider retention) | Pseudonymized; cannot be linked to deleted account |
| Crash reports | 90 days | Automatically expired |
| Server-side caches | Short-lived (minutes to hours) | Auto-expired |
When you delete your account, we initiate a cascading deletion of all personal data from our databases within 30 days. Data that has already been transmitted to third-party providers is subject to their respective retention policies. Anonymized or aggregated data that cannot be used to identify you may be retained indefinitely for statistical purposes.
9. Your Rights
Under UU PDP (Articles 5-14) and GDPR (Articles 15-22), you have the following rights regarding your personal data:
9.1 Right to Information (UU PDP Art. 5; GDPR Art. 13-14)
You have the right to know what personal data we collect, how it is processed, and who has access to it. This Privacy Policy serves as our primary disclosure.
9.2 Right of Access (UU PDP Art. 6; GDPR Art. 15)
You may request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format (JSON) within 30 days of your request.
9.3 Right to Rectification (UU PDP Art. 7; GDPR Art. 16)
You may request correction of inaccurate or incomplete personal data. You can update your display name and profile information directly in the App. For other corrections, contact us.
9.4 Right to Deletion (UU PDP Art. 8; GDPR Art. 17)
You may request deletion of your personal data. You can delete your account through the App settings, which triggers a cascading deletion of all associated data. We will complete the deletion within 30 days, except where retention is required by law.
9.5 Right to Withdraw Consent (UU PDP Art. 9; GDPR Art. 7(3))
You may withdraw your consent for data processing at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal. You can withdraw consent by:
- Disabling specific features (e.g., AI memory, analytics) in App settings
- Deleting your account
- Contacting us at privacy@calmstoic.com
9.6 Right to Object to Automated Decision-Making (UU PDP Art. 10; GDPR Art. 22)
You have the right to object to decisions made solely based on automated processing, including AI-generated emotion analysis, memory consolidation, and crisis detection. If you object, we will review the automated decision with human involvement. Contact us to exercise this right.
9.7 Right to Restrict Processing (UU PDP Art. 11; GDPR Art. 18)
You may request that we limit the processing of your personal data in certain circumstances, such as while a rectification request is being processed or while an objection is being considered.
9.8 Right to Data Portability (UU PDP Art. 13; GDPR Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON), and to request that we transmit this data to another service provider where technically feasible.
9.9 Right to Lodge a Complaint (UU PDP Art. 14)
If you believe your data protection rights have been violated, you may:
- Contact us at privacy@calmstoic.com
- File a complaint with the Indonesian Personal Data Protection Agency (Lembaga PDP) once operational
- For EU/EEA residents: File a complaint with your local Data Protection Authority
9.10 Right to Compensation (UU PDP Art. 12)
If you suffer damages due to a violation of your data protection rights, you are entitled to seek compensation in accordance with applicable law.
9.11 Additional Regional Rights
United States
Residents of US states with comprehensive privacy laws have additional rights regarding their personal data. Calm Stoic classifies health, wellness, and emotion data as Sensitive Personal Information under applicable state laws. We conduct Data Protection Assessments for high-risk processing activities including emotion analysis and AI profiling.
- California (CCPA/CPRA): Right to know, delete, correct, opt-out of sale/sharing, and limit use of sensitive personal information. We recognize and honor the Global Privacy Control (GPC) signal. California residents may designate an authorized agent to exercise rights on their behalf.
- Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): Similar consumer rights apply, including the right to access, delete, correct, opt out of targeted advertising and profiling, and appeal a denied request.
- Iowa, Indiana, Tennessee, Texas, Florida, Maryland, Minnesota, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Rhode Island: Residents of these states with enacted comprehensive privacy laws have equivalent consumer data protection rights as described above.
We do not discriminate against users who exercise their privacy rights. To exercise any US state privacy right, contact privacy@calmstoic.com.
European Union (EU AI Act 2024)
In addition to GDPR rights described throughout this policy, Calm Stoic complies with the EU AI Act (Regulation 2024/1689):
- AI system transparency: We disclose that our application uses AI systems for conversational responses, emotion analysis, memory extraction, and crisis detection (see Section 4.4).
- Emotion recognition notification: Per Article 50, we inform you that the App performs emotion recognition on your text inputs to personalize AI responses and detect potential crisis situations.
- Continuous assessment: We continuously evaluate our AI systems against the requirements of the EU AI Act, including risk classification and compliance obligations.
- Right to human review: You may request human review of any automated decision made by our AI systems (see Section 9.6).
