CRIVE CRIVE
Privacy Policy Terms of Service UU PDP Compliance
Daftar Waitlist →

Kebijakan Privasi

Versi: 1.7.0 · Berlaku: 12 Mei 2026
Pengendali Data: PT Vintora Teknologi Indonesia
Platform: CRIVE — crive.app

Daftar Isi

  1. Pendahuluan
  2. Data yang Dikumpulkan
  3. Tujuan & Dasar Hukum
  4. Pihak Ketiga & Sub-Processor
  5. Hak-Hak Subjek Data
  6. Keamanan Data
  7. Retensi & Penghapusan
  8. Notifikasi Pelanggaran
  9. Cookie & Pelacakan
  10. Persetujuan AI
  11. Perlindungan Anak
  12. DPO & Kontak
  13. Perubahan Kebijakan

1. Pendahuluan

PT Vintora Teknologi Indonesia ("Perusahaan", "kami") mengoperasikan platform CRIVE — platform kreator ekonomi berbasis AI dengan misi "Monetize Your GENIUS" — melalui aplikasi mobile dan situs web crive.app ("Layanan").

Kebijakan ini menjelaskan bagaimana kami mengumpulkan, menggunakan, dan mengungkapkan data pribadi Anda, serta hak-hak Anda sebagai Subjek Data berdasarkan Undang-Undang No. 27 Tahun 2022 tentang Pelindungan Data Pribadi ("UU PDP").

Dengan menggunakan Layanan, Anda menyetujui kebijakan ini. Jika tidak setuju, harap tidak menggunakan Layanan kami.

2. Data Pribadi yang Kami Kumpulkan

2.1 Data yang Anda Berikan Langsung

  • Nama lengkap dan nama tampilan
  • Alamat email dan nomor telepon
  • Foto profil
  • Akun media sosial yang dihubungkan (Instagram, TikTok, YouTube, Facebook, LinkedIn, Twitter/X)
  • Konten yang Anda buat (teks, gambar, video)
  • Preferensi dan pengaturan akun
  • Informasi pembayaran melalui Midtrans, Xendit, Apple App Store (iOS), dan Google Play (Android) — kami tidak menyimpan data kartu secara langsung

2.2 Data yang Dikumpulkan Otomatis

  • Data penggunaan: fitur yang diakses, frekuensi, durasi sesi
  • Data perangkat: jenis, OS, versi aplikasi, identifier
  • Data log: alamat IP, waktu akses, halaman yang dikunjungi
  • Lokasi umum (kota/wilayah) berdasarkan IP
  • Data perilaku: pola interaksi untuk peningkatan Layanan
  • Cookie dan teknologi pelacak di situs crive.app

2.3 Data dari Pihak Ketiga

  • Profil dari platform media sosial yang Anda sambungkan via OAuth
  • Data analitik performa konten dari platform yang terhubung

3. Tujuan dan Dasar Hukum Pemrosesan

TujuanDataDasar Hukum (UU PDP)
Penyediaan Layanan CRIVENama, email, kontenPasal 20(a): Kontrak
Autentikasi & KeamananEmail, HP, perangkatPasal 20(b): Kepentingan sah
Personalisasi & AIPerilaku, preferensiPasal 20(c): Persetujuan
PembayaranTransaksi (Midtrans/Xendit/Apple/Google)Pasal 20(a): Kontrak
Publikasi KontenKonten kreator, akun medsosPasal 20(a): Kontrak
AnalitikData penggunaan agregatPasal 20(b): Kepentingan sah
KomunikasiEmail, push notificationPasal 20(a) / Persetujuan
Kepatuhan HukumData yang diwajibkan UUPasal 20(d): Kewajiban hukum

4. Pengungkapan Data kepada Pihak Ketiga

Komitmen CRIVE: Kami tidak pernah menjual data pribadi Anda kepada siapa pun.

