Privacy & Policy

Durianpay Privacy Notice

Please read this Privacy Notice carefully to ensure that You understand the provisions surrounding Durianpay’s processing of Your Personal Data.

Preface

We believe that You should be able to make informed decisions about Your personal data. We created this privacy notice (previously referred to as Privacy Policy) (hereinafter referred to as “Privacy Notice”) to inform and explain to You how we, PT Durian Pay Indonesia, an entity duly established in Indonesia with office in Equity Tower Lantai 28, Unit H, Jalan Jendral Sudirman Kav.52-53, SCBD, Senayan, Kebayoran Baru, Jakarta Selatan, Provinsi DKI Jakarta, which is the controller that processes Personal Data as described in this Privacy Notice and Our affiliates and wholly owned subsidiaries (collectively “Durianpay”, “We”, “us”, “Our”, or “Ours”) obtain, collect, store, control, use, process, analyze, correct, update, display, announce, transfer, disclose, and protect the Personal Data (altogether “Processing” Personal Data or carrying out “Personal Data Processing”) that You provide to Us.

This Privacy Notice applies to all users, merchants, business partners (such as payment processors, acquiring banks, issuing banks, payment gateways, card networks, and other financial institutions), agents, vendors, suppliers, service providers, and contractors (collectively referred to as “You” or “Your”), except as provided in a separate privacy notice.

This Privacy Notice is an inseparable part of Durianpay Terms and Conditions. We recommend that You read this Privacy Notice in conjunction with any of Our product or Service terms and conditions as they may contain product or service-specific information about how We Process Your Personal Data.

The use of the Durianpay platform, including any of Our features, services, and/or products related to payment processing (the “Services”), constitutes Your agreement to the Terms of Use and this Privacy Notice. Therefore, You need to read this Privacy Notice carefully to ensure that You fully understand it before registering, accessing, and/or using Our Platform (including any Services thereof).

Privacy Notice also has the same meaning as the privacy policy as stated in the Terms of Use and each Service on Our Platform.

Acknowledgement and Consent

01

By proceeding, You acknowledge that You have read and understood this Privacy Notice. Where Processing relies on consent, You give Your explicit consent. For other Processing, Durianpay relies on the appropriate legal bases described in ‘Basis for Processing Personal Data’.

02

We require Your Personal Data, among others, to be able to process payment transactions through the Platform, including but not limited to authentication, authorization, settlement, and reconciliation with Our partner financial institutions. Therefore, You declare that the Personal Data submitted to Us during account registration, onboarding, or renewal is accurate and up-to-date. You must update and notify Us if there are any changes to Your Personal Data. You hereby release Us from any demands, lawsuits, damages and/or claims related to failure to process transactions or the use of the Services caused by inaccurate Personal Data that You provided to Us. You further warrant that all data provided in written or other forms to use Our Platform is Your own and has not been obtained from Personal Data belonging to a third party without legal permission, so that all matters arising in connection with the provision and correctness of such data remain Your full responsibility.

03

In certain cases, You may voluntarily provide Personal Data of third parties (such as customers, beneficiaries, payers, or business contacts) for the purposes of enabling payment processing, settlement, or compliance with anti-money laundering and counter-terrorism financing (AML/CTF) requirements. By providing such third-party Personal Data, You represent and warrant that You have obtained valid consent from the relevant individual(s) and that they have agreed to the Processing of their Personal Data by Us. We may request proof of such consent from You at any time. Any consequences arising from the submission of third-party Personal Data shall be Your responsibility, subject to this Privacy Notice and Applicable Laws and Regulations, and We are released from any claims regarding the unauthorized use of such Personal Data.

04

We will safeguard Your Personal Data in accordance with this Privacy Notice. However, We are not responsible for any Personal Data that You disclose or disseminate to third parties, whether intentionally or unintentionally. Such disclosure will be deemed as a waiver of confidentiality of the disclosed Personal Data.

05

If You are under the minimum age requirement (less than 18 years of age) or are considered a child or under guardianship in accordance with Applicable Laws and Regulations, You must review this Privacy Notice together with Your parent or legal guardian. Ensure that Your parent or guardian understands and agrees to the terms of this Privacy Notice before You use Our Platform and Services. In the event that Your Personal Data is disclosed to Us, You hereby represent and warrant that Your parent or legal guardian has given consent to the Processing of Your Personal Data in accordance with the provisions of the Applicable Laws and Regulations. Your parent or guardian also agrees to be bound by this Privacy Notice and is responsible for all of Your actions carried out on Our Platform.

