This Personal Data Protection Policy outlines Mailtarget's commitment to protecting users' personal data as governed by Indonesia's Personal Data Protection Act (Personal Data Protection Act No. 27 of 2022). Mailtarget is committed to protecting the privacy and security of user personal data and ensuring that it is processed transparently, securely, and in accordance with applicable law.

We ensure personal data is managed with strict integrity and security to strengthen user trust.

Mailtarget strives to provide clear information about personal data processing and ensure compliance with applicable law.

Respect and facilitate users' rights about their personal data, including the right to access, correct, or delete such data.

Periodically review and update our policies and practices to reflect changes in laws, technology, and commercial practices.

Personal Data refers to information about an individual that is identified or can be identified directly or indirectly through electronic or non-electronic systems, as regulated in Article 1 of the Personal Data Protection Law.

Mailtarget categorizes personal data into two types according to Article 4 of the Personal Data Protection Law, namely general personal data and specific personal data.

2.2.1 General personal data managed by Mailtarget includes, such as full name, gender, nationality, email address, and personal data combined to identify an individual.

2.2.2 Specific personal data is limited to tax identification number (NPWP) data and payment data, and/or other data in accordance with applicable laws and regulations.

Mailtarget manages personal data with strict protection principles, ensuring that processing is conducted for legitimate, transparent purposes and only within the necessary limits according to applicable legal provisions.

Mailtarget collects personal data in a limited and specific manner to support legitimate operational objectives, such as service provision, fulfilling user requests, improving service quality, and fulfilling legal obligations. We ensure that data collection is carried out in a way that minimizes impact on user privacy.

The data we collect may include names, addresses, email addresses, phone numbers, and other information as provided by you through forms within our application. We ensure that the data collected is relevant and not excessive in relation to the purposes of its collection.

Users have the right to access, update, and delete their personal data. We are committed to facilitating these rights, providing information on data protection failures, and carefully reviewing user requests. See point #6 for more details.

Personal data is processed in a limited and specific manner in accordance with clear, legitimate, and transparent purposes in accordance with applicable laws.

Personal data processing is conducted based on informed user consent, obligations under agreements, legitimate legal interests, or fulfillment of legal obligations in accordance with applicable regulations. This refers to Article 16 of the Personal Data Protection Law.

Personal data is processed lawfully and transparently. We ensure that data is only used for clear purposes and not used in a way that contradicts these purposes. We are committed to ensuring data accuracy and security and informing users about the purposes and processes of data processing.

Mailtarget ensures that personal data processed is always accurate, complete, and compliant with the purpose of processing as stipulated in Article 29 of the Personal Data Protection Law. We proactively conduct verifications and updates on a regular basis to ensure accuracy. Users are also provided the facility to correct or update their data to support data integrity and relevance.

In an effort to protect personal data in accordance with Article 35 of the Personal Data Protection Law, Mailtarget adopts comprehensive technical and organizational measures. This includes the use of encryption, the latest technology-based security systems, strict access controls, and risk management protocols to prevent unauthorized access, disclosure, or processing. We also ensure that privacy training and awareness are routinely provided to all employees.

In the event of joint processing with other controllers in the context of Article 51 of the Personal Data Protection Law, when cooperating with third parties, Mailtarget establishes agreements outlining each party's roles and responsibilities. We ensure that all data processors adhere to high security and privacy standards, conduct audits and feasibility assessments regularly to maintain compliance with legal provisions and internal company policies.

By adhering to these principles, Mailtarget ensures personal data processing is conducted ethically, securely, and according to the Personal Data Protection Law, providing optimal protection for all managed personal data.

Mailtarget is committed to ensuring that every personal data processing is conducted based on a legitimate legal basis according to Article 20 of the Personal Data Protection Law. This processing is based on the following principles:

Mailtarget obtains clear and explicit consent from users before processing data. The consent process is conducted with complete transparency, ensuring users understand the purpose and nature of the data to be processed.

Necessary personal data for executing contracts between Mailtarget and users will be processed. This includes service agreements requiring data usage for the agreed purposes.

Mailtarget processes personal data when necessary to fulfill applicable legal obligations. This includes various legal compliance mandated by regulation.

In situations where the vital interests of users or other individuals may be threatened, Mailtarget will process relevant personal data to provide necessary protection.

Processing is conducted for Mailtarget's or third parties’ legitimate interests, provided such processing does not override the rights and freedoms of users. The evaluation of legitimate interests is conducted carefully to ensure a fair balance.