4.1 Penyedia Layanan (Sub-Processor)

PenyediaLokasiTujuan
Amazon Web ServicesSingapuraInfrastruktur cloud, penyimpanan, komputasi
Google LLC / DeepMindUSAOAuth, FCM, Gemini 3.1 Pro (AI teks), Imagen 4 (AI gambar), Veo 3.1 (AI video)
DeepSeekTiongkokAI teks V3.2 (cached inference)
Groq Inc.USAAI inference Llama 3.1 (tier Free)
Black Forest LabsJermanFlux Pro — AI gambar alternatif
Adobe Inc.USAFirefly — AI gambar (Enterprise)
ElevenLabsUSAText-to-Speech (Premium+)
SunoUSAGenerasi musik AI
Beatoven.aiIndiaGenerasi musik AI (Enterprise)
Runway Inc.USAGen-4.5 — AI video utama
HeyGen Inc.USAAI Avatar (Expert/Enterprise)
Anthropic PBCUSAClaude Sonnet 4.6 + Haiku 4.5 (Elite+)
MidtransIndonesiaGateway pembayaran utama
XenditIndonesiaPembayaran & withdrawal
Twilio / SendGridUSASMS OTP & email transaksional
Apple Inc.USASign in with Apple, APNs, StoreKit 2 (IAP)
DataDog Inc.USAMonitoring infrastruktur (tanpa PII)
HoneygainLithuaniaPoinmate bandwidth sharing — Android & Desktop saja
Pawns.appLithuaniaPoinmate bandwidth sharing
EarnApp (Bright Data)IsraelPoinmate bandwidth sharing
OpenAI LLC TIDAK AKTIFUSATidak lagi digunakan sejak AI Stack v3.0
Leonardo.ai TIDAK AKTIFUSATidak lagi digunakan sejak AI Stack v3.0

Total: 20 penyedia aktif + 2 tidak aktif.

4.2 Pengungkapan Hukum

Kami dapat mengungkapkan data jika diwajibkan oleh hukum, perintah pengadilan, atau otoritas pemerintah yang berwenang.

4.3 Transfer Data Internasional

Transfer data lintas batas dilakukan dengan perlindungan setara sesuai Pasal 35–37 UU PDP melalui Data Processing Agreement (DPA).

4.4 Data yang Tidak Digunakan untuk AI Training

7 kategori berikut tidak pernah digunakan untuk melatih model AI:
  1. Data keuangan dan perbankan
  2. Data medis dan kesehatan
  3. Data hukum dan peradilan
  4. Dokumen identitas pemerintah (KTP, Paspor, NPWP)
  5. Data biometrik
  6. Data anak-anak (di bawah 18 tahun)
  7. Data keyakinan agama dan pandangan politik

5. Hak-Hak Anda sebagai Subjek Data

Berdasarkan UU PDP No. 27/2022, Anda memiliki hak berikut:

HakCara Menggunakan
AksesMinta salinan data via privacy@crive.app
KoreksiPerbarui data langsung di profil akun atau hubungi DPO
PenghapusanHapus akun via Pengaturan — dihapus permanen dalam 30 hari (Cryptographic Erasure)
PortabilitasUnduh data dalam format JSON via Pengaturan > Export Data
MenolakOpt-out dari pemasaran atau personalisasi AI via Pengaturan Privasi
Tarik PersetujuanCabut consent kapan saja via Pengaturan Privasi > Persetujuan AI

6. Keamanan Data

CRIVE menerapkan arsitektur keamanan 7 lapis sesuai CVE-003 v7.0.0 §69:

  • Enkripsi transit: TLS 1.3
  • Enkripsi at-rest: AES-256 pada database dan file storage
  • Autentikasi: JWT RS256 (token akses 15 menit + refresh 30 hari)
  • Kontrol akses: Role-Based Access Control (RBAC)
  • Monitoring: Audit log dan pemantauan real-time
  • Pengujian: Assessment keamanan OWASP Top 10 rutin
  • Password: Argon2id hashing dengan salt 16-byte

7. Retensi dan Penghapusan Data

Kategori DataPeriode RetensiMetode / Alasan
Profil & konten30 hari setelah penghapusan akunCryptographic Erasure
Transaksi keuangan5 tahunKewajiban perpajakan
Log sistem12 bulanKeamanan & audit
Backup90 hariDisaster recovery

8. Notifikasi Pelanggaran Data

  • Notifikasi ke otoritas dalam 3×24 jam (standar CRIVE — lebih ketat dari UU PDP 14 hari)
  • Notifikasi ke Subjek Data terdampak tanpa penundaan yang tidak semestinya
  • Kontak pelaporan: privacy@crive.app

9. Cookie dan Pelacakan

  • Esensial: Diperlukan agar situs berfungsi — tidak dapat dinonaktifkan
  • Analitik: Memahami penggunaan situs — dapat dinonaktifkan
  • Personalisasi: Mengingat preferensi — dapat dinonaktifkan

Anda dapat mengontrol cookie melalui banner persetujuan atau pengaturan browser.

