Spıcelab

Privacy Policy

Effective date: 22 May 2026 · Version 2.0

1. Introduction

Spicelab (“Spicelab”, “we”, “us”, or the “Service”) is operated by PT Spicelab Technology Intelligence, a legal entity established in the Republic of Indonesia, with registered address at Jl Cikini Raya FG 6 No 2, Tangerang Selatan 15227, Indonesia.

This Policy explains how we collect, store, process, transfer, and protect your personal data when you use our services via the website spicelab.ai, the dashboard app.spicelab.ai, third-party integrations (Meta Platform, WhatsApp Business, etc.), and other channels we provide.

Our compliance is based on: Republic of Indonesia Law Number 27 of 2022 on Personal Data Protection (PDP Law), the General Data Protection Regulation (GDPR) for users in the European Economic Area, Meta Platform Terms & Developer Policies, and Standard Contractual Clauses (SCCs) for cross-border data transfers.

2. Data We Collect

We collect the following categories of data:

  • Account data: name, email, WhatsApp number, business name, tax ID (for invoices).
  • AI Consultant conversation data: diagnostic chat content to personalize package recommendations and your PDF report.
  • Third-party integration data: when you connect Instagram, WhatsApp Business, TikTok, or POS — we access data per your granted permissions.
  • Your customer (end-user) data: when our AI replies to DMs/chats from your customers, we retain conversation history as context memory.
  • Analytics data: cookies, IP, browser type, landing page behavior (Google Analytics 4, Meta Pixel, Microsoft Clarity).
  • Payment data: processed directly by DOKU — we do not store card numbers, CVV, or bank details.

3. Data from Meta Platform (Instagram, Facebook, WhatsApp)

Spicelab is a registered application on Meta Developer Platform. We access the following data from connected Meta accounts, only with your explicit consent:

  • Instagram Graph API — permissions: instagram_basic, instagram_manage_messages, instagram_manage_comments, instagram_content_publish, pages_show_list, pages_read_engagement. Data accessed: business profile, incoming DMs, comments on your posts, media library, follower count (aggregate, without individual identity).
  • Messenger Platform — permissions: pages_messaging, pages_manage_metadata. Data: incoming Messenger conversations to your business Page for auto-reply.
  • WhatsApp Business API — permissions: whatsapp_business_messaging, whatsapp_business_management. Data: phone number ID, incoming/outgoing messages via WABA, template messages, business profile.
  • Business Management — permission: business_management. Data: Business Manager name, ad account ID, asset assignments (for the AI Social Media Manager module which publishes to your account).

The exact permission scope can be viewed and revoked at any time at Facebook Settings → Business Integrations or Instagram → Apps and Websites. Revocation will deactivate the related module within 24 hours.

Token strategy: we use System User Tokens (long-lived, non-expiring) issued by your Business Manager. Tokens are stored encrypted (AES-256) in an isolated vault and never exposed to other application modules.

4. How We Use Data

  • Operating your AI Customer Service, AI Social Media Manager, and AI Consultant services.
  • Generating the PDF diagnostic report you request.
  • Calibrating AI brand voice for your business.
  • Auto-reply DMs/comments on Meta and WhatsApp from your customers per your brand voice configuration.
  • Account-related communication (invoices, service changes, security alerts).
  • Marketing analytics — using aggregated and anonymized data only.
  • Complying with legal obligations (tax, audit, lawful law enforcement requests).

We will NEVER:

  • Sell your data or your customer's data to third parties.
  • Use your data to train public AI models (Claude, GPT, Gemini, etc.) — our contracts with Anthropic and OpenAI enforce zero data retention.
  • Share your customer conversations with other businesses.
  • Use Meta data for any purpose outside the scope explained in user permission grants.
  • Share Meta data with any party not listed as sub-processor in Section 8.

5. Data Security

Your data is encrypted at rest (AES-256) and in transit (TLS 1.3). Primary servers are located in Asia-Pacific data center regions with failover regions. Developer access is restricted via role-based access control (RBAC) + per-request audit trail. Meta tokens are stored isolated in a secret vault. SOC 2 Type II certification is in progress.