India (DPDP Act 2023)
- Neurakara Labs acknowledges its obligations as a Data Fiduciary under the Digital Personal Data Protection Act, 2023.
- We provide granular consent management for data processing activities via the App's Settings.
- Cross-border data transfers are conducted with appropriate contractual safeguards in place.
- Indian users may contact privacy@calmstoic.com to exercise their rights under the DPDP Act.
Brazil (LGPD)
- Brazilian users have rights under LGPD Articles 18-20, including the right to access, correction, anonymization, portability, deletion, and information about sharing.
- Our Data Protection Officer can be contacted at privacy@calmstoic.com.
How to exercise your rights: Send a written request to privacy@calmstoic.com with the subject line "Data Subject Request". We will verify your identity and respond within 30 days. Requests are free of charge unless manifestly unfounded or excessive.
10. Data Security
We implement comprehensive technical and organizational measures to protect your personal data:
10.1 Encryption
- In transit: All data transmissions use HTTPS/TLS 1.2 or higher
- At rest (server): Database with disk-level encryption
- At rest (device): Local data stored in an encrypted database on your device
- Secrets: Authentication tokens and encryption keys stored in iOS Keychain / Android Keystore
10.2 Access Control
- Data isolation: Database-level policies ensure users can only access their own data
- API authentication: Token-based authentication with expiry and refresh
- Rate limiting: Automated rate limiting to prevent abuse
- Input validation: All API inputs validated against strict schemas
10.3 Infrastructure
- Self-hosted database infrastructure in Indonesia
- Regular security updates and patches
- Automated daily database backups with rolling retention
- Environment-based API key management (keys not stored in code)
11. Data Breach Notification
In the event of a personal data breach, we will:
- Notify affected data subjects in writing within 3 x 24 hours of becoming aware of the breach, as required by UU PDP Article 46
- Notify the Indonesian Personal Data Protection Agency within the same timeframe
- Include the following in the notification: the nature of the data involved, when and how the breach occurred, remedial measures taken, and contact information for further inquiries
- For EU/EEA users: Notify the relevant supervisory authority within 72 hours as required by GDPR Article 33
12. Children's Privacy
Calm Stoic is intended for users aged 18 and above.
In compliance with Government Regulation No. 17 of 2025 on Child Online Protection, we implement the following measures:
- Age requirement: By continuing to use Calm Stoic, users confirm they are at least 18 years of age
- No intentional collection: We do not knowingly collect personal data from individuals under 18
- Discovery & deletion: If we discover that we have collected data from a minor under 18 without appropriate parental consent, we will promptly delete all associated data
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@calmstoic.com and we will take steps to delete the information.
13. Cookies & Local Storage
The Calm Stoic mobile application does not use browser cookies. However, we use the following local storage mechanisms:
- Encrypted local database: Stores chat history, journal entries, and mood data locally for offline access
- Secure storage: Stores authentication tokens, PIN (encrypted), and encryption keys
- Shared preferences: Stores non-sensitive app settings (theme, language, notification preferences)
For our website (calmstoic.app), we do not use tracking cookies. We may use essential cookies for functionality (language preference).
14. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you via in-app notification or email for significant changes
- We will request renewed consent where required by law
- Continued use of the App after notification constitutes acceptance of the updated policy
15. Governing Law & Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Indonesia, particularly UU No. 27 Tahun 2022 (Personal Data Protection). Any disputes arising from this policy shall be resolved through the courts of Jakarta, Indonesia.
For EU/EEA residents, this policy also complies with the General Data Protection Regulation (EU) 2016/679, and you retain the right to lodge complaints with your local Data Protection Authority.
16. Contact Us
General privacy inquiries: privacy@calmstoic.com
Data Protection Officer: dpo@calmstoic.com
Data subject requests: privacy@calmstoic.com (subject: "Data Subject Request")
Mailing address: Neurakara Labs, Jakarta, Indonesia
Kebijakan Privasi
Tanggal Berlaku: 18 Februari 2026 · Terakhir Diperbarui: 5 Maret 2026
Kebijakan Privasi ini menjelaskan bagaimana Calm Stoic, yang dikembangkan dan dioperasikan oleh Neurakara Labs ("Neurakara Labs", "kami"), mengumpulkan, menggunakan, menyimpan, membagikan, dan melindungi data pribadi Anda saat menggunakan aplikasi seluler Calm Stoic ("Aplikasi"). Kebijakan ini disusun sesuai dengan Undang-Undang Perlindungan Data Pribadi Indonesia (UU No. 27 Tahun 2022, "UU PDP"), Peraturan Pemerintah No. 17 Tahun 2025 tentang Perlindungan Anak di Ruang Digital, Peraturan Perlindungan Data Umum Uni Eropa (GDPR) jika berlaku, dan kebijakan Google Play Store.
