Privacy Policy

iFortepay Privacy Notice

iFortepay Privacy Notice

Last updated: August 29, 2025

Effective on September 29, 2025 

Introduction

Hello, and welcome!

We are PT Iforte Payment Infrastructure (commonly known as "iFortepay”, “We", “Us” and/or “Our”), a company legally established in Indonesia, operating in the field of (digital) payment services and digital products. Our head office is located at Jl. Buncit Raya No.8a, RT.7/RW.3, Kalibata, Kec. Pancoran, South Jakarta City, Special Capital Region of Jakarta 12740, Indonesia.

This privacy notice (or simply the "Privacy Notice") tries to explain how we process and protect the Personal Data of:

  • merchants/sellers who use our Applications and/or Services, including the Instapay application, to receive and process payment transactions from their customers ("Merchant");

  • customers who purchase goods and/or services offered by a Merchant and make payments through our Applications and/or Services ("Merchant Customer");

  • customers who use Our Applications and/or Services to sign and/or affix an electronic stamp on a document or letter through the Pastisah Service at https://pastisah.id/ ("Pastisah Customer"); and

  • website Visitors who want to learn about the Applications and/or Services we provide ("Visitor").

In the rest of this Notice, Merchants, Merchant Customers, Pastisah Customers, and/or Visitors will be referred to as "Users", "You", “Your”, or "Yourself".

It's important to know that the processing of Personal Data includes the acquisition, collection, processing, analysis, storage, correction, updating, display, announcement, transfer, dissemination, disclosure, deletion, and/or destruction of Personal Data ("Data Processing").

We act as both a Data Controller and Data Processor for Digital Payment Services. In this Privacy Notice, iFortepay is the party that directly processes the personal data of Merchants when they want to and are using our Services (in this situation, we act as the Data Controller). When a Merchant wants to receive payments from their customers, we are the party that processes the Merchant Customers data, including their payment transactions, after we receive instructions from the Merchant to process the Merchant Customer's Personal Data (in this situation, we act as the Data Processor for the Merchant Customer's personal data).

We also act as a Data Controller and Data Processor for Pastisah Services. In other situations, we are the party that directly processes the Personal Data of Pastisah customers when You want to create a Pastisah account (in this situation, we act as the Data Controller for the personal data of Pastisah customers). However, when You want to use Pastisah Services, such as electronic signatures, electronic stamps, digital certificates, and/or electronic know your customer, we are the party that processes the Personal Data of Pastisah customers after we receive instructions from the Electronic Certification Provider We work with to provide the Pastisah Services to them (in this situation, we act as the Data Processor for the personal data of Pastisah customers). 

 

 

Who is this Privacy Notice for?

This Privacy Notice applies to You, whether You are a Merchant, a Merchant Customer, a Pastisah Customer, or a Visitor who uses Our online payment services, such as Online Payment (Payment Gateway), Payment Link & e-Invoice (Instapay), QRIS (either merchant-presented mode (MPM) or customer-presented mode (CPM)), Disbursement (fund transfer services) ("Digital Payment Services"), electronic signature, electronic stamp, digital certificate, electronic know your customer ("Pastisah Services"), or who accesses or visits Our Websites at https://ifortepay.id/; https://instapay.id/; and https://pastisah.id/ ("Our Websites") (collectively referred to as "Our Applications and/or Services").

Our suggestions for You:

  1. Read and understand this Privacy Notice.

  2. This Privacy Notice is provided in two languages: Indonesian and English. If there is any difference or misunderstanding between the two versions, the Indonesian version will be the one that applies.

  3. If You use Our Applications and/or Digital Payment Services to make payments on a Merchant application, please read the privacy notice on the payment page managed by the Merchant when You are completing the payment process on the Merchant application.

  4. In relation to the point (2) above, it's important to know that the primary responsibility for the Data Processing of Merchant Customers rests with Our Merchants as the Data Controller for the Merchant Customer's Personal Data. On the other hand, we are the Data Processor for the Merchant Customer’s Personal Data who only receives instructions or commands from the Merchant to process the Merchant Customer's Personal Data, including the payment transactions they make.

  5. If You are a Merchant using the Instapay Application, please read the privacy notice on the Instapay Application at https://instapay.id/en/privacy.

  6. If You are a Merchant Customer purchasing goods and/or services on a Merchant application that uses Instapay, please read the privacy notice on that Merchant application.