6. Your Rights (PDP Law / GDPR)

As a data subject, you have the right to:

  • Access — request a copy of your personal data we store.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data. See full guide at spicelab.ai/en/data-deletion (except data we are legally required to retain, e.g. invoices for 10 years).
  • Portability — export your data in machine-readable format (CSV/JSON).
  • Withdraw consent — cancel your subscription anytime, 1-click in dashboard.
  • Object to processing — including automated profiling for recommendations.

Send requests to privacy@spicelab.ai or via the User Data Deletion page. We respond within 7 business days and execute within 30 calendar days max per PDP Law Article 16 and GDPR Article 12.

7. Cookies & Tracking

We use essential cookies (session, preference) and analytics cookies (Google Analytics 4, Meta Pixel, Microsoft Clarity). You may disable non-essential cookies via your browser settings or the cookie banner on first visit.

8. Sub-processors & Third Parties

For operations, we engage the following sub-processors under Data Processing Agreement (DPA):

  • AI models: Anthropic (Claude), OpenAI (GPT), Google (Gemini) — zero-retention contracts.
  • Infrastructure: Cloudflare (CDN + edge), Hetzner (compute), Google Cloud (storage), Vercel (frontend hosting).
  • Database: Neon / Supabase Postgres (Singapore region).
  • Payments: DOKU (Indonesia's licensed payment gateway, PCI DSS Level 1 certified).
  • Communications: WhatsApp Business Cloud API (Meta), Resend (transactional email), ElevenLabs (voice).
  • Analytics: Google Analytics 4, Meta Pixel, Microsoft Clarity.
  • Observability: Sentry, Phoenix (self-hosted).

Material changes to the sub-processor list will be notified at least 30 days in advance via email.

9. Cross-Border Data Transfers

Some of your data is processed on servers outside Indonesia (Singapore, Frankfurt) for AI inference and failover. Transfers are conducted under the following legal bases:

  • Standard Contractual Clauses (SCC) under European Commission Decision 2021/914.
  • Your explicit consent at onboarding (PDP Law Article 56).
  • Contractual necessity to deliver the AI service you requested.

Recipient countries used (Singapore, United States, Germany) provide equivalent protection level via DPA contracts with sub-processors.

10. Data Retention

  • Active account data: for the duration of active subscription + 90 days grace period after cancellation.
  • Your customer conversation data: 90-day rolling window (for AI context), unless you set a different retention.
  • Meta tokens: until user revokes or subscription is cancelled.
  • Invoice & tax data: 10 years per Indonesian Tax Law Article 28.
  • Audit logs: 12 months for security/forensic.
  • Encrypted backups: 30-day rolling, auto-purge.

11. Children Under Age

Spicelab services are intended exclusively for users aged 18 and above with legal capacity to run a business. We do not knowingly collect personal data from minors under 18. If you become aware that a minor's data has been submitted to us, please contact privacy@spicelab.ai — we will delete such data within 7 business days.

12. Data Protection Officer (DPO)

Per PDP Law Article 53, we have appointed a Data Protection Officer who may be contacted via:
Email: dpo@spicelab.ai
Postal address: Jl Cikini Raya FG 6 No 2, Tangerang Selatan 15227, Indonesia

13. Policy Changes

We may update this Policy from time to time. Material changes will be notified via email + dashboard notification at least 30 days before effective date. Continued use of services after the effective date constitutes acceptance of the new version.

14. Contact

Questions, complaints, or data subject right requests:
Privacy: privacy@spicelab.ai
Data Protection Officer: dpo@spicelab.ai
Legal: legal@spicelab.ai
WhatsApp: +62 811-1095-42
Address: Jl Cikini Raya FG 6 No 2, Tangerang Selatan 15227, Indonesia

If your request is not addressed within 30 days, you have the right to file a complaint with the Ministry of Communication and Informatics of the Republic of Indonesia (Kominfo) or the competent data protection authority.