Privacy Policy

Last updated: 06 May 2026

This Privacy Policy describes how PT UNIT GLOBAL SYSTEM ("UnitPay", "we", "us", "our") collects, uses, discloses, and protects personal data. It applies to visitors of this website, prospective and active merchants, beneficial owners and directors named in merchant onboarding, end-customers whose payment data we process on behalf of merchants, and anyone who contacts us through the channels listed below. The policy is aligned with the Indonesian Personal Data Protection Law (Undang-Undang Pelindungan Data Pribadi, Law 27 of 2022, "UU PDP"), and the EU General Data Protection Regulation 2016/679 ("GDPR") where it applies extra-territorially. An Indonesia-specific notice is published separately at UU PDP Personal Data Notice and prevails for Indonesian data subjects in case of conflict.

1. Controller identity and contact

The data controller is PT UNIT GLOBAL SYSTEM, a limited liability company established under Indonesian law. Registered office: Menara Cakrawala 12th Floor Unit 05A, Jl. M.H. Thamrin, Kebon Sirih, Menteng, Central Jakarta, DKI Jakarta Province 10340, Republic of Indonesia. Tax identification (NPWP): 22.709.627.8-021.000. Business identification (NIB): 2511240128903, issued 25 November 2024.

General privacy enquiries may be addressed to legal@unitpay.net. Data subject requests (access, rectification, erasure, portability, objection, restriction) should be sent to our Data Protection Officer at dpo@unitpay.net with subject line "DSR request". Postal correspondence may be sent to the registered office above marked for the attention of the Data Protection Officer.

2. Categories of personal data we process

The categories of personal data we process depend on how you interact with us:

  • Website visitors: IP address, device and browser identifiers, pages visited, referrer, language preference, and cookie identifiers as described in our Cookie Policy.
  • Merchant onboarding: legal entity data (name, registration numbers, address), beneficial-owner identity data (full name, place and date of birth, nationality, KTP or passport number, photograph, biometric liveness template hashes), banking instrument numbers for settlement, business activity and KBLI codes, supporting corporate documents.
  • End-customer payment processing: payment-instrument tokens, transaction amounts and timestamps, merchant identifiers, fraud-detection signals (device fingerprint, geolocation at coarse level), and the minimum customer identifiers the merchant supplies for fraud screening and dispute handling.
  • Customer-support and complaint contacts: contact details you provide, the content of your enquiry, and our response, retained for the period set out in section 7.
  • Compliance and audit: AML and sanctions screening outcomes, suspicious-transaction reports filed with PPATK, regulator correspondence, and access logs to systems containing the data above.

We do not knowingly collect personal data from children under 17. If you believe a child has provided personal data, please contact the Data Protection Officer for prompt erasure.

3. Sources of personal data

We obtain personal data directly from you when you visit the site, submit an onboarding application, contact support, or otherwise interact with us. We also receive personal data from third parties: from merchants in respect of their end-customers under a data processor relationship, from our KYC and AML service provider (Didit, which performs identity verification as well as sanctions and PEP screening), from card schemes and acquiring partners in the course of payment processing, and from public registries when we verify entity data submitted at onboarding.

4. Purposes and lawful bases of processing

Each category of processing rests on a documented lawful basis under UU PDP Article 20 and, where applicable, GDPR Article 6:

  • Performance of a contract: provision of payment services to merchants, settlement of funds, customer-support response, and dispute handling. Lawful basis: contractual necessity (UU PDP Art 20(b); GDPR Art 6(1)(b)).
  • Compliance with legal obligations: customer due diligence and ongoing monitoring under UU TPPU (Law 8 of 2010) and PPATK rules; complaint-handling under POJK 18/2018; tax record-keeping. Lawful basis: legal obligation (UU PDP Art 20(c); GDPR Art 6(1)(c)).
  • Legitimate interests: fraud detection, transaction monitoring, network and information security, defence of legal claims, and operating the merchant cabinet. Lawful basis: legitimate interest (UU PDP Art 20(f); GDPR Art 6(1)(f)), subject to a balancing test that does not override your rights.
  • Consent: optional cookies for analytics and any future marketing communications. Lawful basis: consent (UU PDP Art 20(a); GDPR Art 6(1)(a)). Consent is freely given, informed, specific, and revocable at any time without affecting the lawfulness of processing performed before revocation.