1. Pengendali Data
Pengendali data yang bertanggung jawab atas data pribadi Anda adalah:
Untuk pertanyaan mengenai pemrosesan data pribadi Anda, silakan hubungi Pejabat Perlindungan Data kami di dpo@calmstoic.com.
2. Definisi
Dalam Kebijakan Privasi ini:
- "Data Pribadi" berarti setiap informasi yang berkaitan dengan orang perseorangan yang teridentifikasi atau dapat diidentifikasi, sebagaimana didefinisikan dalam Pasal 1 ayat (1) UU PDP.
- "Data Pribadi Umum" berarti data pribadi seperti nama lengkap, alamat email, dan pengenal perangkat.
- "Data Pribadi Spesifik" (Data Sensitif) berarti data pribadi yang memerlukan perlindungan lebih tinggi, termasuk data kesehatan, data biometrik, data anak, dan data keuangan, sebagaimana didefinisikan dalam Pasal 4 ayat (2) UU PDP.
- "Pemrosesan" berarti setiap operasi yang dilakukan terhadap data pribadi, termasuk pengumpulan, penyimpanan, perubahan, pengungkapan, transfer, dan penghapusan.
- "Persona AI" berarti karakter virtual bertenaga kecerdasan buatan dalam Aplikasi (Fannia, Epictetus, Seneca, dan Marcus Aurelius) yang menghasilkan respons percakapan menggunakan model bahasa besar (large language models).
3. Data yang Kami Kumpulkan
Kami mengumpulkan kategori data pribadi berikut. Berdasarkan UU PDP, sebagian besar data ini termasuk Data Pribadi Spesifik karena sifatnya yang berkaitan dengan kesehatan dan sensitif.
3.1 Informasi Akun (Data Pribadi Umum)
| Data | Tujuan | Dasar Hukum |
|---|---|---|
| Alamat email | Pembuatan akun, autentikasi, komunikasi | Persetujuan + Kontrak |
| Nama tampilan | Personalisasi dalam Aplikasi | Persetujuan |
| Kata sandi (di-hash) | Keamanan akun | Kontrak |
| Preferensi metode autentikasi | Login (email, biometrik, PIN) | Kontrak |
3.2 Data Percakapan & Chat (Data Pribadi Spesifik)
| Data | Tujuan | Dasar Hukum |
|---|---|---|
| Pesan chat (teks) | Respons persona AI, pembangunan memori, personalisasi | Persetujuan Eksplisit |
| Riwayat chat (per sesi) | Respons AI kontekstual dalam percakapan | Persetujuan Eksplisit |
| Metadata sesi (waktu, durasi) | Analitik penggunaan, peningkatan kualitas | Kepentingan Sah |
| Embedding pesan (vektor numerik) | Pencarian memori semantik untuk personalisasi | Persetujuan Eksplisit |
| Gambar yang diunggah di chat (tier Stoa) | Analisis AI multimodal | Persetujuan Eksplisit |
3.3 Data Jurnal (Data Pribadi Spesifik)
| Data | Tujuan | Dasar Hukum |
|---|---|---|
| Teks jurnal bebas | Penjurnalan pribadi, wawasan AI | Persetujuan Eksplisit |
| Respons jurnal terpandu | Latihan refleksi terstruktur | Persetujuan Eksplisit |
| Jenis entri jurnal | Personalisasi fitur | Kepentingan Sah |
| Wawasan jurnal yang dihasilkan AI | Umpan balik reflektif | Persetujuan Eksplisit |
3.4 Data Suasana Hati & Emosi (Data Pribadi Spesifik)
| Data | Tujuan | Dasar Hukum |
|---|---|---|
| Check-in suasana hati harian | Pelacakan suasana hati, visualisasi pola | Persetujuan Eksplisit |
| Indikator keadaan emosi | Konteks emosional untuk respons AI | Persetujuan Eksplisit |
| Label emosi | Analisis emosi, konteks sesi | Persetujuan Eksplisit |
| Sumber emosi | Atribusi data | Kepentingan Sah |
3.5 Data Memori AI (Data Pribadi Spesifik)
Sistem memori AI Aplikasi mengekstrak dan menyimpan data personalisasi dari interaksi Anda untuk memberikan panduan yang semakin personal. Ini dapat mencakup preferensi Anda, topik yang diminati, konteks pribadi, pola perilaku, tujuan, dan pencapaian.
