Privacy & Trust

Privacy, handled
with care.

How Nirmalab — an independent technology provider — collects, uses, and safeguards personal data across our websites, applications, APIs, and Meta / Facebook Messenger integrations.

Effective July 18, 2026 Last updated July 18, 2026
01

We only collect the data we need to run our services and deliver client work.

02

We never sell your personal data — and we don’t use Meta data for our own ads.

03

You can access, correct, or delete your data at any time. See §14–15.

01

Introduction

Nirmalab (“Nirmalab”, “we”, “us”, or “our”) is an independent technology provider offering website development, application engineering, systems integration, maintenance, and business-messaging automation. We are committed to protecting the privacy and security of the personal data entrusted to us by our website visitors, clients, and the end users who interact with the messaging experiences we operate.

This Privacy Policy describes our practices transparently and explains the choices and rights available to you. By using our website (https://nirmalab.com), contacting us, engaging our services, or interacting with a Meta/Facebook Messenger experience we operate, you acknowledge that you have read and understood this Policy.

02

Who We Are

For the purposes of applicable data protection laws:

  • We act as a data controller for data we collect for our own purposes — e.g. prospective-client enquiries, website analytics, and business contacts.
  • We act as a data processor when we handle data on behalf of our business clients — e.g. building, hosting, or operating a Messenger automation for them. There, our client is the controller and a separate agreement governs our processing.
03

Scope of This Policy

This Policy applies to personal data processed through:

  • Our public websites and landing pages, including https://nirmalab.com;
  • Contact, enquiry, quotation, and booking forms;
  • Our applications, APIs, and dashboards;
  • Meta/Facebook Pages, Messenger, Instagram messaging, and WhatsApp Business integrations we build or operate;
  • Email, chat, and other business communications with us.

It does not cover third-party websites or platforms we do not control, even where we link to them (see §17).

04

Information We Collect

4.1 Information you provide

  • Identity & contact data: name, business name, email, phone, and job title.
  • Project & enquiry data: messages, requirements, briefs, attachments, and anything you share when requesting a quote or support.
  • Account data: credentials and profile details where you register for a service or dashboard.
  • Billing data: billing name, address, and tax identifiers. We do not store full card numbers; payments are handled by regulated processors.

4.2 Information collected automatically

  • Device & usage data: IP address, browser, OS, referring pages, pages viewed, and timestamps.
  • Cookies & identifiers: as described in §8.
  • Diagnostic data: logs and error reports that keep our services secure and reliable.

4.3 Information from third parties

  • Meta/Facebook platforms: when you message a Page or bot we operate (see §5).
  • Business clients: end-user contact details provided so we can deliver a contracted service.
  • Analytics & advertising partners: aggregated or pseudonymised measurement data.
05

Meta / Facebook Platform Data

Some services run on the Meta platform — Messenger bots, Facebook Page automation, Instagram messaging, and WhatsApp Business. When you interact with one, we may process the following in accordance with the Meta Platform Terms and Developer Policies:

  • Public profile information Meta makes available, such as name and profile picture;
  • The Page-scoped ID (PSID) or Instagram-scoped ID for your interaction;
  • The content of messages you send to and receive from the automated experience;
  • Metadata such as timestamps and delivery/read status;
  • Anything you voluntarily provide in the conversation (e.g. an email or order reference).

We use this data solely to respond to your messages, provide the requested service or support, and operate the experience on behalf of the relevant business. We do not use Meta Platform Data for independent advertising, and we do not sell it. Our use of information received from Meta APIs adheres to the Meta Platform Terms and Developer Policies, including limits on use, transfer, storage, and retention. To remove your data from a Messenger experience we operate, see §15.