  7. If You use Pastisah Services to sign and/or affix an electronic stamp on a document or letter, please read the privacy notice on the Pastisah Services at https://pastisah.id/privacy/#all.

  8. If You provide Us with Personal Data related to a person other than Yourself, or if someone else provides Us with Personal Data related to You, we recommend that You first obtain consent from that person or contact them to understand the source and purpose of their collection of Your Personal Data. By doing so, You agree to allow Us to process the Personal Data of that other person. We may, at any time, ask You to provide Us with proof of such consent.

 

 

Changes to this Privacy Notice

Considering factors such as:

  1. new and/or amended relevant laws and regulations;

  2. new technical guidelines issued by competent authorities, industry associations, or other relevant institutions;

  3. the development of Our products, activities, and/or cooperations;

  4. changes in the way We conduct Data Processing;

  5. corporate actions such as mergers, consolidations, separations, and/or acquisitions of companies or other legal entities that we undergo or are carried out to Us ("Corporate Actions");

  6. the use of new technologies such as artificial intelligence, blockchain, internet of things, etc.;

  7. information security incidents, data breaches, and other similar events; and

  8. other reasons.

We may change and/or add to the provisions related to Our Data Processing practices as regulated in this Privacy Notice from time to time. We will notify You of all such changes and/or additions in advance through Your registered email at least 30 calendar days ("Notice Period") before the changes and/or additions become effective in this Privacy Notice. If You wish to provide feedback and/or objections during this Notice Period, You can send them to helpdesk@ifortepay.id or support@pastisah.id. The updated Privacy Notice will be accessible on Our Websites.

 

 

Types of Personal Data We process

Definition of Personal Data. In this Privacy Notice, Personal Data is data about a person that can be identified directly, or combined with other data or information, either directly or indirectly through electronic or non-electronic systems ("Personal Data").

Types of Personal Data. The Personal Data we process depends on who You are in this Privacy Notice (please refer to the "Introduction" section above), the type of Application and/or Service You choose (applies to Merchants and Pastisah Customers), and the transactions You make (applies to Merchant Customers).

  1. If You are a Merchant, the Personal Data we process includes:

    1. identity data, including Your name based on Your identity document (KTP/Passport/Stay Permit), the data specified within the KTP/Passport/Stay Permit, and Your taxpayer identification number (NPWP) or other relevant tax-related documents;

    2. Merchant account data, including the email and password used to access the Merchant Dashboard;

    3. contact data, including billing and shipping addresses, office address, email, and telephone/mobile number;

    4. eligibility/KYC data, including the data we need when a prospective Merchant is in the process of the know your customer (KYC) before they can use the Services, such as company legality data and other supporting data;

    5. transaction data, including data that explains the details of the payment transaction value and information about ordering and purchasing goods and/or services;

    6. credit/debit card transaction data, including the card type, the payment account used, the cardholder's name, the card issuer's name, the card number, the card verification code, the card expiration date, virtual account data, account statements, and card status; and

    7. payment data, including data that explains the details of payments/transfers made through the Services, such as usage and payment/transfer information, information about the funds recipient (along with their account information), the payment method used, the transaction value, and billing information.

  2. If You are a Merchant Customer, the Personal Data we process includes data about Your purchase transactions of goods and/or services on the Application and/or Services provided by the Merchant, such as:

    1. transaction data, including data that explains the details of the payment transaction value, transaction information about ordering and purchasing goods and/or services (not including information about the type of goods and/or services ordered), the name of the person placing the order, the email address, and Your telephone/mobile number entered on the Merchant's payment page; and

    2. Merchant Customer's financial data, including the card type, the payment account used, the name of the cardholder entered, the card issuer's name, a portion of the card number, virtual account data, and card status.

  3. If You are a Pastisah Customer, the Personal Data we process includes information You provide to Us when You want to register as a Pastisah Customer, as well as information we process when You use Pastisah Services, such as:

    1. identity data, including full name, email, (mobile) phone number, and password, which we need to register You as a Pastisah Customer;

    2. account data, including the email and password You need to access Pastisah Services, whether You are an individual or corporate/business account owner;

    3. eligibility/KYC data, including citizenship status, identity documents (KTP/Passport/Stay Permit), and a selfie, which we need to verify Your identity before we can issue a digital certificate for You; and

    4. service usage data, including information we collect when You use Pastisah Services, such as: which services You use, top-up balances, signed document, the time and date of signing, the status of the signing process, and other related information.