Data memori dikonsolidasi secara berkala dan data dengan relevansi rendah secara otomatis diarsipkan seiring waktu.
3.6 Data Asesmen & Profil
| Data | Tujuan | Dasar Hukum |
|---|---|---|
| Jawaban asesmen onboarding | Rekomendasi filsuf, personalisasi | Persetujuan |
| Persona yang disukai | Pendamping chat default | Persetujuan |
| Tujuan | Panduan yang dipersonalisasi | Persetujuan |
| Preferensi notifikasi | Pengaturan komunikasi | Persetujuan |
3.7 Data Langganan & Transaksi (Data Pribadi Spesifik)
| Data | Tujuan | Dasar Hukum |
|---|---|---|
| Tier langganan (Free, Premium, Stoa) | Kontrol akses fitur | Kontrak |
| Status langganan & kedaluwarsa | Manajemen penagihan | Kontrak |
| ID Transaksi (dari Apple App Store atau Google Play) | Verifikasi pembayaran | Kontrak + Kewajiban Hukum |
| Saldo Stoic Seeds & riwayat transaksi | Ekonomi dalam aplikasi | Kontrak |
Kami tidak secara langsung mengumpulkan atau menyimpan detail kartu pembayaran Anda. Semua pemrosesan pembayaran ditangani oleh Apple App Store, Google Play, dan penyedia manajemen langganan kami.
3.8 Data Perangkat & Teknis (Data Pribadi Umum)
| Data | Tujuan | Dasar Hukum |
|---|---|---|
| Model perangkat, OS, versi OS | Kompatibilitas, diagnostik kerusakan | Kepentingan Sah |
| Versi aplikasi | Ketersediaan fitur, debugging | Kepentingan Sah |
| Alamat IP (di-hash) | Keamanan, pembatasan laju | Kepentingan Sah |
| Token Firebase Cloud Messaging | Notifikasi push | Persetujuan |
| Laporan kerusakan dan stack trace | Peningkatan stabilitas aplikasi | Kepentingan Sah |
| Pengenal sesi (anonim) | Analitik | Kepentingan Sah |
3.9 Data Biometrik (Data Pribadi Spesifik)
Jika Anda mengaktifkan autentikasi biometrik (sidik jari, pengenalan wajah), data biometrik itu sendiri diproses dan disimpan secara eksklusif di perangkat Anda dalam secure enclave (iOS Keychain / Android Keystore). Kami tidak mengirim, mengakses, atau menyimpan data biometrik Anda di server kami. Kami hanya menyimpan tanda boolean yang menunjukkan bahwa autentikasi biometrik diaktifkan untuk akun Anda.
3.10 Data Penggunaan & Analitik
Kami mengumpulkan event penggunaan yang dianonimkan dan dipseudoanonimkan untuk meningkatkan Aplikasi, termasuk:
- Event siklus hidup aplikasi (buka, tutup, latar belakang, latar depan)
- Penggunaan fitur (chat dimulai, entri jurnal dibuat, pelajaran diselesaikan, latihan diselesaikan)
- Navigasi dan tampilan layar
- Progres quest dan streak
- Langkah penyelesaian onboarding
Event ini dikaitkan dengan ID pengguna pseudonim dan tidak mengandung konten pesan, entri jurnal, atau data suasana hati Anda.