Personal Data

Personal Data refers to any and all information, data, and/or details in any form that can be used to identify You, which from time to time You provide to Us or that You include or submit, whether directly or indirectly, in, on, and/or through the Platform in connection with Your personal or business identity.

Personal Data includes, but is not limited to, Your full name, identification number (including those stated on passport, national identity card, tax identification number/NPWP, or other government-issued identification), address, date of birth, email address, mobile phone number, financial information, payment account details, billing details, transaction data, device information, geolocation data, and any other data categorized as Personal Data under the Applicable Laws and Regulations.

For the avoidance of doubt, Applicable Laws and Regulations shall mean all applicable laws, statutes, regulations, regulatory guidelines, ordinances, protocols, industry codes, licenses, requirements from courts, tribunals, or any governmental or supervisory authority, that are in force from time to time during the validity of this Privacy Notice.

In addition, other data such as behavioral profiles, online identifiers, cookies or device identifiers, fraud signals, and/or transaction patterns that are linked or combined with Your Personal Data shall also be considered as Personal Data.

Please note that Personal Data does not include any information that has already been made available in the public domain.

Basis for Processing Personal Data

In accordance with the provisions of Applicable Laws and Regulations, Durianpay Processes Your Personal Data based on:

01

Contractual obligations

We Process Your Personal Data to perform Our contractual obligations or to take steps at Your request before entering a contract. For example, when You register as a merchant or use Our Platform to process payments, We Process Personal Data such as Your name, contact details, business information, and payment account details to enable authentication, authorization, settlement, and reconciliation of transactions. This basis also applies when You use additional features of Our Services, such as refunds, chargebacks, or recurring payments.

02

Durianpay’s legitimate business interests

We Process Personal Data where it is necessary for Our legitimate interests in operating and improving Our Services. For example, to ensure the security of Our IT systems and the integrity of payment transactions, to monitor and prevent fraud, to conduct analysis and risk scoring, and to improve Our product features for merchants and users. This may also include limited direct marketing activities for services or features that We believe are relevant to Your business needs. We always balance these interests against Your rights and freedoms and ensure that such Processing does not override Your fundamental rights. If legitimate interest is used as the basis for Processing, We maintain records of the assessment, and You have the right to object to this Processing.

03

Compliance with legal obligations

We Process Your Personal Data where required to comply with Applicable Laws and Regulations. This includes, but is not limited to, Know Your Customer (KYC) and Know Your Business (KYB) verification, Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) obligations, Customer/Business Due Diligence (CDD/EDD) processes, screening against official watchlists (such as DTTOT, WMD, and PEP), and reporting of suspicious or unusual transactions to competent authorities. We may also Process Personal Data to fulfill regulatory reporting, record-keeping, and audit requirements issued by Bank Indonesia, PPATK, and other supervisory bodies. Court orders, subpoenas, or regulatory requests may additionally require Us to continue Processing Personal Data for specific lawful purposes related to financial compliance or investigations.

04

Substantial public interest

We Process Personal Data in situations of substantial public interest, such as preventing, detecting, and responding to fraud, financial crimes, cybersecurity threats, or in cooperation with government authorities to safeguard the financial system. This Processing helps protect both You as a user and the broader public from risks that may endanger financial stability or the security of payment transactions.

05

Your consent

Where no other legal basis applies, We Process Your Personal Data based on Your explicit consent. This consent is voluntary and may be withdrawn at any time. For example, You may provide consent to receive newsletters, product updates, or promotional offers from Us. When You provide consent, We will inform You about how You can withdraw or manage Your preferences. Please refer to the “Your Rights” section of this Privacy Notice for more details.

