Data policy
What we collect, why, how long we keep it, and what your rights are. Full text in the Privacy Policy; this page is a developer-oriented summary.
What we collect
| Category | Examples | Retention |
|---|---|---|
| Account data | Email, hashed password, name, company, country | Account lifetime + 30 days |
| API keys | SHA-256 hash, prefix (first 12 chars), name, scopes | Account lifetime; revoked keys 90 days |
| Usage events | Timestamp, model, endpoint, token counts, cost, latency, HTTP status, cache hits. No request/response content. | 90 days |
| Files (you upload) | JSONL batch input/output; documents uploaded with purpose=knowledge |
30 days from upload (or until delete) |
| Batch records | Batch ID, status, request counts, link to input/output files | 30 days from completion |
| Knowledge chunks | Text chunks extracted from your documents + their embeddings | Until source file deleted |
| Webhook delivery log | Event payloads we POST to your URL, HTTP response status, retry history | 30 days |
| Billing events | Topups, refunds, signup credits, adjustments | 7 years (tax/audit) |
| Audit log | Admin actions, key creation/revocation, suspensions, login events | 365 days |
| Session data | JWT issued at login; stored in your browser localStorage | 24h (auto-expire) |
What we do NOT collect
- Content of your realtime requests (chat, embed, rerank, image endpoints) is not persisted. It passes through gateway memory and is discarded after the response returns.
- Content of model responses for realtime endpoints (text completions, embeddings, generated/edited images).
- Retrieval query text when you call
/v1/retrieval- the query is embedded server-side but not logged (only the embed-token count is recorded for billing). - IP addresses are not persisted with usage events. They appear transiently in nginx/Caddy access logs (7-day rotation).
- Cookies for tracking, fingerprinting, or analytics. We use only a session JWT in localStorage.
- Third-party trackers, advertising IDs, or social plugins.
Data residency
All inference and storage runs on hardware physically located in Jakarta, Indonesia. We do not transfer data outside Indonesia under normal operation.
The one exception: outbound HTTP webhook deliveries go to URLs you specify. If you point a webhook at an overseas endpoint, that's an export you control.
UU 27/2022 (Pelindungan Data Pribadi)
Our data handling complies with the Indonesian Personal Data Protection Law (UU No. 27 Tahun 2022). Specifically:
- Lawful basis: contract (you signed up) and legitimate interest (abuse prevention).
- Data subject rights: access, correction, deletion, portability, objection (see below).
- Data residency: in-country.
- Security: TLS 1.2+ in transit, hashed credentials at rest, network isolation between gateway and backend.
For enterprise customers, we can sign a Data Processing Agreement (DPA) covering controller-processor responsibilities. Email hello@epithre.com with subject "DPA request".
Your rights
Under UU 27/2022 you have:
- Access: request a copy of your account data via email. We respond within 7 business days.
- Deletion: request account deletion. We erase your account and all linked data within 30 days, except billing records retained 7 years for tax/audit.
- Correction: change your email, name, company, country via the Settings page or by emailing support.
- Portability: request your usage logs and uploaded files as CSV / JSONL exports.
- Object to processing: disable specific features (e.g., audit logging beyond what's needed for security) by contacting support.
- Withdraw consent: at any time. Withdrawal does not retroactively invalidate prior processing.
Email hello@epithre.com for any of the above.
Security practices
- TLS 1.2+ on all API and dashboard traffic.
- Passwords hashed with Argon2id.
- API keys stored as SHA-256 hashes (we cannot recover originals).
- Backend services on a private network (LAN-only inference endpoints).
- Per-key revocation propagates within 30 seconds.
If you discover a vulnerability, email hello@epithre.com with subject "Security disclosure". We do not yet have a formal bug bounty but we respond to disclosures within 48 hours.