Your privacy. Our responsibility.

Effective May 1, 2026 · Operated by PT Riset Sinergi Sosial

TABLE OF CONTENTS

About This Policy
Data We Collect
Processing Purposes
Legal Basis
Data Sharing
Storage & Security
Your Rights
Cookies & Tracking
AI Processing
Minors
Policy Changes
Contact

1. About This Policy

Risos AI ("we", "the platform") is a product of PT Riset Sinergi Sosial — a research entity registered with the Indonesian Ministry of Law (Kemenkumham RI, AHU-050449.AH.01.30). This document explains how we collect, process, store, and protect your personal data when you use our service via web, WhatsApp, or Telegram.

We commit to data minimisation — we only collect what is genuinely needed to operate the service, and we do not sell your data to third parties.

2. Data We Collect

2.1 Account Identity

Account ID — derived from Google email, WhatsApp number, or Telegram ID
Display name, profile photo (if uploaded), bio, institution, role (S1/S2/S3/Lecturer/Researcher), research field
Phone number (optional, for reminders)
Email address (for Google sign-in)

2.2 Research Content

Files you upload: datasets (.xlsx, .csv), transcripts (.docx, .pdf, .txt), interview audio (.mp3, .m4a), images
Analysis metadata: research title, statistical test type, variables, results
Research projects (Journey): title, type, target date, milestones, team members
Messages in Consultation (advisor-student threads)
Conversation history with Risos AI Chat

2.3 Usage Data

Login history: IP address, user agent (browser/device), timestamp, method (Google/WhatsApp/Telegram), success/fail status
Platform activity: pages visited, features used
Preferences: theme (dark/light), language, density, enabled notifications

2.4 Payment Data

Risos AI does not store your credit/debit card numbers. Payments are processed by third-party gateways: Tripay (QRIS) and NowPayments (crypto). We only store transaction reference, amount, status, and timestamp.

3. Processing Purposes

Service operation: running statistical analysis, QDA, AI chat, journey tracking, team consultation features
Personalisation: AI Persona tailors responses to your research background
Security: detecting suspicious logins, preventing abuse
Communication: sending notifications per your settings
Service improvement: anonymous aggregates to understand usage patterns
Legal compliance: retaining logs as required by applicable regulation

4. Legal Basis

Processing of your data is based on:

Consent — given when you sign up and enable specific features (notifications, AI Persona)
Contract performance — we must process data to provide the service you request
Legitimate interests — platform security, fraud detection, service quality improvement
Legal obligations — Indonesian Personal Data Protection Law (UU PDP No. 27/2022) and derivative regulations

We do not sell your data. Sharing is limited to:

Third-party AI providers — Content you send to chat is processed by external AI providers under business-tier contracts that prohibit training on your data. Provider details are available on request.
Payment gateways — Tripay (QRIS), NowPayments (crypto) for transaction processing.
Journey team members — when you invite an advisor/member to a research project, they can see content you share within that project.
Law enforcement — only with valid legal orders from competent Indonesian authorities.

6. Storage & Security

Data is stored in our PostgreSQL servers located in Indonesia. We implement:

TLS 1.3 encryption for all connections (HTTPS only)
Password hashing (if you set one) using bcrypt
Session tokens with limited validity, JWT signed
Database access restricted to internal infrastructure
Daily backups with 30-day retention
Audit logs for all access to sensitive data

DATA RETENTION

Active data is retained while your account is active. After you delete your account, data is permanently deleted within 7 working days, except those required for legal compliance (payment transactions retained 5 years per tax regulations).

7. Your Rights

Per UU PDP No. 27/2022, you have the right to:

Access — request a copy of all your data (use the Export Data button in Settings → Privacy)
Rectification — modify inaccurate data (directly in Settings → Profile)
Erasure — request permanent account deletion (Settings → Privacy → Delete Account)
Portability — download data in JSON format that can be imported elsewhere
Objection — refuse processing for specific purposes (toggle off in Notifications)
Withdrawal of consent — anytime, with the consequence that certain services become unavailable

To exercise these rights, visit Settings or contact admin@risos.co.id.

8. Cookies & Tracking

We use minimal cookies:

risos_token — session authentication (HTTP-only, secure, same-site lax)
guest_session_id — rate-limit guest chat on the landing page

We do not use ad cookies, third-party tracking pixels, or fingerprinting analytics tools.

9. AI Processing

Risos AI uses large language models for Chat, Methodology Consultation, and AI Persona. Important notes:

Content sent to chat is forwarded to model providers to generate responses
We cache only conversations for the "AI memory" feature — you can delete them in Settings → Privacy
Your AI Persona is injected as a system instruction into every new conversation
AI output does not replace professional advice — always verify with your supervisor
We do not use your content to train our own AI models

10. Minors

This service is intended for users aged 17 and above (undergraduate level upwards). We do not knowingly collect data from users below that age. If you believe a child under 17 is using a Risos AI account, please contact us.

11. Policy Changes

We may update this policy from time to time. Material changes will be communicated via email and/or in-app notification at least 14 days before they take effect. Previous versions are available upon request.

12. Contact

PT Riset Sinergi Sosial
Pekanbaru, Riau, Indonesia
NIB: 1709250119286
Email: admin@risos.co.id

Privacy-related questions, complaints, or requests will be addressed within 14 working days.