Personal Data We Collect

Personal Data collected when You use the Platform, receive, or provide Our payment services (“Services”), includes the following:

01

Personal Data collected from You as a User or Merchant on the Platform

a. Personal Data collected from You as a Merchant, including but not limited to:

i. Personal Data and supporting documents submitted when You complete the Durianpay registration form or onboarding process, such as Your name, national identification number (NIK), passport number, taxpayer identification number (NPWP), company registration number (NIB/TDP), business license, deed of incorporation and its amendments, and other establishment or authorization documents (including approvals from the Ministry of Law and Human Rights or equivalent authority);

ii. Information related to the identity of company representatives, management, shareholders, or beneficial owners, including identification documents (KTP, passport, or KITAS for foreign nationals), photographs, and, where applicable, video-call verification records for authentication purposes;

iii. Business and financial information, such as company address, email, contact number, bank account details under the company’s name, logo, proof of business operations, and payment channel configuration;

iv. Documents evidencing regulatory or operational legitimacy, including but not limited to standard certificates, operational permits, domicile certificates, and licenses relevant to the nature of the business or foundation;

v. For international entities, incorporation or association documents, certificate of incumbency (if applicable), payment service provider license (if applicable), and other documentation demonstrating compliance with local or international regulatory requirements;

vi. Information obtained during verification and screening activities, such as authentication results, records of screening against official lists (including DTTOT, WMD, and PEP lists), and risk evaluation outcomes conducted in accordance with Bank Indonesia and PPATK requirements;

vii. Information generated through Durianpay’s risk assessment and profiling mechanisms, including merchant category, business type, transaction pattern, verification channel, jurisdiction, and risk rating (e.g., low, medium, or high risk), which are determined based on Durianpay’s internal risk scoring matrix in accordance with applicable financial and anti-money-laundering regulations;

viii. Verification data obtained during video-call or on-site verification processes, including confirmation of identity, business address, nature of business operations, funding source, transaction purpose, frequency, and other information required to validate the Merchant’s risk profile. For Merchants classified as high-risk, additional verification may include Ultimate Beneficial Owner (UBO) declarations and other supporting documents to confirm ownership and legitimacy.

ix. Durianpay may screen and monitor Merchants and their representatives against Politically Exposed Person (PEP) databases, sanctions lists, and other official sources to comply with financial and anti-money-laundering regulations. Enhanced Due Diligence (EDD) may be applied to Merchants identified as high-risk or involved in suspicious transactions.

x. Personal Data provided when You participate in surveys, product feedback, or promotional campaigns conducted by Durianpay or on behalf of Durianpay;

xi. Other Personal Data provided when You communicate with Us, including through Our customer support channels, business correspondence, or meetings with Durianpay representatives.

b. Personal Data collected from You as a Merchant, including but not limited to:

i. For corporate Clients — company name, registration documents, licenses, taxpayer identification number (NPWP), and supporting documents equivalent to those required from Merchants;

ii. Additional verification data, including facial photographs or selfies with identity documents, and, where applicable, financial or bank account information to facilitate payment processing.

c. Personal Data recorded when You use the Platform, including but not limited to:

i. Transaction data, including payment amount, transaction time and date, payer and payee details, payment method, currency, device used, IP address, geolocation data, and transaction reference number, as well as related metadata such as status, settlement confirmation, and reconciliation results;

ii. Usage and activity data, including registration logs, login timestamps, device identifiers, and actions taken on the Platform (for example: creating invoices, viewing reports, initiating settlements, or processing refunds);

iii. Technical and device data, including device type, operating system, browser type and version, network information, language settings, device identifiers, advertising identifiers, IP address, and cookies or similar technologies that allow Us to recognize Your browser or device;

iv. System and server logs, such as access time, API calls, URL requests, error logs, and authentication attempts, used for performance monitoring, fraud prevention, and diagnostic purposes; and

v. Fraud and security data, including risk scores, behavioral patterns, geolocation anomalies, and device fingerprints generated during the course of transaction monitoring.

02

Personal Data collected from You as a Partner or Vendor

a. Partner:

Personal Data may be collected during the course of business partnership engagement, including at the stage of Non-Disclosure Agreement (NDA) signing or execution of cooperation agreements, for the purposes of due diligence, verification, business alignment, and contract administration. Personal Data collected may include:

· Corporate documents (e.g., deed of establishment, NIB, NPWP), identification of directors or authorized representatives, and any related correspondence;

· Contact information (e.g., business email address, phone number, and job title of the designated PIC); and

· Supporting data related to integration or testing activities (e.g., developer or merchant dashboard credentials, partner API access logs).