  4. If You are a Visitor, the Personal Data we process is limited to the information You provide to Us or data that is automatically collected when You access and use Our Websites, such as:

    1. device data, including the type of device You use, the operating system, and network information (such as Your IP address).

    2. log data, including information about Your visit to Our Website at https://ifortepay.id/, such as the pages You see, the time and date of access, the links You click, and Your approximate location information (if You give the permission).

    3. data You provide, if You fill out a form at https://ifortepay.id/hubungi-kami/kontak-sales/ and/or use Our Helpdesk Service through the chat feature located on the bottom right of the https://ifortepay.id/ Website.

      1. data You provide (for Pastisah Customers), if You access the link https://pastisah.id/contact/#all to contact Us, either through the live chat feature or the send email feature.

Exclusion of child Personal Data collection. It's important to know that Our Services are not provided for children. Therefore, we do not collect or process Personal Data of children. If You are an individual who is legally categorized as a child, we require You not to use Our Services or to ask Your parent or guardian for permission to use Our Services.

 

 

When do We collect Your Personal Data?

  1. For Merchants

    1. If You are a Merchant of Applications and/or Digital Payment Services, we collect Your Personal Data when You:

      1. click a button or option indicating Your consent to be registered as a Merchant and use the Digital Payment Services on the Merchant's electronic onboarding page; 

      2. begin using the Digital Payment Services; and

      3. contact Us when You need Merchant Services.

 

  1. For Merchant Customers

    1. If You are a Merchant Customer who purchases goods or services on a Merchant application, we collect Your Personal Data when:

      1. You click the "pay now" button on the Merchant application or perform any action that indicates You are about to complete the payment on the Merchant application;

      2. We send Your transaction and financial data to the parties we work with Us to process Your payment transaction, such as the acquiring bank, switching institution, issuing bank, and/or Our payment service provider partners (such as e-money and/or e-wallet providers); 

      3. We complete Your payment transaction so that the funds can be received by the Merchant; and

      4. We also receive Your Personal Data directly when You contact Us through the Merchant Customer Service, either via email, telephone, Helpdesk feature, Contact Sales, Live Chat, or other official communication media, to submit questions, complaints, information requests, requests to exercise Your rights as a Personal Data owner, technical issues during Your use of Our Services, suggestions, and/or feedback related to Our Services.

Our responsibility as a Data Processor. For Your information, in relation to point (i) above, Your Data Processing is one of the activities when You transact with a Merchant. In this case, we only help the Merchant to process Your payment transaction. This means that Your Data Processing will only be carried out if we receive instructions from the Merchant to process Your payment transaction. Therefore, Our responsibility in protecting Your Personal Data is limited to when we receive Data Processing instructions from the Merchant.

  1. For Pastisah Customers

If You are a Pastisah Customer who wants to sign and/or affix an electronic stamp on a document or letter, we collect Your Personal Data when You access the https://pastisah.id/ website, register for an account as a Pastisah Customer, want to contact Us if You need Pastisah Customer Service, and/or use Pastisah Services.

  1. For Visitors

If You are a Visitor to Our Websites, we collect Your Personal Data when You access Our Websites, including when You agree to give Us access to Your Personal Data and information about Your visit to Our Website through cookie technology when You first visit Our Website. You can also choose not to give Us cookie access or only give Us access to certain types of cookies, but it's important to note that You may not get optimal information and/or Services because the quality of the information and/or Services You receive depends on the cookie consent You provide.

 

 

Purpose of Your Personal Data Processing

After we obtain your consent to process Your Personal Data, we will use Your Personal Data for the following purposes ("Purposes"):

  1. If You are an iFortepay Merchant using Digital Payment Services, we will use Your Personal Data to:

    1. Registration and KYC. register You as an iFortepay Merchant, including conducting the verification/KYC (know your customer) process before you can use the Digital Payment Services;

    2. Account management. manage Your account as an iFortepay Merchant, including repairing, freezing, deactivating, and/or deleting Your Account;

    3. Provision of Our Services. provide Digital Payment Services, including updates/adjustments to those Services;

    4. Payment facilitation. facilitate payment transactions made by Merchant Customers, including payment transactions made via bank transfers, automated teller machines (ATMs), debit and credit cards, electronic wallets, or virtual accounts;

    5. Activity reports. inform You about payment transaction details and/or other activities that occur within the Digital Payment Services or other application systems connected to Our Services;