Mailtarget complies with these provisions with the aim of protecting users' privacy rights while ensuring efficient and legitimate data processing.

Mailtarget fully respects users' rights regarding their personal data and is committed to protecting these rights in accordance with the Personal Data Protection Act. These rights include:

Users have the right to obtain transparent & clear information about their personal data management, including the identity of the data controller, legal basis, and processing purposes.

Users have the right to complete, update, or correct their personal data to ensure that the information stored by Mailtarget is accurate and current.

Users have the right to request the halt or deletion of their personal data if no longer necessary or relevant and under certain conditions as per regulation.

Users have the right to withdraw their consent for data processing at any time, without affecting the legality of processing based on consent before withdrawal.

Users have the right to object to processing their personal data, including decisions made automatically, and request processing limitations under certain situations.

Users can obtain and transfer their personal data to another data controller securely and structured, ensuring interoperability of information systems.

In case of a violation, users have the right to file compensation claims and submit complaints to the relevant authorities, as well as receive fair and speedy handling of such complaints.

Mailtarget strictly protects personal data and may refuse access or change data if it could potentially endanger the security, physical or mental health of users and other individuals. We will also refuse if such action discloses personal data belonging to others without permission or is contrary to the interests of national defense and security. This policy ensures that user security and privacy are met in accordance with Article 33 of the Personal Data Protection Act.

Mailtarget is committed to facilitating the exercise of these rights through efficient procedures, supporting transparency, and maintaining the integrity and confidentiality of users' personal data.

Mailtarget is committed to managing user data effectively and in accordance with data retention regulations prescribed by the Personal Data Protection Law. Further information about data retention can be found in Mailtarget's official policy in the MTARGET Data Protection Policy.

Data storage is carried out according to relevance and effectiveness for legitimate purposes. All data is stored considering strict security and privacy policies.

Personal data is managed within a determined time period according to operational standards and business needs, as stipulated in Article 42 of the Personal Data Protection Law. After the retention period ends or the processing purpose is achieved, data will be reviewed for deletion or destruction.

Mailtarget implements data deletion or updating mechanisms to maintain a balance between efficiency and security. Data that is no longer relevant will be deleted or updated to maintain the integrity and accuracy of information as per Article 44 of the Personal Data Protection Law.

Mailtarget has a strong commitment to user data security, implementing measures following the Personal Data Protection Act and international standards like GDPR. We ensure personal data is managed with diligence and maximum protection.

We ensure data protection from unauthorized access, disclosure, or alteration in accordance with Article 16 of the Personal Data Protection Law. We use the latest and standardized security systems, are ISO 27001:2013 certified, and use encryption technology to protect personal data from cyber threats and illegal access.

Access to personal data is restricted only to authorized personnel and for predetermined purposes. We utilize two-factor authentication and role-based access control to tighten information security.

Referring to Article 37 of the Personal Data Protection Law, Mailtarget conducts regular audits and monitoring of all data processing activities to ensure that all activities comply with established security standards.

Mailtarget regularly conducts vulnerability testing and risk assessment, following Article 34 of the Personal Data Protection Law, to identify potential threats and take mitigating actions.

According to Article 36 of the Personal Data Protection Law, ensuring data confidentiality is a priority. Personal data is treated as confidential information and can only be accessed by authorized personnel.

We ensure data is accessible whenever needed, with disaster recovery mechanisms designed to maintain data availability even if operational disruptions occur.

Mailtarget implements early detection systems and real-time alert systems to report security failures. If a data security breach occurs, Mailtarget will notify affected users and related authorities within 3x24 hours, including breach details and corrective actions:

In the event of an incident related to user information, proactive response steps will be taken.

Users will be given notification in a timely manner to ensure transparency.

Mailtarget will provide guidance related to necessary prevention and recovery steps.

Mailtarget is committed to ensuring users' personal data security by adhering to all applicable international standards and local regulations, providing comprehensive protection across all digital security aspects.

Mailtarget understands the importance of keeping personal data secure when it must be transferred, both domestically and cross-border. We comply with strict regulations to ensure data transfer is conducted safely and in accordance with the Personal Data Protection Act.

Each data transfer is conducted in accordance with applicable legal requirements, including obtaining consent from users if necessary and ensuring the destination country (if outside Indonesia) has adequate data protection in accordance with Article 21 and Article 55 of the Personal Data Protection Law.

