Gaja Privacy Policy

PT GPay Digital Asia

This Gaja Privacy Policy is the privacy policy for the use of the Gaja electronic-money-based mobile payment application (“Gaja App”). This Privacy Policy governs how PT GPay Digital Asia (“GPay”), as the personal data controller, carries out the collection, acquisition, storage, use, processing, disclosure, protection, and/or management of the information and personal data of Gaja App Users (“You” or “User”), as a form of GPay’s commitment to respect and protect the privacy and personal data of Users in accordance with applicable laws and regulations.

This Privacy Policy (together with the Gaja Terms and Conditions and other information stated in the Gaja App) explains the types of information and personal data that GPay collects, how GPay uses and protects such information, the parties who may receive disclosure of such information, as well as the rights and choices that Users have in connection with the processing of personal data by GPay.

In this Privacy Policy, “Personal Data” means any data about a person who is identified and/or can be identified individually or in combination with other information, whether directly or indirectly, through electronic and/or non-electronic systems in accordance with applicable laws and regulations.

A. INTRODUCTION

1.By accessing, registering, and/or using the Gaja App, the User understands that all data and information provided is true, accurate, complete, and valid. The User also declares having read, understood, and agreed to this Privacy Policy, including granting consent to GPay to process the User’s Personal Data to the extent necessary for the purposes set out in this Privacy Policy and in accordance with applicable laws and regulations.
2.If the User does not agree with part or all of the provisions in this Privacy Policy, the User has the right not to access and/or use the Gaja App.

B. INFORMATION AND PERSONAL DATA THAT GPAY COLLECTS

1.GPay collects and processes the User’s information and Personal Data to provide services in the Gaja App, process Transactions, verify Users, fulfil obligations under applicable laws and regulations, improve service quality, maintain the security of electronic systems, and for other lawful purposes in accordance with applicable provisions.
2.The information and Personal Data that GPay collects may be obtained from various sources, including but not limited to:
a.information provided directly by the User to GPay;
b.information obtained automatically when the User accesses and/or uses the Gaja App;
c.information obtained from affiliates, partners, service providers, and/or other third parties that cooperate with GPay in accordance with applicable laws and regulations; and/or
d.information obtained when the User contacts or interacts with GPay through email, phone, social media, User Service, or other communication channels.
3.Information and Personal Data provided directly by the User may include name, address, phone number, email address, date of birth, identity documents, account data and/or transaction information; and/or other information needed for the provision of Gaja App services and the fulfilment of applicable provisions.
4.Information collected automatically when the User uses the Gaja App may include:
a.internet protocol address (IP address);
b.device and operating system information;
c.log data and Gaja App usage activity;
d.geographic location information (geolocation), to the extent the User grants location access permission on the device used;
e.network and connection information; and/or
f.other technical data generated from the use of electronic systems.
5.The Gaja App may request access to certain features on the User’s device, including geographic location (GPS), camera, microphone, or contacts, to the extent necessary for the provision of certain services in the Gaja App in accordance with the User’s consent.
6.The User may set or disable the granting of certain access permissions through the settings of the device used. Nevertheless, disabling such access may cause some features or services in the Gaja App to be unable to function optimally.

C. HOW GPAY COLLECTS PERSONAL DATA

1.GPay may collect the User’s Personal Data through various means, including but not limited to:
a.data provided directly by the User when registering, verifying, using the service, carrying out Transactions, or submitting requests and/or complaints;
b.data collected automatically through the electronic systems and devices used by the User when accessing or using the Gaja App;
c.data obtained from affiliates, business partners, service providers, financial institutions, identity verification service providers, and/or other third parties that cooperate with GPay in accordance with applicable laws and regulations; and/or
d.data obtained from the User’s communications and interactions with GPay through email, phone, social media, User Service, or other communication channels.
2.Where necessary based on applicable provisions or for the provision of certain services, GPay may verify, match, or update the User’s Personal Data based on information obtained from other legitimate sources.
3.The User declares that all Personal Data provided to GPay is true, accurate, complete, and valid, and has been obtained in accordance with applicable legal provisions.
4.GPay may use cookies and other similar technologies to automatically collect certain information in connection with the use of the Gaja App, for purposes such as:
a.maintaining the security and performance of the Gaja App;
b.storing the User’s preferences;
c.understanding the use and performance of the services;
d.conducting analysis and service development; and/or
e.other purposes to the extent permitted by applicable laws and regulations.