    6. Regulatory compliance. fulfill Our obligations in accordance with Applicable Law, including complying with requests for reporting, audits, due diligence, investigations, examinations, court decisions, and/or decisions from competent law enforcement authorities ("Regulatory Compliance") such as Bank Indonesia, the Financial Transaction Reports and Analysis Center (PPATK), and the Ministry of Communication and Digital ("Law Enforcement Authorities");

    7. Crime prevention and mitigation. prevent, detect, investigate, handle, and mitigate suspicious payment transactions related to criminal acts, such as fraud, money laundering, terrorism financing, proliferation of weapons of mass destruction (WMD), and other related criminal acts;

    8. Facilitate Corporate Actions. assist Us in conducting Corporate Actions, such as decisions to merge, consolidate, separate, acquire, and/or sell company assets (Limited Liability Company or PT) or other legal entities;

    9. Merchant Services. provide merchant support services and inform You of data related to the use of Our Services;

    10. Service updates. inform You about updates and/or changes to Our Services;

    11. Service management. perform maintenance, development, testing, and/or personalization of Our Services according to Your needs and preferences as a Merchant;

    12. Behavioral monitoring. monitor and analyze the activities, trends, habits, behavior, and demographic data of Merchants using the Digital Payment Services and related features;

    13. Partner service offerings. offer or provide services from Our affiliates or partners; and

    14. Service promotions. send You information such as promotions, advertisements, vouchers, surveys, events, and/or new features of Digital Payment Services through Your registered email.

  2. If You are a Merchant Customer, we will use Your Personal Data to:

    1. Merchant Customer Service. provide helpdesk services to You related to technical and operational issues while using the Digital Payment Services available on the Merchant's Application and/or Services;

    2. Service usage analysis. monitor and analyze the use of Digital Payment Services while Merchant Customers make purchase transactions through the Merchant's Application and/or Services;

    3. Service efficiency improvement. manage, support, and improve the efficiency of Services and the experience of Merchant Customers when making purchase transactions through the Merchant Application; and

    4. Service research and development. test, research, analyze, and develop Our Services, products, activities, and corporations with other related parties.

  3. If You are a Pastisah Customer, we will use Your Personal Data to:

    1. Registration and KYC. create Your account as a Pastisah Customer, including conducting the verification/KYC (know your customer) process to get a digital certificate before You can use Pastisah Services;

    2. Account management. manage Your account as a Pastisah Customer, including repairing, freezing, deactivating, and/or deleting Your Account;

    3. Provision of Services. provide Pastisah Services, including updates/adjustments to those Services;

    4. Activity information. inform You about the status of signing and/or affixing an electronic stamp on documents;

    5. Pastisah Customer Service. provide customer service and inform You about Your use of Pastisah Services;

    6. Service updates. inform You about updates and/or changes to the Pastisah Services;

    7. Service management. perform maintenance, development, testing, and/or personalization of Services according to Your needs and preferences as a Pastisah Customer;

    8. Behavioral monitoring. monitor and analyze the activities, trends, habits, behavior, and demographic data of Pastisah Customers using the Services and related features;

    9. Partner service offerings. offer You services from Our partners or affiliates; and

    10. Service promotions. inform You about promotions, advertisements, vouchers, surveys, events, and/or new features of Pastisah Services through Your registered email;

  4. If You are a Visitor, we will use Your Personal Data for:

    1. Improving the experience of Merchant and Pastisah Customers. analyze Your use of Our Websites during Your visit so that the content and offers we provide on Our Websites related to Our Services are tailored to Your needs and preferences;

    2. Visitor Services. answer Your questions and provide information about the Services we offer through the communication media, such as the Helpdesk, Contact Sales, Live Chat, and Send e-mail features;

    3. Research and development. for the purposes of research, development, trend analysis, and statistics on the use of Our Services;

    4. Service promotions. provide You with relevant offers based on Your previous visits to Our Websites;

    5. Regulatory Compliance. please read point 1.f. above; and

    6. Crime prevention. detect and prevent suspicious activities and/or criminal acts carried out through and/or on Our Websites.

