Introduction
PT Alpine Solusi Andalan (“we”, “the Company”) operates the EasyWeb Indonesia https://easyweb.id. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services.
By using EasyWeb Indonesia services, you agree to the practices described in this policy. If you disagree, please discontinue use of our services.
Data We Collect
2.1 Account Information
When you register or use our services, we collect:
- Identity information: full name, email address, phone number
- Account credentials: password (stored as an encrypted hash — never in plain text)
- OAuth data: if you register via a third-party login provider, we receive your profile ID, name, and avatar from that provider
- Account status: email verification status, login history, and last activity timestamp
2.2 Payment & Billing Data
To process subscriptions and domain purchases, we collect:
- Name, email, and phone number for billing
- Full address (street, city, province, postal code, country) — required for domain registration
- Payment method data is managed directly by Xendit (our payment provider); we do not store credit card details directly
- Transaction history: invoice numbers, payment status, dates and amounts
- Subscription data: active plan, start/end dates, renewal history
2.3 Domain Data
If you purchase or transfer a domain through EasyWeb:
- Domain name and registration contact information as required by international domain registration regulations
- Status and configuration of your domain
2.4 Website Project Data
When you build a website through our platform:
- Project name, design content, and assets you upload
- Business preferences and requirements you share with our team
- Status and history of your website
2.5 Technical Data & Logs
We automatically collect:
- IP address and device information for account security
- Session logs: login time, device used, and token revocation status
- Platform analytics data including pages visited, referral sources, and device type
2.6 Messaging Communications
If you interact with our team via a messaging platform:
- Your phone number or messaging account identity
- Message content and media you send
How We Use Data
We use the collected data to:
- Provide services: create and manage accounts, build websites, register domains, and process payments
- Communication: send verification emails, billing notifications, domain renewal reminders, and service updates
- Security: detect suspicious activity, prevent unauthorized access, and protect your account
- Service improvement: analyze usage patterns to improve platform performance and features
- Customer support: respond to questions and assistance requests you submit to us
- Legal compliance: fulfill legal obligations and regulations applicable in Indonesia
Each data processing activity is based on one of the following legal bases under Article 20 of Law No. 27/2022 on Personal Data Protection (UU PDP):
| Processing Purpose | Legal Basis |
|---|---|
| Providing services, processing payments, registering domains | Contract performance (Article 20(b)) |
| Verification emails, billing notifications, account security | Legitimate interest of the controller (Article 20(e)) |
| Platform usage analytics, service improvement | Data subject consent (Article 20(a)) |
| Tax and financial regulatory compliance | Legal obligation of the controller (Article 20(c)) |
Data Storage
Your data is stored in secure infrastructure using industry standards. Access to data is restricted to authorized personnel and systems that require it to deliver the service.
Data retention: Your account data is stored while the account is active. If you delete your account, data will be removed within 30 days, except data required to be retained by law (such as financial transaction records).
International data transfer (Articles 56–57 UU PDP): Some of your payment data is processed by a payment provider that may operate outside Indonesia. Such transfers are made only to parties that apply data protection standards equivalent to or higher than those required under Indonesian law, and solely for the purpose of processing your transactions.
User Rights
As a user of our service, you have the following rights over your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Update inaccurate information via your account dashboard or by contacting us
- Deletion: Request deletion of your account and associated data (within 30 days; some transaction data may be retained to meet legal obligations)
- Portability: Request an export of your project data and website content in a machine-readable format
- Objection: Object to data processing for specific purposes (e.g., marketing)
- Restriction: Request restriction of data processing under certain conditions, such as when the accuracy of data is contested
- Withdrawal of consent (Article 26 UU PDP): You may withdraw consent to data processing at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
- Session revocation: Revoke access from specific devices or sessions via your account settings
To submit a request regarding your data, contact us at [email protected]. We will respond within 14 business days.
Right to lodge a complaint with the supervisory authority (Article 66 UU PDP): If you believe your privacy rights have been violated and the matter cannot be resolved through us, you have the right to lodge a complaint with the personal data protection supervisory authority in Indonesia, namely the National Cyber and Crypto Agency (BSSN) or the authority designated by the Ministry of Communication and Digital Affairs.
Data Security
We implement technical and organizational measures to protect your data:
- Transit encryption: All communications use HTTPS/TLS
- Password hashing: Passwords are stored as hashes using a strong algorithm — never in plain text
- OAuth token encryption: OAuth access tokens from external providers are stored encrypted
- Secure cookies: Session tokens use HttpOnly and Secure flags
- Rate limiting: Request rate limiting to prevent brute-force attacks
- Access monitoring: Detailed logs for every login attempt, including device and IP address
Data breach notification (Article 46 UU PDP): In the event of a breach, loss, or unauthorized access to your personal data, we commit to:
- Notifying the data protection supervisory authority within 14 calendar days of becoming aware of the breach
- Directly notifying you if the breach is likely to result in significant risk to your rights and freedoms, within a reasonable timeframe
- Taking immediate mitigation steps to limit the impact of the breach
Policy Changes
We may update this Privacy Policy from time to time. Significant changes will be communicated via:
- Email to the address registered to your account
- Notification in the EasyWeb platform dashboard
- Update of the "Effective" date at the top of this page
Continued use of the service after changes take effect constitutes acceptance of the updated policy.
Contact Us
For questions, data-related requests, or privacy concerns, you may contact us via:
