Terms of Service
Defines the contract; our privacy policy defines the data side of that contract. Both pages share the same definitions block so terminology never drifts between them.
This is the dapatduit privacy policy — the page that tells you what we collect when you open an account, how we store it, and which third parties...
We collect the basics needed to run your dapatduit account: name, contact details, device fingerprint, and the e-wallet reference you choose at checkout. Where local law permits, we keep this data only as long as your account is active, plus the retention window our auditors require. We never sell your information. Payment processors see only the transaction reference tied to DANA, OVO, GoPay or QRIS — not your lobby activity. Marketing consent is opt-in, and you can withdraw it from your account page at any time. Cross-border transfers happen only with safeguards in place, and we notify you if a material change shifts how your data is processed in supported regions.
Service availability is jurisdiction-dependent. Users are responsible for checking local law before access.
Our policy is reviewed twice a year by counsel familiar with Indonesian data protection rules, plus an ad-hoc review whenever a processor or lobby feature changes how your information flows.
A named data protection lead signs off every revision. You'll see their title in the footer of this page so you know a real person stands behind the wording you're reading.
Each update carries a date stamp and a short changelog at the bottom. Nothing changes silently — if a clause shifts, we log what moved and when it moved.
We publish the categories of vendors that touch your data: hosting, analytics, payment routing and KYC. The list is refreshed whenever we onboard or retire a partner.
If something goes wrong, we follow a documented breach protocol: contain, assess, notify affected accounts and inform the regulator within the statutory window for supported regions.
An external auditor checks our controls each year. Their findings shape the next policy revision, so what you read here reflects practice, not aspiration.
Lists every cookie category in detail. This privacy policy summarises them; the cookie notice is where you toggle non-essential trackers on or off for your session.
Explains identity checks at withdrawal. This page covers what happens to the documents you upload — retention, access controls and deletion timing once verification closes.
Sets out monitoring obligations. We reference it here because anti-money-laundering checks are a lawful basis for keeping certain records beyond normal retention windows.
Sits inside your account settings. This policy explains the legal basis (consent) and how withdrawing it stops messages without closing your dapatduit account.
Routes disputes. Privacy complaints follow the same intake form but are flagged for the data protection lead rather than general customer care.
Clarifies which laws apply. Our privacy commitments scale to the strictest applicable rule across supported regions, so Indonesian accounts always get the same protections.
A clear inventory of what we collect — identity, contact, device, transaction reference and lobby activity. Each category links to the lawful basis we rely on under Indonesian rules.
Access, correction, deletion, portability and objection are all listed with the exact route to exercise them. No hidden forms, no obscure email aliases buried in footnotes.
We state how long each data category sits on our systems and what triggers deletion. Closed accounts move to a minimal archival record within the statutory window.
The processor categories we share data with are named here, alongside the reason. Payment routing, fraud screening and analytics each get their own short paragraph.
Encryption in transit, encryption at rest, role-based access and logged admin actions. We describe controls in language you can verify against any standard checklist.
How we tell you when something changes. Material updates trigger an in-account banner; minor edits are logged in the changelog at the foot of this page.