 

 

We Guarantee Your Rights as a Personal Data Owner

According to Applicable Law, You have rights related to Your Personal Data that we process. Therefore, we strive to protect Your rights as a Personal Data owner, such as:

  1. the right to get information about Our identity, the legal basis and Purpose of Data Processing, and Our accountability as the Processor or Controller of Your Personal Data;

  2. the right to access and get a copy of Your Personal Data;

  3. the right to correct, update, and complete Your Personal Data that is wrong or inaccurate/incomplete;

  4. the right to withdraw the Data Processing consent You have given us;

  5. the right to terminate Data Processing, delete and/or destroy Your Personal Data;

  6. the right to object to decision-making actions that are only based on automated Data Processing, including for the purpose of automated profiling of Yourself;

  7. the right to sue and receive compensation for Personal Data breaches that are legally proven to be caused by us;

  8. the right to reasonably and fairly delay or limit Data Processing. You can ask Us to delay and limit the processing of Your data if the request is submitted reasonably and with sufficient reason; and

  9. the right to get a copy of Your Personal Data and use it further for other purposes (data portability rights).

Steps to exercise Your rights. To exercise Your rights above, You can contact Us via email at helpdesk@ifortepay.id or support@pastisah.id with a relevant email subject corresponding to the right You wish to exercise and include Your identity as the applicant or the authorized representative of the applicant (at least including a relevant ID card such as a KTP, driving license, passport, and supporting documents such as a power of attorney, will, or similar). We will provide You with the requested information, a copy of Your Personal Data, access to correct Your Personal Data, and/or other access or rights within 3 x 24 hours (three times twenty-four hours) from the time we receive Your request.

We may reject Your request to exercise Your rights above if it:

  1. endangers Your physical or mental safety or that of others;

  2. involves the disclosure of other people's Personal Data;

  3. is contrary to national defense and security interests;

  4. is for law enforcement purposes;

  5. is for public service purposes;

  6. is for the purpose of supervision in the financial services, monetary, payment systems, and financial system stability sectors conducted for public interest; and

  7. is for statistical and scientific research purposes.

We will inform You if we decide to reject Your request for the reasons above.

Choice and consequences of refusing to provide Personal Data. You can choose not to provide Us with Your Personal Data. You can still access Our Websites, but be aware that this may make it difficult for Us to provide You with optimal information and/or Services.

 

 

How can We guarantee the security and confidentiality of Your Personal Data?

Technical and organizational mechanisms and procedures. We implement technical and organizational mechanisms and procedures to protect the confidentiality and security of Your Personal Data from access, collection, use, processing, and/or disclosure of Personal Data that violates Applicable Law by unauthorized parties, loss of Personal Data whether intentional or not, destruction, damage, and/or other similar risks.

These mechanisms and procedures include:

  1. Technical mechanisms and procedures:

    1. Data encryption. We use encryption methods/technologies, such as SSL/TLS and multi-level authentication, to secure the transfer of Your Personal Data between Your device and Our servers (data in motion). Your Personal Data is also encrypted when the data is not being transferred/is at rest (data at rest).

    2. Access control. We implement a strict access control system to ensure that only Our designated staff have access to Your Personal Data. Access is granted based on the need to perform duties and through strong authentication (e.g., strong and complex passwords and multi-factor authentication).

    3. Firewalls and network security systems. We use firewalls and intrusion detection systems to protect Our network from unauthorized access and potential cyberattacks.

    4. Penetration testing (Pentest). We conduct security testing and vulnerability assessments (pentests) to identify and address weaknesses in Our systems at least once a year.

    5. Software and system updates. We ensure that all software and systems we use are always updated with the latest security patches to protect Us from potential cyberattacks and vulnerabilities.

    6. Data backup. We perform regular data backups to minimize the risk of data loss due to cyberattacks, data breaches, or other security incidents.

    7. Data anonymization and pseudonymization. When we obtain other Personal Data related to You that is not relevant to Our Purposes, we will anonymize and/or pseudonymize that data before it is further processed to prevent You from being re-identified.

    8. Data minimization. We only process certain Personal Data that is relevant to providing Our Services. This means that if we obtain Your Personal Data from other parties that is not relevant to Our Data Processing Purposes, whether data combined with other data or not, that can identify You as an individual, we will delete that irrelevant Personal Data to avoid the risk of misuse of Personal Data.

  2. Organizational mechanisms and procedures:

    1. Appointment of a data protection officer (DPO). We have appointed a DPO who is responsible for always ensuring we comply with the provisions in this Privacy Notice and Applicable Law. If You wish to ask questions about Your Data Processing, You can contact Our DPO via the email provided in the "How You can contact us" section of this Privacy Notice.

