By using CloudSphere services, you agree to the data collection and use practices described in this policy. This policy applies to our website, SaaS platform, and consulting services.
1. Information We Collect
We collect information you provide directly and information collected automatically:
Identity Information
- Full name and job title
- Company or organization name
- ID number (if relevant for agreement purposes)
Contact Information
- Business email address
- Phone number or WhatsApp
- Mailing address
Technical Information
- IP address and approximate geographic location
- Browser type and operating system
- Pages visited and session duration
- Referral source (where you accessed our website from)
Service Information
- Data you enter into our SaaS platform (compliance, risk, asset data)
- Communication history with our team
- Documents you upload in the context of an engagement
2. How We Use Your Information
The information we collect is used solely for the following purposes:
- Providing, operating, and improving CloudSphere services in accordance with the agreed contract
- Responding to inquiries, information requests, and business communications
- Sending service updates, policy changes, and important notifications
- Analyzing platform usage patterns to improve features and user experience
- Detecting, preventing, and responding to security incidents or abuse
- Fulfilling legal and regulatory obligations applicable in Indonesia
- Billing and financial administration related to services provided
We do not use your data for third-party marketing purposes or sell it to anyone.
3. Legal Basis for Processing Data
We process your personal data based on Law Number 27 of 2022 on Personal Data Protection (UU PDP) with a clear legal basis:
Consent
For processing not required by contract, we request your explicit consent in advance.
Contract Performance
Processing necessary to fulfill the service agreement between you and CloudSphere.
Legitimate Interest
Processing necessary for our business operations, including platform security and service improvement.
Legal Obligation
Processing required by applicable Indonesian laws and regulations.
4. Sharing Information with Third Parties
We do not sell, rent, or trade your personal data. Information is only shared under the following conditions:
- Infrastructure Service Providers — hosting, database, and analytics partners bound by confidentiality agreements and prohibited from using your data for other purposes
- Legal Obligations — if required by law, court order, or authorized regulatory authority
- Rights Protection — to protect the safety of users, platform integrity, or CloudSphere's legal rights
- Your Consent — in any other situation, only with your explicit consent
Every third-party service provider we use is rigorously vetted and bound by data protection obligations equivalent to our standards.
5. Data Security
As a company operating in the information security field, we apply the highest data protection standards:
Transit Encryption
TLS 1.2+ for all data communications
Storage Encryption
AES-256 for data at rest
Access Control
RBAC with least privilege principle
Authentication
MFA required for internal system access
Monitoring
Continuous security monitoring 24/7
Regular Audits
Annual penetration testing and audits
That said, no system is completely immune. If you suspect a security vulnerability, please report it to security@cloudsphere.id.
6. Data Retention
We retain your personal data only as long as necessary to fulfill the processing purpose or as required by applicable legal obligations:
- Active account data — retained for the duration of the business relationship and up to 12 months after it ends
- Consulting engagement data — minimum 3 years per ISO 27001 audit requirements
- Financial records and invoices — 5 years per Indonesian tax regulations
- Security logs and audit trails — minimum 1 year for incident investigation needs
After the retention period ends, data will be securely deleted or anonymized so it can no longer be linked to your identity.
7. Your Rights as a Data Subject
Under UU PDP No. 27/2022, you have the following rights over your personal data:
Right of Access
Request confirmation of whether we process your data and obtain a copy of it.
Right to Rectification
Update or correct data that is inaccurate, incomplete, or outdated.
Right to Erasure
Request deletion of your data under certain conditions (right to erasure).
Right to Restriction
Limit how or for what purpose we process your data on a temporary basis.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to data processing for specific purposes, including direct marketing.
Right to Withdraw Consent
Withdraw consent at any time without affecting the lawfulness of prior processing.
How to submit a request:
Send your request in writing to privacy@cloudsphere.id. We will respond within 14 business days in accordance with UU PDP requirements.
9. Policy Changes
We may update this policy periodically to reflect changes in our services, technology, or regulations. For material changes, we will:
- Notify you by email to your registered address at least 30 days before the change takes effect
- Display a clear notice on our platform
- Update the “Last updated” date at the top of this document
Continued use of the service after a change takes effect constitutes acceptance of the revised policy. If you disagree with a change, you have the right to stop using the service and request deletion of your data.
10. Contact Us
For questions, data subject rights requests, or privacy concerns, please contact us at:
PT CloudSphere Digital Indonesia
Jl. Haji Salim, Gang Haji Musa 1 RT 006/RW 010
Cimanggis, Tugu, Kota Depok 16451
Privacy Email: privacy@cloudsphere.id
General Email: hello@cloudsphere.id
Response: Maximum 14 business days for data subject rights requests
For specific security questions, please visit our Security page.