3.11 Data Umpan Balik & Penilaian
| Data | Tujuan | Dasar Hukum |
|---|---|---|
| Teks umpan balik yang dikirim pengguna | Peningkatan produk, prioritas fitur | Persetujuan |
| Jenis / kategori saran | Klasifikasi umpan balik | Persetujuan |
| Respons penilaian dalam aplikasi | Pengukuran kepuasan pengguna | Kepentingan Sah |
| Info perangkat yang dikumpulkan dengan umpan balik (platform, versi OS, versi aplikasi) | Debugging, konteks untuk masalah yang dilaporkan | Kepentingan Sah |
4. Bagaimana Kami Menggunakan Data Anda
4.1 Menyediakan Layanan
- Menghasilkan respons persona AI berdasarkan pesan, konteks emosional, dan memori Anda
- Membangun dan memelihara sistem memori AI untuk mempersonalisasi pengalaman Anda dari waktu ke waktu
- Melakukan analisis emosi untuk menyesuaikan nada dan rekomendasi
- Menghasilkan wawasan AI untuk entri jurnal
- Memproses check-in suasana hati dan menampilkan tren
- Mengelola langganan dan ekonomi dalam aplikasi (Stoic Seeds)
- Mengirimkan notifikasi push (pengingat, kutipan harian, pembaruan quest)
4.2 Keselamatan & Deteksi Krisis
Kami mengoperasikan sistem keselamatan otomatis yang menganalisis konten pesan untuk mendeteksi potensi situasi krisis (menyakiti diri sendiri, ideasi bunuh diri). Sistem ini:
- Menggunakan beberapa lapisan analisis untuk mengidentifikasi konten yang mengkhawatirkan
- Memicu respons penuh empati dengan sumber daya krisis ketika potensi krisis terdeteksi
- Tidak memberi tahu pihak ketiga atau otoritas — sistem menyediakan sumber daya langsung kepada pengguna
Dasar hukum: Kepentingan vital subjek data (UU PDP Pasal 20 huruf d; GDPR Pasal 6(1)(d) dan Pasal 9(2)(c)).
4.3 Peningkatan & Analitik
- Menganalisis pola penggunaan agregat dan anonim untuk meningkatkan fitur
- Memantau kinerja aplikasi dan memperbaiki kerusakan
- Melakukan pengujian A/B untuk optimasi fitur
Dasar hukum: Kepentingan sah.
4.4 Transparansi AI & Analisis Emosi
Sesuai dengan EU AI Act (Regulasi 2024/1689) Pasal 50 dan California SB 243, kami memberikan pengungkapan transparansi berikut tentang pemrosesan AI di Calm Stoic:
- Persona AI adalah karakter fiksi: Fannia, Epictetus, Seneca, dan Marcus Aurelius adalah karakter virtual bertenaga AI — mereka bukan orang nyata, profesional berlisensi, atau operator manusia.
- Analisis emosi: Setiap pesan yang Anda kirim secara otomatis dianalisis untuk konten emosional (valensi, gairah, dan label emosi) untuk mempersonalisasi nada AI, rekomendasi, dan respons deteksi krisis.
- Ekstraksi memori otomatis: Sistem AI secara otomatis mengekstrak fakta, preferensi, pola perilaku, dan konteks pribadi dari percakapan Anda untuk membangun profil personalisasi dari waktu ke waktu.
- Kontrol pengguna: Anda dapat menonaktifkan memori AI, mengelola preferensi Anda, dan meninjau memori yang diekstrak kapan saja di Pengaturan Aplikasi. Anda juga dapat meminta penghapusan semua data memori AI.
- Hak untuk menolak: Anda memiliki hak untuk menolak pemrosesan emosional otomatis dan ekstraksi memori. Lihat Bagian 9.6 untuk detail tentang cara menggunakan hak ini.
Dasar hukum: Persetujuan Eksplisit + Kepentingan Sah (untuk analisis emosi terkait keselamatan).
4.5 Tidak Menjual atau Membagikan
Kami tidak menjual, menyewakan, atau membagikan data pribadi Anda untuk iklan perilaku lintas konteks, pembuatan profil untuk pihak ketiga, atau kepada broker data. Komitmen ini berlaku untuk semua pengguna terlepas dari yurisdiksi, dan konsisten dengan California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), dan undang-undang privasi negara bagian AS yang setara.
4.6 Komunikasi
- Mengirimkan notifikasi terkait layanan (verifikasi akun, pengaturan ulang kata sandi, pembaruan langganan)
- Menanggapi pertanyaan dukungan
Dasar hukum: Pelaksanaan kontrak + Persetujuan.
5. Pemrosesan AI & Pengambilan Keputusan Otomatis
Calm Stoic sangat bergantung pada kecerdasan buatan. Bagian ini memberikan transparansi tentang bagaimana AI memproses data Anda, sebagaimana diwajibkan oleh UU PDP dan GDPR.
5.1 Model AI yang Digunakan
Data Anda diproses oleh model bahasa besar (LLM) pihak ketiga yang diakses melalui penyedia API. Kami menggunakan model khusus untuk berbagai tujuan termasuk:
- AI Percakapan: Menghasilkan respons chat, wawasan jurnal, dan menjawab pertanyaan
- AI Analisis: Analisis emosi dan ringkasan teks
- AI Memori: Mengkonsolidasi dan mengorganisir data personalisasi
- AI Gambar: Menganalisis gambar yang diunggah oleh pengguna tier Stoa
Model dan penyedia spesifik yang digunakan dapat berubah seiring waktu saat kami meningkatkan layanan.