06

How We Use Your Information

We use personal data to:

  • Respond to enquiries, quotes, and support requests;
  • Provide, operate, and maintain our services and messaging automations;
  • Deliver contracted projects and communicate about them;
  • Process billing and manage our business relationship;
  • Secure our systems, prevent fraud and abuse, and debug issues;
  • Understand and improve how our services perform;
  • Send service and, where permitted, marketing messages you can opt out of anytime;
  • Comply with legal, tax, and regulatory obligations.
08

Cookies & Similar Technologies

We use cookies and similar technologies to operate the website, remember preferences, and measure performance. Strictly necessary cookies are required for the site to function; analytics and preference cookies are used only where permitted by your choices. You can control cookies via your browser and, where offered, our cookie banner. Disabling some cookies may affect functionality.

09

How We Share Information

We do not sell your personal data. We share it only as needed:

  • Business clients for whom we operate a service, where you are their end user;
  • Service providers & sub-processors for hosting, infrastructure, analytics, communications, and payments;
  • Platform providers such as Meta, where the service runs on their platform;
  • Professional advisers such as auditors and lawyers, under confidentiality;
  • Authorities where required by law or to protect rights and safety;
  • Successors in a merger, acquisition, or reorganisation, subject to this Policy.
10

Service Providers & Sub-Processors

We engage carefully selected third parties — cloud hosting and content delivery, database and storage, email and messaging platforms, analytics, and payment processors. They may process personal data only on our documented instructions, under contractual confidentiality and security obligations, and only as necessary to provide their service to us.

11

International Data Transfers

We operate globally and use infrastructure and providers that may be located outside your country of residence, including outside Indonesia and the European Economic Area. Where we transfer data across borders, we apply appropriate safeguards required by law — such as standard contractual clauses, adequacy mechanisms, or your consent — so your data stays protected.

12

Data Retention

We keep personal data only as long as necessary for the purposes in this Policy, including legal, accounting, tax, or reporting obligations, and to resolve disputes and enforce agreements. Retention varies by data type and context; when data is no longer required we delete or irreversibly anonymise it. Messenger conversation data we process for a business client is retained per that client’s instructions and applicable platform rules.

13

How We Protect Your Data

We apply appropriate technical and organisational measures — encryption in transit, need-to-know access controls, network protections, logging and monitoring, and regular review of our security practices. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work continuously to safeguard your data and will notify you and the relevant authorities of a breach where required by law.

14

Your Privacy Rights

Subject to applicable law (including UU PDP, GDPR, and the CCPA), you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate or incomplete data;
  • Delete your data in certain circumstances;
  • Restrict or object to certain processing;
  • Portability — receive your data in a portable format;
  • Withdraw consent where processing is based on consent;
  • Opt out of marketing and of any “sale”/“sharing” (we do not sell personal data);
  • Lodge a complaint with a supervisory authority.

To exercise any right, email [email protected]. We respond within the timeframe required by law and may need to verify your identity. Where we process data for a business client, we will refer your request to that client where appropriate.

15

Data Deletion & Account Removal

You may request deletion of the personal data we hold, including data from a Messenger or Instagram experience we operate:

  • Email [email protected] with the subject “Data Deletion Request”, naming the account, Page, or conversation involved; or
  • In a Messenger conversation we operate, send “DELETE MY DATA” and follow the confirmation prompt.

Once verified, we delete or anonymise the relevant data within the period required by law, except where we must retain certain records. If we process the data solely for a business client, we forward your request to that client and act on their instructions.

16

Children’s Privacy

Our services are intended for businesses and adults. We do not knowingly collect personal data from children under the age required by applicable law (for example, under 17 in Indonesia, or the applicable age in your jurisdiction) without appropriate consent. If you believe a child has provided us personal data, contact us and we will delete it.

18

Changes to This Policy

We may update this Policy to reflect changes in our practices, technology, or legal requirements. For material changes we update the “Last updated” date above and, where appropriate, provide additional notice. Continued use of our services after an update constitutes acceptance of the revised Policy.

19

How to Contact Us

Questions, concerns, or requests about this Policy or your personal data:

Nirmalab — Independent Technology Provider

This document is provided for transparency and general information. It is not legal advice. We recommend confirming jurisdiction-specific requirements with qualified legal counsel.