Legal document

Privacy Policy

Last updated: 2026-06-10

This Policy is prepared in accordance with Indonesia's Law No. 27 of 2022 on Personal Data Protection (UU PDP).

This summary is provided for transparency and is not specific legal or tax advice. Questions? Contact support@tagihin.id.

Cavastir, operator of Tagihin ("we", "us", "our"), respects your privacy and is committed to protecting your personal data under Indonesia's Personal Data Protection Law No. 27 of 2022 (UU PDP).

1. Data Controller

Cavastir is the controller (Pengendali Data Pribadi) of your personal data under this Policy.

General contact: support@tagihin.id

Data Protection Contact (DPO): dpo@tagihin.id

This contact point handles questions and data-subject requests relating to your personal data under the UU PDP. See our UU PDP & Data Requests page.

2. Personal Data We Collect

We collect the following data:

  • Account data: Email address and password hash (PBKDF2)
  • Business profile: Business name, NPWP, address, phone, email, your own static QRIS payload, and logo
  • Customer/recipient data: Data you enter about your own customers, such as name, NPWP, and address
  • Documents created: Invoices, kwitansi (receipts), quotations, and draft withholding slips
  • Uploaded files: Payment-proof images (bukti transfer) and logos stored in Cloudflare R2
  • Technical data: IP address and essential cookies

3. Purposes and Lawful Bases

Purpose | Lawful basis (UU PDP Art. 20)
Providing the Service and managing your account | Performance of contract (point b)
Processing subscription payments via Stripe | Performance of contract (point b)
Security, fraud prevention, and rate-limiting | Legitimate interest (point f)
Complying with legal obligations | Legal obligation (point c)
Sending marketing emails (where you consent) | Consent (point a)

4. Data Processors and Third-Party Recipients

We use carefully selected sub-processors to operate the Service:

  • Cloudflare — Service hosting, D1 database, KV and R2 storage (data may be processed in global data centres with adequate contractual safeguards)
  • Stripe — Subscription payment processing (payment data is transmitted to Stripe, which may process it in the US or abroad, with appropriate safeguards)

We do not sell your personal data, and do not share it with third parties beyond those listed in this Policy.

Cross-border transfer note: Cloudflare and Stripe may transfer data outside the territory of Indonesia. We ensure an equivalent or adequate level of personal-data protection is in place as required by UU PDP Arts. 55–56.

5. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, personal data is deleted upon request unless we are required by law to retain it.

6. Data Security

  • HTTPS encryption at all times
  • Passwords hashed with PBKDF2 — no plaintext passwords stored
  • Access controls: only authenticated users can access their own data
  • Storage on Cloudflare D1, KV, and R2 with infrastructure-level encryption at rest

7. Data-Breach Notification

In the event of a personal-data protection failure (data breach), we will give written notification no later than 3 × 24 hours to the affected data subjects and to the supervisory authority, as required by UU PDP Art. 46 — including what data was exposed, when and how it happened, and the remediation steps taken.

8. Data-Subject Rights under the UU PDP

As a data subject, you have the following rights under Law No. 27 of 2022:

  • Right of access — Request a copy of your personal data we hold
  • Right of rectification — Request correction of inaccurate or incomplete data
  • Right of erasure — Request deletion or destruction of your personal data in certain circumstances
  • Right to withdraw consent — Withdraw consent at any time without affecting prior processing
  • Right to object — Object to certain processing, including for marketing purposes, and request that processing be delayed or restricted
  • Right to data portability — Receive your data in a machine-readable format (available via in-app export)
  • Right to lodge a complaint — Lodge a complaint with the personal-data protection supervisory authority (interim oversight currently sits with Komdigi)

9. How to Exercise Your Rights

To exercise any of the rights above, you may:

We will respond to requests within 30 days.

10. Children and Minors

The Service is not directed at individuals under 18 years of age. Under UU PDP Art. 25, processing a child's personal data requires parental/guardian consent. If you are under 18, please obtain parental consent before using the Service.

11. Policy Changes

We may update this Policy from time to time. Material changes will be notified to you by email and/or within the Service.

© 2026 Tagihin · a product of Cavastir  ·  support@tagihin.id