The timing and scope of Personal Data collection may vary depending on Durianpay’s business engagement process and the specific requirements of each partner. Durianpay ensures that all such Processing is carried out in accordance with Applicable Laws and Regulations.

b. Vendor:

Personal Data collected during vendor registration and procurement processes, including but not limited to:

· Vendor name, tax identification number (NPWP), business registration number (NIB/SIUP), address, bank account information (bank name, account number, and account holder name), and contact details of designated finance or business representatives (PIC);

· Supporting documentation such as tax exemption letters (if applicable) and proof of banking information (e.g., bank book cover page).

Such Personal Data is collected and processed for the purposes of vendor due diligence, registration, payment processing, and contract administration.

c. Other communications:

Personal Data shared through interactions with Durianpay, including calls (which may be recorded for quality assurance or dispute handling), meetings, letters, or email exchanges.

03

Personal Data collected from other sources

  1. Partners and service providers who assist Us in providing payment and financial services on the Platform under controller-to-controller or controller-to-processor arrangements, including but not limited to acquiring banks, payment processors, card networks, e-wallet providers, KYC/AML verification vendors, risk and fraud detection providers, and logistics or accounting service providers;

  2. Third parties or integration platforms that You use to create or access a Durianpay account, including but not limited to e-commerce platforms, accounting tools, or systems that connect to the Durianpay API;

  3. Regulatory or government databases used to verify identity, licensing, tax information, or sanction status, as required by Applicable Laws and Regulations. This may include verification through systems or databases maintained by government authorities or financial intelligence units (e.g., PPATK, Bank Indonesia) for the purposes of Customer or Business Due Diligence (CDD/EDD), sanction list checks, and compliance monitoring;

  4. Marketing and analytics service providers that assist Us in delivering relevant offers and improving Our Services, where applicable; and/or

  5. Publicly available sources, such as company registries, professional networks, or public records.

Durianpay may combine or process Personal Data obtained from these sources with other Personal Data in Our possession to ensure accuracy, detect fraud, or comply with legal and regulatory obligations.

In the event that additional Personal Data is collected beyond what is stated in this Privacy Notice, Durianpay will request Your additional consent, taking into account the protection of Your Personal Data in accordance with Applicable Laws and Regulations.

Use of Personal Data

Durianpay uses the Personal Data collected to verify and onboard merchants and partners, process and reconcile payment transactions, fulfill compliance obligations (including KYC, KYB, and AML/CFT requirements), communicate service updates, improve the Platform’s security and performance, and—where permitted by law—send relevant service or marketing communications based on Your consent.

Sharing of Personal Data Which We Collect

01

We may disclose, provide access to, or share Your Personal Data with Our affiliates and/or other parties for the following purposes and for other purposes permitted under Applicable Laws and Regulations:

  1. If You are a User or Merchant, to enable Our financial partners and service providers (such as acquiring banks, issuing banks, payment gateways, e-money issuers, and card networks) to process, authorize, settle, and reconcile Your payment transactions made through the Platform.

  2. If You are a Partner or Vendor, to enable Users or Merchants to receive the services You provide to Durianpay under Your agreement with Us.

  3. If required or authorized by Applicable Laws and Regulations, including but not limited to responding to regulatory inquiries, supervisory reviews, reporting obligations to Bank Indonesia, PPATK, or other authorities, or complying with statutory filing and retention requirements.

  4. If instructed, requested, required, or permitted by competent government agencies or law enforcement authorities for purposes stated in Applicable Laws and Regulations, including anti-money-laundering (AML), counter-terrorism financing (CTF), fraud investigation, and consumer-protection matters.

  5. For the purposes of internal investigations of violations of law or company policies within Durianpay and its affiliated companies.

  6. If there is a legal process of any kind between You and Us, or between You and other parties in connection with the Services on the Platform, for the purposes of such legal process and dispute resolution.

  7. To detect and protect against fraud, financial crime, cybersecurity incidents, or technical vulnerabilities, where We may transfer and disclose Your Personal Data to relevant third-party security and fraud-monitoring service providers.

  8. In connection with KYC (Know Your Customer) and KYB (Know Your Business) processes or any other verification activities that We and/or third parties conduct before granting You access to the Services or activating Your merchant account. This may include sharing or reporting of relevant Personal Data to competent authorities such as Bank Indonesia and the Financial Transaction Reports and Analysis Center (PPATK) for purposes of Anti-Money Laundering, Counter-Terrorism Financing, and ongoing regulatory supervision as required by Applicable Laws and Regulations.

