Legal
Privacy Policy
Last updated: June 9, 2026
Important Notice
This privacy policy is a detailed product template for review by legal counsel. It should be adapted to the customer base, applicable privacy laws, hosting location, subprocessors, retention schedule, and contractual commitments before production publication.
Personal Data Categories
MeetsIn may process user identity, login security events, employee profile, work email, personal email, phone, address, emergency contact, department, job title, salary, bank, tax, BPJS-related policy values, attendance, location proof, device ID, leave, overtime, OIL balance, performance, payroll, payslip, support, audit, candidate, CV, assessment, interview transcript, AI Interview Assistant summary, and analytics data.
Company and Tenant Data
We process tenant name, slug, logo, contact email, billing status, subscription plan, invoice records, usage metrics, policies, connectors, job posts, recruitment campaigns, templates, and configuration required to operate the workspace.
Purpose of Processing
Data is used for authentication, signup/email OTP delivery, Authenticator 2FA setup, Google OAuth linking, tenant isolation, role access, HR workflows, payroll preparation, leave entitlement, overtime approval, OIL conversion, payslip export, recruitment assessment, AI interview, analytics, support, billing, usage metering, audit, fraud prevention, reliability, and security monitoring.
Legal Basis and Customer Role
For enterprise tenants, the customer usually determines the purpose and means of HR/candidate processing, while MeetsIn acts as a processor/service provider. Customers must provide appropriate notices and collect required consent or other lawful basis from employees and candidates.
AI Processing
AI-assisted features may process visible page context, candidate data, CV text, assessment answers, interview transcripts, meeting transcripts, HR records, payroll summaries, and user prompts to generate summaries or recommendations. AI outputs should be reviewed by authorized users before decisions.
Payments
Stripe Checkout handles hosted card payment where enabled. MeetsIn stores billing records, invoice references, payment status, provider references, and plan/usage metadata, but should not store raw card numbers.
Cookies and Session Data
The product uses httpOnly authentication cookies, tenant slug storage, language preference, theme preference, guided UI dismissal state, and session-scoped trial banner state. These are used for security, preference, and product operation.
Security Measures
Controls include signup/email OTP verification, Authenticator 2FA, httpOnly sessions, session invalidation, tenant-aware routing, role-based permissions, audit logging, subscription gating, rate limiting, upload limits, restricted file types, and secure payment redirection. No system is risk-free, and customers should also apply access reviews and internal controls.
Data Sharing and Subprocessors
Data may be processed by hosting, database, email, payment, AI, analytics, storage, and support providers as needed to deliver the service. Production deployment should publish a current subprocessor list and data residency commitments.
International Transfers
If data is processed across borders, appropriate transfer safeguards and contractual terms should be assessed. Customers with strict residency requirements should configure hosting and vendor choices accordingly.
Retention
Retention should follow customer configuration, employment/candidate record obligations, invoice and tax requirements, support needs, security logs, and deletion requests. MeetsIn should support export/deletion workflows subject to legal holds and operational constraints.
Data Subject Requests
Authorized tenant admins may request access, correction, export, restriction, or deletion assistance. Identity and authority should be verified before fulfilling requests that involve employee, candidate, payroll, or security data.
Children and Sensitive Data
The service is designed for workplace and recruitment operations, not children. Customers should avoid collecting sensitive data unless necessary, lawful, and configured with appropriate access controls.
Incident Response
Suspected data incidents should be triaged, contained, investigated, documented, and communicated according to applicable law and contractual notice periods. Customers should maintain their own escalation contacts.