5.2 Data yang Dikirim ke Penyedia AI
Saat Anda berinteraksi dengan persona AI, data berikut dapat disertakan dalam prompt AI:
- Pesan Anda saat ini
- Riwayat chat terkini untuk konteks percakapan
- Memori AI yang relevan untuk personalisasi
- Keadaan emosional Anda saat ini
- Kepribadian dan instruksi persona (bukan data Anda)
- Ringkasan percakapan (untuk sesi yang lebih panjang)
- Gambar yang Anda unggah (tier Stoa saja)
Data Anda tidak digunakan oleh penyedia model AI untuk melatih model mereka.
5.3 Pengambilan Keputusan Otomatis
Aplikasi membuat keputusan otomatis berikut berdasarkan data Anda:
- Analisis emosi: Secara otomatis menentukan keadaan emosional Anda dari pesan untuk menyesuaikan nada AI
- Deteksi krisis: Secara otomatis menandai potensi situasi krisis dan mengganti respons AI normal
- Konsolidasi memori: Secara otomatis mengkategorikan dan memprioritaskan informasi dari percakapan Anda
- Peluruhan memori: Secara otomatis mengarsipkan memori yang dianggap kurang relevan seiring waktu
- Rekomendasi latihan: Menyarankan latihan pernapasan atau grounding berdasarkan keadaan emosional
- Pembuatan quest: Membuat tantangan harian yang dipersonalisasi berdasarkan penggunaan Anda
Berdasarkan UU PDP Pasal 10 dan GDPR Pasal 22, Anda memiliki hak untuk menolak pengambilan keputusan otomatis. Lihat Bagian 9 (Hak Anda) untuk detail.
6. Layanan Pihak Ketiga & Pembagian Data
Kami membagikan data Anda dengan penyedia layanan pihak ketiga berikut, semata-mata untuk tujuan yang dijelaskan. Kami tidak menjual data pribadi Anda kepada pihak ketiga mana pun.
| Layanan | Negara | Data yang Dibagikan | Tujuan |
|---|---|---|---|
| Penyedia Model AI | Amerika Serikat | Pesan chat, teks jurnal, data emosi, gambar (Stoa) | Pembuatan respons AI |
| Manajemen Langganan | Amerika Serikat | ID pengguna, status langganan, ID transaksi | Pemrosesan pembelian dalam aplikasi |
| Analitik Produk | Amerika Serikat | ID pengguna pseudonim, event penggunaan, info perangkat | Analitik produk dan peningkatan |
| Pelaporan Kerusakan | Amerika Serikat | Log kerusakan, info perangkat | Pemantauan stabilitas aplikasi |
| Notifikasi Push | Amerika Serikat | Token perangkat, payload notifikasi | Pengiriman notifikasi push |
| Database & Autentikasi | Indonesia | Semua data pengguna | Penyimpanan data, autentikasi |
Setiap penyedia pihak ketiga memproses data berdasarkan kebijakan privasi mereka dan perjanjian pemrosesan data kami. Anda dapat meminta daftar penyedia spesifik dengan menghubungi privacy@calmstoic.com.
7. Transfer Data Lintas Batas
Data utama Anda disimpan di server yang kami kelola sendiri di Indonesia. Namun, data tertentu ditransfer ke penyedia layanan pihak ketiga yang berlokasi di Amerika Serikat, sebagaimana dirinci di Bagian 6.
Sesuai dengan UU PDP dan Peraturan Menkominfo No. 20/2016, kami memastikan perlindungan berikut untuk transfer data lintas batas:
- Perlindungan kontraktual: Kami memiliki perjanjian pemrosesan data dengan semua penyedia pihak ketiga.
- Persetujuan eksplisit: Saat pendaftaran akun, Anda akan diminta untuk memberikan persetujuan eksplisit untuk transfer data.
- Pelaporan regulasi: Kami melaporkan transfer data lintas batas kepada otoritas regulasi Indonesia yang berwenang sesuai ketentuan.