  9. In an emergency involving the safety or security of Durianpay, its employees, Users, Merchants, Partners, or the public, to handle such emergency and prevent harm.

  10. In connection with public-interest or financial-system stability matters, where Durianpay may share Personal Data with government agencies or supervisory authorities for purposes of monitoring systemic risk, fraud patterns, or payment system integrity as required by Applicable Laws and Regulations.

  11. In connection with any merger, acquisition, financing, corporate restructuring, or sale of assets involving Durianpay or its affiliates, for the purposes of such transaction (including due diligence). If another entity acquires Durianpay or its assets, Your Personal Data may be transferred as part of that transaction subject to the same protections set forth in this Privacy Notice.

  12. To third-party service providers (including cloud computing, data hosting, infrastructure, IT support, analytics, risk scoring, fraud detection, and payment system integration providers) who assist Us in operating the Platform or performing functions on Our behalf, subject to confidentiality and data-protection obligations.

  13. To Our affiliates or members of Our corporate group (including subsidiaries and the parent company), for purposes of supporting Platform operations, providing back-office and technical services, and ensuring business continuity. All such affiliates are required to Process Personal Data in accordance with this Privacy Notice and Applicable Laws and Regulations.

  14. To financial-sector partners, payment scheme operators, and clearing institutions for purposes of settlement, reconciliation, reporting, or compliance with industry standards (e.g., card network rules, Bank Indonesia regulations).

  15. To marketing and analytics partners only for lawful and limited purposes of improving Our Services, subject to Your consent where required by Applicable Laws and Regulations.

  16. To carry out any other Processing activities for the purposes described in this Privacy Notice, where permitted by Applicable Laws and Regulations. For clarity, Durianpay does not sell, rent, or trade Your Personal Data to any third party.

02

Where Personal Data does not need to be associated with You, We will make reasonable efforts to anonymize or aggregate the data before disclosing or sharing it with third parties.

03

We will not sell or lease Your Personal Data to any party under any circumstances.

04

In addition to the above, Durianpay may disclose and share Your Personal Data only after providing You with notice and obtaining Your consent when such disclosure is required under Applicable Laws and Regulations.

International Data Transfers

Your Personal Data that We collect may be stored, transferred, or processed outside Indonesia by Our personnel or by third-party service providers, vendors, suppliers, partners, contractors, or Durianpay affiliates for one or more of the purposes set out in this Privacy Notice — for example, cloud hosting, cross-border payment processing, or fraud monitoring.

Durianpay will comply with all Applicable Laws and Regulations and use reasonable efforts to ensure that countries where Our affiliates or service providers are located maintain a level of Personal Data protection that is equivalent to or higher than that of Indonesia, or that those third parties are bound by adequate and enforceable data-protection agreements (such as standard contractual clauses or binding corporate rules).

Where required by Applicable Laws and Regulations, Durianpay will seek Your explicit consent before transferring Your Personal Data outside Indonesia. You understand and consent to such transfer of Your Personal Data outside Indonesia for the lawful purposes described herein.

Storage of Personal Data

Your Personal Data will only be stored as long as necessary to fulfill the purposes for which it was collected, during the applicable retention period, or as otherwise required or permitted by Applicable Laws and Regulations. Personal Data may be retained for up to ten (10) years in accordance with prevailing regulations, or longer if required by Applicable Laws and Regulations.

We will cease storing Personal Data, or remove its association with You as an individual, as soon as it is determined that the purpose for which the Personal Data was collected is no longer necessary, upon Your written request for the deletion and destruction of Your Personal Data, or when retention is no longer required for business, operational, or legal purposes.

Durianpay will delete and/or anonymize User Personal Data under Durianpay’s control if:

  1. the User’s Personal Data is no longer necessary to fulfill the purpose of its collection;

  2. the retention period has expired; and

  3. retention is no longer required to comply with Applicable Laws and Regulations, including but not limited to those issued by Bank Indonesia and other competent financial or data protection authorities.