5. Recipients and disclosures

We disclose personal data to the following categories of recipients, each bound by contractual confidentiality and data-protection obligations aligned with UU PDP and, where applicable, GDPR Article 28:

  • Our infrastructure provider Amazon Web Services (Asia Pacific - Jakarta), which hosts production workloads in the ap-southeast-3 (Jakarta) region under its published shared-responsibility model.
  • Our KYC and AML screening vendor Didit for identity verification, sanctions, and PEP checks. Onward processing is restricted to the verification and screening purposes specified in our agreement.
  • Acquiring banks, card schemes (Visa, Mastercard), and local payment-method operators (QRIS, virtual-account issuers) when those parties are necessary to route a transaction or resolve a dispute.
  • Our consent management platform Iubenda for cookie-consent capture and audit trail.
  • Professional advisers (legal, audit, tax) bound by confidentiality.
  • Regulators and authorities (Bank Indonesia, OJK, PPATK, the Indonesian Personal Data Protection Authority, tax authority, courts, and law enforcement) where disclosure is required by law or compelled by valid legal process.

We do not sell personal data. We do not share personal data for the independent marketing purposes of third parties.

6. International transfers

Personal data of Indonesian data subjects is processed and stored within Indonesia (ap-southeast-3, Jakarta region) by default. Where cross-border transfer is necessary for the purposes described above (for example, where a vendor's incident-response team operates outside Indonesia), we apply UU PDP Article 56 safeguards: an adequacy determination, contractual protections including the European Commission Standard Contractual Clauses where the recipient jurisdiction lacks adequacy, and supplementary technical measures such as encryption in transit and at rest with keys held in our control. The current list of sub-processor jurisdictions is published alongside the UU PDP Personal Data Notice; we notify merchants of material sub-processor changes in advance through the merchant cabinet.

7. Retention

We retain personal data only for as long as needed for the purpose for which it was collected, and no longer than the maximum periods set by law:

  • Merchant onboarding records, KYC artefacts, transaction records: at least 10 years after the end of the merchant relationship, in line with UU TPPU Article 24 and Bank Indonesia record-keeping rules.
  • Customer-support correspondence: 24 months from last contact, unless retention is extended by an open complaint or legal claim.
  • Audit logs and access logs: 7 years under the security framework described in our Security Policy.
  • Website analytics: aggregated for up to 26 months; identifiers tied to a cookie are deleted on consent withdrawal or at session end where consent was never granted.
  • Marketing contact lists: until consent is withdrawn, subject to a suppression list retained as long as needed to honour the withdrawal.

Where the law allows shorter periods, we shorten retention accordingly. Where the law mandates longer retention (for example, in connection with ongoing legal proceedings or a regulator instruction), we extend retention for the minimum period necessary and document the lawful basis.

8. Your rights

Subject to applicable law you have the right to: be informed about how we process your personal data; access the personal data we hold about you; have inaccurate data rectified; have data erased where retention is no longer justified; restrict processing in defined circumstances; receive your data in a portable format and have it transmitted to another controller where technically feasible; object to processing carried out on the basis of legitimate interests; and withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any right, contact the Data Protection Officer at dpo@unitpay.net. We respond within the timeframes set by applicable law (30 days under GDPR Art 12, 3 x 24 hours acknowledgement under UU PDP). We may ask for proof of identity before disclosing personal data; this is to protect you, not to obstruct the request. If you are dissatisfied with our response, you may complain to the Indonesian Personal Data Protection Authority or, where GDPR applies, to your local supervisory authority. Financial-service complaints may also be escalated to OJK via the contact channels in our Dispute Resolution Policy.

9. Security

We protect personal data through the controls described in our Security Policy, including TLS-encrypted transport, encryption at rest with customer-managed keys in ap-southeast-3, least-privilege access with multi-factor authentication, comprehensive audit logging, and a 24x7 incident-response capability. Personal data breaches meeting the UU PDP Article 46 threshold are notified to the Personal Data Protection Authority and to affected data subjects within 3 x 24 hours of confirmed determination.

10. Changes to this policy and contact

We review this policy at least annually and on any material change to our processing. Material changes are flagged at the top of this page and, for merchants, communicated through the merchant cabinet. The "Effective date" below indicates the version currently in force; superseded versions are retained internally for audit.

For general privacy questions: legal@unitpay.net. For data subject rights and DPO contact: dpo@unitpay.net. For complaints under POJK 18/2018: complaints@unitpay.net. Our working hours are Mon-Fri 09:00-18:00 WIB.

Effective date: 06 May 2026