Who We Are and Scope
This Privacy Policy explains how Modulio (as a Personal Data Controller) collects, uses, shares, stores, and protects Personal Data in connection with our products, services, websites, and communications. It applies to processing conducted in Indonesia and to processing outside Indonesia that has legal effect in Indonesia or affects Indonesian citizens.
Reference :
Legal Basis & Principles
We process Personal Data only where at least one lawful basis applies: (a) consent; (b) performance of a contract or steps at your request; (c) compliance with a legal obligation; (d) protection of vital interests; (e) public interest/public authority; or (f) legitimate interests balanced against data subject rights. We follow core PDP principles including purpose limitation, data minimization, accuracy, transparency, security, and deletion after the retention period or upon valid request unless the law requires otherwise. Consent requests are provided in clear language and, where required, in Indonesian (bilingual formats permitted).
Reference:
Categories of Personal Data We Process
We may process:
- General data: name, contact details, company/role, billing and transactional records, support logs.
- Specific/sensitive data (only if needed and lawful): health, biometric, genetic, criminal records, children’s data, financial data. Additional safeguards apply for these categories.
Reference:
How We Collect Data
We obtain data directly from you (forms, contracts, support), automatically (cookies/telemetry consistent with notice and consent), and from lawful third-party sources (e.g., service partners) where permitted.
Purposes of Processing
We use Personal Data to:
- deliver and improve services;
- manage accounts, payments, and invoicing;
- provide support, security, and fraud prevention;
- send administrative notices and—where permitted—marketing communications;
- comply with legal obligations, resolve disputes, and enforce agreements.
- Each purpose is tied to the corresponding legal basis listed above.
Reference:
Data Retention
We retain Personal Data only for as long as necessary for the stated purposes or as required by law. When retention ends, we delete or anonymize the data in a secure manner, unless a lawful exception applies.
Reference:
Security Measures
We implement appropriate technical and organizational safeguards—such as access controls, encryption in transit and at rest where appropriate, secure development practices, monitoring, and employee confidentiality commitments—to protect confidentiality, integrity, and availability of Personal Data.
Sharing with Third Parties
We do not sell Personal Data. We may share data with:
- Processors/Sub-processors (e.g., hosting, payment, email delivery) under written contracts requiring confidentiality, security, and PDP-compliant processing;
- Professional advisers (legal, accounting) under duty of confidentiality;
- Authorities when required by law or valid process;
- Corporate actions (merger, acquisition, restructuring) with appropriate notice to data subjects as required by law.
Reference:
Cross-Border Data Transfers
When transferring Personal Data outside Indonesia, we follow the PDP Law’s layered approach:
- confirm the destination country ensures an equal or higher level of protection; or
- implement adequate and binding safeguards (e.g., standard contractual clauses, binding corporate rules); or
- obtain the data subject’s consent if (1) and (2) are unavailable. Where applicable, coordination/notification to the Ministry of Communication and Informatics (MOCI) may still be required under existing regulations.
Reference:
Your Rights
Subject to legal limits, you may request: information, access (and a copy), rectification, completion, deletion/destruction, termination of processing, restriction/suspension, withdrawal of consent, data portability, and the right to object to decisions based solely on automated processing that have legal or similarly significant effects. We respond within timelines set by law.
Reference:
Children’s Data
We process children’s data only where permitted by law and with verifiable consent from a parent or legal guardian and with heightened safeguards.
Reference:
Cookies & Similar Technologies
Where used, cookies and similar tools are disclosed in a separate notice. Non-essential cookies are set only with your consent, which you may withdraw at any time consistent with Indonesian consent requirements.
Data Breach Notification
If a Personal Data breach occurs that compromises confidentiality, integrity, or availability, we will notify affected data subjects and the supervisory authority no later than 3 × 24 hours (72 hours) after discovering the breach, and will include required details (what data, when/how, remediation). If the incident disrupts public services or seriously impacts the public interest, we will also notify the public as required. Until the PDP supervisory authority is fully established, notifications may be directed to MOCI (and, as commonly practiced, to BSSN).
Reference:
Data Protection Impact Assessments
We will conduct a DPIA where processing is likely to result in a high risk to individuals (e.g., large-scale processing, specific/sensitive data, systematic monitoring, automated decision-making, use of new technologies).
Reference:
Data Protection Officer
We appoint a DPO when the PDP Law conditions apply—such as public-service processing, regular and systematic large-scale monitoring, or large-scale processing of specific/criminal-related data. Following Constitutional Court Decision No. 151/PUU-XXII/2024 (16 July 2025), any one of these conditions triggers the DPO obligation (they are alternative, not cumulative).
Reference:
International Cooperation & Oversight
We cooperate with regulators and organizations as required under the PDP Law and maintain records to demonstrate compliance.
Reference:
How to Exercise Your Rights or Contact Us
To submit a request or ask questions, contact: [email protected] If a DPO is appointed, you may also contact our Data Protection Officer at the same address (attention: “DPO”).
Changes to This Policy
We may update this Policy to reflect changes in law or our practices. Material changes will be announced via our website or by direct notice where appropriate.