1. Data we process
- Account and identity data: name, NIK, email, phone, birth date, addresses, and encrypted credentials.
- Sensitive KYC data: ID-card image, selfie/liveness, quality results, consent record, and verification status.
- Transaction data: products, dates, fees, payments, deposits, payout accounts, handover evidence, communications, reviews, and disputes.
- Technical data: IP address, device, user agent, sessions, security logs, essential cookies, and user-provided location.
- Vendor and SaaS data: business profiles, inventory, tenant members, invoices, and administrative activity.
2. Purposes and legal bases
We process data to perform contracts, take requested pre-contract steps, comply with law, obtain consent where required, and pursue legitimate security and fraud-prevention interests.
- Account creation, identity checks, bookings, payments, escrow, deposits, payouts, refunds, and support.
- Abuse prevention, audit, terms enforcement, claims, and disputes.
- Service communications and properly authorized marketing.
- Service analytics using minimized or aggregated data.
4. Retention and deletion
Data is retained while accounts or transactions are active and afterward for [VERIFIED_RETENTION_PERIOD] to meet legal, accounting, fraud-prevention, and dispute obligations. KYC and handover-media schedules require approval before production.
After retention expires, data is deleted, anonymized, or restricted unless longer storage is legally required.
5. Data-subject rights
Under Indonesian Law No. 27 of 2022 on Personal Data Protection and related rules, you may request access, correction, a copy, cessation/deletion where applicable, consent withdrawal, objection, or complaint.
Send requests to [privacyEmail]. Identity verification may be required, and lawful restrictions may apply.
6. Security and incidents
We use access controls, credential encryption, logging, limited access, and proportionate technical and organizational measures. No system is risk-free.
Qualifying personal-data protection failures will be handled and notified within legally required timelines and content.
7. Children and international processing
The transaction service is not intended for children lacking capacity to contract without guardian authorization. We will address improperly processed child data when identified.
Cross-border processing will use the legally required transfer basis and safeguards.
8. Controller and contact
The data controller is PT. Rentalnesia Kreasi Solusindo, NIB [companyRegistrationNumber], at [companyAddress]. Privacy contact: [privacyEmail].
