Privacy policy

Clear consent. Limited use.

Laras connects business tools only after the account owner or authorized operator grants permission. Data is used to operate the workspace, prepare governed business actions, and keep work traceable.

PT LARAS TEKNOLOGI INTERNATIONAL operates the Laras platform (larasx.com). For privacy inquiries, contact help@larasx.com.

[ ii ] Platform review

Reviewer endpoints in one place.

These links support Meta and other platform review. The policy stays general for all future official channel integrations.

Provider callback endpoint

https://larasx.com/api/meta/data-deletion

Canonical for WhatsApp Business, Instagram, Facebook Page Messenger, and Threads. Status URL: /data-deletion-status/<code>.

[ iii ] Full policy

Eighteen clauses covering Tech-Provider role, controller and processor split, subprocessors, retention, and your rights.

[ i ]

Introduction

This Privacy Policy explains how PT LARAS TEKNOLOGI INTERNATIONAL ("Laras", "we", "us") processes information through the Laras platform at larasx.com. Laras is an AI operating layer for business work. It operates connected channels, prepares governed business actions, and keeps a verifiable audit trail on behalf of authorized Clients.

PT LARAS TEKNOLOGI INTERNATIONAL is incorporated in the Republic of Indonesia, with registered domicile in Kabupaten Langkat, Sumatera Utara. This Policy applies to every visitor of larasx.com, every Client that engages the Service, and every end-user whose data Laras processes on behalf of a Client.

By accessing or using Laras, you consent to the practices described in this Policy. If you do not agree, you must stop using the Service.

[ ii ]

Data we collect from Clients

When you register and use Laras as a Client, we collect the following categories of data directly from you and your authorized operators.

  • Account identity. Email address, optional display name, phone number for verification, business name, billing contact, and authentication metadata from your sign-in provider.
  • Brand and content context. Brand voice samples, offer catalog (products, services, packages, pricing), forbidden claims, blacklist terms, knowledge base entries, brand memory, and uploaded reference assets.
  • Platform integrations. OAuth access tokens, refresh tokens, token expiry timestamps, granted permission scopes, connected social account handles, webhook subscription metadata. Tokens are stored encrypted at rest.
  • Service usage. Chat history with Laras, declared business objectives, decision logs, generated assets, draft history, and approval outcomes.
  • Compliance records. Consent version history, audit log entries for sensitive operations, and acceptance records for Terms and DPA.

[ iii ]

Roles: Tech Provider, Partner, customer-of-Partner

Laras operates a three-tier role model. Laras is the technology provider and infrastructure operator. A Partner is an independent business that distributes Laras to its own customers, typically under the Partner's own brand, and is the Data Controller of the Partner-to-customer relationship. A customer-of-Partner is the natural or legal person served by the Partner and is the data subject; for their own business data the customer-of-Partner is also a Data Controller.

Where a Client engages Laras directly (no Partner in the middle), the Client occupies the Partner role for the purposes of this Policy and is the Data Controller for its end-users.

Laras processes end-user data ON BEHALF OF the Partner. Laras is the Data Processor and Tech Provider; the Partner is the Data Controller of the customer-of-Partner relationship. Where a customer-of-Partner uploads their own business records (contacts, catalogs, brand context) into a workspace they administer, that customer-of-Partner is the Data Controller of those records and the Partner is treated as Joint Controller only where it administers the same workspace.

[ iv ]

Data we process from end-users

Purpose statement. The primary purpose of processing end-user data through connected Meta surfaces is to enable an AI worker to auto-reply to customer-of-Partner messages on the Partner brand, follow up on sales, deliver service answers, and keep a verifiable audit trail of every action. Laras processes these messages solely to operate the connected business's own customer service and sales; it is not a general-purpose or open-domain AI assistant and is not offered to end customers as a standalone chatbot.

When a Partner connects an official channel (for example WhatsApp Business, Instagram, Facebook Page Messenger, or Threads) and configures Laras to handle inbound conversations, Laras receives and processes the following categories of end-user data on the Partner's behalf.

