Privacy Policy

We act as both a data controller (for account and billing data we process on our own behalf) and a data processor (for business data your organisation stores in your workspace — such as employee records — where you are the controller).

We do not sell your personal data. We do not use your business data to train AI models or for any purpose outside of operating and improving the Service.

We collect information in the following categories:

a. Account and registration data

• Name, work email address, and password (stored as a bcrypt hash via Supabase Auth)
• Company name, workspace URL slug, and company settings you configure
• Role and permission level within the workspace

b. Business / customer data

This is data you enter about your organisation and employees, including:

• Employee profiles: names, job titles, departments, employment status
• Attendance logs, leave requests and approvals
• Tasks, project data, comments, and file attachments
• HR policies, payroll-adjacent settings (we do not process raw payroll disbursements)

You control this data and are responsible for its accuracy and lawful basis for processing.

c. Usage and analytics data

• Pages visited, features used, and click interactions (collected by PostHog)
• Session duration and approximate geographic region
• Browser type, operating system, screen resolution

PostHog analytics can be opted out via your browser's Do Not Track signal or by contacting us.

d. Error and diagnostic data

• JavaScript error stack traces and unhandled exceptions (collected by Sentry)
• The page URL, user ID, and user email at the time of the error, to help us identify and fix bugs
• Browser version and device metadata

e. Payment data

• Billing email, company name, and billing address provided during checkout
• Stripe customer ID and subscription status
• We do not store raw credit or debit card numbers — all payment card data is tokenised and held exclusively by Stripe

f. Technical data

• IP address (used for rate limiting and fraud prevention)
• HTTP request headers, timestamps, and referrer URLs

We use the data we collect to:

• Provide and operate the Service — authenticate users, store workspace data, deliver features
• Process payments — manage subscriptions, issue invoices, handle failed payments
• Diagnose and fix errors — identify and resolve bugs reported via Sentry
• Improve the product — understand which features are used and where users encounter friction (via PostHog)
• Communicate with you — send transactional emails (account confirmation, password reset, invite emails, billing receipts)
• Comply with legal obligations — retain records as required by Indonesian law, respond to lawful requests
• Prevent fraud and abuse — detect and block suspicious activity

We do not use your data for unsolicited marketing. If we ever introduce a marketing newsletter, it will be strictly opt-in.

We share data only with the processors listed below, each operating under a data processing agreement. We do not sell or rent data to any third party.

We may also share data with professional advisers (lawyers, accountants, auditors) under confidentiality obligations, and with government authorities when required by Indonesian law.

We use the following types of cookies and similar technologies:

• Strictly necessary: Session cookies managed by Supabase Auth to keep you signed in. These cannot be disabled without breaking core functionality.
• Functional: Cookies that remember your preferences (e.g. sidebar state, theme).
• Analytics: PostHog sets a persistent cookie to track product usage across sessions. This cookie does not identify you by name; it uses a pseudonymous identifier.
• Error monitoring: Sentry may set a session cookie to correlate error events within a single session.

You can control cookies through your browser settings. Blocking strictly necessary cookies will prevent you from signing in. Blocking analytics or monitoring cookies will not affect core functionality.

All Customer Data is stored in Supabase-managed PostgreSQL databases hosted on AWS infrastructure. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).

We apply the following security controls:

• Row-level security (RLS) policies enforce strict company-scoped data isolation — one workspace cannot access another workspace's data
• Passwords are never stored in plain text; Supabase Auth uses bcrypt hashing
• All API endpoints require authenticated sessions validated server-side via Supabase's getUser() — not client-readable local storage
• File uploads are stored in access-controlled Supabase Storage buckets
• Application errors are captured and triaged in Sentry with access limited to engineering staff

Despite these controls, no system is perfectly secure. We will notify affected users within 72 hours of becoming aware of a data breach that poses a material risk, in line with applicable regulations.

• Active workspace data — retained indefinitely while your subscription is active
• Deleted or cancelled workspace data — retained for 30 days after cancellation to allow export, then permanently deleted
• Billing records — retained for 10 years as required by Indonesian tax law
• Error logs (Sentry) — retained for 90 days per Sentry's default retention
• Analytics events (PostHog) — retained for 1 year by default
• Backups — database backups are retained for 30 days then automatically purged

Depending on your location and applicable law, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you
• Correction — request correction of inaccurate data
• Deletion — request erasure of your personal data (subject to legal retention obligations)
• Portability — request your data in a machine-readable format
• Objection — object to processing based on legitimate interests
• Restriction — request that we restrict processing in certain circumstances

Workspace Admins can export most workspace data directly from the platform. For personal data requests, contact us at jsales@tdmteam.com. We will respond within 30 days.

If you are an employee whose data was added to Modus by your employer, your employer (the Workspace Admin) is the data controller for that data. Please contact your employer directly.

Modus is operated from Indonesia. Our third-party processors (Supabase, Stripe, Sentry, PostHog) are based in the United States. By using the Service you consent to the transfer of your data to countries outside Indonesia, including the United States, which may have different data protection standards.

We rely on standard contractual clauses and the processors' own compliance frameworks (including SOC 2 Type II certification where applicable) to ensure adequate protection.

Modus is a business platform not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. We will post the updated policy on this page and, for material changes, notify you by email or in-app notice at least 14 days before the changes take effect.

The "Effective date" at the top of this page shows when the current version took effect.

For privacy inquiries, data subject requests, or concerns about this policy, contact us at:

We aim to respond to all privacy requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction. In Indonesia, this is the Ministry of Communication and Information Technology (Kominfo).