D. USE OF PERSONAL DATA

GPay may use and process the User’s Personal Data for the following purposes:

1.carrying out registration, verification, management, maintenance, updating, suspension, and/or closure of the User’s Account;
2.providing, operating, developing, and maintaining services in the Gaja App, including the execution and processing of Transactions;
3.carrying out identity verification, authentication, validation, risk assessment, and other security measures in connection with the use of the Gaja App;
4.processing Instructions, Transactions, balance top-ups, fund transfers, payments, fund withdrawals, refunds, and other activities carried out through the Gaja App;
5.contacting the User in connection with the use of the Gaja App, including for the delivery of notifications, announcements, service updates, feature changes, security information, and other communications related to the services;
6.responding to questions, requests, complaints, disputes, or issues submitted by the User through User Service or other communication channels;
7.carrying out monitoring, analysis, testing, audit, research, development, improvement, and enhancement of the quality of services, features, electronic systems, security, and the Gaja App usage experience;
8.preventing, detecting, investigating, and acting against unlawful, suspicious, unauthorized, or potentially harmful activities, including but not limited to fraud, service misuse, money laundering, terrorism financing, electronic system security breaches, or other activities that violate applicable laws and regulations;
9.fulfilling GPay’s obligations under applicable laws and regulations, including obligations to regulators, government agencies, law enforcement officials, and/or competent authorities;
10.cooperating with affiliates, business partners, service providers, and/or other third parties in connection with the provision of Gaja App services in accordance with applicable laws and regulations;
11.sending information, offers, promotions, surveys, loyalty programs, or other marketing communications related to GPay’s services to the extent permitted by applicable provisions;
12.carrying out mergers, consolidations, restructuring, acquisitions, funding, or other corporate transactions involving GPay to the extent permitted by applicable provisions; and/or
13.other purposes to the extent:
a.required or permitted by applicable laws and regulations; and/or
b.consent has been obtained from the User in accordance with applicable provisions.

E. BASIS FOR PROCESSING PERSONAL DATA

GPay processes the User’s Personal Data based on one or more processing bases in accordance with applicable laws and regulations, including but not limited to:

1.consent given by the User for one or several specific purposes;
2.the performance of an agreement between the User and GPay, including for the provision of services and the execution of Transactions through the Gaja App;
3.the fulfilment of legal obligations and/or laws and regulations applicable to GPay, including obligations in the field of payment systems, anti-money laundering, prevention of terrorism financing, and other applicable provisions;
4.the fulfilment of GPay’s legitimate and reasonable interests to the extent not contrary to the User’s rights under applicable laws and regulations, including to:
a.maintain the security of GPay’s electronic systems and services;
b.prevent fraud, misuse, or other illegal activities;
c.carry out service development and improvement; and/or
d.handle disputes and enforce GPay’s rights; and/or
5.other processing bases permitted by applicable laws and regulations.

F. PROVISION OR DISCLOSURE OF PERSONAL DATA

1.GPay does not sell the User’s Personal Data to third parties.
2.To the extent permitted by applicable laws and regulations, GPay may provide, disclose, and/or share the User’s Personal Data with the following parties for the purposes of service provision, business operations, fulfilment of legal obligations, and other lawful purposes in accordance with this Privacy Policy:
a.affiliated companies, the parent company, and/or entities within GPay’s business group;
b.business partners, merchants, payment system providers, banks, financial institutions, technology service providers, infrastructure providers, cloud service providers, communication service providers, and/or other third parties that assist in the provision of services on the Gaja App;
c.consultants, auditors, professional advisors, and other service providers who reasonably require access to Personal Data in order to provide services to GPay;
d.providers of identity verification, fraud prevention, risk analysis, anti-money laundering compliance and prevention of terrorism financing;
e.government agencies, regulators, law enforcement officials, courts, or competent authorities based on applicable laws and regulations or a valid official request; and/or
f.other parties based on the User’s consent or as required and/or permitted by applicable laws and regulations.
3.Where necessary, GPay may transfer or disclose the User’s Personal Data to third parties located outside the territory of the Republic of Indonesia in accordance with applicable laws and regulations. GPay will ensure that such transfer is carried out with an adequate level of Personal Data protection in accordance with applicable legal provisions.
4.GPay may process and share data that has had its personal identity removed and/or has been combined with other data so that it cannot be identified as data belonging to a particular User, to the extent in accordance with applicable laws and regulations.
5.GPay will take reasonable steps to ensure that the recipients of Personal Data maintain the confidentiality and security of Personal Data in accordance with applicable provisions.

G. STORAGE OF PERSONAL DATA

1.GPay will store Personal Data for as long as necessary to fulfil the purposes of its collection and use as described in this Privacy Policy and/or for as long as required by applicable laws and regulations.
2.GPay may store Personal Data longer where necessary for the purposes of evidence, dispute resolution, fulfilment of legal obligations, audit, fraud prevention, and/or compliance with the provisions of regulators and competent authorities.
3.After the storage period ends or the Personal Data is no longer needed for processing purposes, GPay will delete, destroy, and/or modify such Personal Data so that it can no longer be identified as data belonging to a particular User in accordance with applicable provisions.