Meta WhatsApp Business Platform API. Where a Partner connects a WhatsApp Business account, Laras uses the Meta WhatsApp Business Platform API on the Partner's behalf to receive inbound customer messages and to send business replies within the 24-hour customer-service window. Meta's WhatsApp Business Solution Terms and Meta's Platform Terms apply to that processing, in addition to this Privacy Policy.

Meta Instagram Graph API. Where a Partner connects an eligible Instagram Business or Creator account, Laras uses the Meta Instagram Graph API on the Partner's behalf to receive customer messages (Direct Messages and public comments on the Partner's own posts) and to send business replies. Meta's Instagram Platform Policy applies to that processing, in addition to this Privacy Policy.

Meta Messenger Platform (Facebook Page Messenger API). Where a Partner connects a Facebook Page, Laras uses the Messenger Platform on the Partner's behalf to receive customer messages directed to that Page and to send business replies within the messaging windows Meta defines. Meta's Messenger Platform Policy applies to that processing, in addition to this Privacy Policy.

Meta Threads API. Where a Partner connects a Threads account, Laras uses the Threads API on the Partner's behalf to receive customer messages and public reply signals and to send business replies. Meta's Threads platform policies apply to that processing, in addition to this Privacy Policy.

  • Customer contact information (phone number, email address, name where provided)
  • WhatsApp Business phone numbers and the associated end-user contact identifiers
  • Instagram handles, usernames, and Instagram-Scoped User IDs (IGSID)
  • Facebook Page IDs and Page-Scoped User IDs (PSID) for Page-mediated conversations
  • Threads user identifiers
  • Message content (text, images, voice notes, attachments) inbound and outbound, including draft replies held for owner approval
  • Public comments on the Partner's own Instagram and Facebook posts where the Partner has authorized comment processing
  • Sentiment scores computed by Laras from message content
  • CRM records (interaction timeline, opportunity status, notes)
  • Opt-out timestamps and unsubscribe signals
  • Sales pipeline data (opportunities, stage transitions, deal values)
  • Customer lifetime value (CLV) and segment classifications derived from interactions

Partners are solely responsible for obtaining valid consent from their customers-of-Partner before processing their personal data through Laras. Partners release Laras from any claims, demands, or fines arising from customers-of-Partner or competent authorities due to data processing violations committed by Partners.

[ v ]

Subprocessors

To deliver the Service, Laras engages the named Subprocessors below. Each handles a specific operational function and receives only the data necessary for that function. Naming Subprocessors in this Policy is the legal disclosure venue required by GDPR Article 28 and Meta Platform Terms; it is separate from how the Service is described in marketing copy.

Subprocessor | Purpose | Data categories
Supabase | Managed Postgres database, authentication, object storage (primary application data) | All persisted Partner, Client, and customer-of-Partner data
Vercel | Application hosting, content delivery, edge runtime | All runtime request and response data
Meta Platforms | WhatsApp Business Platform API, Instagram Graph API, Facebook Page Messenger API, Threads API for inbound and outbound business messaging | Message content, contact identifiers, webhook events, IGSID, PSID, WABA phone identifiers, Threads identifiers
Resend | Transactional email delivery (activation, magic links, operational notifications, deliverability) | Recipient email address, message subject and body, delivery telemetry
Stripe | Payment processing for setup fees and monthly invoices | Billing contact, charge metadata; no PAN stored by Laras
Alibaba Cloud DashScope (Qwen family) | Customer-voice generation, multilingual tasks, Qwen-VL vision for image analysis | Prompts and per-request context, including user-uploaded images
Alibaba Cloud DashScope (Voyage embeddings via DashScope or direct Voyage AI) | Text embeddings for retrieval and brand-context indexing | Text fragments converted to vector representations
DeepSeek | Foundation-model inference for analytical workloads (reasoning, decision, planning) | Prompts and per-request context; no training opt-in
Moonshot AI (Kimi) | Foundation-model inference for creative/content generation and as fallback for customer-facing reply drafts | Prompts and per-request context, including message content where routed; no training opt-in; inference may execute in China
Anthropic | Foundation-model inference for legacy features pending migration | Prompts and per-request context; no training opt-in
Fish Audio | Voice synthesis (text-to-speech) for the Laras Voice product | Synthesized text, voice configuration; not used to clone end-user voices
Soniox | Speech-to-text transcription for the Laras Voice product | Audio segments and derived transcripts for the duration of the call
Cloudflare R2 | Object storage for generated assets and uploaded media | Uploaded files, generated images, attachments
Qdrant (self-hosted) | Vector database for per-tenant retrieval embeddings | Embedding vectors and minimal metadata

