Privacy Policy

Last updated: March 2026

This document is currently available in English only.

1. Introduction

PT Alpha Code Technologies ("AlphaCode") is committed to protecting the privacy of individuals whose data is processed through the Claro platform. This Privacy Policy explains what data we collect, how we use it, and your rights.

2. Data We Collect

2.1 Account Data

  • Administrator name and work email address
  • Tenant organisation name and configuration
  • Login timestamps and session metadata

2.2 Employee Simulation Data

  • Employee names and encrypted email addresses (AES-256-GCM)
  • Phishing simulation interaction events (click, open, submission)
  • Training module completion status
  • Department and group membership

2.3 Usage Data

  • Platform audit logs (action, resource, timestamp)
  • IP addresses associated with administrative actions (encrypted)

3. How We Use Data

  • To provide and operate the phishing simulation and training platform
  • To generate risk analytics and compliance reports for your organisation
  • To maintain platform security, audit trails, and integrity
  • To improve the platform and develop new features

4. Data Security

Employee PII (email addresses) is encrypted at the application layer using AES-256-GCM with per-tenant encryption keys. Keys are managed via envelope encryption: a master key encrypts per-tenant data encryption keys. For on-premise deployments, the master key never leaves your infrastructure.

5. Data Retention

  • Audit logs are retained for 90 days by default (configurable).
  • Simulation tracking events are retained for the duration of your subscription.
  • On account termination, data is crypto-erased by deleting the tenant encryption key.

6. Your Rights (GDPR / OJK)

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data (crypto-erasure).
  • Portability: Receive your data in a machine-readable format.

7. Third Parties

For on-premise deployments, no data is transmitted to AlphaCode servers. For cloud-hosted deployments, data is hosted on servers located in Indonesia or Singapore. We do not sell or share employee data with third parties.

8. Cookies

The Claro platform uses strictly necessary cookies for session management (HTTP-only JWT refresh token). No third-party tracking or advertising cookies are used.

9. Contact

For privacy requests or questions, contact our Data Protection Officer at privacy@alphacode.tech.