
Privacy Policy

Effective since: May 14, 2026

Version: 1.0

Jurisdiction: Republic of Indonesia

This Privacy Policy is compiled in accordance with Law Number 27 of 2022 concerning Personal Data Protection (PDP Law) and its implementing regulations. Please read this document carefully before using VisiFlow services.

1. Identity of the Data Controller

VisiFlow is operated by:

Service Name: VisiFlow — Operational Receipt Management

Operator: VisiFlow Team

Contact Email: email@airham.my.id

Application: https://app.visiflow.fun

In the context of the PDP Law, VisiFlow acts as a Personal Data Controller that determines the purposes and means of processing your data.

2. Definitions

  • "Personal Data" — Any data about an individual who is identified or can be identified separately or combined with other information (Article 1 point 1 of the PDP Law).
  • "Data Processing" — Any activity carried out on personal data, including collection, storage, use, disclosure, and deletion.
  • "Data Subject" — You as the owner of the personal data using VisiFlow services.
  • "Receipt" — A physical or digital document serving as proof of a transaction that you upload or scan through VisiFlow services.

3. Personal Data We Collect

We collect the following data in order to operate the service:

| Data Category | Specific Type | Required? |
|---|---|---|
| Account Identity | Name, email address (via Google OAuth) | Yes |
| Document Data | Receipt image, extracted text content (vendor, date, amount, items) | Yes |
| Google Access | Google Sheets OAuth access token (scope limit: Spreadsheets only) | Yes* |
| Technical Data | IP address, device type, application activity logs | Automatic |

*) Only if you use the Google Sheets synchronization feature.

4. Legal Basis and Purpose of Processing

According to Article 20 of the PDP Law, all data processing must have a valid legal basis. We process your data based on:

  • Performance of a Contract

    Processing of receipt images, AI data extraction, and synchronization to Google Sheets are carried out to fulfill the services you requested upon registration.

  • Explicit Consent

    By enabling Google Sheets synchronization, you provide explicit consent for limited access to your Google account according to the stated scope.

  • Legitimate Interest

    Technical logs and usage data are processed for system security purposes, abuse prevention, and service performance improvement.

5. Disclosure to Third Parties

We do not sell, rent, or trade your personal data. Data may be shared on a limited basis with:

  • Google LLC

    For authentication purposes (Google OAuth), Vision AI execution (Google Cloud Vision API), and data synchronization (Google Sheets API). Google is subject to the Google Cloud Data Processing Addendum.

  • Cloud Infrastructure (Google Cloud Platform)

    Data is stored on Google Cloud Run and Google Cloud Storage servers based on a data processing agreement that guarantees security.

  • Legal Authorities

    Only if required by applicable law, court order, or government regulations of the Republic of Indonesia.

6. Data Retention and Deletion

In accordance with the principle of data minimization (Article 16 of the PDP Law), we retain data only for as long as necessary:

  • Active account data: As long as your account is active and there is no deletion request.
  • Receipt images: Automatically deleted from the server after extraction is successfully completed (not permanently stored on VisiFlow servers).
  • Technical logs: Stored for a maximum of 90 days for security and debugging purposes.
  • After account closure: All data is deleted within 30 calendar days of the request being received.

7. Data Security

We implement the following security standards in accordance with the obligations of Article 35 of the PDP Law:

  • Transmission encryption: All communication is protected with TLS 1.3.
  • Storage encryption: Sensitive data is encrypted at rest using AES-256.
  • Access control: The principle of least privilege is applied across the infrastructure.
  • Incident management: In the event of a data breach, we are obliged to notify you and the supervisory authority within a maximum of 72 hours from when the incident is known, in accordance with applicable regulations.
  • API Security: Google OAuth access tokens are stored in an encrypted Secret Manager, not in a regular database.

8. Data Subject Rights

Under Chapter IV of the PDP Law (Articles 5–16), you have the following rights that you can exercise at any time:

Right to Access (Article 5)

Request confirmation and a copy of the personal data we process about you.

Right to Rectification (Article 8)

Request correction of inaccurate or incomplete data.

Right to Erasure / Right to be Forgotten (Article 9)

Request the permanent deletion of your data from our systems, unless retention is required by law.

Right to Withdraw Consent (Article 10)

Withdraw the consent you previously gave without affecting the lawfulness of processing carried out beforehand.

Right to Data Portability (Article 11)

Request your data in a structured, machine-readable format to be transferred to another service.

Right to Object (Article 13)

Object to data processing that you deem inconsistent with the stated purpose.

To exercise these rights, send a written request to email@airham.my.id. We will respond within 14 business days.

9. Cookies and Tracking Technologies

VisiFlow uses session cookies for authentication and maintaining login security. We do not use third-party tracking cookies (such as Google Analytics or ad pixels). Types of cookies used:

  • Session Cookies: Necessary for authentication and account security. These cookies are deleted when the browser is closed.
  • Preference Cookies: Store simple display settings (e.g., interface language). Valid for 30 days.

You can disable cookies through your browser settings, but some service features may not function optimally.

10. Third-Party Services

VisiFlow integrates with the following services which have independent privacy policies:

We recommend that you read the privacy policies of these third-party services, as data processing on their end is beyond our control.

11. Cross-Border Data Processing

VisiFlow's infrastructure runs on Google Cloud Platform which may process data on servers located outside the territory of Indonesia (including the Asia-Pacific region). This cross-border data transfer is carried out with adequate safeguards in accordance with Article 54 of the PDP Law, namely through a data processing agreement (DPA) with Google LLC which provides a level of protection equivalent to Indonesian standards.

12. Policy Changes

We may update this Privacy Policy from time to time. We will notify you of any material changes via:

  • Email notification to the registered address, and/or
  • Notification banner displayed on the application page.

Continued use of the service following the notification is deemed acceptance of the applicable changes.

13. Contact Us

For questions, data rights requests, or to report privacy concerns, please contact our Data Manager:

Email: email@airham.my.id

Email Subject: [PRIVACY] Data Rights Request

We are committed to responding to every request within 14 business days.

© 2026 VisiFlow. All rights reserved.