H. USER RIGHTS OVER PERSONAL DATA

1.The User has the right to access, obtain a copy of, correct, and/or update their Personal Data that is in GPay’s possession in accordance with applicable laws and regulations.
2.The User may also withdraw consent to the processing of certain Personal Data to the extent possible under applicable laws and regulations. The User understands that such withdrawal of consent may result in the services on the Gaja App being unable to be used.
3.The User has the right to object to the processing of certain Personal Data and/or to request the restriction of Personal Data processing under certain conditions in accordance with applicable laws and regulations. GPay will follow up on such request by considering the basis for processing Personal Data, GPay’s legal obligations, and applicable laws and regulations.
4.The User may submit a request to delete the Account and/or Personal Data in accordance with the procedures established by GPay and applicable laws and regulations. In certain cases, GPay may continue to store certain Personal Data to the extent required or permitted by applicable legal provisions, including for the purposes of audit, dispute resolution, fraud prevention, and the fulfilment of obligations to regulators or competent authorities.
5.Requests as referred to in this Article may be submitted through User Service or other official communication channels provided by GPay. GPay reserves the right to verify the User’s identity before processing such request.
6.GPay may reject the User’s request in part or in full, to the extent permitted by applicable laws and regulations, including if such request may affect the rights of others, obstruct law enforcement processes, or conflict with GPay’s legal obligations.

I. SECURITY OF PERSONAL DATA

1.GPay applies reasonable and adequate administrative, technical, and physical measures to protect Personal Data from unauthorized access, use, disclosure, alteration, loss, damage, or processing in accordance with applicable laws and regulations.
2.The User understands that the transmission of data through electronic systems and the internet is not entirely free from security risks. Therefore, GPay does not guarantee that the systems and security measures used will always be free from disruptions, failures, unauthorized access, malware, hacking, or other security risks beyond GPay’s reasonable control.
3.The User is responsible for maintaining the security and confidentiality of the Account, device, and Security Information used to access the Gaja App, including but not limited to password, PIN, OTP code, and/or other authentication methods. The User is prohibited from giving or disclosing such Security Information to any party.
4.GPay never requests the User’s Security Information, including password, PIN, or OTP code, through any communication channel outside the official mechanism in the Gaja App.
5.The User must immediately contact GPay through the available official channels if they become aware of or suspect any unauthorized access, use, or disclosure of Personal Data and/or unauthorized use of the Account.

J. NOTIFICATION OF PERSONAL DATA PROTECTION FAILURE

1.In the event of a Personal Data protection failure that affects the User’s Personal Data, GPay will provide written notification to the User and/or the competent authority in accordance with applicable laws and regulations.
2.The notification referred to in paragraph (1) will be delivered no later than 3 x 24 (three times twenty-four) hours from the time GPay becomes aware of the occurrence of such Personal Data protection failure, or within another period as determined by applicable laws and regulations.
3.The notification referred to in paragraph (1) shall at least contain:
a.the type of Personal Data affected;
b.the time and cause of the Personal Data protection failure, to the extent known;
c.the potential impact that may arise for the User; and
d.the handling, recovery, and/or mitigation steps taken by GPay.
4.GPay will make reasonable efforts to reduce the impact arising from the Personal Data protection failure and to prevent the recurrence of similar incidents.

K. DEVICE ACCESS

1.To provide and optimize certain functions in the Gaja App, GPay may request access to certain features or information on the User’s device, including but not limited to:
a.location;
b.camera;
c.storage media;
d.contacts;
e.notifications;
f.device identity; and/or
g.other features on the device required for the use of the Gaja App.
2.Consent to device access is given by the User through the settings on the device or operating system used by the User.
3.Access to device features or information is used to support the functions and services in the Gaja App, including but not limited to the verification process, account security, enhancement of the usage experience, handling of service issues, as well as the development and improvement of GPay’s services.
4.The User may restrict, disable, or revoke device access permissions at any time through the settings of the device used. The User understands that such restriction, disabling, or revocation may cause some features or services in the Gaja App to be unable to function optimally.
5.GPay will carry out the access, use, storage, and processing of data obtained through the User’s device in accordance with this Privacy Policy and applicable laws and regulations.

L. CHANGES TO THE PRIVACY POLICY

1.GPay reserves the right to change, add to, or update this Privacy Policy from time to time with notice to the User through the Gaja App and/or other official communication media no later than 30 (thirty) Business Days before the effective date of such changes.
2.In the event of any changes to this Privacy Policy, the User must give consent to such changes in order to continue using the services on the Gaja App.
3.In the event the User does not agree to such changes, the User has the right to discontinue using the Gaja App and/or to close the Account without any fees, penalties, or other additional obligations, to the extent there are no obligations that still must be settled by the User under applicable laws and regulations.
4.If the User does not give consent to the changes to the Privacy Policy as above, the User understands that GPay may restrict or discontinue the User’s access to services that require the processing of Personal Data based on the updated Privacy Policy.

M. MISCELLANEOUS

1.This Privacy Policy is an integral and inseparable part of the Gaja Terms and Conditions.
2.Unless otherwise determined in this Privacy Policy, the terms used in this Privacy Policy have the same meaning as set out in the Gaja Terms and Conditions.
3.The provisions in the Gaja Terms and Conditions relating to:
a.governing law and dispute resolution;
b.contact us; and
c.miscellaneous provisions;

apply mutatis mutandis to this Privacy Policy to the extent relevant and not contrary to the context of this Privacy Policy.

4.The Application may connect with sites, applications, or services belonging to third parties that have their own privacy policies. GPay is not responsible for the policies or personal data processing practices carried out by such third parties. The User is advised to read the privacy policy applicable to such third-party sites, applications, or services.