Toko21 Help Center Policy 7.4
Privacy and Data Policy
Version: 1.1 (July 2025)
Prepared by: Ken for PT Belanja Lebih Cepat

PURPOSE
This Privacy and Data Policy explains how PT Belanja Lebih Cepat ("Toko21") collects, uses, manages, shares, protects, and governs the personal and business data of users and merchants interacting with its digital platform. This policy covers both the Customer App (User-App) and Merchant App (Merchant-App) in full alignment with Indonesian data protection laws, including UU PDP (UU No. 27 Tahun 2022).

By using Toko21’s services, you consent to the processing of your data as outlined in this policy. Toko21 is committed to upholding high standards of data governance, transparency, and privacy rights for all parties.

SECTION 1: WHAT DATA WE COLLECT

1.1 Personal Data from Customers (User-App)

• Full Name (as per legal ID)
• Date of Birth (age-restriction validation)
• Mobile Number and/or Email Address
• Delivery Address(es)
• Order History & Transaction Amounts
• Saved Payment Preferences (tokenized only, never stored in raw form)
• Behavioral Data (search, click, wishlist)
• Device ID, IP Address, geolocation (if enabled)

1.2 Personal & Business Data from Merchants (Merchant-App)

• Business Name, Legal Form, and Outlet Type (Vape/Kelontong)
• Contact Person Name, Number, and e-KTP
• Business License Information (e.g., NIB, NPWP)
• Storefront Photos, GPS Data (if collected)
• Bank Account Details for Disbursement
• Login History, Session Logs, SKU Preferences

1.3 Automatically Collected Technical Data

• IP Address, OS Version, App Build
• Crash Logs, Freeze Events, Error Traces
• Usage Pathways, Bounce Rates, Click Heatmaps

1.4 Communications and Uploaded Media

• In-app Chat with Support or Drivers
• Customer Feedback, Ratings, Dispute Media
• SPG/Field Rep Notes (for merchant onboarding)
• Recorded audio/photo (only if permission granted)

Toko21 does not collect sensitive biometric data, except in limited verification scenarios (see Policy 9.1).

SECTION 2: HOW WE USE YOUR DATA

Toko21 processes collected data for the following legitimate and contract-bound purposes:

• Account Lifecycle Management: From registration to deletion
• Age Compliance Validation: Enforcing 21+ rule via DOB and future KTP checks
• Order Fulfillment & Inventory Routing: Matching your order to the best merchant
• Payment & Payout Handling: Syncing with payment gateway and bank APIs
• Customer Support Resolution: Accessing history to resolve issues
• Fraud Prevention: Detecting unusual IP/device, duplicate accounts, and abuse
• Personalized Experience: Displaying relevant brands, promos, or locations
• Regulatory Fulfillment: Complying with BPOM, excise law, and tax audits
• Loyalty Point Management: Tracking earned and redeemed XP (see Policy 5.1)

Anonymized or aggregated data may be used for system improvement, product research, or commercial reporting — without identifying any individual.

SECTION 3: WHO WE SHARE DATA WITH

Toko21 does not sell user or merchant data. We only share specific data types with qualified third parties when necessary to operate the platform:

• Payment Gateway (e.g., OY!) – Order confirmation, refund, and disbursement data
• Logistics Partner (e.g., Biteship) – Delivery address, item quantity, and contact
• Customer Service Platforms – Ticket logs, ratings, and incident history
• Field Ops (SPG/Verification Team) – Business registration info and storefront audit
• Government Authorities – When required by law, especially for excise control, underage access audits, and PKP taxation

All third parties operate under strict data handling contracts. They are not permitted to use or re-share the data for unrelated purposes.

SECTION 4: DATA STORAGE, RETENTION & DELETION

• All data is encrypted and stored securely on cloud infrastructure with geofencing and role-based access control
• Passwords are hashed using one-way algorithms and never stored in plaintext
• Order and payment data is retained for minimum 12 months for support traceability
• Taxable financial and merchant data is retained for 5+ years in compliance with Indonesian law
• Unused accounts may be auto-flagged for dormancy review
• Upon verified deletion request, data is anonymized unless under audit lock

SECTION 5: USER RIGHTS & DATA CONTROL

As a user or merchant, you have the right to:

• Access, view, or update your stored personal or business data
• Correct errors in your account profile
• Request full deletion of your account (post-dispute & payout reconciliation)
• Request a summary of how your data is processed or shared
• Revoke marketing communications at any time

To exercise these rights, submit a request via the Help Center or email privacy@toko21.co.id.

Requests will be verified and fulfilled within 7 working days unless legal exceptions apply.

SECTION 6: DATA SECURITY MEASURES

Toko21 enforces robust digital and operational protections, including:

• End-to-end SSL encryption for data in transit
• Token-based login sessions and auto-expiry
• IP-restricted backend dashboards
• Role-based admin privilege assignment
• Rate limiting to prevent brute force attacks
• Regular penetration testing and system audits
• Employee confidentiality clauses and security training

In the event of a suspected data breach, affected parties will be notified within 72 hours in accordance with applicable regulation.

FINAL NOTES:

• This policy applies uniformly across all Toko21 interfaces and systems (User-App, Merchant-App, backend portals)
• By continuing to use Toko21, you agree to any updates to this policy
• Major revisions will be communicated via email and/or in-app notices
• You may download a copy of this policy at any time from the Help Center