Last updated · Replace with real date once lawyer-reviewed.
1. Data we collect
- Account: email, display name, hashed password.
- Shipping addresses you save.
- Pack opening history and wallet transactions.
- Device push tokens (if you opt into notifications) via Firebase Cloud Messaging.
- Technical logs: IP, user agent, timestamps, for anti-abuse.
2. How we use it
- Operate the service (authentication, pack draws, shipping).
- Communicate shipment + account updates.
- Prevent fraud and abuse.
- Comply with legal obligations (tax, consumer protection).
3. Who sees your data
We do not sell your personal data. We share it only with processors that help us operate: Supabase (database, auth, storage), Vercel (hosting), Firebase (push notifications), and payment providers (if applicable). Each is bound by a data-processing agreement.
4. Data retention
We retain account data while your account is active. Pack-opening records and wallet transactions are retained for accounting purposes consistent with Indonesian tax requirements (typically 10 years). You may request deletion subject to these obligations.
5. Your rights
- Access — request a copy of your data.
- Rectification — correct inaccuracies.
- Deletion — subject to legal retention limits.
- Portability — receive your data in a portable format.
- Withdraw consent — for marketing or push notifications.
6. Security
We use transport encryption (TLS), at-rest encryption on our databases, row-level security policies, and least-privilege access controls. No system is perfectly secure; please report suspected issues promptly.
7. Contact
Privacy requests go to hello@indoripa.com.