PRIVACY

Privacy Policy

Last updated: March 16, 2026

At Orqestra (operated by Harmoni Mitra Tekno, "HMT", "we", "us", or "our"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our multi-channel communication platform for WhatsApp and Instagram.

By using Orqestra, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use our service.

Information We Collect

Account Information

  • Organization name and unique identifier
  • User names, email addresses, and encrypted passwords
  • Role assignments and permission settings
  • WhatsApp Business Account (WABA) configuration details
  • Instagram Professional Account connection details

Message & Communication Data

  • Inbound and outbound WhatsApp message content (text, media, documents)
  • Instagram direct messages, comments, and media interactions
  • Contact information from WhatsApp (phone numbers, profile names) and Instagram (user IDs, usernames)
  • Message delivery status and timestamps
  • Conversation flow session data

Usage Data

  • Feature usage analytics (broadcasts sent, flows created, AI interactions)
  • Login timestamps and session information
  • Credit consumption and subscription status
  • Agent performance metrics

How We Use Your Information

  • Service Operation: To provide, maintain, and improve Orqestra's core functionality including message routing, team inbox, automation, and Instagram engagement
  • AI Processing: To power AI features through integrated LLM providers (such as OpenAI, Anthropic, Google Gemini, Groq, Ollama) and our Dify integration, using your uploaded knowledge base documents
  • Analytics: To generate dashboard insights and performance reports for your organization
  • Billing: To process payments, manage subscriptions, and track usage against your plan limits
  • Support: To respond to your inquiries and provide customer service
  • Communication: To send transactional emails (verification, password reset, subscription notifications)
  • Security: To detect and prevent fraud, abuse, and security incidents

Third-Party Services

Orqestra integrates with the following third-party services to provide its functionality:

Meta / WhatsApp Cloud API

Official WhatsApp Business API for message sending and receiving. Subject to Meta's privacy policy.

Meta / Instagram Graph API

Instagram messaging, comments, and content management. Subject to Meta's privacy policy.

AI / LLM Providers

AI processing through Dify, OpenAI, Anthropic (Claude), Google Gemini, Groq, and Ollama for chatbot responses and knowledge base queries.

Google Cloud Storage

Secure storage for media files and documents.

AWS Simple Email Service

Transactional email delivery for verification and notifications.

DOKU Payment Gateway

Payment processing for subscriptions (we do not store your payment card details).

Sentry

Error monitoring and performance tracking to improve service reliability.

Data Retention

  • Message Data: Retained for the duration of your subscription plus 30 days after account termination
  • Account Data: Retained until you request deletion or 90 days after subscription cancellation
  • Analytics & Logs: Aggregated analytics retained for up to 2 years; detailed logs retained for 90 days
  • Billing Records: Retained as required by Indonesian tax regulations (minimum 10 years)

Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data (subject to legal retention requirements)
  • Export: Request an export of your data in a machine-readable format
  • Withdraw Consent: Withdraw consent for non-essential data processing

To exercise these rights, please contact us at privacy@orqestra.id

Security Measures

  • All data transmitted over HTTPS with TLS encryption
  • Passwords are hashed using bcrypt with strong salt
  • Role-based access control (RBAC) with 31 granular permissions
  • Organization-level data isolation (multi-tenant architecture)
  • Regular security audits and vulnerability assessments
  • Webhook signature verification for WhatsApp and Instagram API calls

Cookies

We use essential cookies only for authentication and session management. We do not use advertising or tracking cookies. The cookies we use are:

  • wa_user_session: Signed session cookie for authenticated users
  • wa_admin_session: Signed session cookie for platform administrators

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will send an email notification to organization administrators.

Contact Us

If you have questions about this Privacy Policy, please contact us:

Harmoni Mitra Tekno (HMT)

Email: privacy@orqestra.id

Website: orqestra.id