LEGAL REFERENCE

How harta11 Handles Your Account Data

This is the harta11 privacy policy. We wrote it for the account you open with us in Indonesia, covering the information we collect when you sign in, fund...

Policy v3.2Indonesia scopePlain EnglishUpdated quarterlyAccount-level
Account access Read FAQ
harta11 How harta11 Handles Your Account Data

Our Policy Posture and Jurisdiction

Our policy applies to harta11 accounts opened from Indonesia and other supported regions where local law permits. We collect the data needed to verify you, run your wallet, and keep your session secure: your name, contact details, device fingerprint, and the e-wallet handle you link for top-ups. We don't sell your data, we don't pass it to marketing brokers, and we keep

transaction records for the period our financial obligations require. Where Indonesian regulation sets a stricter standard than our default, the stricter standard wins. If you close your account, we retain only what compliance forces us to retain, and the rest is purged on schedule.

Service availability is jurisdiction-dependent. Users are responsible for checking local law before access.

24/7 SUPPORT

Privacy Contact Paths

If something in this policy needs clarifying, or you want to exercise a data right, these are the channels our privacy desk monitors. Each one routes to the same team, so pick...

Privacy inbox Email [email protected] from the address tied to your account. Our data team replies within two business days and handles access, correction and deletion requests directly from that thread.
In-app chat Open the chat bubble after you sign in and type 'privacy' to skip the general queue. Your session context loads automatically, so the agent can verify you without asking for documents twice.
Postal channel For formal data subject requests you'd rather put on paper, our registered correspondence address is listed inside your account settings under Legal. Allow ten working days for written acknowledgement.
TRUST MARKERS

How We Review This Policy

This document isn't static. Six checkpoints govern how it gets drafted, reviewed and published, and each one leaves a trail you can ask us about.

Legal review

Our retained counsel re-reads the policy every quarter against Indonesian data rules and the laws of the regions we accept accounts from. Any wording that drifted from current statute is corrected before the next publish window.

Security sign-off

Our infrastructure lead signs off on the data flow diagram referenced in this policy. If a new vendor enters the stack, the policy gets amended before that vendor processes a single record from your account.

Version history

Every published version is archived with a timestamp and a short changelog. You can request the diff between any two versions and we'll send the redlined document back to the email on file.

Named owner

A single Data Protection Officer owns this policy end-to-end. Their role, not their personal name, is published so the accountability survives staffing changes.

User feedback loop

Questions raised through our privacy inbox feed directly into the next revision cycle. If three users flag the same clause as unclear, that clause gets rewritten in the following quarterly publish.

External audit

An independent assessor reviews our data handling annually and the summary is referenced inside your account settings. We don't publish the full report, but the scope and findings letter are available on request.

SIDE BY SIDE

Consistency With Our Other Legal Pages

This policy lives alongside our terms, cookie statement and account rules. Where they touch the same topic, the wording is aligned so you don't have to reconcile contradictions.

01

Terms of Service

Account creation clauses match here and there — same age threshold, same supported regions, same identity check trigger.

02

Cookie Statement

Categories named here (essential, functional, analytic) use identical definitions in the cookie page so consent maps cleanly across both.

03

AML Notice

Retention periods for transaction records cited here mirror the AML notice exactly, including the seven-year financial record window.

04

Account Rules

Closure procedure references the same workflow described in account rules, with identical data-purge timing on both pages.

05

Promo Terms

Marketing consent handling cross-references the promo terms so opting out here removes you from campaign lists immediately.

06

Complaint Policy

Privacy complaints escalate through the same tiered process described in the general complaint policy, with the DPO as the final internal step.

07

Cookie Banner

Banner choices write to the same consent ledger this policy describes, so toggling there is reflected in your account record.

What Defines This Policy Page

A few structural choices shape how this document reads. We've kept them visible at the top of the layout so you can find the part you...

Section anchors

Each major clause has a deep-link anchor in the sidebar. Bookmark the one that matters to you — retention, sharing, your rights — and you'll land directly on that paragraph next visit.

Plain phrasing

We rewrote legal boilerplate into sentences a non-lawyer can read in one pass. Where a technical term is unavoidable, the first use carries a short bracketed definition.

Change log

A dated list of edits sits at the foot of the page. If you signed our terms in March and we revised the policy in July, the changelog tells you what shifted.

Scope marker

Every clause is tagged with the data category it governs — identity, financial, behavioural — so you can skim by topic rather than reading start to finish.

Request shortcut

A one-tap link inside your account settings drops a pre-filled data request into our privacy inbox, with your verification token attached so we can act faster.

Last reviewed stamp

The header carries the date of the most recent legal review, not just the last edit. That tells you the policy has been actively checked against current Indonesian rules.

Privacy Policy Questions We Get Asked

We collect your name, date of birth, contact details, the device you sign in from, and the e-wallet handle you link for DANA, OVO, GoPay or QRIS. Nothing beyond what verification and wallet operation require.

Only with processors that directly support your account — payment rails, identity check vendors, and our hosting provider. Each one is bound by contract to use your data only for the task we engaged them for, nothing else.

Identity and transaction records are held for seven years to satisfy financial recordkeeping rules in supported regions. Marketing preferences and session logs are purged within ninety days of closure, on a rolling schedule.

Yes. Send a request from the email on file to our privacy inbox and we'll return a structured export within thirty days. The export covers identity, wallet activity and any communication history we've kept.

Most fields are editable directly in account settings. For locked fields like name or date of birth, message the privacy desk with a supporting document and the correction is applied once verification clears, usually within two business days.

We store the wallet handle and a tokenised reference, not your full credentials. The actual authentication happens on the DANA, OVO, GoPay or QRIS side, so your underlying account stays inside their security boundary, not ours.

The header carries the last-reviewed date and the foot of the page lists every change made in the past two years. If a material change affects you directly, we email the address on your account before it takes effect.