10. Persetujuan AI dan Pelatihan Model

Transparansi AI: Kami percaya kreator berhak tahu bagaimana data mereka digunakan.
  • Secara default, persetujuan AI training aktif (ai_training_consent = TRUE)
  • Anda dapat opt-out kapan saja via Pengaturan Privasi > Persetujuan AI
  • 7 kategori data sensitif (lihat Bagian 4.4) tidak pernah digunakan untuk AI

11. Perlindungan Anak

CRIVE tidak ditujukan untuk anak di bawah 17 tahun. Jika Anda mengetahui seorang anak telah memberikan datanya kepada kami, segera hubungi privacy@crive.app.

12. Data Protection Officer

Punya pertanyaan tentang privasi Anda?

privacy@crive.app

Jamal NR — CEO & DPO ad interim
PT Vintora Teknologi Indonesia
Respons dalam 14 hari kerja

13. Perubahan Kebijakan

Perubahan material akan diberitahukan melalui email atau notifikasi dalam aplikasi minimal 30 hari sebelum berlaku efektif.

Privacy Policy

Version: 1.7.0 · Effective: May 12, 2026
Data Controller: PT Vintora Teknologi Indonesia
Platform: CRIVE — crive.app

Table of Contents

  1. Introduction
  2. Data We Collect
  3. Purpose & Legal Basis
  4. Third-Party Disclosure
  5. Your Rights
  6. Data Security
  7. Retention & Deletion
  8. Breach Notification
  9. Cookies
  10. AI Consent
  11. Children's Privacy
  12. DPO & Contact
  13. Policy Changes

1. Introduction

PT Vintora Teknologi Indonesia ("Company", "we") operates CRIVE — an AI-powered creator economy platform with the mission "Monetize Your GENIUS" — via its mobile app and website crive.app ("Service").

This policy describes how we collect, use, and disclose your personal data, and your rights under Indonesian Law No. 27/2022 on Personal Data Protection ("UU PDP"). By using the Service, you agree to this policy.

2. Personal Data We Collect

2.1 Data You Provide

  • Full name and display name
  • Email address and phone number
  • Profile photo
  • Linked social media accounts (Instagram, TikTok, YouTube, Facebook, LinkedIn, Twitter/X)
  • Content you create (text, images, videos)
  • Account preferences and settings
  • Payment info processed via Midtrans, Xendit, Apple App Store (iOS), and Google Play (Android) — we do not store card data directly

2.2 Automatically Collected Data

  • Usage data: features accessed, frequency, session duration
  • Device data: type, OS, app version, identifiers
  • Log data: IP address, access time, pages visited
  • General location (city/region) based on IP
  • Behavioral data: interaction patterns for Service improvement
  • Cookies and tracking technologies on crive.app

2.3 Data from Third Parties

  • Profiles from social media platforms connected via OAuth
  • Content performance analytics from connected platforms

3. Purpose and Legal Basis

PurposeDataLegal Basis (UU PDP)
Providing CRIVE ServiceName, email, contentArticle 20(a): Contract
Authentication & SecurityEmail, phone, deviceArticle 20(b): Legitimate interest
Personalization & AIBehavior, preferencesArticle 20(c): Consent
Payment ProcessingTransactions (Midtrans/Xendit/Apple/Google)Article 20(a): Contract
Content PublishingCreator content, social accountsArticle 20(a): Contract
AnalyticsAggregated usage dataArticle 20(b): Legitimate interest
CommunicationsEmail, push notificationsArticle 20(a) / Consent
Legal ComplianceLegally required dataArticle 20(d): Legal obligation

4. Disclosure to Third Parties

CRIVE Commitment: We never sell your personal data to anyone.

