Terms & Conditions of Service

Effective Date: 8 April 2026

Version 1.1

PT Visi Maju Anak Negeri

PT Visi Maju Anak Negeri ("Grou", "we", "us", or "our") is committed to protecting the privacy and security of personal data processed through the Grou platform. This Privacy Policy describes how we collect, use, store, and share personal data in connection with the Service, and the rights available to individuals whose personal data we process.

This Policy applies to: (a) HR administrators and authorised personnel of our Client organisations who access the Grou platform; and (b) employees and end users of our Clients whose personal data is processed by Grou as part of service delivery.

This Policy is to be read alongside the Grou Terms of Service and, where applicable, any Data Processing Agreement between Grou and the Client.

1. Controller and Processor Roles

Grou operates as a data processor in respect of personal data submitted by Clients through the Service. Each Client is the data controller for the personal data of its employees and Authorised Users. Grou processes such data only on the documented instructions of the Client.

Where Grou processes personal data for its own operational purposes such as account management and platform security, Grou acts as an independent data controller.

2. Data We Collect

2.1 Data Submitted by Clients

As part of normal platform operation, Clients may submit personal data including: employee identification information such as full name, employee ID, and job title; contact information including work email and telephone numbers; HR and employment records including leave balances, attendance data, performance notes, and employment status; and organisational data including reporting lines, department structures, and role classifications.

2.2 Data Collected Automatically

When Authorised Users access the Service, we automatically collect: login and authentication records including timestamps and IP addresses; usage logs including feature interactions, session duration, and query patterns; and device and browser metadata for security and compatibility purposes. Where Google Workspace Single Sign-On is used, login records will reflect the SSO authentication method and originating identity provider.

2.3 Data Not Collected

Grou does not knowingly collect sensitive categories of personal data such as health data, biometric data, racial or ethnic origin, or political opinions unless explicitly agreed in writing with the Client and subject to enhanced safeguards. Where Google Workspace SSO is enabled, Grou accesses only the identity and profile data expressly approved by the Client's administrator and does not access Google email, calendar, documents, or any other Google Workspace productivity data.

3. Purposes and Legal Bases for Processing

We process personal data for the following purposes:

Service Delivery: to operate, maintain, and improve the Grou platform including AI Agents that assist HR operations under the legal obligations of UU PDP Law No. 27 of 2022 on Personal Data Protection, subject to applicable exceptions: the right to access their personal data; the right to correct inaccurate or incomplete data; the right to request deletion of data in circumstances provided by law; the right to withdraw consent where processing is based on consent; and the right to object to processing in certain circumstances.

4. Use of Third-Party AI Infrastructure

Grou uses third-party AI infrastructure providers to power core capabilities of the Service including natural language processing, data analysis, and conversational AI functions. Client Data, including personal data, may be transmitted to and processed by such providers as part of delivering the Service. Grou ensures that all such providers are contractually bound to process data only on Grou's instructions, maintain security standards no less protective than this Policy, and are subject to appropriate data processing agreements and transfer mechanisms where required by law.

Grou does not publicly disclose the identities of individual AI infrastructure providers as this constitutes confidential operational detail. Clients may request further information by contacting admin@grou.co.id.

5. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We may share personal data only in the following circumstances:

With Service Providers: third-party vendors engaged to support the Service, including cloud infrastructure, security monitoring, and AI infrastructure providers, under appropriate data processing agreements.

With the Relevant Client: employee and end user data is accessible to the Client's authorised HR administrators in accordance with their role and access level.

Legal Obligations: where required by applicable law, court order, or competent authority, including under Indonesian law.

Business Transfers: in connection with a merger, acquisition, or asset sale, where the recipient is bound by obligations no less protective than this Policy.

6. International Data Transfers

Client Data may be processed in the United States and other jurisdictions where Grou's third-party AI infrastructure providers operate. Grou does not guarantee processing within Indonesian or European Economic Area territory. Where personal data is transferred outside Indonesia or, where applicable, outside the EEA, Grou ensures such transfers are subject to appropriate safeguards including standard contractual clauses, adequacy decisions where applicable, and other legally recognised transfer mechanisms.

7. Data Retention

Grou retains Client Data for the duration of the Subscription Term plus thirty (30) days following termination, during which the Client may export its data. Thereafter, Client Data is securely deleted from production systems in accordance with Grou's data deletion procedures.

Automatically collected technical and usage data is retained for twelve (12) months unless a shorter or longer period is required by law.

8. Security

Grou maintains commercially reasonable technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include access controls, encryption of data in transit and at rest, security monitoring, and regular security assessments.

No security measure is infallible. In the event of a personal data breach, Grou will notify affected Clients in accordance with applicable law and as described in the Data Processing Agreement.

9. Rights of Data Subjects

9.1 Rights Under UU PDP (Indonesia)

Individuals whose personal data is processed in connection with the Service have the following rights under Law No. 27 of 2022 on Personal Data Protection, subject to applicable exceptions: the right to access their personal data; the right to correct inaccurate or incomplete data; the right to request deletion of data in circumstances provided by law; the right to withdraw consent where processing is based on consent; and the right to object to processing in certain circumstances.

9.2 Exercising Rights

As Grou acts as data processor, requests from individuals whose data is processed on behalf of a Client should first be directed to the relevant Client as data controller. Where Grou receives such requests directly, it will forward them without undue delay and assist the Client in responding as required by law. Direct requests relating to data Grou controls as an independent controller may be submitted to admin@grou.co.id.

10. AI-Assisted Decision Making

Grou's platform includes AI Agents that assist HR operations through automated data analysis and response generation. Where such processing may inform decisions with significant effects on individuals, Grou requires Clients as data controllers to: ensure meaningful human review before acting on AI-generated recommendations on employment, performance, or other consequential HR matters; implement appropriate internal policies governing use of AI HR tools; and inform employees of the use of AI-assisted tools to the extent required by applicable law.

Grou does not make final automated decisions about individuals. All AI Agent outputs are advisory and require human ratification by the Client.

11. Cookies and Tracking Technologies

The Grou platform uses cookies solely for authentication, session management, and security. We do not use third-party advertising cookies or behavioural tracking technologies. Users may configure their browser to refuse cookies, though this may affect Service functionality.

12. Children's Privacy

The Service is intended for organisations and their adult employees. We do not knowingly process personal data of individuals under 18. If we become aware that a minor's data has been submitted, we will take steps to delete it promptly.

13. Changes to This Policy

Grou may update this Privacy Policy from time to time. Where changes are material, we will notify affected Clients no less than thirty (30) days before they take effect. Continued use of the Service following the effective date constitutes acceptance.

14. Contact and Supervisory Authority

For questions, concerns, or requests relating to this Privacy Policy or Grou's data processing practices, please contact:

PT Visi Maju Anak Negeri

Email: admin@grou.co.id

Website: https://grou.co.id