Legal Document

Privacy Policy

We take protecting your data seriously. Learn what we collect, how we use it, and your rights as a user.

Effective: 1 May 2026 · Version 2.0 · UU PDP No. 27/2022 compliant

No Data Selling

HTTPS Encryption

UU PDP Compliant

This Privacy Policy explains how kamu.co.id ("Platform", "we") collects, uses, stores, and protects your personal data in accordance with Law Number 27 of 2022 on Personal Data Protection (UU PDP) of the Republic of Indonesia.

1. Data Collected

We collect the following data when you use the Platform:

Account data: Email address, username, display name, phone number (if OTP login)
Profile data: Bio, profile photo, location, URL links, catalog information
Analytics data: Profile visits, link clicks, device type, referrer, and timestamps. IP addresses are cryptographically hashed and not stored in original form
Payment: Processed entirely by Midtrans. We do not store credit card data, bank account data, or other sensitive payment information
Cookies: Functional session cookies to maintain your login state

2. Purpose of Data Collection

Your personal data is used to:

  • Provide and operate the Platform's services
  • Show you statistics and visitor analytics for your profile
  • Send important communications: verification emails, security notifications, and service updates
  • Process subscription payments via Midtrans
  • Improve service quality and security
  • Comply with applicable legal obligations

3. Legal Basis for Data Processing (Article 20 UU PDP)

Per Article 20 of Law No. 27/2022, we process your personal data based on the following legal grounds:

Consent: You give explicit consent when registering and agreeing to the Terms of Service and this Privacy Policy (Article 20(2)(a))
Contract: Processing is required to perform the service agreement between you and the Platform, including the provision of profile, analytics, and subscription features (Article 20(2)(b))
Legal Obligation: Processing is required to comply with the Platform's legal obligations, including reporting to authorities and tax compliance (Article 20(2)(c))
Legitimate Interest: Processing is required for the Platform's legitimate interests in service security, fraud prevention, and quality improvement, provided it does not override your rights (Article 20(2)(f))

4. Data Sharing with Third Parties

We do not sell your personal data to anyone.

Data is shared with third parties only as necessary to provide the service:

Midtrans: Payment (BI licensed)
Cloudflare: CDN & security
Firebase: Authentication & notifications
Google Analytics: Aggregate analytics

Data may be shared with authorities if required by the laws of the Republic of Indonesia or to protect user and Platform safety.

5. Cross-Border Data Transfer (Article 56 UU PDP)

To provide the service, some of your data may be processed by third-party providers located outside the Republic of Indonesia:

Cloudflare (CDN & security): global servers (US, Europe, Asia)
Firebase/Google (Authentication & push notifications): servers in the US
Midtrans (Payment gateway): processed in Indonesia (BI-licensed)

Per Article 56 UU PDP, for cross-border data transfers we ensure that: (a) the destination country has data protection at least equivalent to UU PDP; or (b) a Data Processing Agreement is in place with the provider guaranteeing UU PDP-equivalent protection. We ensure every third-party provider is contractually bound to maintain the confidentiality and security of your data.

6. Data Security

We apply reasonable security measures to protect your personal data:

HTTPS/TLS encryption
Passwords cryptographically hashed
Database access restricted
CSRF protection enabled
Rate limiting to prevent abuse

7. Data Breach Notification (Article 46 UU PDP)

Per Article 46 of Law No. 27/2022, in the event of a personal data protection failure (data breach), we will:

1. Notify the Data Subject (you) in writing no later than 3 × 24 hours after the breach is discovered, via the registered email
2. Notify the supervisory authority (Ministry of Communication & Informatics or designated body) no later than 3 × 24 hours after discovery
3. Include in the notification: types of data affected, time and chronology of the incident, remediation and recovery efforts, and mitigation steps you can take

8. User Rights (per Indonesia UU PDP)

Per Law No. 27/2022, you have the following rights over your personal data:

Right of access: View the personal data we hold about you
Right of rectification: Correct inaccurate or incomplete data via profile settings
Right of erasure: Delete your entire account and personal data via account settings
Right of portability: Request a copy of your personal data in a machine-readable format
Right to object: Refuse processing of your personal data for specific purposes
Right of restriction: Request restriction of data processing under certain conditions
Right to withdraw consent: Withdraw previously given consent without affecting lawfulness of prior processing (Article 9 UU PDP)
Right to complain: File a complaint with the data protection supervisory authority if you believe your rights have been violated (Article 21 UU PDP). The supervisory authority currently sits under the Ministry of Communication & Informatics of the Republic of Indonesia

To exercise these rights, please contact us at [email protected]. We will respond within 3 × 24 hours.

Note: Consent withdrawal may result in the Platform being unable to provide some or all services. Consent withdrawal does not apply retroactively to processing already lawfully performed.

9. Data Retention

We retain your personal data for as long as your account is active. If you delete your account:

1. Public profile data will be immediately removed from display
2. All personal data is permanently deleted within 30 calendar days
3. Backups are deleted in the next cycle (max 7 days after deletion)

Aggregated analytics data that cannot be linked back to user identities may be retained for statistical purposes.

10. Cookies

The Platform uses the following cookies:

Session Cookie (Required): Functional cookie to maintain your login session. Without this, the Platform cannot function.

Google Analytics (Optional): Aggregate usage data. You can opt out via browser settings.

Cookies are never used to determine ranking or Kamu Score. If the Platform ever serves third-party ads, additional cookies will be disclosed on this page.

11. Data Protection Officer (Article 35 UU PDP)

Per Article 35 of Law No. 27/2022 on Personal Data Protection, we appoint a Data Protection Officer (DPO) responsible for ensuring compliance with data protection provisions.

Data Protection Officer (DPO)

DPO information will be updated soon. In the meantime, contact us via [email protected].

The DPO can be contacted for: personal data access requests, correction or deletion requests, consent withdrawal, processing complaints, and questions related to this privacy policy.

12. Minors' Data

The Platform is not intended for children under 17. We do not knowingly collect data from minors. If we learn that a user is under 17, we will delete the account and related data.

13. Policy Changes

We may update this Privacy Policy from time to time. Material changes will be notified by email to the registered address at least 14 days before taking effect. The latest version is always available on this page.

Have Questions?

If you have questions about this Privacy Policy, contact us via email.

[email protected]