Please note that there may still be instances where some of Your Personal Data is stored or controlled by other parties, including partner financial institutions, payment gateways, card networks, or government authorities, in certain ways. In cases where We share Your Personal Data with such authorized institutions and/or other entities designated by the government or cooperating with Us, You acknowledge and agree that the retention of Your Personal Data by these institutions will follow their respective data retention and compliance policies.

To the extent permitted by Applicable Laws and Regulations, You release Us from and against any and all claims, losses, liabilities, costs, damages, and expenses (including but not limited to legal fees and full compensation costs) directly or indirectly resulting from any Personal Data processing activities conducted outside of Our Platform or Services.

Your Rights as a Personal Data Subject

01

As regulated under the Applicable Laws and Regulations, You as the subject of Personal Data have the following rights regarding Your Personal Data:

a. Right to be informed

You have the right to be provided with clear, transparent, and easily understandable information about how We collect, use, store, and disclose Your Personal Data, as well as Your rights as a data subject. Accordingly, Durianpay provides this information through this Privacy Notice and related communications.

b. Right to rectify

You have the right to complete, correct, or update Your Personal Data at any time. You may edit Your profile information (e.g., name, email address, phone number, business information, or bank account details) directly through the Platform or, where applicable, by contacting Our customer support team.

If You encounter difficulties or require assistance, You may request Our help to correct or update Your information. Durianpay may request reasonable verification to ensure the accuracy of the changes.

c. Right to Access

You have the right to request confirmation as to whether We are Processing Your Personal Data and to obtain access to and a copy of such data, subject to verification and applicable administrative procedures.

d. Right to erasure (“right to be forgotten”)

You have the right to request the deletion or destruction of Your Personal Data under certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected, or where You have withdrawn consent and there is no other lawful basis for retention. If You wish to delete Your account or Personal Data, please contact Us. Durianpay will assess Your request and delete, destroy, or permanently anonymize the data as required, in accordance with this Privacy Notice and Applicable Laws and Regulations. Please note that We may continue Processing certain Personal Data as required to fulfill Our legal or regulatory obligations (e.g., transaction records, tax documentation, or audit logs).

e. Right to restrict Processing

Under specific conditions, You may request that We restrict or temporarily suspend the Processing of Your Personal Data or raise an objection to certain Processing activities, including direct marketing or profiling.

f. Right to withdraw consent

Where We rely on Your consent as a lawful basis for Processing, You have the right to withdraw Your consent at any time. You may withdraw consent by contacting Us through the communication channels listed in this Privacy Notice or by using the available “unsubscribe” or “opt-out” options in Our communications. Please note that withdrawal of consent may affect Our ability to deliver certain Services (e.g., payment processing, account verification, or dispute handling) and may result in account deactivation or termination of Your contractual relationship with Durianpay. We will inform You of any potential consequences prior to processing Your withdrawal request.

g. Right to data portability

You may request that We provide or transfer Your Personal Data to another controller or service provider in a commonly used and machine-readable format, where technically feasible, and where the Processing is based on consent or the performance of a contract.

h. Right to lodge a complaint

If You deem that Your data privacy rights have been violated or You have suffered losses due to unlawful processing of Your Personal Data, You have the right to lodge a complaint directly with the relevant data privacy authority pursuant to the Applicable Laws and Regulations.

i. Rights related to automated decision-making

Durianpay does not implement fully automated decision-making processes that produce legal or significant effects on You. If, in the future, We introduce automated systems (e.g., risk scoring, transaction anomaly detection, or fraud prevention models), You will retain the following rights:

· Human Intervention: To request human review of any automated decision;

· Expressing Views: To express Your opinion and provide additional information relevant to the decision;

· Explanation: To request an explanation of the logic involved in the automated decision; and

· Challenging Decisions: To contest or request reconsideration of such automated decisions.

02

Access, correction, and verification procedures

You may exercise Your right to access, correct, or obtain a copy of Your Personal Data under Durianpay’s control by contacting Us via Our official communication channels or through Our customer support team. All requests will be subject to an identity verification process and reviewed to ensure compliance with Applicable Laws and Regulations. Durianpay reserves the right to:

a. Refuse requests deemed irrelevant, unfounded, excessive, or that may infringe the rights of others; and

b. Charge a reasonable administrative fee for processing data access or copy requests, where permitted by law (such fee will be communicated to You in advance).