4.1 Sub-Processors

ProviderLocationPurpose
Amazon Web ServicesSingaporeCloud infrastructure, storage, compute
Google LLC / DeepMindUSAOAuth, FCM, Gemini 3.1 Pro (AI text), Imagen 4 (AI image), Veo 3.1 (AI video)
DeepSeekChinaAI text V3.2 (cached inference)
Groq Inc.USAAI inference Llama 3.1 (Free tier)
Black Forest LabsGermanyFlux Pro — AI image alternative
Adobe Inc.USAFirefly — AI image (Enterprise)
ElevenLabsUSAText-to-Speech (Premium+)
SunoUSAAI music generation
Beatoven.aiIndiaAI music generation (Enterprise)
Runway Inc.USAGen-4.5 — primary AI video
HeyGen Inc.USAAI Avatar (Expert/Enterprise)
Anthropic PBCUSAClaude Sonnet 4.6 + Haiku 4.5 (Elite+)
MidtransIndonesiaPrimary payment gateway
XenditIndonesiaPayments & withdrawals
Twilio / SendGridUSASMS OTP & transactional email
Apple Inc.USASign in with Apple, APNs, StoreKit 2 (IAP)
DataDog Inc.USAInfrastructure monitoring (no PII)
HoneygainLithuaniaPoinmate bandwidth sharing — Android & Desktop only
Pawns.appLithuaniaPoinmate bandwidth sharing
EarnApp (Bright Data)IsraelPoinmate bandwidth sharing
OpenAI LLC RETIREDUSANo longer used since AI Stack v3.0
Leonardo.ai RETIREDUSANo longer used since AI Stack v3.0

Total: 20 active providers + 2 retired.

4.2 Legal Disclosure

We may disclose data when required by law, court orders, or authorized government requests.

4.3 International Data Transfers

Cross-border transfers are conducted with equivalent protection per Articles 35–37 UU PDP through Data Processing Agreements (DPA).

4.4 Data Excluded from AI Training

The following 7 categories are never used to train AI models:
  1. Financial and banking data
  2. Medical and health data
  3. Legal and judicial data
  4. Government ID documents (KTP, Passport, Tax ID)
  5. Biometric data
  6. Children's data (under 18)
  7. Religious beliefs and political views

5. Your Rights as a Data Subject

Under UU PDP No. 27/2022, you have the following rights:

RightHow to Exercise
AccessRequest a copy via privacy@crive.app
RectificationUpdate data in profile settings or contact DPO
ErasureDelete account via Settings — permanently deleted within 30 days (Cryptographic Erasure)
PortabilityDownload data in JSON format via Settings > Export Data
ObjectOpt out of marketing or AI personalization via Privacy Settings
Withdraw ConsentRevoke at any time via Privacy Settings > AI Consent

6. Data Security

CRIVE implements a 7-layer security architecture per CVE-003 v7.0.0 §69:

  • Transit encryption: TLS 1.3
  • At-rest encryption: AES-256 on database and file storage
  • Authentication: JWT RS256 (15-minute access + 30-day refresh tokens)
  • Access control: Role-Based Access Control (RBAC)
  • Monitoring: Real-time audit logs and security monitoring
  • Testing: Regular OWASP Top 10 security assessments
  • Passwords: Argon2id hashing with 16-byte salt

7. Data Retention and Deletion

Data CategoryRetention PeriodMethod / Reason
Profile & content30 days after account deletionCryptographic Erasure
Financial transactions5 yearsTax compliance
System logs12 monthsSecurity & audit
Backups90 daysDisaster recovery

8. Data Breach Notification

  • Notify authority within 3×24 hours (CRIVE standard — stricter than UU PDP 14-day requirement)
  • Notify affected Data Subjects without undue delay
  • Breach reporting contact: privacy@crive.app

9. Cookies and Tracking

  • Essential: Required for site functionality — cannot be disabled
  • Analytics: Help us understand site usage — can be disabled
  • Personalization: Remember your preferences — can be disabled

You can manage cookies through the consent banner or your browser settings.

10. AI Consent and Model Training

AI Transparency: We believe creators deserve to know how their data is used.
  • By default, AI training consent is on (ai_training_consent = TRUE)
  • You may opt out at any time via Privacy Settings > AI Consent
  • 7 categories of sensitive data (see Section 4.4) are never used for AI training

11. Children's Privacy

CRIVE is not intended for children under 17. If you learn that a child has provided personal data to us, contact privacy@crive.app immediately.

12. Data Protection Officer

Questions about your privacy?

privacy@crive.app

Jamal NR — CEO & DPO ad interim
PT Vintora Teknologi Indonesia
Response within 14 working days

13. Policy Changes

Material changes will be notified via email or in-app notification at least 30 days before taking effect.