Legal

Privacy Policy

Klaut AI · Jakarta, Indonesia

Effective date: 16 May 2026 Last updated: 16 May 2026

1. The short version

Klaut AI ("Klaut," "we," "us") is an enterprise AI transformation firm. We operate the public sites at klaut.id and compass.klaut.id, the Compass application at compass-app.klaut.id, and the consulting and product engagements those sites describe. This policy explains what personal data we collect across those surfaces, why we collect it, who we share it with, and the rights you hold over it.

We collect the data we need to run a credible enterprise practice — nothing we cannot justify in a client conversation. Where Compass observes how employees work, we enforce a three-way privacy split between the employee, their manager, and HR. That split is built into the architecture, not into a configuration setting.

If you only read one section, read the one that applies to you: Section 4 if you are a site visitor or prospect, Section 5 if you are an end user of Compass, Section 6 if you are a client representative.

2. Who this policy applies to

This policy covers:

  • Visitors to klaut.id and compass.klaut.id, including the Indonesian and English versions of each site.
  • People who contact us by email, form, or call to enquire about Foundation, Chief AI Officer, Compass, or Audit engagements.
  • Employees, managers, and HR administrators of client organisations who use Compass through compass-app.klaut.id under a signed client agreement.
  • Authorised representatives of client organisations during a paid engagement.

Where Klaut acts as a data processor on behalf of a client — most commonly inside a Compass deployment — the client is the data controller. Their own privacy notice governs the employees they enrol, and Klaut's role is defined in the data processing terms attached to the engagement.

3. The data we collect

Identification and contact data. Name, business email, role, company name, country. We collect these when you contact us, request a call, or are listed as a point of contact under a client engagement.

Communications data. The content of emails, call notes, proposals, and signed documents exchanged with you in the course of an engagement or pre-engagement conversation.

Site usage data. Aggregate analytics from Vercel Web Analytics — page views, referrers, country-level location, anonymised device and browser type. We do not deploy advertising trackers, behavioural profiling cookies, or session replay tools on either site.

Compass platform data. When a client deploys Compass, the system observes employee work inside the systems the client connects (for example a customer service platform). This produces:

  • Performance signals from the connected systems (response times, quality scores, error patterns).
  • Personalised micro-lessons generated for each employee.
  • Assessment results and skill scores.
  • Reporting outputs delivered to three audiences under separate privacy boundaries.

The categories of data observed are agreed in writing with the client before deployment. Klaut does not unilaterally expand the observation scope of a Compass instance.

Client engagement data. Documents, system access details, sample data, and operational context shared with us under an active engagement, including any personal data contained inside the materials a client provides.

We do not knowingly collect data from anyone under the age of 18. Compass is deployed inside enterprise client workforces and is not intended for minors. If we learn that we have collected personal data from someone under 18, we delete it.

4. If you are a site visitor or prospect

We use your data to respond to you, to qualify whether Klaut is the right fit for what you need, and to maintain the records a regulated business is expected to keep.

We rely on the following legal bases, depending on which framework applies to you:

  • Indonesian Personal Data Protection Law (Undang-Undang No. 27 Tahun 2022, "UU PDP"): your consent and our legitimate interests in operating the business.
  • GDPR or UK GDPR, where applicable: legitimate interests (Article 6(1)(f)) for prospect contact and analytics, and consent (Article 6(1)(a)) where you submit information directly.
  • Other regional frameworks: the closest equivalent of the above.

You can unsubscribe from any direct outreach by replying to the email or writing to hello@klaut.id. Analytics on the public site can be blocked by your browser or extension of choice. We do not consider doing so an unfair use of the site.

5. If you are an end user of Compass

If your employer has deployed Compass, this section governs the data Compass holds about you. Your employer is the data controller; Klaut is the processor acting on their instructions.

Three-way visibility, enforced by architecture.

Compass produces three views of the same underlying data:

  • Your view shows your personal performance, mistakes, lessons, assessments, and skill score. Other employees cannot see it. Your manager sees a limited subset of it, defined in the deployment scope.
  • Your manager's view shows team-level trends and the limited individual data the deployment scope permits — typically gap categories and improvement direction, not raw activity recordings.
  • HR's view shows aggregate workforce capability. HR cannot drill down from an aggregate trend to identify which employee produced which signal without an explicit, audited consent action.

The boundary between these three views is enforced by the Compass data model and access control layer. A manager who tries to access HR-only data, or HR who tries to access individual-level detail, will not succeed by clicking around — there is no path to that data inside the product.

Skill data follows the person.