Personal data is protected during transfer using encryption methods and strong security protocols to prevent unauthorized access and ensure data integrity.

We implement stringent controls and procedures to ensure that data transfer is only conducted with trusted third parties and have data protection policies aligned with Mailtarget's standards.

Any third party receiving data from Mailtarget must meet security and privacy commitments specified in the data agreements to ensure consistent data protection according to Article 51 of the Personal Data Protection Law.

Data transfer is monitored regularly to ensure compliance and process efficiency. If a violation occurs, we have a quick reporting and response mechanism to handle the incident.

Mailtarget upholds data protection principles by ensuring that data collection and deletion termination are conducted ethically and in accordance with the Personal Data Protection Act.

Collection termination is conducted after processing purposes are achieved or based on user requests. We ensure this process is transparent and easily accessible for users.

Personal data no longer necessary for its initial collection purpose will be deleted following the provisions of Article 44 of the Personal Data Protection Law. This includes data for which the retention period has expired or is no longer relevant.

Users have the right to request the deletion of their data, especially if the data is no longer relevant or if the user withdraws consent for its processing per Article 8 of the Personal Data Protection Act.

The data deletion process is conducted using methods that ensure data cannot be recovered or accessed again, maintaining the confidentiality and security of personal information until the end.

All data termination and deletion activities are documented and monitored to ensure no procedural violations occur. In case of an incident, we promptly take mitigation steps and report it in accordance with regulations.

Mailtarget responsibly safeguards the protection of personal data for children and persons with disabilities as per the Personal Data Protection Act,

Children's personal data is processed with special attention. We require parental or legal guardian consent before processing children's data, ensuring all purposes and uses are clearly explained in accordance with Article 25 of the Personal Data Protection Law.

All child data processing activities must involve explicit consent, involving parents or guardians to provide informed consent.

Personal data of persons with disabilities is treated with special policies. Communications and processing are conducted in a way that considers their unique needs, requiring consent from the person with a disability or official guardian following Article 26 of the Personal Data Protection Law.

We provide accessible communication methods for people with disabilities, ensuring information can be obtained in a manner that is suitable and comfortable for them.

Children’s and persons with disabilities’ data is managed with a high level of confidentiality and protection, maintaining the integrity and security of information at all times.

In fulfilling personal data protection obligations, Mailtarget acknowledges certain situations require exceptions to the data subjects' rights, following the Personal Data Protection Act.

Personal data may be processed without consent in cases involving national defense and security interests.

Exceptions apply within law enforcement processes requiring data processing as part of an official investigation.

To facilitate public government interests, data may be used as needed without further consent.

Data processing can be conducted for interests related to financial services supervision, monetary matters, payment systems, and financial stability.

Personal data may be excluded for use in statistical and scientific research activities, where subjects' privacy and anonymity are maintained.

Mailtarget appoints a Data Protection Officer (DPO) responsible for ensuring compliance with data protection regulations and acting as a contact person for users. We ensure compliance with standards like ISO 27001:2013 and continuously update related documentation.

A professional and knowledgeable DPO in law and data protection practice is selected. Their primary task is to ensure Mailtarget complies with all legal provisions related to personal data processing according to Article 53 of the Personal Data Protection Law.

The DPO is responsible for (According to Article 54 of the Personal Data Protection Law):

13.2.1 Providing advice and information to data controllers about legal obligations.

13.2.2 Ensuring Mailtarget's internal policies comply with the Personal Data Protection Act.

13.2.3 Providing advice on data protection impact assessment and monitoring related performance.

13.2.4 Coordinating and acting as a contact point with data protection authorities and responding to issues related to data processing.

In performing their duties, the DPO considers risks related to data processing by understanding the context and processing objectives and providing appropriate mitigation advice.

Through this commitment, Mailtarget ensures all data-related activities are conducted with full compliance with legal standards, prioritizing the protection of users' personal data.

Mailtarget is committed to regularly updating its personal data protection policy to ensure it aligns with regulatory changes and best practices.

This policy will be reviewed regularly to ensure it remains relevant and effective, considering the latest legal and technological developments.

Any significant changes to the data protection policy will be communicated to users through appropriate communication channels, ensuring transparency and clear understanding.

Mailtarget continues to commit to protecting users' personal data and enhancing data security practices in line with implemented policy changes.

For questions or requests related to Personal Data Protection, users can contact Mailtarget via email: [email protected]