Durianpay will respond to Your request within the period stipulated by Applicable Laws and Regulations.

03

Exercising other rights

If You wish to exercise any other rights as a Personal Data Subject, You can contact Us via the channels provided in the “Contact Us” section of this Privacy Notice. Our team will assist You in fulfilling Your rights in accordance with legal and technical requirements.

04

Retention after deletion requests

Please note that even after a deletion request, Durianpay may continue to Process certain Personal Data strictly for legitimate business or legal purposes, such as fraud detection, risk management, regulatory compliance, or system security.

For example, if an account is suspended for fraud, We may retain certain identifiers to prevent the same individual or entity from re-registering under a new account.

We may also retain transaction or audit data as required under Applicable Laws and Regulations, including those issued by Bank Indonesia.

Security of Your Personal Data

01

The confidentiality of Your Personal Data is of utmost importance to Durianpay.

We apply appropriate technical, organizational, and operational security measures to protect and secure Your Personal Data from unauthorized access, collection, use, disclosure, alteration, or destruction. These measures include, among others, data encryption, access control, network and application security, monitoring, and internal policy enforcement. For the security of Your Personal Data, We strongly recommend that You always use the latest version of Our Platform and maintain the security of Your devices and login credentials.

01

Although Durianpay uses its best efforts to secure and protect Your Personal Data, please note that data transmission over the Internet is not entirely risk-free.

In the event of a Personal Data breach involving Your information, and to the extent required by Applicable Laws and Regulations, Durianpay will promptly notify You and the competent authorities through official communication channels, either directly or indirectly, to provide sufficient information regarding the breach and the mitigation actions taken to prevent any misuse of Your Personal Data.

Links to Third-Party Platforms

01

Please note that when You use the Platform, Durianpay may contain hyperlinks or links to third-party platforms, websites, or applications (collectively, “Third-Party Platforms”), including their content, for Your convenience. Such Third-Party Platforms may include, but are not limited to, merchant sites, partner bank portals, payment channel dashboards, or external APIs integrated into Our Services. Durianpay has no control over and assumes no responsibility for the operation, content, privacy practices, or data security measures of these Third-Party Platforms. Therefore, Your access and use of such Third-Party Platforms are entirely at Your own responsibility and risk.

02

This Privacy Notice applies only to the Services provided directly by Durianpay through the Platform and does not extend to any third-party websites, systems, or applications that may be linked or integrated with Our Services.

03

We strongly recommend that You carefully review and understand the privacy notices and data-protection policies of any Third-Party Platforms before providing Your Personal Data to them or using their services.

Governing Law

This Privacy Notice shall be governed by and construed in accordance with the laws of the Republic of Indonesia, including all Applicable Laws and Regulations related to personal data protection, payment systems, financial services, and electronic transactions. You are required to comply with all Applicable Laws and Regulations of the Republic of Indonesia in connection with Your use of the Platform and Services.

Changes to this Privacy Notice

This Privacy Notice may be amended or updated from time to time to ensure alignment with developments in Our business operations, technological advancements, or changes in Applicable Laws and Regulations.

Durianpay will notify You of any material changes through reasonable means — including via the Platform, email, or other communication channels — in accordance with legal requirements. However, You are encouraged to review this Privacy Notice periodically to stay informed of the most recent version.

Your continued access or use of the Platform, communication with Us, or utilization of any Services after such amendments will be deemed as Your acknowledgment and acceptance of the updated Privacy Notice.

Contact Us

If you have any questions, comments, complaints, or claims regarding this Privacy Notice, or if you wish to exercise your rights as a Personal Data subject regarding your Personal Data on the Platform, please send an email to privacy@durianpay.id. We will handle your complaint confidentially. We will contact you within a reasonable period after receiving your complaint to discuss it and provide options on how your complaint can be resolved.

I HAVE READ AND UNDERSTAND ALL THE PROVISIONS OF THIS PRIVACY NOTICE AND THEIR CONSEQUENCES, AND I HEREBY ACCEPT AND AGREE TO ALL RIGHTS, OBLIGATIONS, AND TERMS SET FORTH IN THIS PRIVACY NOTICE. THIS STATEMENT IS DEEMED AS MY CONSENT AS THE OWNER AND/OR CONTROLLER OF THE PERSONAL DATA.