Privacy Policy

Last updated: July 7, 2026

Summary: We store your account details and usage logs to operate the service. For face processing, uploaded images and videos are processed transiently and are not stored — only the numerical face embeddings you register are kept, in a database isolated to your account, and you can delete them at any time.

1. Who We Are

ARSA Face Recognition API ("the Service") is operated by ARSA Technology, an Indonesian technology company. This policy describes how we collect, use, store, and protect personal data when you use the Service at faceapi.arsa.technology, including its website, dashboard, and REST API.

When you use our API to process images of your own end users, you act as the data controller for that data and we act as a processor on your instructions. Section 3 describes exactly what we do with face data so you can meet your own obligations under laws such as the GDPR and Indonesia's Personal Data Protection Law (UU PDP).

2. Data We Collect

Account data. When you register we collect your email address, your name (optional), and a password, which is stored only as a bcrypt hash — we never store plaintext passwords. If you sign in with Google or GitHub, we receive your email and profile name from the provider instead of a password.

Billing data. Paid subscriptions are processed by PayPal. We store your subscription status, plan, and invoice records. We never see or store your credit card or bank details — those stay with PayPal.

API usage data. For each API request we log the endpoint, HTTP method, response status, latency, a truncated API-key prefix, and the client IP address. We use these logs to enforce plan quotas, detect abuse, and give you a request history in your dashboard.

Authentication events. We record security-relevant events such as logins, failed login attempts, and password resets, including IP address and timestamp, to protect your account.

Cookies. We use strictly necessary cookies to keep you signed in (JWT access and refresh tokens). We do not use advertising cookies.

3. How We Handle Face & Biometric Data

This is the part of the Service where data sensitivity is highest, so we are specific:

You are responsible for obtaining any consent legally required from the individuals whose faces you submit. Our guides to biometric consent under the GDPR and Indonesia's UU PDP explain what that typically involves.

4. How We Use Your Data

We do not send marketing email without your consent, and we never use biometric data for any purpose other than serving your own API requests.

5. Third-Party Services

No face images or embeddings are ever shared with these providers.

6. Data Retention & Deletion

7. Your Rights

Depending on your jurisdiction (including under the GDPR and UU PDP), you have the right to:

To exercise any of these rights, email us at hello@arsa.technology. We respond within 30 days.

8. Security Measures

We protect your data with HTTPS-only transport, bcrypt password hashing, per-account database isolation, API key authentication with instant revocation, rate limiting, security headers, and full request and admin audit logging. See our Security page for the complete overview.

We process account and usage data as necessary to perform our contract with you and to pursue our legitimate interest in securing the Service. We process biometric data solely on your instructions as our customer. ARSA Technology is an Indonesian company and processes data in accordance with Indonesia's Personal Data Protection Law (UU No. 27/2022). Where the GDPR applies to your use of the Service, we support your controller obligations as described in Section 3.

10. Changes to This Policy

We may update this policy as the Service evolves. Material changes will be announced by email or a dashboard notice before they take effect. The "Last updated" date at the top reflects the current version.

11. Contact Us

Privacy questions, rights requests, or concerns: hello@arsa.technology

ARSA Technology — arsa.technology