Each Subprocessor is bound by a Data Processing Agreement with Laras (or, in the case of self-hosted components, operated by Laras under its own controls) and is contractually required to implement appropriate technical and organizational security measures. Their processing is governed by their own privacy policies where applicable. By using Laras, you acknowledge that data may flow to these Subprocessors as part of normal Service operation.

The authoritative, dated list with legal entity, processing region, and certification posture is published and maintained at https://larasx.com/legal/subprocessors. We will provide at least 30 days advance email notice before adding a new Subprocessor or making a material change to that list. Our Data Processing Agreement, available at https://larasx.com/legal/dpa, governs the controller-processor relationship for these data flows in full.

[ vi ]

How we use data

Laras processes the data described above for the following purposes.

  • Core service delivery. Grounding AI replies in the Client's brand voice, offer catalog, and conversation history so generated text reflects the actual business.
  • Autonomy kernel. Routing decisions through the Laras Autonomy Business Intelligence (ABI) engine, including objective parsing, skill selection, evaluator scoring, and the outcome learning loop.
  • Client observability. Powering the Client dashboard, activity feed, evidence chain, and decision audit trail so every Laras action is reviewable.
  • Compliance and safety. Safety-classifier guardrails, blacklist enforcement, opt-out propagation, brand-violation scans, and regulatory disclosure footers.
  • Cost efficiency. Model routing, prompt caching, and inference budgeting to keep operating costs sustainable.
  • Workspace learning. Laras uses each Client's own operating outcomes to improve that workspace. Any future cross-workspace analytics would require explicit opt-in consent and would not share individual Client data.

Lawful basis for processing (GDPR Article 6). For Client data, Laras processes on the basis of (a) performance of a contract, namely the engagement agreement between the Client and Laras, and (b) Laras' legitimate interest in operating, securing, and improving the Service, balanced against the Client's rights. For End-User data, Laras processes on the Client's documented instructions in its role as Data Processor under Article 28; the Client, as Data Controller, is responsible for establishing the lawful basis for its own collection and use of that End-User data (typically consent, contract, or legitimate interest).

[ vii ]

AI training disclaimer

Laras runs a multi-model architecture across three roles (analytical, customer-voice, creative), each served by a different foundation-model family so failures and biases do not correlate. For higher-risk drafts an evaluator model from a different family scores the output before it can be sent. A pre-publish Truth Firewall scans drafts for medical, legal, financial, regulated, or brand-violation language and holds them for owner review regardless of model confidence. Whether automated replies carry an AI-assisted disclosure is controlled by the workspace owner, who is responsible for any per-message disclosure required in their jurisdiction (for example under EU AI Act Article 50); by default Laras does not append a disclosure footer.

[ viii ]

Cross-border data transfer

Operating Laras requires data to be processed across multiple jurisdictions. Data may be processed in:

  • Singapore — primary application hosting, primary database region, and the regional endpoint used for the majority of AI inference traffic
  • United States — payment processing, certain edge compute regions, and selected AI inference providers
  • European Union — selected edge compute regions
  • China / Alibaba Cloud — certain AI inference workloads routed through the international (Singapore) endpoint may execute in Alibaba Cloud regions that include mainland China

For EU and UK Clients: cross-border transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by the contractual safeguards each Subprocessor commits to. For Indonesian Clients: cross-border transfer is consented to by continued use, in accordance with UU Pelindungan Data Pribadi (UU 27/2022) Article 56. Receiving countries either provide an adequate level of protection or are bound by contractual safeguards that meet UU PDP standards.