Your skill score and assessment record are designed to be portable. If you change roles inside the same employer, your record moves with you. Export to a personal copy at the end of your employment is a feature offered through your employer's HR process; Klaut does not unilaterally release or withhold that data.

Layoffs are not a Compass use case.

Compass is sold and deployed as a workforce development product. We will not configure a Compass instance whose primary intent is to support workforce reduction decisions, and Section 8 of our standard client terms reflects this.

If you believe the privacy split has been crossed, or that data has been used to make a decision that the deployment scope did not authorise, write to hello@klaut.id with "Compass — concern" in the subject. We will treat the report as we would treat any incident, including notifying the client.

6. If you are a client representative

For named contacts inside a client organisation under an active engagement, we hold the data needed to deliver the engagement: contact details, signed documents, scoping notes, deliverables, billing and tax records, and the operational records required by Indonesian tax and corporate law.

We retain client engagement records for ten years after the engagement closes, in line with general Indonesian commercial record-keeping practice. Personal data inside those records that is not required for the record-keeping purpose is deleted earlier where practical.

7. How we use AI on your data

We are an AI firm. We use AI tools internally to draft, analyse, and accelerate our work — including on materials related to your engagement. The model and vendor selection for any given workload is part of our consulting methodology and is reviewed against the data sensitivity involved.

We do not submit identifiable client data to third-party model providers for the purpose of training their public models. Where a workload requires a model with a training-use clause, we either disable that clause in the vendor contract, route through a deployment that contractually excludes training, or use a self-hosted model. The applicable arrangement for a given engagement is documented in the engagement letter.

Inside Compass, model selection is part of the deployed configuration and is disclosed to the client. Compass uses models on customer data only for the observe-correct-educate-assess-report loop the client has signed up for.

8. Who we share data with

We share personal data with:

  • Infrastructure providers that run the sites and the application: Cloudflare (CDN and DNS) and Vercel (hosting, deployment, analytics).
  • Email delivery through Postmark for transactional and engagement-related email from our domain.
  • Model providers used inside a delivered solution, scoped per engagement and disclosed in the engagement letter.
  • Professional advisors — legal, tax, and accounting — under their own confidentiality obligations.
  • Regulators, courts, and authorities where a binding legal obligation applies in Indonesia or another jurisdiction with proper authority.
  • Successor entities in the event of a sale, merger, or restructuring, where Klaut's obligations under this policy carry forward.

We do not sell personal data. We do not share personal data with advertising networks. We do not enrich prospect lists from third-party data brokers.

9. International transfers

Klaut is established in Indonesia. Several of our infrastructure providers and model vendors operate from the United States and the European Union. When data is transferred outside Indonesia, we rely on the cross-border transfer provisions of UU PDP and, where the destination is subject to GDPR or UK GDPR, on standard contractual clauses or equivalent safeguards in the vendor agreement.

Where a client requires Indonesian data residency for a specific Compass deployment, that requirement is documented in the engagement letter and the deployment is configured accordingly.

10. Your rights

Under UU PDP and, where applicable, GDPR or UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete data we no longer have a lawful basis to hold.
  • Restrict or object to specific processing activities.
  • Withdraw consent where consent is the basis for processing.
  • Receive a portable copy of your data where the right applies.
  • Lodge a complaint with the relevant supervisory authority — in Indonesia, the authority designated under UU PDP.

To exercise any of these rights, write to hello@klaut.id with "Privacy request" in the subject and enough information for us to confirm your identity. We respond within thirty days. If you are an end user of Compass, route the request through your employer's HR contact in the first instance — your employer is the controller and we will act on their authenticated instruction.

11. Retention

We retain personal data for as long as it serves the purpose for which it was collected, after which it is deleted or anonymised. Specific retention periods:

  • Prospect communications without follow-on engagement: two years from last contact.
  • Active client engagement records: for the duration of the engagement and ten years after closure, in line with Indonesian commercial record-keeping practice.
  • Compass platform data: governed by the data processing terms in the client engagement. Default is full deletion within ninety days of contract termination.
  • Site analytics: aggregate retention of twenty-five months at the provider level, with no personally identifying records held by Klaut.

12. Security

The Security page at klaut.id/security describes the safeguards that apply to data Klaut holds and processes. It is part of this policy by reference. No security programme can guarantee zero incidents; ours is built to make incidents rare, contained, and disclosed honestly when they do occur.

13. Changes to this policy

We update this policy when our practice changes or when a legal framework that governs us changes. Material changes are notified to active clients in writing and posted on this page with a revised "Last updated" date. Continued use of our sites or services after the update means you have read it.

14. Contact

For any question about this policy, write to hello@klaut.id.

Klaut AI · Jakarta, Indonesia

Terms of Service Security Contact us