1. Introduction
This Privacy Policy explains how PT coretAIx ("coretAIx", "we", "us", "our") collects, uses, stores, and protects your personal information when you use the coretAIx services available at coretaix.com (the "Service").
coretAIx is an AI-powered tool that assists with Indonesian annual tax return (SPT Tahunan) filing. coretAIx is NOT an official product of the Directorate General of Taxes (DJP) and is NOT affiliated with DJP, the Ministry of Finance, or the Government of the Republic of Indonesia.
By accessing or using our Service, you consent to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this policy, please do not use our Service.
This policy is prepared in compliance with Law Number 27 of 2022 on Personal Data Protection (UU PDP) of the Republic of Indonesia.
2. Information We Collect
We collect several types of information to provide and improve the Service:
2.1 Account Data
- Email address
- Full name
- Password hash (managed by Supabase Auth using bcrypt; we never store your password in plain text)
2.2 Tax Profile Data
We do NOT collect or store your NPWP (Taxpayer Identification Number) or NIK (National Identity Number). The NPWP/NIK checker tool processes data locally on your device and does not save any data to our servers.
- Marital status
- Number of dependents
- Income data (gross income, deductions, allowances)
- Employment/business type
2.3 Uploaded Documents
- Withholding tax slips (Bukti Potong 1721-A1, 1721-A2, etc.)
- Financial records and other tax documents
- Documents are stored in Supabase Storage with Row Level Security (RLS) access controls
2.4 AI Chat Conversations
- All chat messages between you and the coretAIx AI assistant
- Tax profile context sent to the AI to generate personalized responses
2.5 Usage Analytics Data
- Pages visited
- Features used
- Device type and browser
- IP address (anonymized)
- Session time and duration
2.6 Payment Data
- For card/e-wallet payments: processed entirely by Lemon Squeezy as Merchant of Record. We do NOT store your credit card numbers, debit card numbers, or bank account details.
- For cryptocurrency payments: sender wallet address, transaction hash (TX hash), payment amount, and cryptocurrency type (BTC/ETH/USDT)
3. How We Use Your Information
We use the information collected for the following purposes:
3.1 Provide AI Tax Assistance
- Process your questions and provide personalized tax information
- Analyze tax documents you upload
- Calculate tax obligations based on your profile
3.2 Personalize Tax Calculations and Recommendations
- Customize PPh 21 and UMKM tax calculators based on your data
- Provide SPT filing guidance relevant to your situation
- Analyze NIHIL status based on your withholding tax slips
3.3 Process Payments
- Process subscriptions via Lemon Squeezy
- Verify cryptocurrency payments
- Manage your subscription status
3.4 Improve Our Services
- Analyze usage patterns to enhance features
- Identify and fix bugs
- Develop new features based on user needs
3.5 Send Deadline Reminders (with Consent)
- SPT filing deadline notifications
- Tax payment reminders
- You can disable these notifications at any time through your account settings
4. Data Storage and Security
We implement appropriate technical and organizational security measures to protect your data:
4.1 Storage Infrastructure
- All data is stored on Supabase hosted in the Singapore region (Southeast Asia)
- Supabase uses PostgreSQL as its database and holds SOC 2 Type II security certification
4.2 Data Encryption
- We do NOT store NPWP or NIK on our servers, so no government identity data requires encryption
- All data is encrypted during transmission using HTTPS/TLS 1.3 (encryption in transit)
4.3 Access Controls
- Row Level Security (RLS) is enforced on all database tables — each user can only access their own data
- Authentication uses Supabase Auth with bcrypt password hashing
- Access tokens use JWT with limited expiration
4.4 Password Security
- Passwords are hashed using bcrypt via Supabase Auth
- We never store or have access to your password in plain text
4.5 Data Breach Notification
In the event of a data breach affecting your personal data, we commit to notifying you and the relevant authorities within 72 (seventy-two) hours after the breach is identified, in accordance with the UU PDP.
5. Third-Party Data Sharing
We share your data with the following third parties on a limited basis and only for necessary purposes:
5.1 OpenAI
- Your chat messages and tax profile context are sent to the OpenAI API (GPT-5.2) for AI processing
- Data is processed in accordance with OpenAI’s data usage policy
- We do NOT opt your data in to OpenAI’s AI model training
- Please be aware that data sent to OpenAI is processed on OpenAI’s servers outside of Indonesia
5.2 Lemon Squeezy
- Processes credit card, debit card, and e-wallet payments
- Acts as Merchant of Record (MoR) for payment transactions
- Subject to Lemon Squeezy’s privacy policy
5.3 CoinGecko
- Used as the API for cryptocurrency price conversion
- NO personal data is sent to CoinGecko — only market price requests
5.4 Supabase
- Database, authentication, and file storage infrastructure provider
- Data is processed in accordance with Supabase’s Data Processing Agreement (DPA)
We do NOT sell, rent, or trade your personal data to third parties for marketing or any other purposes.
6. Data Retention
We retain your data according to the following periods:
6.1 Account Data
- Retained while your account is active
- After account deletion: all data is deleted within 30 (thirty) days
6.2 Chat History
- Retained while your account is active
- Deleted together with account deletion
6.3 Tax Documents
- Retained for the current tax year and one previous tax year
- Documents older than this period are automatically deleted
6.4 Analytics Data
- Anonymized after 12 (twelve) months
- Anonymized data cannot be re-associated with your identity
6.5 Payment Data
- Transaction records are retained in accordance with applicable legal obligations
- Payment card data is never stored by us (managed by Lemon Squeezy)
7. Your Rights
Under the UU PDP (Law Number 27 of 2022 on Personal Data Protection), you have the following rights:
7.1 Right to Access
- You have the right to know and access the personal data we hold about you
- You can download your data through the export feature in your account settings
7.2 Right to Correction
- You have the right to correct any inaccurate or incomplete personal data
- Changes can be made through your profile settings page
7.3 Right to Deletion
- You have the right to delete your account and all personal data
- Deletion can be initiated through your account settings
- All data will be deleted within 30 days of the deletion request
7.4 Right to Export (Data Portability)
- You have the right to obtain a copy of your personal data in a machine-readable format
- The export feature is available in your account settings
7.5 Right to Withdraw Consent
- You have the right to withdraw your consent to data processing at any time
- Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal
- Withdrawal of consent may result in your inability to use some or all of the Service
7.6 Right to Object
- You have the right to object to the processing of your personal data
- Contact us through the information below to lodge an objection
To exercise your rights, contact us by email at privacy@coretaix.com.
9. Children's Privacy
Our Service is not intended for users under the age of 17 (seventeen). We do not knowingly collect personal data from children under 17.
If you are a parent or guardian and become aware that your child has provided personal data to us, please contact us. If we become aware that we have collected personal data from a child under 17 without parental consent, we will take steps to delete that information from our servers.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will become effective immediately after we post the updated policy on this page.
We will notify you of material changes through:
- Email notification to your registered email address
- In-app notification when you log in
We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes constitutes your acceptance of the updated policy.
The "Last updated" date at the top of this page indicates when the last revision was made.
11. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us:
- Email: privacy@coretaix.com
- Website: coretaix.com
For requests related to your personal data rights under the UU PDP, we will respond within 14 (fourteen) business days of receiving your request.