8. Retensi Data
| Kategori Data | Periode Retensi | Setelah Penghapusan Akun |
|---|---|---|
| Informasi akun | Selama akun aktif | Dihapus dalam 30 hari |
| Pesan chat | Selama akun aktif | Dihapus dalam 30 hari |
| Entri jurnal | Selama akun aktif | Dihapus dalam 30 hari |
| Data suasana hati & emosi | Selama akun aktif | Dihapus dalam 30 hari |
| Data memori AI | Memori aktif: selama akun aktif. Data dengan relevansi rendah otomatis diarsipkan seiring waktu | Dihapus dalam 30 hari |
| Embedding pesan (vektor) | Selama akun aktif | Dihapus dalam 30 hari |
| Catatan langganan & transaksi | Selama akun aktif + 5 tahun (kewajiban hukum/pajak) | Disimpan untuk kepatuhan hukum |
| Riwayat transaksi Stoic Seeds | Selama akun aktif + 1 tahun | Dianonimkan setelah penghapusan |
| Analitik penggunaan | Hingga 7 tahun (retensi penyedia) | Dipseudoanonimkan |
| Laporan kerusakan | 90 hari | Kedaluwarsa otomatis |
| Cache server | Berumur pendek (menit hingga jam) | Kedaluwarsa otomatis |
Ketika Anda menghapus akun, kami memulai penghapusan bertingkat semua data pribadi dari database kami dalam 30 hari.
9. Hak Anda
Berdasarkan UU PDP (Pasal 5-14) dan GDPR (Pasal 15-22), Anda memiliki hak-hak berikut terkait data pribadi Anda:
9.1 Hak atas Informasi
Anda berhak mengetahui data pribadi apa yang kami kumpulkan, bagaimana data tersebut diproses, dan siapa yang memiliki akses.
9.2 Hak Akses
Anda dapat meminta salinan semua data pribadi yang kami miliki tentang Anda dalam format JSON dalam 30 hari.
9.3 Hak Perbaikan
Anda dapat meminta koreksi data pribadi yang tidak akurat atau tidak lengkap.
9.4 Hak Penghapusan
Anda dapat meminta penghapusan data pribadi Anda melalui pengaturan Aplikasi. Penghapusan diselesaikan dalam 30 hari.
9.5 Hak Menarik Persetujuan
Anda dapat menarik persetujuan Anda untuk pemrosesan data kapan saja melalui pengaturan Aplikasi, menghapus akun, atau menghubungi kami di privacy@calmstoic.com.
9.6 Hak Menolak Pengambilan Keputusan Otomatis
Anda berhak menolak keputusan yang dibuat semata-mata berdasarkan pemrosesan otomatis. Hubungi kami untuk menggunakan hak ini.
9.7 Hak Membatasi Pemrosesan
Anda dapat meminta agar kami membatasi pemrosesan data pribadi Anda dalam keadaan tertentu.
9.8 Hak Portabilitas Data
Anda berhak menerima data pribadi Anda dalam format JSON yang dapat dibaca mesin.
9.9 Hak Mengajukan Keluhan
Hubungi kami di privacy@calmstoic.com atau ajukan keluhan ke Lembaga Perlindungan Data Pribadi Indonesia.
9.10 Hak Ganti Rugi
Anda berhak menuntut ganti rugi jika hak perlindungan data Anda dilanggar.
9.11 Hak Regional Tambahan
Amerika Serikat
Penduduk negara bagian AS dengan undang-undang privasi komprehensif memiliki hak tambahan terkait data pribadi mereka. Calm Stoic mengklasifikasikan data kesehatan, kesejahteraan, dan emosi sebagai Informasi Pribadi Sensitif berdasarkan undang-undang negara bagian yang berlaku. Kami melakukan Penilaian Perlindungan Data untuk aktivitas pemrosesan berisiko tinggi termasuk analisis emosi dan pembuatan profil AI.
- California (CCPA/CPRA): Hak untuk mengetahui, menghapus, memperbaiki, menolak penjualan/pembagian, dan membatasi penggunaan informasi pribadi sensitif. Kami mengenali dan menghormati sinyal Global Privacy Control (GPC). Penduduk California dapat menunjuk agen berwenang untuk menggunakan hak atas nama mereka.
- Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA): Hak konsumen serupa berlaku, termasuk hak untuk mengakses, menghapus, memperbaiki, menolak iklan tertarget dan pembuatan profil, serta mengajukan banding atas permintaan yang ditolak.
- Iowa, Indiana, Tennessee, Texas, Florida, Maryland, Minnesota, Montana, Oregon, Delaware, New Hampshire, New Jersey, Kentucky, Nebraska, Rhode Island: Penduduk negara bagian ini dengan undang-undang privasi komprehensif yang berlaku memiliki hak perlindungan data konsumen yang setara seperti yang dijelaskan di atas.
Kami tidak mendiskriminasi pengguna yang menggunakan hak privasi mereka. Untuk menggunakan hak privasi negara bagian AS, hubungi privacy@calmstoic.com.