China inference disclosure. A portion of inference traffic served by China-region foundation-model providers (Alibaba Cloud DashScope / Qwen, DeepSeek, and Moonshot AI / Kimi) is routed through international (Singapore) endpoints; the actual inference compute may execute in provider regions that include mainland China. Clients with regulatory constraints that prohibit China processing may opt out at the workspace level (Settings -> Routing) or contact Laras to negotiate a region-restricted plan. Continued use of the default routing constitutes consent to this processing path. The current Subprocessor list at https://larasx.com/legal/subprocessors sets out our Subprocessors by category and processing region; the specific legal entities are available under the Data Processing Agreement on request.

[ ix ]

Data retention

We retain data only as long as needed to operate the Service, satisfy legal obligations, or maintain auditability. Specific retention periods are set out below.

Data category | Retention period
Active account data | Duration of engagement
Deleted account (grace period) | 30 days
Database backups | 90 days
OAuth access tokens and refresh tokens (Meta WhatsApp Business, Instagram, Facebook Page Messenger, Threads, and other connected platforms) | Deleted within 30 days of disconnect; immediately on Partner offboarding or on a verified data-deletion callback
Client chat history (with Laras) | 24 months
End-user message content (WhatsApp, Instagram, Facebook Page Messenger, Threads, email, web chat) | 24 months
Draft replies held for owner approval (not sent) | 90 days after generation
CRM interactions | 24 months
Telemetry logs (tool calls, model logs) | 12 months
Agent activity log | 30 days rolling
Billing records | 10 years (Indonesian tax law)
Consent version history | Permanent (compliance audit trail)
Opt-out timestamps | Permanent (Meta H4 and UU PDP compliance)
Meta data-deletion request audit log | Permanent (review-evidence chain)
Phase 4 anonymized aggregate patterns | Indefinite (no individual data)

After the applicable period, data is permanently purged by an automated retention sweep. External-store cleanup (object storage attachments, vector embeddings) follows the same schedule and is processed alongside primary database purges.

[ x ]

Your rights

Subject to UU Pelindungan Data Pribadi (Indonesia), the General Data Protection Regulation (EU/UK), and other applicable laws, you have the following rights regarding your personal data.

  • Right to access the personal data we hold about you
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure ("right to be forgotten"), subject to legal retention exceptions
  • Right to data portability in a structured, machine-readable format
  • Right to withdraw consent at any time, without affecting prior lawful processing
  • Right to object to processing in defined circumstances
  • Right to restrict processing where accuracy or lawfulness is contested
  • Right to lodge a complaint with the competent supervisory authority

  • Clients. Email help@larasx.com. We will respond within 30 days.
  • End-users. Contact the Client (Data Controller) directly first. Laras assists Clients in fulfilling these requests. If unresolved, end-users may contact help@larasx.com and we will route the request appropriately.

[ xi ]

Security measures

We apply the following technical and organizational controls to protect personal data.

  • Encryption at rest (AES-256 level at the storage layer)
  • Encryption in transit (TLS 1.3 for client and platform API traffic)
  • Role-based access control (RBAC) with least-privilege principle
  • Tenant isolation at the database level via Postgres Row Level Security
  • Audit logging for every business decision, model call, and external send
  • Encrypted secret storage for OAuth tokens and Subprocessor credentials
  • Truth Firewall: hard guardrails against forbidden claims and blacklist words
  • Regular security reviews, dependency updates, and red-team audits

Despite reasonable industry-standard measures, no system is immune to breach. In the event of a data breach affecting Customer Data, Laras will notify affected Clients without undue delay and within 72 hours of confirmed awareness, in accordance with UU PDP and GDPR standards.

A public summary of our security posture, including architectural defenses and the responsible-disclosure process, is published at https://larasx.com/security.

[ xii ]

Cookies and tracking

Laras uses cookies and similar technologies grouped in three tiers.

