/ LEGAL

Privacy Policy

LAST UPDATED — 18 APRIL 2026

This Privacy Policy explains how Aureon ("Aureon", "we", "us") collects, uses, shares, and protects personal data when you visit our website, contact us, or engage our services. We handle personal data in accordance with Indonesia's Personal Data Protection Law (UU No. 27/2022 — UU PDP) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Data Controller

Aureon — Bandung, Indonesia
Contact: zulfikar.nauval1998@gmail.com

2. Information We Collect

Category	Examples	Source
Contact data	Name, email, phone, company, job title	You (contact form, email, meetings)
Engagement data	Project briefs, contracts, correspondence	You
Technical data	IP address, browser, device, referring URL	Automatic (website)
Usage data	Pages viewed, time on site, interactions	Analytics tools
Client data	Datasets and systems shared for project work	You (as data controller)

We do not intentionally collect sensitive data (e.g. health, biometric, political views). If your project requires processing such data, this will be governed by a separate Data Processing Agreement.

3. How We Use Your Information

Deliver services — respond to inquiries, prepare proposals, perform engagements, and deliver results.
Communicate — send project updates, invoices, and occasional service announcements.
Improve the website — analyse usage patterns to fix bugs and enhance content.
Comply with law — meet tax, accounting, and regulatory obligations.
Protect our rights — detect, prevent, or investigate fraud, abuse, or security incidents.

4. Legal Bases

Where GDPR applies, we rely on the following legal bases:

Contract — processing necessary to perform an engagement or take steps at your request before entering one.
Consent — where you have explicitly opted in (e.g. marketing emails). You may withdraw consent at any time.
Legitimate interests — running our business, securing our systems, and improving our services, balanced against your rights.
Legal obligation — tax, accounting, and regulatory requirements.

5. Cookies and Analytics

Our website may use essential cookies to function and, where enabled, privacy-respecting analytics cookies to understand aggregated traffic. You can disable cookies in your browser settings; some features may then not work as intended.

6. Sharing Your Information

We do not sell personal data. We may share data with:

Service providers — cloud hosting, email, payment, and analytics providers acting under contractual obligations;
Professional advisors — lawyers, accountants, and auditors where legally required;
Authorities — when required by law, court order, or to protect rights, property, or safety;
Successors — in connection with a merger, acquisition, or sale of assets, subject to equivalent protections.

7. International Transfers

Some of our service providers are located outside Indonesia or the EEA. Where data is transferred internationally, we use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms permitted under UU PDP and GDPR.

8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal, tax, accounting, or contractual requirements. General retention guidelines:

Inquiries that do not lead to engagement — up to 24 months;
Active clients — for the duration of the engagement plus 5 years;
Accounting records — up to 10 years as required by Indonesian law.

9. Data Security

We apply technical and organisational measures appropriate to the risk, including access controls, encryption in transit (TLS), least-privilege principles, and vendor due diligence. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

10. Your Rights

Subject to applicable law, you have the right to:

Access the personal data we hold about you;
Request correction of inaccurate or incomplete data;
Request deletion where retention is no longer justified;
Restrict or object to certain processing;
Request data portability in a commonly used machine-readable format;
Withdraw consent at any time, without affecting prior lawful processing;
Lodge a complaint with the relevant data protection authority.

To exercise any of these rights, contact us at zulfikar.nauval1998@gmail.com. We will respond within the timeframes required by law (typically 30 days).

11. Children's Privacy

Our services are intended for organisational clients and individuals aged 18 and over. We do not knowingly collect personal data from children.

12. AI Processing

When we process your data using AI or machine-learning systems as part of an engagement, we do so under the instructions defined in your SOW or Data Processing Agreement. We do not use client data to train third-party public models unless you have given explicit written consent.

13. Changes to This Policy

We may update this Policy to reflect operational, legal, or regulatory changes. The "Last Updated" date above shows when the latest version took effect. Material changes will be communicated through the website or email.

14. Contact

For any privacy-related inquiry, request, or complaint:

Aureon — Privacy
Bandung, Indonesia
zulfikar.nauval1998@gmail.com