Uni Eropa (EU AI Act 2024)
Selain hak GDPR yang dijelaskan dalam kebijakan ini, Calm Stoic mematuhi EU AI Act (Regulasi 2024/1689):
- Transparansi sistem AI: Kami mengungkapkan bahwa aplikasi kami menggunakan sistem AI untuk respons percakapan, analisis emosi, ekstraksi memori, dan deteksi krisis (lihat Bagian 4.4).
- Notifikasi pengenalan emosi: Sesuai Pasal 50, kami menginformasikan bahwa Aplikasi melakukan pengenalan emosi pada input teks Anda untuk mempersonalisasi respons AI dan mendeteksi potensi situasi krisis.
- Penilaian berkelanjutan: Kami terus mengevaluasi sistem AI kami terhadap persyaratan EU AI Act, termasuk klasifikasi risiko dan kewajiban kepatuhan.
- Hak peninjauan manusia: Anda dapat meminta peninjauan manusia atas keputusan otomatis yang dibuat oleh sistem AI kami (lihat Bagian 9.6).
India (DPDP Act 2023)
- Neurakara Labs mengakui kewajibannya sebagai Data Fiduciary berdasarkan Digital Personal Data Protection Act, 2023.
- Kami menyediakan manajemen persetujuan granular untuk aktivitas pemrosesan data melalui Pengaturan Aplikasi.
- Transfer data lintas batas dilakukan dengan perlindungan kontraktual yang memadai.
- Pengguna India dapat menghubungi privacy@calmstoic.com untuk menggunakan hak mereka berdasarkan DPDP Act.
Brasil (LGPD)
- Pengguna Brasil memiliki hak berdasarkan LGPD Pasal 18-20, termasuk hak akses, koreksi, anonimisasi, portabilitas, penghapusan, dan informasi tentang pembagian.
- Pejabat Perlindungan Data kami dapat dihubungi di privacy@calmstoic.com.
Cara menggunakan hak Anda: Kirim permintaan ke privacy@calmstoic.com dengan subjek "Permintaan Subjek Data". Kami akan merespons dalam 30 hari.
10. Keamanan Data
10.1 Enkripsi
- Dalam transit: HTTPS/TLS 1.2 atau lebih tinggi
- Saat diam (server): Database dengan enkripsi tingkat disk
- Saat diam (perangkat): Data lokal disimpan dalam database terenkripsi di perangkat Anda
- Rahasia: Token dan kunci enkripsi disimpan di iOS Keychain / Android Keystore
10.2 Kontrol Akses
- Isolasi data: Kebijakan tingkat database memastikan pengguna hanya dapat mengakses data mereka sendiri
- Autentikasi API: Autentikasi berbasis token dengan kedaluwarsa dan pembaruan
- Pembatasan laju: Pembatasan laju otomatis untuk mencegah penyalahgunaan
- Validasi input: Semua input API divalidasi terhadap skema ketat
10.3 Infrastruktur
- Infrastruktur database yang dikelola sendiri di Indonesia
- Pembaruan dan patch keamanan berkala
- Pencadangan database harian otomatis dengan retensi bergulir
11. Notifikasi Pelanggaran Data
Dalam hal terjadi pelanggaran data, kami akan memberitahu subjek data yang terkena dampak dalam 3 x 24 jam sesuai UU PDP Pasal 46.
12. Privasi Anak
Calm Stoic ditujukan untuk pengguna berusia 18 tahun ke atas. Kami tidak secara sadar mengumpulkan data dari individu di bawah 18 tahun.
13. Cookie & Penyimpanan Lokal
Aplikasi seluler tidak menggunakan cookie browser. Situs web kami tidak menggunakan cookie pelacakan.
14. Perubahan Kebijakan Ini
Kami dapat memperbarui Kebijakan Privasi ini. Perubahan material akan diberitahukan melalui notifikasi dalam aplikasi atau email.
15. Hukum yang Berlaku & Yurisdiksi
Kebijakan ini diatur oleh hukum Republik Indonesia, khususnya UU No. 27 Tahun 2022. Sengketa diselesaikan melalui pengadilan di Jakarta, Indonesia.
16. Hubungi Kami
Pertanyaan privasi umum: privacy@calmstoic.com
Pejabat Perlindungan Data: dpo@calmstoic.com
Permintaan subjek data: privacy@calmstoic.com (subjek: "Permintaan Subjek Data")
Alamat surat: Neurakara Labs, Jakarta, Indonesia