  • Essential cookies. Login session, security tokens, CSRF protection. Cannot be disabled; required for the Service to function.
  • Functional cookies. Workspace preferences, language selection, UI state. Opt-in.
  • Analytics cookies. Aggregated usage metrics to improve the Service. Opt-in.

We do not use marketing or advertising cookies and we do not sell cookie-derived data to third parties. A cookie banner on first visit offers granular control over non-essential cookies, and consent can be changed at any time from your account settings.

[ xiii ]

Children's data

The Service is intended for business users and is not directed to children. Laras complies with the U.S. Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) and does not knowingly collect or process personal data from children under 13 years of age. The Service as a whole is not intended for individuals under 18 years of age. If we become aware that personal data from a child or other minor has reached our systems, we will delete that data promptly. Clients are responsible for ensuring their end-users meet the legal age requirements of the Client's jurisdiction.

[ xiv ]

California privacy rights (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, the "CCPA"). These include the right to know what personal information we have collected about you, the right to access and receive a copy of that information, the right to request correction of inaccurate personal information, the right to request deletion of personal information, and the right to non-discrimination for exercising any of these rights.

Do not sell or share. Laras does not sell personal information, and does not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We do not exchange personal information for monetary or other valuable consideration, and we do not participate in interest-based advertising networks. Because we do not sell or share, no "Do Not Sell or Share My Personal Information" mechanism is required; if our practices change we will update this Policy and provide the required mechanism in advance.

To exercise CCPA rights, contact help@larasx.com from the email address associated with your account or from another address where you can reasonably verify the connection. We will respond within the timeframes required by the CCPA. Where Laras processes personal information on behalf of a Client as Service Provider, we will forward CCPA requests to the relevant Client unless we are directly required to respond.

[ xv ]

Limitation of liability

Laras is responsible for protecting Personal Data to the extent such data is stored within systems Laras directly controls. Laras is NOT responsible for: (a) data breaches arising from a Client's own negligence, including weak passwords, shared credentials, or compromised devices; (b) failures or breaches of Subprocessors, each governed by their own policies; (c) unauthorized third-party access through means outside Laras' reasonable control; (d) misuse of the Service by Client or Client's end-users.

To the maximum extent permitted by law, Laras' aggregate liability under or in connection with this Privacy Policy shall not exceed the total fees paid by Client to Laras in the twelve (12) months preceding the event giving rise to the claim.

[ xvi ]

Changes to this policy

We will update this Privacy Policy from time to time to reflect product changes, new integrations, regulatory updates, or operational improvements. For material changes we will provide 30 days advance notice via email to the registered Client contact and via in-app notification. Continued use of Laras after the notice period constitutes acceptance of the updated Policy. Clients who do not accept material changes may terminate during the notice period in accordance with the Terms of Service.

[ xvii ]

Governing law and jurisdiction

This Privacy Policy is governed by the laws of the Republic of Indonesia. Disputes arising out of or in connection with this Policy shall be resolved before the Pengadilan Negeri Stabat (consistent with the registered domicile of PT LARAS TEKNOLOGI INTERNATIONAL in Kabupaten Langkat) or, at the election of Laras, through arbitration administered by Badan Arbitrase Nasional Indonesia (BANI). For international Clients, optional escalation to the Singapore International Arbitration Centre (SIAC) is available where agreed in writing.

[ xviii ]

Contact

For privacy-related questions, data subject requests, or compliance inquiries, use the channels below.

  • Privacy concerns. help@larasx.com
  • General legal. help@larasx.com
  • Data Protection Officer. help@larasx.com
  • Mailing address. PT LARAS TEKNOLOGI INTERNATIONAL, Jl. Sei Bilang, Lingkungan VII, Kel. Sei Bilah, Kec. Sei Lepan, Kab. Langkat, Sumatera Utara 20857, Indonesia.

Indonesian users may also lodge a complaint with the competent authority under UU PDP 27/2022. EU and UK users may contact their local supervisory data protection authority.