    2. Staff training and awareness. We conduct regular training and awareness-building for Our staff about the importance of personal data protection and information security, the importance of this Privacy Notice, the procedures that must be followed, and a culture of respecting a person's privacy.

    3. Internal policies and procedures. We have created and implemented internal policies and procedures related to the collection, use, processing, storage, disclosure, and deletion of Personal Data. For this reason, we require Our staff to comply with these policies and procedures.

    4. Physical access control. We implement physical security measures to restrict access to facilities, premises, rooms, and/or physical servers where Your Personal Data is stored. We ensure that only Our designated staff have physical access to the location where Your Personal Data is stored. Access is granted based on the need to perform duties and through adequate security measures (e.g., locked rooms, racks, and/or cabinets with separate backup keys).

    5. Data protection impact assessment (DPIA). We ensure that we conduct a DPIA regularly, at least once a year, especially for Data Processing that requires specific Personal Data, such as data related to eligibility/KYC, transactions, and payments. In such cases, the Data Processing can have a significant impact on an individual, in this case, You as the User.

    6. Data processing agreements. When we cooperate with any third party that needs Your Personal Data, we ensure that we enforce agreements or legal provisions related to Personal Data protection that they must comply with (Data Processing agreements or similar) to protect Your Personal Data in accordance with Applicable Law.

    7. Non-disclosure agreement (NDA). To complement point (f), we enforce an NDA on all Our staff, members of the board of directors and commissioners, management, all Our affiliates, and all third parties we work with to ensure they maintain the confidentiality and security of Your Personal Data as long as they have access to Your Personal Data and/or the location where Your Personal Data is stored, even if they have terminated their employment and/or cooperation with us.

    8. Personal Data breach handling. We have created and implemented written policies and procedures to handle and mitigate the impact of Personal Data breaches, including policies and procedures to identify the breach, contain the Data Processing, notify affected Users, and work towards mitigation and/or recovery.

Please remember that:

  1. Our limitations in protecting Personal Data. Regardless of the technical and organizational mechanisms and procedures we implement above, we still have vulnerabilities and limitations in guaranteeing the confidentiality and security of Your Personal Data given the possibility or potential for security incidents such as hacking, phishing, social engineering, malware attacks, DDoS (distributed denial of service), carding, defacing, etc., which are difficult to avoid because these risks are beyond Our reasonable control.

  2. Personal Data protection tips. By understanding the risks mentioned in point (a), we recommend that You reduce or prevent these risks from occurring by taking the following steps:

    1. keep Your account details confidential and secure, such as Your username, password, and one-time password (OTP), if any;

    2. do not share Your account details with anyone, unless Your account details are legally authorized or transferred to another party or person;

    3. change Your password regularly by combining the use of lowercase and capital letters, numbers, and symbols; and

    4. maintain the security of the device You use to access Our Services.

  3. Contact person for Personal Data protection. If You suspect that Your Personal Data has been collected, processed, and/or disclosed illegally or unlawfully, causing a data breach and harm to You, please contact Us immediately via email at helpdesk@ifortepay.id or support@pastisah.id.

 

 

Where is Your Personal Data stored?

Personal Data storage methods. The Personal Data we collect is stored both electronically in Our servers located in Our data center, and non-electronically or physically in document storage at Our office.

Personal Data storage media. Furthermore, the Personal Data stored electronically uses media such as co-location/cloud servers that we lease from secure data center service vendors. Meanwhile, for the physical Personal Data we store in document storage, we use secure document storage media, such as locked archive cabinets with limited access control.

Third parties may store Your Personal Data. In certain conditions, Your Personal Data may also be stored on servers and/or physical document storage managed by third parties, such as banks, payment service provider partners, Merchants, vendors, Our affiliates, Law Enforcement Authorities, and/or other interested or cooperating third parties.

 

 

Is Your Personal Data stored and/or transferred outside of Indonesian jurisdiction?

No, currently, we only provide Our Applications and/or Services within the jurisdiction of Indonesia. If in the future Our Applications and/or Services become available abroad, requiring Your Personal Data to be processed outside of Indonesian jurisdiction, we will take the steps required by Applicable Law to ensure that Your rights as a Personal Data owner remain protected. These steps include:

  1. ensuring that the country where Your Personal Data is transferred has a level of data protection that is equivalent to or better than what is regulated or applicable in Indonesia;

  2. ensuring we have adequate and binding Personal Data protection mechanisms and procedures; or

  3. ensuring we obtain Your explicit consent as the Personal Data owner.

 

 

How long do We store Your Personal Data?

Use of Personal Data during the Data Retention Period. We may store Your Personal Data as long as You use Our Services. When You have terminated Your use of the Services or Your business relationship with Us, Your Personal Data will still be stored on Our servers for a period of 10 (ten) years ("Data Retention Period") and can be extended as permitted by Applicable Law. During this Data Retention Period, We can still store and use Your Personal Data if there are Regulatory Compliance, obligations, and/or other needs that we must fulfill.

Your Personal Data will be deleted and/or destroyed if:

  1. the Data Retention Period has ended; 

  2. Your Personal Data is no longer needed; 

  3. You withdraw Your consent to process Your Personal Data; 

  4. You object to the Data Processing we perform; 

  5. You request that we delete Your Personal Data; 

  6. a Personal Data breach or similar security incident occurs; or

  7. Regulatory Compliance, obligations, and/or other needs that we must fulfill have been met.

Deletion of Personal Data after an offer. If we make an offer or You ask Us to offer or demo Our Services to You, we will delete Your Personal Data within a maximum period of 1 (one) year from the last time we offered or demoed the Service to You. This period prevents Us from contacting You too early, especially if You wish to delay other offers from us.

 

 

With whom do We disclose Your Personal Data?

Legal basis for Personal Data disclosure. We may disclose, share, transfer, and/or provide access to Your Personal Data to Our affiliates, Merchants, Merchant Customers, vendors, Law Enforcement Authorities, and other authorized or interested parties as long as we have a valid legal basis, such as: (1) obtaining explicit consent from You; (2) fulfilling obligations in a contract/agreement; (3) fulfilling Regulatory Compliance; (4) protecting Your vital interests as the Personal Data owner; and (5) for other legitimate interests as permitted by Applicable Law ("Personal Data Disclosure"). This Personal Data Disclosure is carried out for the following purposes:

  1. If You are a Merchant:

    1. Merchant Customer communication channels. We may share Your Personal Data with Merchant Customers to allow them to contact You regarding the applications and/or services You provide, including requests to use Your applications and/or services, submission of complaints and/or claims from Merchant Customers, events You hold, promotions, special offers, and discounts on the applications and/or services You offer.

    2. Merchant KYC. We may share Your Personal Data with Our KYC service vendors to help Us verify Your Personal Data as a prospective Merchant before You can use Our Services.

    3. Merchant registration to the Acquiring Bank. We may share the Personal Data You provide related to identity, contact, and eligibility/KYC with the Acquiring Bank we work with so that You can obtain a Merchant ID and Merchant discount rate (MDR) as agreed with us, enabling You to use Our Services.

    4. Third-party partner integration. We share Your Personal Data with Our third-party partners to make it easier for You to integrate with these third parties if You want to use Our Services on their platforms, such as online shopping (e-commerce) and social media platforms.

    5. Regulatory Compliance. We are obliged to provide Your Personal Data to Law Enforcement Authorities to answer questions they ask regarding Our compliance with Applicable Law, including Our Data Processing practices, and to comply with investigation, examination, on site visit, reporting, court decision orders, and Law Enforcement Authority decisions.

    6. Our vendor or partner services. We share Your Personal Data with Our cooperating vendors or partners, such as server service providers, anti-fraud, electronic know your customer, mail clients, customer relationship management (CRM) services, and other supporting services so that we can provide Digital Payment Services to You better.

  2. If You are a Merchant Customer:

    1. Preparation and delivery of Your order. We may share Your Personal Data with the Merchant, allowing the Merchant to:

      • Confirm the payment transaction You made.

      • Prepare and deliver Your order.

      • Update their internal order management and accounting systems.

      • Receive and respond to Your complaints, suggestions, and/or claims, provide Merchant Services, issue refunds, and resolve issues with Merchant Customers.

    2. Merchant Customer Service and problem resolution. We may share Your Personal Data with the Merchant if You want information about the payment transaction You have made with the Merchant. In this case, the Merchant requests the details of Your payment transaction that we process so the Merchant can help You get that information.

    3. Refund and chargeback services. We may share Your Personal Data with the Merchant so that we can help You claim a refund. In this case, we may share Your Personal Data related to the transaction You have made with the Merchant so that the Merchant can process Your refund claim.

    4. Fraud prevention and mitigation. We are obliged to share Your Personal Data with Law Enforcement Authorities if there is a suspicion of fraudulent activity or other suspicious activity in the transaction You made, requiring Us to report the transaction to the Law Enforcement Authorities. To fulfill this obligation, we can coordinate with the Merchant and use fraud detection system (FDS) technology to collect and analyze Your Personal Data related to the suspected fraudulent activity for the purpose of reporting to the Law Enforcement Authorities.

    5. Analysis and reporting to the Merchant. We may share Your Personal Data with the Merchant, especially data related to Your payment transactions that we process and share in an aggregated and anonymous manner for the purpose of the Merchant's business analysis.

    6. Payment processing. We may share Your Personal Data with: (i) acquiring banks; (ii) switching institutions; (iii) issuing banks; and/or (iv) Our payment service provider partners (such as e-money providers). Each is used to process and receive funds (as Merchant revenue) from Your payment transactions, forward Your order to make a payment transaction, verify or ensure Your identity as an issuing bank customer, check the availability of Your bank balance before completing the payment transaction, and verify Your transaction data so that Your payment transaction can be facilitated through the e-money provider if You choose to use the e-money payment method.

    7. Regulatory Compliance. We are obliged to share Your Personal Data with Law Enforcement Authorities so that we can answer the questions they ask regarding Our compliance with Applicable Law, including how we process Your Personal Data, and to comply with investigation, examination, on site visit, reporting, audit, due diligence, court decision, and Law Enforcement Authority orders.

  3. Business transfer or Corporate Actions. Corporate Actions may result in company assets (including Your Personal Data) being transferred from the company that is the object of the Corporate Action (the merged, purchased, transferred, consolidated, or separated company) to the company carrying out the Corporate Action (the merging, purchasing, transferring, consolidating, or separating company). Therefore, if You consent to the Corporate Action we perform, we will then transfer Your Personal Data to the other company with which we performed the Corporate Action.

  4. Protection of rights and security. We are obliged to share Your Personal Data with Law Enforcement Authorities and/or other related or authorized parties immediately if there is a suspicion of misuse of Your Personal Data by another person. We do this to prevent the misuse of Your Personal Data from becoming widespread.

  5. If You are a Pastisah Customer. We may share Your Personal Data with Our service provider partners who help Us provide Pastisah Services to You. It is important to know that Pastisah Services are available because we work with electronic certification providers who have been registered and licensed by the Ministry of Communication and Digital of the Republic of Indonesia so that they can provide electronic signature services legally and a legally recognized in Indonesia.

We will not sell or rent Your Personal Data to anyone.

Data Processing location limitations. At the time of writing this Privacy Notice, we can confirm that Your Personal Data is used only within the jurisdiction of Indonesia. If in the future Our Services require Your Personal Data to be processed outside of Indonesian jurisdiction, we will take the actions described in the "Is Your Personal Data Stored and/or Transferred Outside of Indonesian Jurisdiction?" section above.

 

 

Direct promotions and marketing

Option to receive and reject Marketing Materials. We and/or Our partners (such as Merchants, vendors, and/or third parties we work with for commercial or non-commercial purposes) may send You direct marketing, advertisements, educational campaigns, and promotions via application push-notifications, in-app messaging features, chat platforms, social media, and Your registered email ("Marketing Materials") if You agree to subscribe to Our mailing list or marketing services. However, if You object to receiving Our Marketing Materials, You can choose to opt-out at any time by clicking the "unsubscribe" link or option located at the bottom of the Marketing Materials email, or You can contact Us via email at helpdesk@ifortepay.id or support@pastisah.id.

Important non-promotional information notices. Please note that if You choose to unsubscribe from Our Marketing Materials, we may still send You important non-promotional messages, such as notifications related to Your account, Your use of Our Services, Your payment transactions, updates to this Privacy Notice and/or Our Service terms and conditions, important information about account security, and other important information.

 

 

How can You contact Us?

Thank you for taking the time to read this Privacy Notice. If You would like to submit questions, comments, suggestions, complaints, or claims regarding this Privacy Notice, or if You would like to exercise Your rights as a Personal Data owner, please feel free to contact Us at any time via email at helpdesk@ifortepay.id or support@pastisah.id.

Please include a relevant email subject, corresponding to the right or purpose You wish to achieve.

Thank you for Your trust in Our Services!